Our Doctors in the practice may be contacted during normal surgery hours. If the GP is a with a patient, a message will be taken and the reception staff will advise you when it is likely that the doctor will return your call. Your call will always be put through to the GP in an emergency.

We do not accept any requests for clinical information over email since we are unable to assess and examine your condition properly.

For privacy and accuracy, test results are not provided over the phone by reception staff.

Your doctor will advise you on how to review your results, which may involve a follow-up appointment or telehealth consultation. Urgent or abnormal results will be followed up promptly by your GP.

Our practice is committed to preventative care. We may call or issue you with a reminder notice from time to time offering you preventative health services appropriate to your care. If you wish do not wish to be a part of this system, please let us know at reception or with your Doctor.

Our practice abides by the ten National Privacy Principles and ensures personal health information is held in strict confidence and only available to members of staff and authorised individuals.
We take your privacy very seriously and for this reason we:

• will not give out patient details or medical information over the phone or email

• will not disclose medical information to your partner or other family member unless specifically agreed

• will not disclose medical information of a child aged 14 or over to a parent unless specifically agreed

Please note that according to legislation and Medicare rules a child aged 14 or over may attend a GP alone and consent to normal medical treatment without the parents knowledge or consent.

We are always open to feedback from you about our service. We take your concerns, suggestions and complaints very seriously so that we can improve and become a better practice.

Please feel free to talk to your doctor or our receptionists. If you prefer to write to us, please email us at info@surryhillsdrs.com.au or leave a note at the reception.. Our practice will endeavour to respond to any suggestions within 24 – 48hours of receipt.

However if you wish to take the matter further and feel that you need to discuss the matter outside of the surgery there are several options available including contacting the (a) The Medical Registration Board (b) AMA or (c) Health Care Complaints Commission. You may ask our staff to provide the details of these organisations, or refer to see online information: www.hccc.nsw.gov.au.

Introduction

Our practice is committed to best practice in relation to the management of information we collect. This practice has developed a policy to protect patient privacy in compliance with the Privacy Act 1988 (Cth) (‘the Privacy Act’).  Our policy is to inform you of:

• the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Privacy Act;

• how we collect and hold personal information;

• the purposes for which we collect, hold, use and disclose personal information;

• how you may access your personal information and seek the correction of that information;

• how you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint;

• whether we are likely to disclose personal information to overseas recipients;

1. When and why is your consent necessary? 

When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.

2. Why do we collect, use, store, and share your personal information?

Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (eg staff training).

3. What personal information is collected? 

The information we will collect about you includes your:

• names, date of birth, addresses, contact details

• medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors

• Medicare number (where available) for identification and claiming purposes

• healthcare identifiers

• health fund details

4. Can you deal with us anonymously? 

You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.

5. How is personal information collected? 

Our practice may collect your personal information in several different ways.

• When you make your first appointment our practice staff will collect your personal and demographic information via your registration.

• During the course of providing medical services, we may collect further personal information. Information can also be collected through electronic transfer of prescriptions (eTP), My Health Record, eg via Shared Health Summary, Event Summary, and deidentified information via the local primary health network as part of the Australian Government Quality Improvement Practice Incentive Program.

• We may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment or communicate with us using social media.

• In some circumstances personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:

• your guardian or responsible person

• other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services

• your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary).

• Various types of images may be collected and used, including: 

• CCTV footage: Collected from our premises for security and safety purpose 

6. When, why and with whom do we share your personal information? 

We sometimes share your personal information: 

• with third parties for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy 

• with other healthcare providers (e.g. In referral letters) 

• when it is required or authorised by law (e.g. court subpoenas) 

• when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent 

• to assist in locating a missing person 

• to establish, exercise or defend an equitable claim 

• for the purpose of confidential dispute resolution process 

• When it is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification) 

• When it is provision of medical services, through electronic prescribing, My Health Record (e.g. via Shared Health Summary, Event Summary). 

Only people who need to access your personal information will be able to do so. Other than providing medical services or as otherwise described in this policy, the practice will not share personal information with any third party without your consent. 

We do not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent. 

7. Will your information be used for marketing purposes?

The practice will not use your personal information for marketing any goods or services directly to you without your express consent. If you do consent, you may opt out of direct marketing at any time by notifying the practice in writing. 

8. How is your information used to improve services?  

The practice may use your personal information to improve the quality of the services offered to patients through research, analysis of patient data for quality improvement and for training activities with the practice team 

We may provide de-identified data to other organisations to improve population health outcomes. If we provide this information to other organisations patients cannot be identified from the information we share, the information is secure and is stored within Australia. You can let reception staff know if you do not want your de-identified information included. 

9. How are document automation technologies used? 

Document automation is where systems use existing data to generate electronic documents relating to medical conditions and healthcare.  

The practice uses document automation technologies to create documents such as referrals, which are sent to other healthcare providers. These documents contain only your relevant medical information. 

These document automation technologies are used through secure medical software, Best Practice. 

All users of the medical software have their own unique user credentials and password and can only access information that is relevant to their role in the practice team. 

The practice complies with the Australian privacy legislation and APPs to protect your information. 

All data, both electronic and paper are stored and managed in accordance with the Royal Australian College of General Practitioners Privacy and managing health information guidance. 

10. How is your personal information stored and protected? 

Your personal information is stored as electronic records. Surry Hills Doctors stores all personal information securely.

Our electronic format is securely backed up by our servers onsite.

Surry Hills Doctors does not participate in saving real-time audio/visual recording, duplication, and storage of a consultation, including those via Telehealth or those conducted remotely. If this is required as case-by-case basis informed consent will be obtained prior to the consultation.

Our staff are trained and required to respect and protect your privacy. We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure. All staff and contractors have signed the confidentiality agreement.

11. How can you access and correct your personal information at the practice? 

You have the right to request access to, and correction of, your personal information. 

The independent practitioners and practice staff acknowledge patients may request access to their medical records. All requests from patients on accessing and correcting personal information must be put in writing via mail or email.  Please provide this to our receptionist, and the relevant independent practitioner(s)/practice will respond within a reasonable time (up to 30 working days). A fee will apply for us to provide a hard copy of your records.

The practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. Sometimes, we will ask you to verify your personal information held by the practice is correct and current. You may request we correct or update your information.To do this please contact via phone or email to info@surryhillsdrs.com.au.

12. How can you lodge a privacy-related complaint, and how will the complaint be handled at the practice?

We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have. We will then attempt to resolve it in accordance with the resolution procedure. 

Please mail or bring in a letter to: Surry Hills Doctors. Attn: Practice Manager, Shop 1, 28 Foveaux Street Surry Hills NSW 2010. Phone (02) 9057 9838, Fax (02) 9057 9839. We will aim for turnaround time of up to 30 days, where a written reply will be provided by the relevant independent practitioner and/or practice staff to address your complaint. Please write your reply address and contact phone number in your letter to facilitate this process. Alternatively, you may email to info@surryhillsdrs.com.au with a title that includes Attn: Practice Manager.

If you do not feel we have resolved your issue, you may also contact the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner will require you to give them time to respond before they investigate.  For further information visit www.oaic.gov.au or call the OAIC (Office of the Australian Information Commissioner) on 1300 363 992.  

13. Policy review statement 

Our privacy policy is regularly reviewed to ensure compliance with current obligations.  

If any changes are made: 

• They will be reflected on the website.

• Significant changes may be communicated directly to patients via email or other means.

Please check the policy periodically for updates. If you have any questions, feel free to contact us. 

Our practice has a zero tolerance policy for any form of aggressive or intimidating behaviour, verbal or physical.

Any person acting in an aggressive or intimidating manner in person will be asked to leave the premises immediately, or if this occurs over the phone, the phone call will be ended immediately.

Our practice may no longer continue to provide ongoing medical care to any person who engages in any form of aggressive or intimidating behaviour and their medical records will be transferred to another medical practitioner nominated by the patient.

For the Health and Well being of our Patients, the practice has a strict non-smoking policy. Smoking and vaping are not allowed within the practice or in the immediate vicinity. Your adherence to this policy would be appreciated.

Surry Hills Doctors– AI Use Policy

Current as of: 17 November 2025

Purpose

This policy outlines the responsible use of Artificial Intelligence (AI) systems at Surry Hills Doctors (SHD) by staff and independent contractors to meet the professional and legal obligations. AI tools are implemented to support clinical decision-making, streamline administrative tasks, and improve patient care — not to replace professional judgment.

Scope

This policy applies to:

• All employed clinical and administrative staff

• Independent contractors, including GPs, allied health professionals, and consultant

Types of AI used

AI systems may be used in the following categories:

• Generative AI (including AI Scribes):

  • Text-based systems (e.g., ChatGPT) for non-clinical writing, policy drafting, or summarisingde-identified clinical information

  • Voice-to-text or transcription tools that document patient encounters (AI Scribes)

Only approved systems that comply with Australian privacy law may be used.

Use of AI

– General Use Guidelines

• AI must be used to assist, not replace, human judgment.

• Any output from an AI system must be reviewed by the user before clinical or operational use.

• Use is permitted only for purposes approved by SHD, after careful review of that tool’s privacy approach, and only within the limits of the user’s professional role and training.

Use of Patient Data in AI systems

• All use of patient data with or by AI tools must comply with:

  • SHD’s Privacy Policy

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

  • Any state-specific legislation related to health data

Patient identifiable information must not be entered into public or non-approved AI platforms.

Principles for Responsible AI Use

When using AI, SHD aligns with the following principles, adapted from AHPRA and National Boards ethical frameworks:

A. Accountability

Staff and contractors must apply human judgement to any AI output and remain accountable for all decisions, actions, or documents generated with AI support. If using an AI scribe, the practitioner is responsible for checking the accuracy, completeness, and clinical relevance of record before it is finalised.

B. Understanding

All users must understand the capabilities and limitations of the AI tools they use. At a minimum, users must:

• Review the product information about an AI tool, including how it is trained, tested, intended use, limitations, and unsuitable clinical contexts.

• Understand how data is stored, where it is located, and whether it is used to retrain the AI

C. Transparency

Patients must be made aware when AI is used in their care (e.g. AI scribes), and practitioners must be transparent in how AI informs clinical decisions, and explain how the AI works, including its data collection and use of personal information.

D. Informed Consent

If AI tools record, transcribe, or assist in patient documentation, informed consent must be obtained from patients before use. This is particularly important in AI models that record private consultations as there may be legal implications if consent is not obtained before recording. The AI scribe should include an explicit consent requirement as an initial step before proceeding.

E. Ethical and Legal Compliance

All AI use must comply with relevant medical, ethical, and legal obligations, including proper documentation, informed consent, and professional boundaries. Users must ensure patient confidentiality and privacy of patient as required by privacy and health record legislation, by confirming that any data collected, stored, used and disclosed meets legal requirements, and patient’s privacy is not inadvertently breached. Users need to be aware if patient data is used/recorded to train AI model for future patients, and whether any identifiable patient data is retained in the learning database.

Procedures to Ensure Compliance and Safety

Aligned with AHPRA’s five principles:

A. Accountability

• Treat all AI scribe output as a draft and review it for accuracy during or immediately after the consultation.

• Only clinical staff and contractors may access Heidi Health.

• Each user must have their own account — shared logins are not permitted.

B. Understanding

Before an approved AI tool is used with patients, all staff and contractors must complete training covering:

1. How AI scribes support patient care as a supplementary tool

2. How the AI scribe records and transcribes consultations

3. How the AI scribe complies with Australian privacy law, including:

   • How data is collected and stored

   • Whether data is de-identified

   • How long data is retained

   • Whether it is stored in Australia

4. How to inform patients and obtain consent for AI use

C. Transparency and Informed Consent

Patients will be informed about AI use in their care through:

1. An AI scribe use statement in the new patient registration form

2. A signed consent form (paper or digital) before each consultation where AI is in use, with a copy saved to the patient’s file

D. Ethical and Legal Compliance

1. All approved AI tools must comply with Australian privacy law, the SHD Privacy Policy, and the Cyber Security Policy in force at the time.

2. The Practice Manager or Practice Principal will regularly review procedures and clinical notes to ensure patient safety and data accuracy.

Approval Criteria for an AI tool to be used in the Practice

Before approval, SHD will assess:

1. Whether the AI provider collects or retains any data

2. Whether data is identifiable or de-identified/redacted

3. If data is retained:

   • Is it encrypted?

   • Can SHD access it?

   • How long is it held?

   • Is it stored in Australia or overseas?

   • Are there proposed secondary uses of the data?

   • What cyber security measures are in place?

   • What is the provider’s breach response process, including notification and disengagement procedures?

Current approved AI tools in use

1. Heidi Health – AI scribe for clinical documentation

Approval Rationale:

Heidi Health only stores transcripts and notes. As patient speaks, Heidi transcribes patient’s words, and the audio immediately goes poof. No audio recordings are ever saved, ensuring there’s no hidden playback. SHD has set a mandatory timeframe for all data to be deleted within 3 days.

Data is de-identified, and Heidi Health does not have access to patient’s information. Before Heidi processes a session, they strip all data of personal identifiers, so it can’t be traced back. Patient’s data remains protected, and Heidi does not and will not contact patients for any purposes

Heidi Health’s servers stay strictly in Australia, keeping everything in line with data localisation requirements under regulations like GDPR. All patients’ information stays in Australia, protected by robust framework of Australia’s Privacy Laws. Heidi Health takes zero-tolerance approach to third-party access.

Heidi Health does not use any of patient’s data to train their AI.

To mitigate data breaches, Heidi implements the best-in-class infrastructure – think ISO27001, SOC2 and Cyber Essential compliant, while also being penetration tested every year. The architecture of their data storage also ensures that patients’ protected health information (PHI) is de-identified and processed separately to the rest of the transcript. All users, free or paid, are insured and receive the highest standard of compliance.

In the event of a data breach, Heidi Health follows a strict incident response protocol in compliance with ISO27001 and SOC2 obligations. Users will be promptly notified via email and in-app notifications. Heidi Health is committed to provide comprehensive support to affected users, including guidance on mitigating potential impacts and assistance with any necessary reporting to regulatory bodies.

Monitoring and Reporting

• The Practice Manager and Practice Principals may monitor AI use to ensure compliance.

• Any suspected misuse, privacy breach, or patient concern must be reported immediately to the Practice Manager.

• Breaches of this policy may result in disciplinary action, including termination of employment.

• Independent contractors are fully responsible and legally liable for their own AI use, including any privacy breaches, under Australian privacy law and their service agreement.

Policy Review Statement

This policy will be reviewed regularly to ensure it reflects the current processes and procedures of SHD and current legislation requirements.

Our practice is mindful that even if patients have provided electronic contact details, they may not be proficient in communicating via email and patient consent needs to be obtained before engaging in electronic communication via email. Communication with patients via email is conducted with appropriate regard to privacy.