EDOC Health Australia (“EDOC Health”, “we”, “us”, “our”) is a digital healthcare organisation providing telehealth and related services to patients in Australia. We take your privacy and the security of your health information seriously.

We may collect the following types of information:

• Identification information: name, date of birth, gender, contact details, address.
• Health information: medical history, medications, allergies, consultation notes, test results, diagnoses, treatment plans, referrals and other clinical information.
• Administrative and billing information: payment details, billing address, Medicare or other funder information where applicable.
• Technical information: IP address, device and browser type, access times and usage logs used to secure and improve the Platform.

Health information is considered “sensitive information” under the Privacy Act. We take additional steps to protect this information.

We collect information:

• Directly from you – when you create an account, book appointments, complete forms, participate in consultations, or contact us by phone, email, SMS or online;
• From treating clinicians – when they document consults or update your record;
• From other healthcare providers – such as your GP, specialists, pathology or imaging providers, pharmacies, where it is appropriate and lawful to do so;
• From technology systems – such as MediRecords, telehealth platforms, secure messaging systems and AI tools used to support documentation and workflow;
• From government or third parties – such as Medicare or health authorities, where legally permitted.

We collect, hold and use your personal and health information to:

• Provide safe, effective and appropriate healthcare to you;
• Maintain accurate clinical and administrative records;
• Arrange prescriptions, investigations, referrals and follow-up care;
• Coordinate care with other healthcare providers involved in your treatment;
• Manage billing, payments, funding claims and related administration;
• Monitor and improve the quality, safety and performance of our services;
• Meet legal, regulatory and professional obligations (e.g. AHPRA, Medicare, record-keeping laws);
• Conduct de-identified analytics, reporting and planning to support service improvement.

We may disclose your personal and health information to:

• Treating clinicians and other healthcare providers involved in your care;
• Pathology laboratories, imaging providers and pharmacies where requests or prescriptions are made;
• Secure messaging and digital health providers that transmit clinical information between providers;
• Government agencies, regulators or funding bodies where we are legally required or permitted (e.g. Medicare, AHPRA);
• IT service providers, hosting services, telehealth platforms and AI tools that support our systems and operations;
• Professional advisers such as lawyers, accountants or insurers where reasonably necessary and subject to confidentiality obligations.

Where we use external service providers, we take steps to ensure they comply with privacy and security standards appropriate for healthcare information.

EDOC Health may use AI-based tools, including Heidi AI Scribe, to assist clinicians in drafting and structuring consultation notes, summaries and certain clinical documents.

We manage privacy in this context by:

• Using systems that are required to meet appropriate data security standards;
• Ensuring clinicians review, edit and approve all clinical records before they are finalised;
• Minimising the use of identifiable information where feasible and consistent with clinical requirements.

If you have concerns or would prefer your consultation not to be processed with AI documentation tools, please speak with your clinician or contact us at admin@edoc.health.

We may send appointment confirmations, reminders and certain clinical communications via SMS or email, and may provide links to secure documents or portals using these channels.

You acknowledge that:

• While we take reasonable steps to protect electronic communications, SMS and email are not entirely risk-free;
• You should keep your contact details up to date and ensure only you (or authorised persons) have access to your devices and email accounts;
• You may request alternative communication arrangements where feasible, understanding this may limit some service features.

Your information is stored using secure electronic systems, including EHR and telehealth platforms, and may be hosted on servers within Australia or, in some cases, in other jurisdictions if compliant with Australian privacy requirements.

We take reasonable steps to:

• Protect your information from misuse, interference and loss;
• Prevent unauthorised access, modification or disclosure;
• Restrict access to authorised personnel on a need-to-know basis;
• Maintain appropriate technical and organisational safeguards.

If information is stored or processed overseas, we will take reasonable steps to ensure the recipient does not breach the APPs in relation to your information, or that comparable protections are in place.

You have the right to request access to personal information we hold about you, and to request corrections if you believe the information is inaccurate, incomplete or out of date.

To request access or correction, please contact:

• Email: admin@edoc.health (or the privacy contact listed on our website)

We may need to verify your identity before releasing information. In limited circumstances, we may refuse access where the law permits (for example, if providing access would pose a serious threat to someone’s life or safety). If we refuse access or correction, we will provide reasons.

If a data breach occurs that is likely to result in serious harm, and is deemed a “notifiable data breach” under the Privacy Act, EDOC Health will:

• Take immediate steps to contain and assess the breach;
• Notify affected individuals as soon as practicable; and
• Notify the Office of the Australian Information Commissioner (OAIC) where required.

We will provide information about the nature of the breach, the information affected (where known), and steps you may take to reduce the risk of harm.

We retain health records for the period required by law and clinical standards. This may include minimum retention periods (for example, many records are kept for at least seven years from the date of the last entry, or longer for children).

When information is no longer required and it is lawful to do so, we will take reasonable steps to destroy or de-identify it.

If you have a concern or complaint about how we handle your information, please contact:

• Email: admin@edoc.health
• Alternative: compliance@edoc.health

Please include details of your concern. We will acknowledge your complaint and aim to respond within a reasonable timeframe.

If you are not satisfied with our response, you may contact:

• Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au

We may update this Privacy Notice from time to time to reflect changes in law, technology or our operations. The updated version will be published on our website with a “Last updated” date.

We encourage you to review this page periodically. Continued use of our Services indicates your acceptance of any changes.