Privacy Policy

Introduction

This privacy policy is issued by Hugo eHealth and its related entities, trading in their own capacities (‘we’, ‘our’ or ‘us’). It sets out how we collected, handle and protect the personal information of any individuals (referred to as ‘you’ or ‘your’) who accessed and used our online and phone platform to connect patients (or potential patients) with independent healthcare professionals and organisations for telehealth medical consultations.

If you use our eHealth mobile application, you should review the privacy policy located here. If you use any of our other products or services, you should review Hugo eHealth’s general privacy policy located here.

Privacy Act

A major compliance requirement is the Privacy Act (1988). As a general rule, the Privacy Act applies to all companies that manage health-related private information, and to companies with a turnover of over $3,000,000 that maintain private information only. The Privacy Act sets out 13 Australian Privacy Principles (APPs):

  • APP 1 — Open and transparent management of personal information
  • APP 2 — Anonymity and pseudonymity
  • APP 3 — Collection of solicited personal information
  • APP 4 — Dealing with unsolicited personal information
  • APP 5 — Notification of the collection of personal information
  • APP 6 — Use or disclosure of personal information
  • APP 7 — Direct marketing
  • APP 8 — Cross-border disclosure of personal information
  • APP 9 — Adoption, use or disclosure of government related identifiers
  • APP 10 — Quality of personal information
  • APP 11 — Security of personal information
  • APP 12 — Access to personal information
  • APP 13 — Correction of personal information

Our collection, use and disclosure of personal information

The types of information we may have collected can include your:

  • name, contact details, age and sex;
  • nationality, racial or ethnic background, and sexual orientation and practices, if this is provided to us by your healthcare professional or as part of any triaging or administrative services we provide;
  • health information, including images and diagnostic information, if this was provided to us by your healthcare professional or as part of any triaging or administrative services we provided;
  • account usernames or passwords used to access Hugo eHealth or any integrated products or services;
  • financial information such as credit card or bank account numbers;
  • unique identifiers, such as your patient ID, Medicare number, or individual healthcare identifier;
  • usage information about your visit to our website and how you used our products and services;
  • records of your communications and interactions with us, or a healthcare professional you connected with, when using the Hugo eHealth Services;
  • location information;
  • prescription information, accessed during Telehealth Consultations; and
  • any other information that you, or a healthcare professional you connected with, provided to us directly.

We may have collected your personal information in the following ways:

  • you gave it to us when you or your representatives interacted with us (for example, when you sought to use or used the eHealth Services, or contacted us for help);
  • we captured the information when you used the eHealth Services, including when you contacted us through online services;
  • through telephone call recording, if you consented to any calls being recorded;
  • from our corporate customers such as health insurers, hospitals, health service providers, primary health networks, or employers, if they made the eHealth Services available to you;
  • from healthcare professionals who you connected with through the eHealth Services or who are otherwise involved in your treatment (such as a referring doctor), or a corporate entity that engages such a healthcare professional; and
  • as otherwise authorised or required by law, such as your My Health Record.

We may use, or have used, your personal information for a number of purposes, such as:

  • service provision – providing you with, and supporting the operation and functionality of, the eHealth Services (and in particular to have enabled us to connect you with healthcare professionals);
  • administration – properly managing the service we provided to you, such as by maintaining and updating our records and administering any charging or billing;
  • identity verification – where appropriate, to verify your identity;
  • communication – providing you with customer service, assisting you with enquiries and otherwise communicating with you for the purpose of your experience with the eHealth Services;
  • operations – monitoring network use, quality and performance, and operating, maintaining, developing, testing and upgrading our systems and infrastructure;
  • improvement – helping us to maintain, develop, evaluate and improve the eHealth Services and any integrated products or services;
  • as otherwise authorised or required by law.

We may share, or have shared, your information with:

  • healthcare professionals, providers or networks – who you connected with or sought to connect with through the eHealth Services, or who were otherwise involved in your treatment (such as a referring doctor or a specialist who you were referred to), or a corporate entity that engaged such a healthcare professional;
  • My Health Record – your My Health Record is an online summary of your health information, such as your medicines, allergies and your medical history. Hugo eHealth offers patients and their carers access to their My Health Record so they can see what health care providers have uploaded on their behalf and to help them make better informed decisions about their health and wellbeing. We may have uploaded your health summary to your My Health Record, if you or your representative provided your consent to this, or we were otherwise legally authorised or required to do so;

My Health Record

About My Health Record | OAIC

To cancel your My Health Record

You may cancel your My Health Record at any time. Log in to myGov to access your My Health Record. Or phone the My Health Record help line on 1800 723 471.

To control who accesses your My Health Record

Your My Health Record has access controls which you use to set which healthcare providers can access your My Health Record and what they can view.

For more information on setting privacy and access controls visit My Health Record or phone the My Health Record help line on 1800 723 471.

Can you decide what goes on your My Health Record?

If you don’t want a certain document added to your My Health Record, tell your healthcare provider. If they’ve already added it, you can ask them to remove it or can remove it yourself (log in to myGov, go to My Health Record).

At what age can you manage your My Health Record?

If you’re aged 14 and over, you have control of your My Health Record. Your parent or guardian is no longer authorised to access and manage the record. If you still want them to have access, you can make them a nominated representative.

For more information for young people and My Health Record visit My Health Record or phone the My Health Record help line on 1800 723 471.

Who has access to your My Health Record in an emergency?

In certain emergency situations, a healthcare provider can be given emergency access to your My Health Record. This overrides your access control settings and allows your healthcare provider to view all your health information, including any restricted document.

  • service providers – in some circumstances, certain third parties that assisted us in providing you with the eHealth Services (for example, IT and network service providers, or customer service providers) may have access to your personal information. Where we shared your information with a third-party service provider, we made sure that they first agreed to protect the privacy of your information;
  • government and regulatory authorities – such as law enforcement and national security agencies, and other government and regulatory authorities, if such disclosures are or were required or authorised by law;
  • buyers or prospective buyers – for the purposes of facilitating or implementing a transfer/sale of all or part of our assets or business;
  • our related entities; and
  • other third parties – if the circumstances warrant or warranted such a disclosure or share, but only where this is required or authorised by law.

The types of information we may have collected can include:

  • your name and contact details;
  • your qualifications and details of your professional experience, conduct and occupation/specialty;
  • your age, sex, nationality and languages spoken;
  • usernames or passwords used to access Hugo eHealth Services;
  • financial information such as credit card or bank account numbers, if you were responsible for payment of, or entitled to receive any, charges;
  • unique identifiers, such as your individual healthcare provider identifier;
  • usage information about your use of the Hugo eHealth Services and how you used any other integrated products and services;
  • records of your communications and interactions you have or had with us, or with patients you connected with through the Hugo eHealth Services;
  • location information; and
  • any other information that you provided to us directly, or that was provided to us by the business that employs or engages you.

We may have collected your personal information in the following ways:

  • we captured the information when you signed up with Hugo eHealth;
  • as otherwise authorised or required by law.

We may use, or have used, your information for a number of purposes, such as:

  • service provision – to provide you with, and support the operation and functionality of, the eHealth Services (in particular by having connected you with patients);
  • administration – to properly manage the eHealth Services and how we provided it to you, such as by maintaining and updating our records and administering any charging or billing;
  • identity verification – where appropriate, to verify your identity;
  • communication – to provide you with customer service, assist you with enquiries and otherwise communicate with you to enhance your experience with the eHealth Services and any integrated products or services;
  • operations – to monitor network use, quality and performance, and to operate, maintain, develop, test and upgrade our systems and infrastructure;
  • improvement – to help us maintain, develop, evaluate and improve the eHealth Services and any integrated products or services;
  • as otherwise authorised or required by law.

We may share, or have shared, your information with:

  • patients and other users of Hugo eHealth Services;
  • service providers – certain third parties that assisted us to provide you with the technical services (for example, IT and network service providers, or mailing operations and customer service providers). Where we shared your information with a third-party service provider, we made sure that they first agreed to protect the privacy of your information;
  • your employing/engaging business;
  • government and regulatory authorities – such as law enforcement and national security agencies, and other government and regulatory authorities, if such disclosures were or are required or authorised by law;
  • buyers or prospective buyers – for the purposes of facilitating or implementing a transfer/sale of all or part of our assets or business;
  • our related entities; and
  • other third parties – if the circumstances warranted or warrant such a disclosure or share, but only where this is required or authorised by law.

How we hold and secure your information

We may store your information in hard copy or electronic format, in storage facilities that we own and operate ourselves or that are owned and operated by our service providers. These facilities are situated in Australia and the data that we hold will not leave the country.

We take privacy and confidentiality very seriously and take reasonable steps to maintain the security of your information and to protect it from unauthorised use and disclosure. In doing so, we aim to ensure that any recipients of your information protect it in accordance with the Australian Privacy Principles.

You should be aware that your own email or devices may not be secure, so care should be taken with images and information sent or stored by you.

Access to third-party services

From time to time, we may have provided you with the opportunity to connect to other third-party services or products. We do not endorse these third-party services or products and you should review their corresponding terms and conditions and privacy policies before using any third-party service or product. We accept no liability in relation to third party services or products.

How to access or correct your information or make a privacy complaint

If you wish to access any of your information that we hold, or you would like to correct any errors in that information, please contact us using the contact details set out in the “How to contact us” section of this policy, so that we can respond to your request. We may apply an administrative charge for providing access to your personal information in response to a request.

You may also use these contact details to notify us of any privacy complaint you have against us, including if you think that we have failed to comply with the Australian Privacy Principles, any binding APP code that has been registered under the Privacy Act 1988 (Cth), or any other health records or privacy laws. While we hope that we will be able to resolve any complaints you may have without needing to involve third parties, you may also be able to lodge a complaint with a relevant regulator such as the Australian Information Commissioner (www.oaic.gov.au or 1300 363 992).

To notify us of any perceived privacy breach, please write to us by email at service@hugoehealth.com.au with the subject line "RE: Potential Privacy Breach for user of Hugo eHealth". Please include your username (which is your email address) and the approximate date and time that the breach occurred in your correspondence with us so we can more easily identify the potential breach concerned. You may also contact us via mail using the postal address: Level 3 HQ South Tower 520 Wickham Street Fortitude Valley QLD 4006.

Please include in your correspondence your username (email address) and the approximate date and time that you suspect the privacy breach has occurred.

Data breach notifications

In 2017 the Australian privacy legislation was changed to provide for mandatory data breach notification. This means that businesses need to notify affected individuals in the case of eligible data breaches which are likely to result in serious harm to the individual. Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Office of the Australian Information Commissioner (OAIC).

What is an eligible data breach?

An eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information
  2. This is likely to result in serious harm to one or more individuals
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

For more information on eligible data breaches read the OAIC’s draft fact sheet.

What does serious harm mean?

In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

In making an assessment of harm you need to consider the nature and sensitivity of the personal information, who has obtained or accessed the information, or who could obtain or access the information and the nature and consequences of the harm.

Notification process

In the event of an eligible data breach we will:

  1. Complete an assessment within 30 days of becoming aware of the breach
  2. Notify affected individuals and the Australian Privacy Commissioner as soon as is practicable.

The notification to individuals should include:

  • the identity of the organisation
  • the description of the breach
  • the kind of information concerned
  • any response the individual should make as a result of the breach.

How to contact us:

Email: service@hugoehealth.com.au

Postal Mail: Level 3 HQ South Tower 520 Wickham Street Fortitude Valley QLD 4006

Website: Contact – Hugo eHealth