Privacy policy

Medipass Solutions Pty Ltd

Privacy Policy

Effective Date: 26 August 2019

Click here to read our Privacy Collection Notice.

1. About this Policy 

We are committed to respecting the privacy of your personal information.

In this Privacy Policy, we use the terms “us”, “we”, “our” and “Medipass” to refer to Medipass Solutions Pty Ltd ABN 21 615 345 536 and its subsidiaries. 

This Privacy Policy explains how we collect, store, use and disclose personal information.  We are bound by the Privacy Act 1988 (Cth) (Privacy Act) including the Australian Privacy Principles contained in the Privacy Act and are committed to protecting personal information we may hold at any time in respect of any individual, in accordance with those requirements.

Those principles do not apply to certain records and practices relating to the employment relationship between us and our employees.  In addition, certain disclosures of personal information between related bodies corporate do not have the same protection as disclosures to other persons.

The Service includes any website, application program interface (“API”), software, programs, documentation, tools, internet-based services and components, including those that interact directly using our practitioner web claiming systems, Individual smartphone applications or indirectly via integrations with practice management systems, health funds, schemes, insurance agencies and their related systems (“Insurers”) or other partner services that allows you to book medical appointments, obtain quotes, process health claims and payments and communicate with us about transactions (collectively referred to as the “Service”). 

This Privacy Policy should be read in conjunction with, and is subject to: 

  • any other privacy or collection notice that we may provide to you when we collect your personal information or provide a particular product or service including the Service; 
  • any terms and conditions of use which govern your access to and use of each of our products and services or the Service; and
  • Our User Terms which can be found at www.medipass.com.au/user-terms

2. Who does this Privacy Policy apply to?

This Privacy Policy applies to:

  • medical and health providers (“Practitioners”); 
  • patients and consumers (“Individuals”); and
  • other individuals whose personal information is collected by us during the conduct of our business, 

collectively referred to as “you” or “Users”.  

The Service is provided to Users in conjunction with health funds, schemes, insurance agencies and their related systems (“Insurers”).  Users may engage with the Service through joint software initiatives including applications and websites which are powered by Medipass.  This Privacy Policy is not a substitute for the terms and policies of Insurers which may, from time to time, provide services powered by Medipass.

3. What is “personal information”?

“Personal information” is information or an opinion about an individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, or is recorded in a material form or not.  Personal information does not include “aggregate” information, which is data we collect about the use of the Service (and which does not include information or an opinion about an identified individual or an individual who is reasonably identifiable).  Our Privacy Policy does not restrict or limit our collection and use of aggregate information.

“Sensitive information” is a subcategory of personal information.  It is information or an opinion about certain aspects of an individual, such as health information.  In this Privacy Policy, a reference to personal information includes sensitive information.  

4. How do we collect personal information?

We ordinarily collect personal information directly from you or where it is provided to us with your authority (e.g. from a person appointed to act on your behalf).  We may also be required to collect personal information about you from a third party.  

We will only collect personal information which is reasonably necessary for, or directly related to, our functions or activities.

The type of personal information we collect about you depends on your relationship with us.

As an Individual, the personal information you may provide to us includes your contact information (such as name, address, email address and phone numbers), date of birth and gender, insurer account details, Commonwealth identifiers (such as your Medicare number) and financial information (such as bank account, credit card details and income tier information) that is entered via our Service.  We may also collect and hold sensitive information, such as your health claim details (including item codes you claimed for and the benefit you were paid) and health information in connection with your participation in the Service.

As a Practitioner, when you register for an account and use the Service, we collect the personal information you provide.  The key personal information you may provide to us includes contact information (such as name, address, email address and phone numbers), Your practice business registration, company or practice name, Your practitioner registration details (such as provider numbers, Insurer accreditation information and modality registrations) and Government, Commonwealth and industry issued identification numbers to verify your identity for underwriting and identity validation purposes.

We may also collect personal information about you because we are required or authorized by law to collect it.  For example, we may require personal information to verify your identity under Commonwealth Anti-Money Laundering law.

If, at any time, you provide information about someone other than yourself such as your partner or a dependent (“Other Person”), you warrant that you have the Other Person’s consent to provide such information to us for the purposes specified in this Privacy Policy and you have informed them that you have given the information to us.  You confirm that you and the Other Person consent to us collecting, using and disclosing your and their personal (including sensitive) information, however collected by us, in accordance with this Privacy Policy.

You may choose not to provide us with certain information, but then you may not be able to take advantage of the Service or certain features of the Service or facilitate the provision of, the products and services you request.  

When you contact Medipass, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our Service, such as letting you know about upcoming changes or improvements.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

Location Services

Some Insurers require us to obtain and store your physical location when you are approving a claim. You are provided a choice as to whether you allow Medipass access to this information. By declining to provide your location, you may be unable to process a claim via the Service.  If you opt in to location services, we may collect and process information about your actual location. This is used to process a claim, to search for nearby Practitioners and for fraud detection purposes. We use sensor data from your device including GPS, Wi-Fi, Bluetooth and mobile network towers to determine your location.  

Third Party Information

In addition to the information you directly provide Medipass, we may collect additional information about you from third parties and other verification services such as credit bureaus and accreditation bodies. This information may be collected either directly using our Practitioner applications, Individual applications or indirectly via integrations with medical practice management systems, Insurer platforms or other partner services.

Insurers may provide information to Medipass about you, which is primarily used for the purposes of validating your membership credentials. For example, Medipass may receive your date of birth from Insurers to match against, and validate your Medipass account access.  Medipass may receive information on whether, as a Practitioner, you are approved and eligible to access an Insurer’s scheme and raise claims on behalf of patients. This information may include your provider number, practice location, modality and other personal information.

When adjudicating claims on your behalf, Medipass typically receives transaction data, such as the item codes you claimed for and the benefit you were paid for those services by your selected Insurer. The details of your transactions are received and stored by Medipass.

Personal information automatically collected

Medipass automatically receives and records information on our server logs from your browser or smartphone including your hardware model, operating system version, device identifiers, browser type, IP address, browser cookie information and the function you requested.  We also collect and use information about your interactions with the Service in a manner and format that does not identify you as an individual (“non-personally identifiable information”). We may collect, use, and disclose the following types of non-personally identifiable information:

Analytics information

We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or smartphone app as part of a web or application page request, including the pages you visit, your browser add-ons, your browser’s or device’s width and height, and other information that assists us in improving the Service.  We may collect and use this analytics information together with your personally identifiable information to build a broader profile of our Users so that we can serve you better, to improve the Service and for internal business purposes. We may disclose this combined information to our third-party business partners in aggregated, anonymised form as described below.

Browser cookies

We utilise “cookies” and other technologies to collect non-personally identifiable information from our website and from other websites that use our Service.  Information gathered through cookies and web-server log files may include information such as the date and time of visits, the pages viewed, IP addresses, MAC address, links to/from any page and time spent at our site. 

We use cookie data to measure web traffic and usage activity on our website for purposes of monitoring, troubleshooting and improving our website and the Service, to look for possible fraudulent activity, and to better understand the sources of traffic and transactions on our website and the websites of merchants that use our Service. Cookies also allow our servers to remember your account information for future visits and to provide personalized and streamlined information across related pages on our website and also across other websites or applications that use Service.

Telephone recordings

When you call us on the telephone, we may monitor and, in some cases, record the telephone conversation for staff training and record-keeping purposes.  Further, when we communicate with you by email, we may use technology to identify you so that we will be in a position to know when you have opened the email or clicked on a link in the email.

5. How do we store personal information?

We store your personal information in a number of ways including:

  • in electronic systems and devices;
  • in telephone recordings;
  • in paper files; and
  • document retention services off-site.

This may include storage on our behalf by third party service providers.  See our comments below about how we protect your personal information.

6. How we use the personal information we collect

How we use the personal information we collect about you depends on your relationship with us.  In general, the personal information provided to us is used for such purposes as:

  • to provide the Service;
  • to manage our ongoing relationship with you;
  • administer, process and audit private health claims and pay benefits if you have an insurance product with an Insurer;
  • to verify accounts and activities, to monitor suspicious or fraudulent activities;
  • to process payment transactions and keep you advised as to the status of a payment; and
  • respond to your inquiries, resolve disputes and provide support.

We use personal information for the purposes described in our Privacy Policy or elsewhere on our website or the app or as otherwise disclosed to you at the time the information is collected or as permitted by law.  These purposes include:

Practitioners 

Medipass may use your personal information including your provider number, practice location, modality and other personal information for the purposes of verifying your identify, ensuring that you are approved and eligible to access an Insurer’s scheme and to raise claims on behalf of Practitioners.

Individuals 

As an Individual, the key personal information we have regarding you is used for such purposes as allowing you to book medical appointments, obtain quotes, process health claims and payments, verify your identity and communicate with you about transactions.

When you make a booking, obtain a quote or process a health or payment transaction, we may communicate certain information with the selected Practitioner, your Insurer and your payment card financial services organisation. We use this information as part of the health quote, health claim and payment process.

Direct marketing

Direct marketing involves communicating directly with you for the purpose of promoting our Service or the goods or services of a third party organisation.  From time to time, we may use your personal information for marketing purposes.  This includes sending you updates about new products and services that we or third party organisation’s are offering.  When we contact you, it may be by mail, telephone, email, SMS or through any other means.  When we use your personal information for the purpose of marketing, we will:

  • allow you to ‘opt out’ or in other words, allow you to request not to receive further direct marketing communications of the relevant type; and
  • comply with a request by you to ‘opt-out’ of receiving further communications of that type within a reasonable timeframe.

You may ask to be removed from our marketing lists for any or all types of direct marketing at any time by contacting us. You can unsubscribe from our direct marketing, or change your contact preferences by either contacting us at support@medipass.com.au, or use the unsubscribe feature for email or SMS communications. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations.

7. What Information do we share with third parties?

We will not share the personal information we collect from you through the Service with third parties, except as described in this Privacy Policy or in the provision of the Service or as otherwise disclosed to you or as permitted by law.  By way of example, we share personal information with third parties as follows:

  • with service providers, contractors, affiliates, agents, related bodies corporate and business partners who are working with us in connection with the operation of the Service;
  • with Insurers with whom you have a relationship, for submitting quotes and claims, receiving payment, managing communications, if you make a complaint, providing and sharing information with Insurers including documents uploaded by you to the Service (e.g. capacity certificate) and related purposes;
  • for private health insurance, with HICAPS Pty Ltd who connect to Insurers in order to process your claim;
  • with financial institutions and payment processors including banks such as the National Australia Bank Limited and non-bank financial institutions in the course of processing transactions;
  • with financial institutions, anti-fraud organisation’s and law enforcement agencies for the purposes of identifying and preventing fraud, money laundering, terrorist financing and other financial crimes;
  • with verification and credit bodies or other approved third parties who are authorised to assess the validity of identification information such as Equifax (Identification Bureau);
  • when you give us your consent to do so, including if we notify you that the information you provide will be shared in a particular manner and you provide such information;
  • when we are lawfully authorized or required to do so or where doing so is reasonably necessary or appropriate to comply with the law or legal processes or to respond to legal authorities, including responding to lawful subpoenas, warrants or court orders;
  • to enforce or apply our Privacy Policy, our User Terms or our other policies or agreements;
  • in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition, or in any other situation where personal information may be disclosed or transferred as one of the business assets of us; and
  • otherwise as permitted or required by law.

Medipass may disclose personal information it collects about you to third parties for a variety of purposes in connection with providing its Service. We may also disclose personal information that has been updated or changed (such as an updated address or contact information) to third parties for a variety of purposes in connection with providing its Service. 

We may share Individual contact information, but not the Individual’s payment or health fund account information, with Practitioners as part of appointment booking or health claim and payments transaction processing.

We may provide your name, address and date of birth to an Identification Bureau, who will assess whether the information you provide matches the information held by the Identification Bureau and complete certain checks to verify your identity.  The Identification Bureau will use the information provided by us in addition to its own information, to make its assessment and undertake the checks to verify your identity.   

Where we disclose your personal information to third-parties we will use reasonable endeavors to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Australian Privacy Principles under the Privacy Act. 

8. How do we protect personal information?

Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to ensure that your personal information is accurate, complete, up-to-date, relevant and stored securely. We also take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss and unauthorised access, modification or disclosure.  These include:

  • using appropriate information technology and processes;
  • restricting access to your personal information to our employees and those who perform services for us who need your personal information to do what we have engaged them to do;
  • protecting paper documents from unauthorized access or use through security systems we deploy over our physical premises;
  • using computer and network security systems with appropriate firewalls, encryption technology and passwords for the protection of electronic files;
  • securely destroying or “de-identifying” personal information if we no longer require it subject to our legal obligations to keep some information for certain prescribed periods; and
  • strong encryption technology to safeguard the account registration process and sign-up information.

Although we take reasonable measures to ensure the security of personal information stored by us, we cannot guarantee that they are absolutely secure from malicious third-party circumvention of security measures on our electronic resources (including our website and app), whether those resources are at any of our premises or those of our service providers.  You submit information over the Internet at your own risk.

Please note that third party recipients of personal information, including our service providers that provide the information, may have their own privacy policies and we are not responsible for their actions, including their handling of personal information.  We cannot control the actions of other users with whom you share your information. 

9. Does personal information leave Australia?

Our principal place of processing is Australia.  Any sensitive information you provide to us and payments information is processed and stored exclusively in Australia. 

However, subject to any agreements with Insurers, we may disclose personal information to our related bodies corporate, service providers, and processing partners, such as our help desk platform, that are located outside of Australia.  Some of the third parties to whom we disclose your personal information are located outside of Australia. These countries may include the United States of America, Ireland or the United Kingdom.

We will only disclose personal information to an overseas recipient for the primary purpose for which it was collected, unless an exception applies under the Privacy Act.  See “How do we use the personal information we collect?” above.

Except in some cases where we may rely on an exception under the Privacy Act, we will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in the Privacy Act in relation to such information.

10. Can I opt-out of providing personal information?

If you do not wish to have your personal information used or disclosed in a manner described in this Privacy Policy, you can contact us.  However, please note that if you do so, you may not be able to access, or use, all or part of the Service.  Notwithstanding this, we may still use or disclose your personal information if: 

  • we subsequently notify you of the intended disclosure and you do not object to that use or disclosure; 
  • we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions; 
  • to enforce out terms and conditions; 
  • to protect our rights; 
  • to protect the safety of members of the public and users of our Service; or 
  • we are required by law to disclose the information.

11. Notification of Data Breach 

An “eligible data breach” arises when either:

  • there is unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or
  • information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.

If we become aware that there are reasonable grounds to suspect that there has been an “eligible data breach”, we will prepare a statement including:

  • our identity and contact details;
  • a description of the eligible data breach;
  • the types of information concerned; and
  • recommendations about the steps that you should take to protect yourself or mitigate harm.

We will provide this statement to the Privacy Commissioner and we will take steps to notify affected individuals directly or indirectly via a notice on our website. 

12. Accessing and correcting personal information

We take reasonable steps to ensure that your personal information is accurate, complete and up-to-date.  You may request access to the personal information we hold about you at any time by contacting our Privacy Officer by email at support@medipass.com.au or by post at 134 Little Lonsdale St, Melbourne VIC 3000.  

In certain circumstances, we may be unable to give you access to all of your personal information in our possession.  Some of these circumstances include:

  • where giving you access would compromise some other person’s privacy;
  • where giving you access would disclose commercially-sensitive information of ours or any of our agents or contractors;
  • where we are prevented by law from giving your access; or
  • where the personal information your request relates to existing or anticipated legal proceedings.

If we are unable to give you access, we will consider whether the use of an intermediary is appropriate and would allow sufficient access to meet the needs of both parties.  

Where we do grant access to your information, we may charge you a fee for accessing your personal information.

Under the Privacy Act, you also have a right to request that we correct information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.  

If at any time you believe that personal information about you is inaccurate, out of date, incomplete, irrelevant or misleading, please advise us by contacting our Privacy Officer by email at support@medipass.com.au or by post at 134 Little Lonsdale St, Melbourne VIC 3000, and we will take all reasonable steps to correct the information.

If we do not correct the information, you can also ask us to include with the information held, a statement from you claiming the information is not correct.

If there is a denial of access to your personal information or a dispute as to the correctness of any personal information held, we will provide you with reasons for the denial or its refusal to correct the personal information.  If you disagree with our decision for the denial or refusal to correct the personal information, you may request that we review the decision via our complaints handling procedures which are outlined below.

13. Complaints Handling Process

We are committed to resolving any complaint you may have.  Complaints can be received in several different ways:

  • in person;
  • in writing;
  • via email; or
  • via our website.

Internal Dispute Resolution 

Our representative will be in contact with you regarding your complaint and will let you know who will be assisting you, their contact details and the expected resolution date of your issue within 48 hours.

If the issue is a more complicated one, we may ask you for additional documentation to help resolve the issue.  In turn, we will keep you updated on the progress of your complaint.  We may provide you with information on how to contact an external dispute resolution scheme.  

Customers may contact the Privacy Officer by any of the following means:

Mail: Attention: Privacy Officer

Medipass Solutions Pty Ltd

134 Little Lonsdale Street

Melbourne  VIC  3000

In the unlikely event that your complaint remains unresolved to your satisfaction through the internal procedures outlined above, you may elect to contact the Office of the Australian Information Commissioner (OAIC) if you have a complaint about the way we handle your personal information at:

GPO Box 5218

Sydney  NSW  2001

Email: enquiries@oaic.gov.au

www.oaic.gov.au

14. Changes to this Privacy Policy

We may revise or modify this Privacy Policy from time to time. The most current version of the Privacy Policy will govern our processing of your personal data and will always be at medipass.com.au/privacy. If we make a change to this Privacy Policy, we may notify you via an email to the email address associated with your account. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.  This Privacy Policy replaces any of our other Privacy Policies which have been issued before the date of this Privacy Policy.

15. Contacting Us

If you have any further questions or concerns about the way we manage your personal information, including if you think we have breached the Australian Privacy Principles, please contact:

Privacy Officer

Email: support@medipass.com.au

Medipass Solutions Pty Ltd

134 Little Lonsdale Street

Melbourne  VIC  3000