Medipass Solutions Pty Ltd
Effective Date: 23 March 2020
1. About this Policy
We are committed to respecting the privacy of your personal information.
Those principles do not apply to certain records and practices relating to the employment relationship between us and our employees. In addition, certain disclosures of personal information between related bodies corporate do not have the same protection as disclosures to other persons.
The Service includes any website, application program interface (“API”), software, programs, documentation, tools, internet-based services and components, including those that interact directly using our practitioner web claiming systems, individual smartphone applications or indirectly via integrations with practice management systems, health funds, schemes, insurance agencies and their related systems (“Insurers”) or other partner services that allow you to book medical appointments, obtain quotes, process health claims and payments and communicate with us about transactions (collectively referred to as the “Service”).
- any other privacy or collection notice that we may provide to you when we collect your personal information or provide a particular product or service including the Service;
- any terms and conditions of use which govern your access to and use of each of our products and services or the Service; and
- Our User Terms which can be found at www.medipass.com.au/user-terms
- medical and health providers (“Practitioners”); and
- patients and consumers and other individuals whose personal information is collected by us during the conduct of our business (“Individuals”),
collectively referred to as “you” or “Users”.
3. What is “personal information”?
4. How do we collect personal information?
We ordinarily collect personal information directly from you or where it is provided to us with your authority (e.g. from a person appointed to act on your behalf). We may also be required to collect personal information about you from a third party.
We will only collect personal information which is reasonably necessary for, or directly related to, our functions or activities.
The type of personal information we collect about you depends on your relationship with us.
As an Individual, the personal information you may provide to us includes your contact information (such as name, address, email address and phone numbers), date of birth and gender, insurer account details, Commonwealth and Government related identifiers (such as your Medicare number or driver licence numbers) and financial information (such as bank account, credit card details and income tier information) that is entered via our Service, as well as any information contained in identity verification documents you provide to us. We may also collect and hold sensitive information, such as your health claim details (including item codes you claimed for and the benefit you were paid) and health information in connection with your participation in the Service.
As a Practitioner, when you register for an account and use the Service, we collect any personal information you provide. The key personal information you may provide to us includes contact information (such as name, address, email address and phone numbers), your practice business registration, company or practice name, your practitioner registration details (such as provider numbers, Insurer accreditation information and modality registrations), Government, Commonwealth and industry related identifiers and any other information provided to us in order to verify your identity for underwriting and identity validation purposes including in any identity verification documents you provide us.
We may also collect personal information about you because we are required or authorized by law to collect it. For example, we may require personal information to verify your identity under Commonwealth Anti-Money Laundering law.
You may choose not to provide us with certain information, but then you may not be able to take advantage of the Service or certain features of the Service or facilitate the provision of the products and services you request.
When you contact Medipass, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our Service, such as letting you know about upcoming changes or improvements.
Some Insurers require us to obtain and store your physical location when you are approving a claim. You are provided a choice as to whether you allow Medipass access to this information. By declining to provide your location, you may be unable to process a claim via the Service. If you opt in to location services, we may collect and process information about your actual location. This is used to process a claim, to search for nearby Practitioners and for fraud detection purposes. We use sensor data from your device including GPS, Wi-Fi, Bluetooth and mobile network towers to determine your location.
Third Party Information
In addition to the information you directly provide Medipass, we may collect additional information about you from third parties and other verification services such as credit reporting bodies and accreditation bodies. This information may be collected either directly using our Practitioner applications, Individual applications or indirectly via integrations with medical practice management systems, Insurer platforms or other partner services.
Insurers may provide information to Medipass about you, which is primarily used for the purposes of validating your membership credentials. For example, Medipass may receive your date of birth from Insurers to match against, and validate your Medipass account access. Medipass may receive information on whether, as a Practitioner, you are approved and eligible to access an Insurer’s scheme and raise claims on behalf of patients. This information may include your provider number, practice location, modality and other personal information.
When adjudicating claims on your behalf, Medipass typically receives transaction data, such as the item codes you claimed for and the benefit you were paid for those services by your selected Insurer. The details of your transactions are received and stored by Medipass.
Personal information automatically collected
Medipass automatically receives and records information on our server logs from your browser or smartphone including your hardware model, operating system version, device identifiers, browser type, IP address, browser cookie information and the function you requested. We also collect and use information about your interactions with the Service in a manner and format that does not identify you as an individual (“non-personally identifiable information”). We may collect, use, and disclose the following types of non-personally identifiable information:
We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or smartphone app as part of a web or application page request, including the pages you visit, your browser add-ons, your browser’s or device’s width and height, and other information that assists us in improving the Service. We may collect and use this analytics information together with your personally identifiable information to build a broader profile of our Users so that we can serve you better, to improve the Service and for internal business purposes. We may disclose this combined information to our third-party business partners in aggregated, anonymised form as described below.
We utilise “cookies” and other technologies to collect non-personally identifiable information from our website and from other websites that use our Service. Information gathered through cookies and web-server log files may include information such as the date and time of visits, the pages viewed, IP addresses, MAC address, links to/from any page and time spent at our site.
We use cookie data to measure web traffic and usage activity on our website for purposes of monitoring, troubleshooting and improving our website and the Service, to look for possible fraudulent activity, and to better understand the sources of traffic and transactions on our website and the websites of merchants that use our Service. Cookies also allow our servers to remember your account information for future visits and to provide personalized and streamlined information across related pages on our website and also across other websites or applications that use the Service.
When you call us on the telephone, we may monitor and, in some cases, record the telephone conversation for staff training and record-keeping purposes. Further, when we communicate with you by email, we may use technology to identify you so that we will be in a position to know when you have opened the email or clicked on a link in the email.
5. How do we store personal information?
We store your personal information in a number of ways including:
- in electronic systems and devices;
- in telephone recordings;
- in paper files; and
- document retention services off-site.
This may include storage on our behalf by third party service providers. See our comments below about how we protect your personal information.
6. How we use the personal information we collect
How we use the personal information we collect about you depends on your relationship with us. In general, the personal information provided to us is used for such purposes as:
- to provide the Service;
- to manage our ongoing relationship with you;
- to administer, process and audit private health claims and pay benefits if you have an insurance product with an Insurer;
- to verify your identity, accounts or activities, to monitor or identify risks of suspicious or fraudulent activities;
- to process payment transactions and keep you advised as to the status of a payment; and
- to respond to your inquiries, resolve disputes and provide support.
Medipass may use your personal information for the purposes of verifying your identity, ensuring that you are approved and eligible to access an Insurer’s scheme and to raise claims on your behalf.
Medipass may use your personal information for such purposes as allowing you to book medical appointments, obtain quotes, process health claims and payments, verify your identity and communicate with you about transactions.
When you make a booking, obtain a quote or process a health or payment transaction, we may communicate certain information with the selected Practitioner, your Insurer and your payment card financial services organisation. We use this information as part of the health quote, health claim and payment process.
Direct marketing involves communicating directly with you for the purpose of promoting our Service or the goods or services of a third party organisation. From time to time, we may use your personal information for marketing purposes. This includes sending you updates about new products and services that we or third party organisations are offering. When we contact you, it may be by mail, telephone, email, SMS or through any other means. When we use your personal information for the purpose of marketing, we will:
- allow you to ‘opt out’ or in other words, allow you to request not to receive further direct marketing communications of the relevant type; and
- comply with a request by you to ‘opt-out’ of receiving further communications of that type within a reasonable timeframe.
You may ask to be removed from our marketing lists for any or all types of direct marketing at any time by contacting us. You can unsubscribe from our direct marketing, or change your contact preferences, by either contacting us at firstname.lastname@example.org or using the unsubscribe feature for email or SMS communications. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations.
7. What Information do we share with third parties?
- with service providers, contractors, affiliates, agents, related bodies corporate and business partners who are working with us in connection with the operation of the Service;
- with Insurers with whom you have a relationship, for submitting quotes and claims, receiving payment, managing communications, if you make a complaint, providing and sharing information with Insurers including documents uploaded by you to the Service (e.g. capacity certificate) and related purposes;
- for private health insurance, with HICAPS Pty Ltd who connect to Insurers in order to process your claim;
- with financial institutions and payment processors including banks such as the National Australia Bank Limited and non-bank financial institutions in the course of processing transactions;
- with financial institutions, anti-fraud organisations and law enforcement agencies for the purposes of identifying and preventing fraud, money laundering, terrorist financing and other financial crimes;
- with verification and credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information such as members of the Equifax group (“Identification Bureau”);
- with the Commonwealth Attorney-General’s Department to access its Document Verification Service to verify that any identity verification documents provided to us match the official record data;
- when you give us your consent to do so, including if we notify you that the information you provide will be shared in a particular manner and you provide such information;
- when we are lawfully authorized or required to do so or where doing so is reasonably necessary or appropriate to comply with the law or legal processes or to respond to legal authorities, including responding to lawful subpoenas, warrants or court orders;
- in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition, or in any other situation where personal information may be disclosed or transferred as one of the business assets of us; and
- otherwise as permitted or required by law.
Medipass may disclose personal information it collects about you to third parties for a variety of purposes in connection with providing its Service. We may also disclose personal information that has been updated or changed (such as an updated address or contact information) to third parties for a variety of purposes in connection with providing its Service.
We may share Individual contact information, but not the Individual’s payment or health fund account information, with Practitioners as part of appointment booking or health claim and payments transaction processing.
If we undertake checks to verify your identity, we may disclose your name, address, date of birth and any personal information collected by us to an Identification Bureau, who will assess whether the information you provide matches the information held by the Identification Bureau and/or in third-party databases (such as Medicare, Drivers’ License authorities or Births, Deaths and Marriages). If we seek to verify your identity, you authorize the Identification Bureau to use the information provided by us in addition to its own information and/or to access third-party information as your agent, to make its assessment and undertake the checks to verify your identity. We may also contact the issuer or official record holder of any identity verification documents you provide us to verify that these match the official record data by using the Document Verification Service provided by the Commonwealth Attorney-General’s Department. This document check may involve an approved third-party system or service.
Where we disclose your personal information to third-parties we will use reasonable endeavors to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Australian Privacy Principles under the Privacy Act.
8. How do we protect personal information?
Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to ensure that your personal information is accurate, complete, up-to-date, relevant and stored securely. We also take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss and unauthorised access, modification or disclosure. These include:
- using appropriate information technology and processes;
- restricting access to your personal information to our employees and those who perform services for us who need your personal information to do what we have engaged them to do;
- protecting paper documents from unauthorized access or use through security systems we deploy over our physical premises;
- using computer and network security systems with appropriate firewalls, encryption technology and passwords for the protection of electronic files;
- securely destroying or “de-identifying” personal information if we no longer require it subject to our legal obligations to keep some information for certain prescribed periods; and
- using strong encryption technology to safeguard the account registration process and sign-up information.
Although we take reasonable measures to ensure the security of personal information stored by us, we cannot guarantee that they are absolutely secure from malicious third-party circumvention of security measures on our electronic resources (including our website and app), whether those resources are at any of our premises or those of our service providers. You submit information over the Internet at your own risk.
Please note that third party recipients of personal information, including our service providers that provide the information, may have their own privacy policies and we are not responsible for their actions, including their handling of personal information. We cannot control the actions of other users with whom you share your information.
9. Does personal information leave Australia?
Our principal place of processing is Australia. Any sensitive information you provide to us and payments information is processed and stored exclusively in Australia.
However, subject to any agreements with Insurers, we may disclose personal information to our related bodies corporate, service providers, and processing partners, such as our help desk platform, that are located outside of Australia. Some of the third parties to whom we disclose your personal information are located outside of Australia. These countries may include New Zealand, the United States of America, Ireland or the United Kingdom.
We will only disclose personal information to an overseas recipient for the primary purpose for which it was collected, unless an exception applies under the Privacy Act. See “How do we use the personal information we collect?” above.
Except in some cases where we may rely on an exception under the Privacy Act, we will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in the Privacy Act in relation to such information.
10. Can I opt-out of providing personal information?
- we subsequently notify you of the intended disclosure and you do not object to that use or disclosure;
- we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions;
- to enforce our terms and conditions;
- to protect our rights;
- to protect the safety of members of the public and users of our Service; or
- we are required by law to disclose the information.
11. Notification of Data Breach
An “eligible data breach” arises when either:
- there is unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or
- information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.
If we become aware that there are reasonable grounds to suspect that there has been an “eligible data breach”, we will prepare a statement including:
- our identity and contact details;
- a description of the eligible data breach;
- the types of information concerned; and
- recommendations about the steps that you should take to protect yourself or mitigate harm.
We will provide this statement to the Privacy Commissioner and we will take steps to notify affected individuals directly or indirectly via a notice on our website.
12. Accessing and correcting personal information
We take reasonable steps to ensure that your personal information is accurate, complete and up-to-date. You may request access to the personal information we hold about you at any time by contacting our Privacy Officer by email at email@example.com or by post at PO Box 12257, A’Beckett Street, Melbourne, Victoria, 8006.
In certain circumstances, we may be unable to give you access to all of your personal information in our possession. Some of these circumstances include:
- where giving you access would compromise some other person’s privacy;
- where giving you access would disclose commercially-sensitive information of ours or any of our agents or contractors;
- where we are prevented by law from giving you access; or
- where the personal information you request relates to existing or anticipated legal proceedings.
If we are unable to give you access, we will consider whether the use of an intermediary is appropriate and would allow sufficient access to meet the needs of both parties.
Where we do grant access to your information, we may charge you a fee for accessing your personal information.
Under the Privacy Act, you also have a right to request that we correct information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.
If at any time you believe that personal information about you is inaccurate, out of date, incomplete, irrelevant or misleading, please advise us by contacting our Privacy Officer by email at firstname.lastname@example.org or by post at PO Box 12257, A’Beckett Street, Melbourne, Victoria, 8006, and we will take all reasonable steps to correct the information.
If we do not correct the information, you can also ask us to include with the information held, a statement from you claiming the information is not correct.
If there is a denial of access to your personal information or a dispute as to the correctness of any personal information held, we will provide you with reasons for the denial or refusal to correct the personal information. If you disagree with our decision for the denial or refusal to correct the personal information, you may request that we review the decision via our complaints handling procedures which are outlined below.
13. Complaints Handling Process
We are committed to resolving any complaint you may have. Complaints can be received in several different ways:
- in person;
- in writing;
- via email; or
- via our website.
Internal Dispute Resolution
Our representative will be in contact with you regarding your complaint and will let you know who will be assisting you, their contact details and the expected resolution date of your issue within 48 hours.
If the issue is a more complicated one, we may ask you for additional documentation to help resolve the issue. In turn, we will keep you updated on the progress of your complaint. We may provide you with information on how to contact an external dispute resolution scheme.
Customers may contact the Privacy Officer by any of the following means:
Mail: Attention: Privacy Officer
Medipass Solutions Pty Ltd
PO Box 12257, A’Beckett Street
Melbourne VIC 8006
In the unlikely event that your complaint remains unresolved to your satisfaction through the internal procedures outlined above, you may elect to contact the Office of the Australian Information Commissioner (OAIC) if you have a complaint about the way we handle your personal information at:
GPO Box 5218
Sydney NSW 2001
15. Contacting Us
If you have any further questions or concerns about the way we manage your personal information, including if you think we have breached the Australian Privacy Principles, please contact:
Medipass Solutions Pty Ltd
PO Box 12257, A’Beckett Street
Melbourne VIC 8006