Privacy Policy

1. Introduction 

Starxalign Pty Ltd ("Starxalign", "we", "us" or "our") is committed to protecting the privacy and confidentiality of personal information and, in particular, patient health information and medical records. 

We comply with: 

• the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) (including as a private sector health service provider); 
• the RACGP Standards for general practices (5th edition), including requirements relating to confidentiality, authorised access and secure handling of patient health information; and 
• guidance issued by the Office of the Australian Information Commissioner (OAIC) for health service providers, including the Guide to Health Privacy. 

This Privacy Policy explains: 

• what information we collect and hold (including health information); 
• how we use, store and disclose it; 
• how patients and other individuals can access and correct information we hold; and 
• how to make a privacy complaint. 

This policy is patient-focused and is available free of charge, including via our website and at our medical centres. 

We may update this policy from time to time. The most current version will be published on our website or otherwise made available upon request. 

2. Who this Policy Applies to 

This Privacy Policy applies to Starxalign and each medical centre we operate, and covers how personal information is handled by: 

• our directors, employees and contractors; 
• practice teams (including reception and administration staff); 
• clinicians and health practitioners working within our centres; and 
• service providers we engage (e.g. IT, billing, secure hosting, document destruction). 

Access to patient health information is restricted to authorised personnel only, and limited to what is necessary for a person’s role, consistent with RACGP expectations. 

3. Key Definitions 

Personal information 

Information or an opinion about an identified individual, or an individual who is reasonably identifiable. 

Health information 

Health information is a type of personal information and includes information collected to provide a health service, such as information about a person’s health, disability, diagnosis, treatment, test results, prescriptions, referrals and expressed wishes about future healthcare. 

Sensitive information 

Sensitive information includes health information and other categories defined under the Privacy Act. We only collect sensitive information where permitted by law and, where required, with consent.

4. What Information We Collect and Hold 

4.1 Patients (health information and medical records) 

To provide safe, high-quality healthcare and manage practice operations, we may collect and hold: 

• identifying details (name, date of birth, address, contact details); 
• Medicare, DVA and private health insurance details (where relevant); 
• clinical information including medical history, allergies, medications, immunisations, diagnoses, treatment plans, referrals and clinical notes; 
• pathology and imaging results and reports; 
• appointment history and communications; 
• billing, claiming and payment records; and 
• information received from other healthcare providers involved in your care. 

4.2 Non-patients (staff, contractors and business contacts) 

We may collect and hold: 

• contact and business details; 
• recruitment and employment information (CVs, qualifications, references); 
• contractor and supplier information; and 
• incident, complaint and compliance records. 

4.3 Website and systems information 

When you use our website or systems, we may collect: 

• IP address and device/browser information; 
• pages viewed and interactions; and 
• cookies and analytics data (where enabled).  

5. How We Collect Information 

We collect information: 

• directly from you (in person, by phone, email, online forms or clinical systems); 
• from your authorised representative where applicable; 
• from other healthcare providers involved in your care; 
• from Medicare, insurers or other funders for billing and claiming; 
• from service providers who support our systems; and 
• from publicly available sources where lawful. 

Where practicable, we collect information directly from the individual concerned and provide notice about why the information is collected and how it will be handled. 

6. Consent and Use of Health Information 

6.1 Primary purpose – providing healthcare 

We use and disclose health information primarily to provide healthcare services, including diagnosis, treatment, referral and care coordination. 

6.2 Secondary purposes 

We may use or disclose health information for a secondary purpose where: 

• you consent; 
• the purpose is directly related to the primary purpose and you would reasonably expect it; or 
• it is otherwise permitted or required by law. 

Where additional consent is required (for example, for certain research or other non-care-related activities), we will seek that consent. 

8. Disclosure of Personal and Health Information 

We disclose information only where permitted by law and where necessary, including to: 

• treating and referred healthcare providers; 
• pathology, imaging and diagnostic services; 
• hospitals and community services involved in your care; 
• Medicare, insurers and other funders; 
• contracted service providers supporting our operations; 
• professional advisers such as legal, accounting and insurance providers; and 
• regulators or authorities where required or authorised by law. 

Where a valid request is made to transfer health information, we aim to do so in a timely, authorised and secure manner, consistent with RACGP expectations.  

7. How We Use Personal and Health Information 

We use personal and health information to: 

• provide and manage healthcare services and medical records; 
• communicate with patients about appointments, results and care; 
• coordinate care and referrals; 
• process billing, claiming and payments; 
• support practice administration, quality improvement and accreditation; 
• train and supervise staff where appropriate; 
• manage enquiries, complaints and incidents; and 
• comply with legal and regulatory obligations. 

9. Overseas Disclosure 

We do not disclose patient health information overseas unless it is necessary for service delivery through a third-party provider (such as secure cloud hosting) and appropriate safeguards are in place, or where otherwise permitted by law or with consent. 

10. Security, Access Controls and Record Management 

We take reasonable steps to protect personal and health information from misuse, interference, loss and unauthorised access, modification or disclosure. Measures include: 

• role-based access controls; 
• secure electronic and physical storage; 
• confidentiality obligations for all staff and contractors; 
• secure disposal and de-identification processes; and 
• regular review of information security practices. 

We retain medical records in accordance with legal and professional requirements and securely destroy or de-identify them when no longer required. 

11. Data Breaches 

As a private sector health service provider, Starxalign complies with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. Where required, we will notify affected individuals and the OAIC of eligible data breaches. 

12. Accessing and Correcting Information 

Individuals may request access to, or correction of, personal information (including health information) we hold about them. We will respond within a reasonable time and may require verification of identity. Where access is refused, we will provide reasons and information about complaint options. 

13. Complaints 

If you believe we have mishandled your information, you may lodge a complaint using the contact details below. We will acknowledge and investigate complaints and aim to resolve them within a reasonable timeframe. 

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).