Privacy Policy - MediSecure

PRIVACY POLICY

MediSecure® is totally committed to protecting your privacy in the electronic prescription process it conducts of collecting, storing and transmitting your personal prescription data.

MediSecure® is highly aware that prescription information is sensitive and intensely personal to you, the patient, and you would only wish your doctor and pharmacist to be aware of the fact that the medicine had been prescribed and /or dispensed for you. MediSecure is fully compliant with the National and Victorian Privacy and health data principles and legislation.

The purpose of this Privacy Policy is to tell you what kind of information we may collect about you in the e-prescription process, how we may use that information and whether we disclose it to anyone. We also advise how long we will hold the information.

We want you to be fully informed about what information we have about you and what we do with that information. We also want you to understand that MediSecure has adopted the process and protocols that are included in Australian Technical Specification ATS4888 for electronic prescription messages.

For further information on these technical standards, you should go to the Standards Australia website and refer to the published documents that set out the prescription content, format, process and security required to meet the ATS4888 specifications.

1. What MediSecure Does

MediSecure® provides a safe, secure and simple electronic transmission of prescription system that has been approved by the Commonwealth of Australia as meeting the privacy and security requirements. The MediSecure e-prescription system links the doctors and pharmacists through a secure Script Vault where a prescription is held as an encrypted secure message until it is called for by the patient’s pharmacy dispensing system.

The MediSecure system prints a barcode on the paper prescription and this barcode links the paper prescription to the electronic prescription message.

2. Collection of Information

MediSecure® only collects non-personal information about your prescription. This transmission information, just like the delivery address and sender information on a traditional letter or parcel, is stored on the outside of the securely encrypted e-prescription message. It is placed outside the e-prescription during the encryption and authentication process before it leaves your doctor’s computer.

This information is necessary to identify your prescription (the barcode), the expiry date of your prescription, the source of the prescription (the doctor’s clinic) and the time and date the prescription was written. Before the information leaves your doctor’s computer to go to the MediSecure Script Vault®, it is encrypted and authenticated.

The secure information package (i.e., the prescription) is carried via the internet to the MediSecure Script Vault® where it is safely stored in a secure facility in Sydney, N.S.W.

This transmission information is the only information that MediSecure® collects from your prescription. The rest of the information that is written on the paper prescription remains

encrypted and is forwarded as an encrypted bundle to the pharmacy where you present your paper prescription.

The other piece of information held by MediSecure® is collected when your prescription has been dispensed at a pharmacy.

MediSecure® receives notification that this particular prescription has been filled, on what date and at which pharmacy. This dispense notification relates only to a prescription number. It does not directly relate to you.

MediSecure® does not collect any additional information about you.

3. Deletion of Personal Information

MediSecure® disposes of the unused e-prescriptions in the Script Vault® after the expiry date held on the outside of the secure e-prescription.

4. Use of Personal Information

MediSecure® does not make your personal information available in any form for any purpose other than to transmit your prescription from your doctor to the pharmacy you choose.

MediSecure® itself does not access or use the information it holds (except as detailed in 5. below. Its sole function is to transfer your prescription information from the doctor’s computer to the computer used by the pharmacist and to provide an audit trail of this process.

5. Use of Non-Identifiable Information

MediSecure® does not use your prescription information in any other way than that described.

MediSecure® may be required in the future to extract information that could be used anonymously but used for very limited purposes. The sole purpose for which MediSecure® would decide to release de-personalised data would be research purposes and then only to a limited number of institutions that are legally authorised to collect such information from the MediSecure Script Vault®.

Any information released by MediSecure® for research purposes will not contain your name or your address, it is anonymous data, aggregated with similar information, for analytical and statistical purposes only.

MediSecure® does not make your personal information available in any form for any purpose other than to transmit your prescription from your doctor to the pharmacy you choose.

6. Can MediSecure View Your Information?

MediSecure® has designed its system so that it cannot view any information inside the prescription message. All MediSecure® sees in practice is the transmission particulars of a prescription [the barcode, expiry date, source of prescription and time and date when the prescription was written], not to whom the prescription relates. This is the process set out in the Australian Technical Specification for electronic prescription messages.

We take this approach so that the prescription can only be linked to you when you attend your pharmacy-of-choice, and the doctor can be identified.

7. Disclosure

MediSecure® will disclose your information to the pharmacy you choose to visit to have your prescription filled. That applies to the initial prescription and all repeats.

MediSecure® may advise the prescribing doctor the prescription has been filled if the doctor requests that information.

MediSecure® will not disclose the information to any other person.

MediSecure has the capability to send prescription data to a third party electronic health record; this will only be done at your request. The electronic script is still held and processed by MediSecure in an encrypted format and cannot be viewed by MediSecure. MediSecure undertakes this transfer of your data in accordance with the rules and technical specifications as set out by the National eHealth Transition Authority and in accordance with the process determined by that Authority under the Person Controlled Electronic Health record legislation.

Your consent to do this must be obtained from and recorded by the doctor or pharmacist involved.

MediSecure® will comply with any laws or regulations in force from time to time requiring information to be disclosed.

8. No Sale of Personal Information

MediSecure® does not sell or receive payment for disclosing your personal information. The information will not be made available by MediSecure® for commercial purposes in any form.

9. Direct Marketing

Under no circumstances will MediSecure® access or use your personal information for the purposes of direct marketing of products and/or services in any form.

10. International Data Transfer

MediSecure® data is retained in the MediSecure Script Vault located in NSW Australia. Your data is not transferred to any third parties located offshore.

11. Security

MediSecure® operates a secure data transmission system that comes into operation from the time the information leaves the doctor’s computer until it arrives at the pharmacists’ computer. The information does not enter the control of any other party.

The MediSecure® system is of a standard that complies with the Australian Standards for the transmission of clinical data over the internet.

12. Complaints

If you have a complaint about how MediSecure® has collected or handled your personal

information, please contact our Privacy Officer (details under heading 13 below).

Our Privacy Officer will endeavour in the first instance to deal with your complaint and take any steps necessary to resolve the matter within a week.

If your complaint can not be resolved at the first instance, we will ask you to complete a Privacy Complaint Form, which details (for example) the date, time and circumstances of the matter that you are complaining about, how you believe your privacy has been interfered with and how would you like your complaint resolved.

Complaints process

We will endeavour to acknowledge receipt of the Privacy Complaint Form within five business days of receiving it and to complete our investigation into your complaint in a timely manner. This may include, for example, gathering the facts, locating and reviewing relevant documents and speaking to relevant individuals.

In most cases, we expect that complaints will be investigated and a response provided within 30 days of receipt of the Privacy Complaint Form. If the matter is more complex and our investigation may take longer, we will write and let you know, including letting you know when we expect to provide our response.

Our response will set out:

* whether in the Privacy Officer’s view there has been a breach of this Privacy Policy or any applicable privacy legislation; and

* what action, if any, MediSecure® will take to rectify the situation If you are unhappy with our response, you can refer your complaint to the Office of the Australian Information Commissioner or, in some instances, other regulatory bodies, such as the Victorian Health Services Commissioner or the Australian Communications and Media Authority.

13. Contacting us

Please contact MediSecure® if you have any queries about the personal information that MediSecure® holds about you or the way we handle that personal information. Our contact details for privacy queries are set out below.

Privacy Officer MediSecure

113/22 St. Kilda Road, St Kilda, VIC 3182

Phone: 03 8677 5500 Fax: 03 8648 5742 E: privacyoffice@medisecure.com.au

14. References

National Privacy Principles, from schedule 3 of the Privacy Act 1988 http://www.oaic.gov.au/privacy/privacy-act/national-privacy-principles

National Privacy Act 1988 http://www.comlaw.gov.au/Details/C2015C00089

Victorian Health and Information Privacy Principles http://www.dhs.vic.gov.au/about-the-department/documents-and-resources/policies,-guidelines-and-legislation/health-and-information-privacy-principles

Victorian Information Privacy Act 2000 http://www.legislation.vic.gov.au/Domino/Web_Notes/LDMS/PubStatbook.nsf/f932b66241ecf1b7ca256e92000e23be/4BE13AE4A4C3973ECA256E5B00213F50/$FILE/00-098a.pdf

Victorian Health Records Act 2001 http://www.legislation.vic.gov.au/Domino/Web_Notes/LDMS/PubStatbook.nsf/f932b66241ecf1b7ca256e92000e23be/E57A0A1DDCD389FBCA256E5B00213F4D/$FILE/01-002a.pdf

Victorian Privacy and Data Protection Act 2014 http://www.austlii.edu.au/au/legis/vic/num_act/padpa201460o2014317/

AMA Privacy and Health Record Resource Handbook https://ama.com.au/sites/default/files/documents/2014_privacy_health_record_resource_handbook_final_april_2014.pdf

Pharmacy Board of Australia, Codes and Guidelines http://www.pharmacyboard.gov.au/Codes-Guidelines.aspx

15. Changes to MediSecure Privacy Policy

This Privacy Policy was approved on the 16/12/2014. Should this Privacy Policy change in any way MediSecure® will publish the change here.

Visitors to our website are invited to check back from time to time to review any changes