How to Write a Practice Privacy Policy

This video will run you through how to develop a privacy policy (and collection statement) for your practice. The policy is designed to cover all health and allied health practices.


Note: The template should not be copied word for word, but should instead be used as a template customised to your practice.


Why you need a practice privacy policy

Privacy and confidentiality are basic rights in our society. Safeguarding those rights with respect to an individual’s personal health information is our ethical and legal obligation as healthcare providers and workers, although doing so in today’s healthcare environment is increasingly challenging.

Having a privacy policy in place is a legal requirement, not just a guideline or recommendation. Your practice must have a privacy policy for the management of patient health information, and patients need to be informed about that policy. It is also a good idea for your staff to familiarise themselves with the policy’s content, because they will get questions from patients which they need to answer.

It is also worth noting that the Office of the Australian Information Commissioner (OAIC) has the power to conduct privacy investigations and audits. Organisations must provide their privacy policy to the OAIC upon request and make the policy available on their website, on a sign at reception, and wherever else they can.

What happens if you breach your privacy policy?

The Office of the Australian Information Commissioner recently issued a media release regarding its assessment of the privacy policies of around 40 general practices in Australia. Alarmingly, it found that very few practices were fully compliant, even though they had some sort of privacy policy in place. After such findings we should expect more investigations to come.

If you breach your patient’s privacy in any of the ways we cover in this video, you may open yourself up to litigation, complaints and other significant penalties. There is a civil penalty of up to $107 million for corporations (the owners of your practice), but as an individual staff member you are also liable for up to $340,000 if you are deemed responsible for causing a breach. A data breach occurs when personal information held by an organisation is lost, or subjected to unauthorised access, modification, disclosure or other misuse or interference.

What to include in your privacy policy

Guidelines on the Australian Privacy Principles (APPs) will assist general practices to meet their legal obligations in relation to the collection, use and disclosure of health information.

The APP privacy policy must contain the following:

  • The kinds of personal information the entity collects and holds
  • How the entity collects and holds such personal information
  • The purposes for which the entity collects, holds, uses and discloses personal information
  • How an individual may access their own personal information held by the entity and seek the correction of such information
  • How an individual may complain about a breach of the APPs or a registered APP code
  • How the entity will deal with such a complaint
  • Whether the entity is likely to disclose personal information to overseas recipients
  • If the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy

What to include in your collection statement

Practices must also have in place a collection statement, which contains prescribed information, including:

  • Identifying the practice and how to contact it (phone, email, postal address, fax, etc.)
  • The fact that information is collected
  • The circumstances in which information is collected
  • The fact that patients can access their own health information
  • The purpose for which the information is collected
  • Other organisations to which your practice usually discloses patient health information
  • Any law that requires the particular information to be collected
  • The main consequence for the individual if important health information is not provided
  • The existence of a supporting privacy policy

Please note, the above video combines a privacy policy and a collection statement in the one template.

If you have any questions please email: [email protected]

June Hannan

Founder/CEO, Pro Mentor Coaching

June Hannan has over 30 years’ experience in the health industry and is the CEO of Pro Mentor Coaching, which mentors and trains general practices on the best decisions concerning business challenges and opportunities. She is also Vice President of the AAPM Queensland Committee, Chair of the North Queensland Regional Advisory Committee for AIM, and has owned and operated two independent optical practices.
