Effective Date: 1 May 2019
1. About this Policy
We are committed to respecting the privacy of your personal information.
Those principles do not apply to certain records and practices relating to the employment relationship between us and our employees. In addition, certain disclosures of personal information between related bodies corporate do not have the same protection as disclosures to other persons.
The Service (as defined below) includes any website, application program interface (“API”), software, programs, documentation, tools, internet-based services and components, including those that interact directly using our practitioner web claiming systems, Individual smartphone applications or indirectly via integrations with practice management systems, health funds, schemes, insurance agencies and their related systems (“Insurers”) or other partner services that allow you to book medical appointments, obtain quotes, process health claims and payments and communicate with us about transactions (collectively referred to as the “Service”).
collectively referred to as “you” or “Users”.
The Service is provided to Users in conjunction with Insurers. Users may engage with the Service through joint software initiatives including applications and websites which are powered by Medipass.
3. What is “personal information”?
4. How do we collect personal information?
We ordinarily collect personal information directly from you or where it is provided to us with your authority (e.g. from a person appointed to act on your behalf). We may also be required to collect personal information about you from a third party.
We will only collect personal information which is reasonably necessary for, or directly related to, our functions or activities.
The type of personal information we collect about you depends on your relationship with us.
As an Individual, the personal information you may provide to us includes your contact information (such as name, address, email address and phone numbers), date of birth and gender, insurer account details, Commonwealth identifiers (such as your Medicare number) and financial information (such as bank account, credit card details and income tier information) that is entered via our Service. We may also collect and hold sensitive information, such as your health claim details (including item codes you claimed for and the benefit you were paid) and health information in connection with your participation in the Service.
As a Practitioner, when you register for an account and use the Service, we collect the personal information you provide. The key personal information you may provide to us includes contact information (such as name, address, email address and phone numbers), your practice business registration, company or practice name, your practitioner registration details (such as provider numbers, Insurer accreditation information and modality registrations) and Government, Commonwealth and industry issued identification numbers to verify your identity for underwriting and identity validation purposes.
We may also collect personal information about you because we are required or authorized by law to collect it. For example, we may require personal information to verify your identity under Commonwealth Anti-Money Laundering law.
You may choose not to provide us with certain information, but then you may not be able to take advantage of the Service or certain features of the Service or facilitate the provision of the products and services you request.
When you contact Medipass, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our Service, such as letting you know about upcoming changes or improvements.
Some Insurers require us to obtain and store your physical location when you are approving a claim. You are provided a choice as to whether you allow Medipass access to this information. By declining to provide your location, you may be unable to process a claim via the Service. If you opt in to location services, we may collect and process information about your actual location. This is used to process a claim, to search for nearby Practitioners and for fraud detection purposes. We use sensor data from your device including GPS, WiFi, Bluetooth and mobile network towers to determine your location.
Third Party Information
In addition to the information you directly provide Medipass, we may collect additional information about you from third parties and other verification services such as credit bureaus and accreditation bodies. This information may be collected either directly using our Practitioner applications, Individual applications or indirectly via integrations with medical practice management systems, Insurer platforms or other partner services.
Insurers may provide information to Medipass about you, which is primarily used for the purposes of validating your membership credentials. For example, Medipass may receive your date of birth from Insurers to match against, and validate, your Medipass account access. Medipass may receive information on whether, as a Practitioner, you are approved and eligible to access an Insurer’s scheme and raise claims on behalf of patients. This information may include your provider number, practice location, modality and other personal information.
When adjudicating claims on your behalf, Medipass typically receives transaction data, such as the item codes you claimed for and the benefit you were paid for those services by your selected Insurer. The details of your transactions are received and stored by Medipass.
Personal information automatically collected
Medipass automatically receives and records information on our server logs from your browser or smartphone including your hardware model, operating system version, device identifiers, browser type, IP address, browser cookie information and the function you requested. We also collect and use information about your interactions with the Service in a manner and format that does not identify you as an individual (“non-personally identifiable information”). We may collect, use, and disclose the following types of non-personally identifiable information:
We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or smartphone app as part of a web or application page request, including the pages you visit, your browser add-ons, your browser’s or device’s width and height, and other information that assists us in improving the Service. We may collect and use this analytics information together with your personally identifiable information to build a broader profile of our Users so that we can serve you better, to improve the Service and for internal business purposes. We may disclose this combined information to our third-party business partners in aggregated, anonymised form as described below.
We utilise “cookies” and other technologies to collect non-personally identifiable information from our website and from other websites that use our Service. Information gathered through cookies and web-server log files may include information such as the date and time of visits, the pages viewed, IP addresses, MAC address, links to/from any page and time spent at our site.
We use cookie data to measure web traffic and usage activity on our website for purposes of monitoring, troubleshooting and improving our website and the Service, to look for possible fraudulent activity, and to better understand the sources of traffic and transactions on our website and the websites of merchants that use our Service. Cookies also allow our servers to remember your account information for future visits and to provide personalized and streamlined information across related pages on our website and also across other websites or applications that use the Service.
When you call us on the telephone, we may monitor and in some cases record the telephone conversation for staff training and record-keeping purposes. Further, when we communicate with you by email, we may use technology to identify you so that we will be in a position to know when you have opened the email or clicked on a link in the email.
5. How do we store personal information?
We store your personal information in a number of ways including:
This may include storage on our behalf by third party service providers. See our comments below about how we protect your personal information.
6. How we use the personal information we collect
How we use the personal information we collect about you depends on your relationship with us. In general, the personal information provided to us is used for such purposes as:
Medipass may use your personal information including your provider number, practice location, modality and other personal information for the purposes of verifying your identity, ensuring that you are approved and eligible to access an Insurer’s scheme and to raise claims on behalf of Practitioners.
As an Individual, the key personal information we have regarding you is used for such purposes as allowing you to book medical appointments, obtain quotes, process health claims and payments, verify your identity and communicate with you about transactions.
When you make a booking, obtain a quote or process a health or payment transaction, we may communicate certain information with the selected Practitioner, your Insurer and your payment card financial services organisation. We use this information as part of the health quote, health claim and payment process.
Direct marketing involves communicating directly with you for the purpose of promoting our Service or the goods or services of a third party organisation. From time to time, we may use your personal information for marketing purposes. This includes sending you updates about new products and services that we or third party organisations are offering. When we contact you, it may be by mail, telephone, email, SMS or through any other means. When we use your personal information for the purpose of marketing, we will:
You may ask to be removed from our marketing lists for any or all types of direct marketing at any time by contacting us. You can unsubscribe from our direct marketing, or change your contact preferences, by either contacting us at email@example.com or using the unsubscribe feature for email or SMS communications. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations.
7. What information do we share with third parties?
Medipass may disclose personal information it collects about you to third parties for a variety of purposes in connection with providing its Service. We may also disclose personal information that has been updated or changed (such as an updated address or contact information) to third parties for a variety of purposes in connection with providing its Service.
We may share Individual contact information, but not the Individual’s payment or health fund account information, with Practitioners as part of appointment booking or health claim and payments transaction processing.
We may provide your name, address and date of birth to an Identification Bureau, who will assess whether the information you provide matches the information held by the Identification Bureau and complete certain checks to verify your identity. The Identification Bureau will use the information provided by us in addition to its own information, to make its assessment and undertake the checks to verify your identity.
Where we disclose your personal information to third parties we will use reasonable endeavors to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Australian Privacy Principles under the Privacy Act.
8. How do we protect personal information?
Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to ensure that your personal information is accurate, complete, up-to-date, relevant and stored securely. We also take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss and unauthorised access, modification or disclosure. These include:
Although we take reasonable measures to ensure the security of personal information stored by us, we cannot guarantee that they are absolutely secure from malicious third-party circumvention of security measures on our electronic resources (including our website and app), whether those resources are at any of our premises or those of our service providers. You submit information over the Internet at your own risk.
Please note that third party recipients of personal information, including our service providers that provide the information, may have their own privacy policies and we are not responsible for their actions, including their handling of personal information. We cannot control the actions of other users with whom you share your information.
9. Does personal information leave Australia?
Our principal place of processing is Australia. Any sensitive information you provide to us and payments information is processed and stored exclusively in Australia.
However, we may disclose personal information to our related bodies corporate, service providers, and processing partners, such as our help desk platform, that are located outside of Australia. Some of the third parties to whom we disclose your personal information are located outside of Australia. These countries may include the United States of America, Ireland or the United Kingdom.
We will only disclose personal information to an overseas recipient for the primary purpose for which it was collected, unless an exception applies under the Privacy Act. See “How we use the personal information we collect” above.
Except in some cases where we may rely on an exception under the Privacy Act, we will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in the Privacy Act in relation to such information.
10. Can I opt-out of providing personal information?
11. Notification of Data Breach
An “eligible data breach” arises when either:
If we become aware that there are reasonable grounds to suspect that there has been an “eligible data breach”, we will prepare a statement including:
We will provide this statement to the Privacy Commissioner and we will take steps to notify affected individuals directly or indirectly via a notice on our website.
12. Accessing and correcting personal information
We take reasonable steps to ensure that your personal information is accurate, complete and up-to-date. You may request access to the personal information we hold about you at any time by contacting our Privacy Officer by email at firstname.lastname@example.org or by post at 134 Little Lonsdale St, Melbourne VIC 3000.
In certain circumstances, we may be unable to give you access to all of your personal information in our possession. Some of these circumstances include:
If we are unable to give you access, we will consider whether the use of an intermediary is appropriate and would allow sufficient access to meet the needs of both parties.
Where we do grant access to your information, we may charge you a fee for accessing your personal information.
Under the Privacy Act, you also have a right to request that we correct information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.
If at any time you believe that personal information about you is inaccurate, out of date, incomplete, irrelevant or misleading, please advise us by contacting our Privacy Officer by email at email@example.com or by post at 134 Little Lonsdale St, Melbourne VIC 3000, and we will take all reasonable steps to correct the information.
If we do not correct the information, you can also ask us to include with the information held, a statement from you claiming the information is not correct.
If there is a denial of access to your personal information or a dispute as to the correctness of any personal information held, we will provide you with reasons for the denial or refusal to correct the personal information. If you disagree with our decision for the denial or refusal to correct the personal information, you may request that we review the decision via our complaints handling procedures which are outlined below.
13. Complaints Handling Process
We are committed to resolving any complaint you may have. Complaints can be received in several different ways:
Internal Dispute Resolution
Our representative will be in contact with you regarding your complaint and will let you know who will be assisting you, their contact details and the expected resolution date of your issue within 48 hours.
If the issue is a more complicated one, we may ask you for additional documentation to help resolve the issue. In turn, we will keep you updated on the progress of your complaint. We may provide you with information on how to contact an external dispute resolution scheme.
Customers may contact the Privacy Officer by any of the following means:
Mail: Attention: Privacy Officer
Medipass Solutions Pty Ltd
134 Little Lonsdale Street
Melbourne VIC 3000
In the unlikely event that your complaint remains unresolved to your satisfaction through the internal procedures outlined above, you may elect to contact the Office of the Australian Information Commissioner (OAIC) if you have a complaint about the way we handle your personal information at:
GPO Box 5218
Sydney NSW 2001
15. Contacting Us
If you have any further questions or concerns about the way we manage your personal information, including if you think we have breached the Australian Privacy Principles, please contact:
Medipass Solutions Pty Ltd
134 Little Lonsdale Street
Melbourne VIC 3000