Statera Health Privacy Policy

Statera Health Pty Ltd ACN 685 763 544. Privacy Policy: Last updated 01/04/2026

1.      Definitions

  • APPs means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act.

  • Health Information is as defined by the relevant Health Record Law (where applicable) and includes any equivalent, substantively similar or corresponding terms applied by such applicable Health Record Law.

  • HPPs means the Health Privacy Principles set out in Schedule 1 of the Health Records Act 2001 (Vic).

  • Health Record Law means any applicable law or regulations (including decisions and guidance by relevant supervisory authorities) in force regulating the handling of Health Information including but not limited to the Privacy Act, the Health Records Act 2001 (Vic) and the HPPs.

  • Personal Information is as defined in clause 3 of this Privacy Policy.

  • Primary Purpose is as defined in clause 8 of this Privacy Policy.

  • Privacy Act means the Privacy Act 1998 (Cth).

  • Privacy Law means any applicable law or regulations (including decisions and guidance by relevant supervisory authorities) in force relating to data protection, privacy and/or the processing of Personal Information, including without limitation, the Privacy Act, the APPs, the Health Record Law and any codes of conduct, directives or orders issued or made pursuant to such legislation or regulations.

  • Privacy Policy means this privacy policy provided to you when you register as a patient of the practice and which may be accessed here.

  • Secondary Purpose is as defined in clause 8 of this Privacy Policy.

  • Sensitive Information is as defined in the Privacy Act, which includes Health Information.

  • we, us, our, our practice, ourselves means Statera Health Pty Ltd ACN 685 763 544.

  • you means a patient of our practice.

2.      Introduction

We have developed this Privacy Policy to protect patient privacy in compliance with the Privacy Law and Health Record Law. This Privacy Policy describes our policy relating to:

  • the kinds of information that we collect and hold, which, as a medical practice, will include Personal Information and Health Information;

  • how we collect and hold Personal Information and Health Information;

  • the purposes for which we collect, hold, use and disclose Personal Information and Health Information;

  • how you may access your Personal Information and seek the correction of that information;

  • how you may complain about a breach of the APPs and how we will deal with such a complaint; and

  • whether we are likely to disclose Personal Information to overseas recipients.

3.      What is Personal Information?

‘Personal Information’ referred to in this Privacy Policy consists of:

  • any information or opinion that identifies you or that will enable your identity to be reasonably ascertained. Personal Information can include your name and contact details such as your residential or postal address, email address, date of birth or your telephone number; and

  • any associated Sensitive Information (including Health Information) linked to your identity.

4.      What Personal Information do we collect?

The types of information that we may collect and hold include:

  • your name, address, date of birth, age, email, telephone number and other contact details;

  • Medicare number, DVA number and other government identifiers (although we will not use these for the purposes of identifying you in our practice);

  • health fund details;

  • the following Health Information about you for the purposes of the provision of health services:

    • notes of your symptoms or diagnosis and the treatment given to you;

    • your specialist reports and test results;

    • your appointment and billing details;

    • your prescriptions and other pharmaceutical purchases;

    • your genetic information;

    • your healthcare identifier;

    • any other information about your race, sexuality or religion, when collected by a health service provider; and

  • your credit card details to be held with our payment processor in accordance with clause 12.

If you provide us with Personal Information about other people (for example, family members, guardian or responsible person) then you confirm you have their consent to do so and will make them aware of the information contained in this Privacy Policy about how we will use their Personal Information.

5.      Sensitive Information

By acknowledging this Privacy Policy, you consent to us collecting, using and disclosing your Personal Information (including any Sensitive Information) described in clause 4 in accordance with this Privacy Policy and as permitted by the Privacy Law and Health Record Law.

6.      How do we collect Personal Information?

We will generally collect Personal Information:

  • from you directly when you provide your details to us. This might be via a face-to-face discussion or consultation, telephone conversation, questionnaire, registration form or online form;

  • from a person responsible for you (where it is not reasonable and practicable to obtain this information directly from you); and/or

  • from third parties where the Privacy Law, Health Record Law or other law allows it. This may include, but is not limited to, other involved healthcare professionals or members of your treating team, pathology and diagnostic centres, specialists, hospitals, the My Health Record system, electronic prescription services, Medicare, your health insurer and the Pharmaceutical Benefits Scheme.

For further details in relation to My Health Record, please see: https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/content/home

7.      Why do we collect, hold, use and disclose personal information?

As a general rule, we only collect, use and process Personal Information for purposes that would be considered relevant and reasonable in the context of the functions and activities of our practice. The purposes for which we use and disclose your Personal Information will depend on the circumstances in which we collect it. Whenever practicable, we will endeavour to inform you of why we are collecting your Personal Information, how we intend to use that information and to whom we intend to disclose it at the time that we collect your Personal Information.

In general, we collect, hold, use and disclose your Personal Information for the following purposes:

  • to provide health services to you;

  • to contact and communicate with you in relation to the health services being provided to you (including via electronic messaging such as by SMS, email, mail, phone or in any other lawful manner);

  • to comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation;

  • to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts and management of our ITC systems;

  • for consultations with other doctors and allied health professionals involved in your healthcare;

  • to obtain, analyse and discuss test results from diagnostic and pathology laboratories;

  • for identification and insurance claiming;

  • if you have a My Health Record, to upload your Personal Information to, and download your Personal Information from, the My Health Record system;

  • to disclose your Personal Information through an electronic transfer of prescriptions service;

  • to liaise with your health fund, government and regulatory bodies such as Medicare, the Department of Veterans’ Affairs and the Office of the Australian Information Commissioner (OAIC) (to address any issues or complaints should you make a privacy complaint to the OAIC), as necessary;

  • to establish, exercise or defend ourselves from any claims;

  • when required or authorised by law (e.g. court subpoenas); and

  • for internal research and analysis purposes of our practice to inform and assist us with developing our website, any marketing material and improving our services. In doing so, we may extract certain information from the Personal Information provided by you for data analysis purposes. This data will not be shared with any other person and is intended for internal use by our practice only.

8.      How is artificial intelligence used in our practice?

We use a digital note-taking platform based in Australia that employs artificial intelligence (AI) to assist in documenting your consultation. This platform records the conversation during your consultation to capture details and improve the quality of care. All data processing occurs locally within Australia and complies with the Privacy Law and Health Record Law.

In addition, we may use other services, including AI-based services, which may be based in Australia or overseas, to support our practice. These services may include, but are not limited to, cloud storage, data transfer, and telehealth.

For further information in relation to the third party software used and the international transfer of Personal Information, see clauses 9 and 10 below.

9.      Who do we disclose Personal Information to?

Subject to this clause 9, we do not share or disclose your Personal Information with third parties, except where it would be reasonable for you to expect us to use or disclose the information for the purposes described in clause 7 (Primary Purpose) or for another purpose (Secondary Purpose) provided that the Secondary Purpose is directly related to the Primary Purpose. This may include disclosing your Personal Information to the following types of third parties:

  • our third party service providers. These may include for example:

    • Xestro Pty Ltd ACN 620 603 009 (trading as Xestro). This is the practice management software used for our practice for patient management and clinical workflows. The data is stored and processed within Australia. For further information, please see: https://xestro.com/security/;

    • Zoho Corporation Private Limited (operating Zoho CRM). This is the customer relationship management software used by our practice including for the purposes of issuing questionnaires and forms to prospective patients and existing patients of the practice to collect the relevant Personal Information. The data is stored and processed in Australia;

    • Unlimited 4 Pty Ltd (operating Osher Digital). This is an AI-based service which provides integration services in respect of our practice management and customer relationship management software and assists our practice with streamlining its patient management and onboarding processes. The data is stored and processed in servers and databases located within Australia. All AI data analysis and workflow automation processes are run through services infrastructure that are hosted in Australia. For further information in relation to the main server used by Osher Digital to store the data provided by our practice, please see: https://aws.amazon.com/compliance/australia-data-privacy/;

    • Doxy.me Inc (operating doxy.me). This is the video platform that our practice uses to conduct remote telehealth consultations. This software is compliant with the Health Insurance Portability and Accountability Act (HIPAA), being a federal regulatory standard in place in the United States of America in relation to managing the security, privacy and integrity of Health Information. Your Personal Information will not be stored by doxy.me following the telehealth consultation. The doxy.me servers are used to establish the initial audio or video connection between our practice and yourself during telehealth consultations. Following this, all audio and video data will flow directly between our practice and yourself without passing through the doxy.me servers. All transmitted data are encrypted point-to-point. For further information, please see: https://help.doxy.me/en/articles/95911-security-and-privacy-overview and https://help.doxy.me/en/articles/3839200-where-are-doxy-me-servers-located;

    • Heidi Health Trading Pty Limited ACN 649 783 871 (operating Heidi AI Scribe). This is the digital and AI-powered clinical documentation tool referred to in clause 8 above which assists our doctors with transcription and note generation during and after consultations. Note that you may opt out of the use of AI Ambient Scribe recording during your consultation by informing our practice. For further information, please see: https://www.heidihealth.com/en-au/legal/privacy-policy;

    • CAKE.com Inc. (which operates Clockify). This is the time tracking software that we use to log time taken for consultations and to calculate billing hours. The data is stored in Australia. For more information, please see https://cake.com/privacy;

    • Microsoft Corporation (operating Microsoft 365 and Microsoft Teams). Microsoft Teams is a unified messaging, tasking and collaboration web platform used internally by the staff of our practice. The data in connection with the Microsoft 365 accounts of our staff members and the use of Microsoft Teams by our practice is stored and processed within Australia;

    • Tyro Health Pty Ltd ACN 615 345 536 (operating Tyro Health Online). This is the payment processor that we use to store details of credit cards saved on file and to process online payments to our practice. The data is processed and stored in Australia. For further information, please refer to clause 12 below and the privacy policy here: https://www.tyrohealth.com/privacy/privacy-policy/;

  • third parties where reasonably required to protect our rights, patients, systems and services (e.g. legal counsel, accountants, insurers, auditors and information security professionals and other professional advisors); and

  • any third parties to whom you have directed or permitted us to disclose your Personal Information.

Before we disclose any Personal Information to a third party, we take steps to ensure that the third party will protect Personal Information in accordance with the Privacy Law, Health Record Law and in a manner consistent with this Privacy Policy.

To the extent permitted by law, you acknowledge and agree that we are not liable in respect of any unauthorised access, misuse, loss, modification or disclosure of any Personal Information which has been transferred to a third party in accordance with this clause 9.

10.   International transfer

Your Personal Information and data will mainly be stored in data centres located in Australia. Some of the third parties to whom we disclose Personal Information are located outside of Australia.

Where we transfer your data outside of Australia and the jurisdiction to which your data is transferred does not maintain the same level of data protection as in Australia, we will take all reasonable steps to ensure that any overseas recipients of your data comply with the APPs and the HPPs and that your data is encrypted during transfer and storage. This may include entering into a data transfer agreement with the overseas recipient, incorporating provisions requiring the overseas recipient to comply with the Privacy Law and Health Record Law in Australia in relation to the data and that we are notified of any data breaches (or suspicions of data breaches) immediately and appropriate remedial action is taken.

You acknowledge and accept that there are inherent risks in electronic data storage and transmission, including potential unauthorised access, modification, or disclosure.

By providing your Personal Information to us, you consent that Personal Information relating to you may be transferred, stored or processed in the manner contemplated in clauses 9 and 10.

11.   How can you access and correct your personal information?

You have a right to seek access to, and correction of the Personal Information which we hold about you. We may charge you a reasonable fee for access if a cost is incurred by us in order to retrieve your information, but in no case will we charge you a fee for your application for access.

In some circumstances, we may still require retention of the original record despite having made corrections to the Personal Information.

In some circumstances, we may refuse to provide you with access to or correct your Personal Information including, but not limited to, where:

  • giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;

  • giving access would have an unreasonable impact on the privacy of other individuals;

  • the information relates to existing or anticipated legal proceedings, and the information would not be discoverable in those proceedings;

  • giving access would be unlawful; and

  • denying access is otherwise required or authorised by law.

If we refuse to provide you with access to or correct your Personal Information, we will provide you with an explanation in writing.

For our contact details, please refer to clause 19.

12.   How do we collect and manage your stored credit card details?

  • Credit card details are stored through our payment processor gateway via tokenisation. We do not have access to your underlying credit card details.

  • Your credit card on file details are used to process payments only for cancellation fees and otherwise work that has been discussed with you. This would include but is not limited to patient consultations, scripts, medication permit applications, replying to email or phone queries for medical advice, referral letters, documentation for third parties.

  • We will inform you every time we bill your credit card that is held on file.

  • We will delete your credit card details once you are no longer an active patient.

13.   Data security

Our staff are trained and required to respect and protect your privacy. We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure. This includes:

  • holding your information on an encrypted database and in secure cloud storage consistent with industry standards, which are only accessible by practice staff who have special access rights to such systems;

  • using industry-standard encryption technologies where practicable when transferring or receiving personal data (subject to clause 15 below);

  • robust access controls and malware protection in respect of devices used in our practice;

  • ensuring that all staff of our practice sign confidentiality agreements; and

  • subject to our obligations under the Health Record Law, all confidential paper documents are destroyed once no longer required/uploaded into our encrypted database.

14.   Anonymity and pseudonyms

The Privacy Law provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with our practice, except in certain circumstances, such as where it is impracticable for us to deal with you if you have not identified yourself.

It is our view that in the context of a medical practice this is largely impracticable and will impede the provision of your medical service.

15.   Can I opt-out of providing Personal Information?

If you do not wish to have your Personal Information used or disclosed in a manner described in this Privacy Policy, you can contact us. However, we may be unable to provide you with the relevant health services.

16.   Communication

We may at times correspond with you, other health professionals and relevant third parties in your care via email if there is no other practical secure method of communication. The recipient email server may be overseas. You consent to email communication and acknowledge that no data transmission over the internet via email communication can be guaranteed as completely secure. If you do not wish to have any correspondence via email you agree to inform Statera Health and are able to opt out of any email communication.

We may at times correspond with you via SMS, which include but may not be limited to appointment bookings and telehealth web links. You consent to SMS communication and acknowledge that SMS communication cannot be guaranteed as completely secure. If you do not wish to have any correspondence via SMS you agree to inform Statera Health and are able to opt out of any SMS communication.

To the extent permitted by law, you acknowledge and agree that we are not liable in respect of any unauthorised access, misuse, loss, modification or disclosure of any Personal Information communicated via email and SMS in accordance with this clause 16.

17.   Updates to this Privacy Policy

You acknowledge that this Privacy Policy will be reviewed and may be updated from time to time to take into account new laws and technology, changes to our operations and other necessary developments.

Any updates to this Privacy Policy will be reflected on our website and/or communicated to you via email or other means. You may also request a copy of the updated Privacy Policy from our reception.

18.   Privacy and websites

For the privacy policy in respect of our website, please see https://www.drsong.com.au/website-privacy-policy.

19.   Links to other websites

This Privacy Policy may contain links to other websites from time to time for the purposes of providing further information. We are not responsible for other websites’ privacy practices or website content and are not liable for any damages incurred by you in connection with the use of any third-party websites.

20.   Contact us

We are committed to protecting the privacy of your Personal Information. If you have questions or comments about privacy-related issues or about our administration and management of your Personal Information, please contact our Privacy Officer via email at reception@staterahealth.com.au or in person at Statera Health, Suite 12.6, Level 12, East Wing Tower, Epworth Eastern, 1 Arnold Street, Box Hill Victoria 3128.

You may also use this address to communicate any concerns or complaints that you may have regarding compliance with this Privacy Policy, or to correct any of your Personal Information. We will endeavour to respond to your communication within 30 days after the communication is made.

21.   Complaints

If you are dissatisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner:

  • Phone: 1300 363 992

  • Email: enquiries@oaic.gov.au

  • Fax: +61 2 9284 9666

  • Post: GPO Box 5218 Sydney NSW 2001

  • Website: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

22.   Governing law

You agree that this Privacy Policy and the Financial Policy are construed in accordance with and are governed by the laws in force in the State of Victoria, Australia.

You irrevocably submit to and accept the exclusive jurisdiction of any of the Courts of the State of Victoria or the Commonwealth of Australia and any courts of appeal from these courts.