top of page

Privacy Policy

Dr Megan Richardson Athelas Psychiatry
Introduction

This privacy policy provides information to patients and, where relevant, their families or carers, about how personal information, including health information, is collected, used, stored and disclosed within this practice.

Dr Megan Richardson, trading as Athelas Psychiatry, is committed to protecting patient privacy and managing personal information carefully, lawfully and respectfully.

This practice manages personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles. As a health service operating in the ACT, the practice also manages health information in accordance with the Health Records (Privacy and Access) Act 1997 (ACT), where applicable.

A copy of the Australian Privacy Principles is available from the Office of the Australian Information Commissioner at www.oaic.gov.au.

When you register as a patient of the practice, you provide information that allows Dr Richardson and authorised administrative staff to provide clinical care and manage the administrative functions of the practice. Only people who need to access your personal information for clinical, administrative, billing, legal or safety purposes will be able to do so.

If the practice needs to use or disclose your information for a purpose other than those described in this policy, we will seek additional consent unless the use or disclosure is otherwise required or authorised by law.


What is personal information and why do we collect it?

Personal information is information or an opinion that identifies, or could reasonably identify, an individual. Health information is a type of sensitive personal information.

Examples of personal information collected by the practice may include:

• your name, date of birth, address and contact details;

• Medicare details, pension or concession details, and billing information;

• emergency contact details;

• referral letters and reports from general practitioners, psychologists, schools, hospitals, specialists or other health professionals;

• personal, developmental, psychiatric, medical, family and social history;

• assessment information, diagnosis, formulation, treatment plans and clinical notes;

• medication information and prescribing history;

• information relevant to risk, safety, consent, capacity, family or carer involvement, and continuity of care;

• correspondence with you, your referrer, your general practitioner, your care team or other relevant people involved in your care.

Personal information may be collected from you directly, or from other sources where this is clinically appropriate and you have provided consent, or where collection is otherwise required or authorised by law.

This may include information from:

• general practitioners;

• psychologists or other allied health professionals;

• specialists or hospitals;

• family members, carers or guardians;

• schools or educational institutions;

• referrers or other members of your care team.

The practice collects personal information for the primary purpose of providing psychiatric assessment, treatment, management, correspondence, administrative support, billing and continuity of care.

The practice may also use or disclose personal information for secondary purposes that are closely related to the primary purpose, where you would reasonably expect this to occur, or where you have provided consent, or where the use or disclosure is required or authorised by law.


How your information may be used

Your personal information may be used for:

• providing psychiatric assessment, treatment, management and follow-up care;

• communicating with you about appointments, clinical care, referrals, prescriptions, letters, billing or administrative matters;

• communicating with your general practitioner, referrer, psychologist, allied health providers, specialists, hospitals or other members of your care team, where consent has been provided or where disclosure is otherwise required or authorised by law;

• preparing letters, reports, referrals, treatment plans or clinical correspondence;

• billing, payment processing, Medicare claiming and compliance with Services Australia / Medicare requirements;

• appointment reminders and other administrative communications by phone call, SMS or email;

• managing the practice, including record keeping, audit, information technology, accounting, payment processing and professional advice;

• responding to emergencies, serious risk, mandatory reporting obligations, subpoenas, court orders, warrants or other legal requirements;

• supporting continuity of care if a locum, supervisor, professional adviser, referrer or care team member needs relevant information, where consent has been provided where required, and where disclosure is clinically appropriate and legally permitted.


Dealing with us anonymously or under a pseudonym

You have the right to deal with the practice anonymously or under a pseudonym unless it is impracticable for the practice to provide care in that way, or unless the practice is required or authorised by law to deal only with identified individuals.

Because psychiatry involves assessment, diagnosis, prescribing, correspondence, Medicare billing and management of clinical risk, it will usually be necessary for patients to be identified in order to receive clinical care.


Sensitive information

Sensitive information includes health information and may also include information about racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions, membership of professional associations, criminal record, disability, family relationships and other sensitive matters.

Sensitive information will be collected, used and disclosed only:

• for the primary purpose for which it was collected;

• for a directly related secondary purpose that you would reasonably expect;

• with your consent;

• where required or authorised by law;

• where necessary to lessen or prevent a serious threat to life, health or safety;

• where otherwise permitted under the Privacy Act or other applicable law.


Children, young people, parents and carers

When care involves a child or young person, the practice may need to collect information from, and communicate with, parents, guardians, carers, schools or other treating professionals.

Information sharing will be managed according to the young person’s age, maturity, capacity, consent, safety needs, legal requirements and clinical circumstances.

Where clinically and legally appropriate, Dr Richardson may also support a young person’s privacy and confidentiality within their family system. There may be circumstances where information needs to be shared with parents, guardians, carers, other health professionals or relevant authorities, particularly where there are concerns about safety, risk, consent, capacity or legal obligations.


Third parties

Where reasonable and practicable, the practice will collect personal information directly from you.

In some circumstances, information may be provided by third parties, such as referrers, general practitioners, psychologists, hospitals, schools, family members, carers or other members of your care team. Where this occurs, reasonable steps will be taken to ensure that you are aware of the information collected, where appropriate and practicable.


When, why and with whom do we share your personal information?

The practice may share your personal information:

• with other healthcare providers involved in your care, including your general practitioner, referrer, psychologist, allied health providers, specialists, hospitals or other members of your care team, where consent has been provided or where disclosure is otherwise required or authorised by law;

• with a supervisor, locum, professional adviser, referrer or care team member where this is clinically appropriate, consent has been provided where required, and disclosure is limited to what is necessary;

• with third parties who work with the practice for business or administrative purposes, such as information technology providers, secure communication providers, payment processors, accounting providers, accreditation agencies, payment recovery services or professional advisers;

• when required or authorised by law, including in response to a subpoena, court order, warrant, mandatory reporting obligation or other legal requirement;

• when necessary to lessen or prevent a serious threat to a patient’s life, health or safety, or to public health or safety, and it is unreasonable or impracticable to obtain consent;

• to assist in locating a missing person;

• to establish, exercise or defend a legal or equitable claim;

• for the purpose of a confidential dispute resolution process;

• where there is a statutory requirement to share certain personal information, such as mandatory notification requirements;

• during the course of providing medical services, where disclosure is necessary for your care.

Only people who need to access your information will be able to do so.

Other than in the course of providing medical services or as otherwise described in this policy, the practice will not share your personal information with a third party without your consent unless required or authorised by law.

The practice will not use your personal information for direct marketing without your express consent. If you do consent, you may opt out of direct marketing at any time by notifying the practice in writing.


Overseas disclosure and technology providers

The practice uses secure technology providers to support clinical care, practice administration, billing, communication, telehealth and record keeping.

Some technology providers may store, process or provide technical support for information using infrastructure located outside Australia.

Where overseas storage, processing or technical access occurs, the practice takes reasonable steps to ensure that the provider handles personal information consistently with Australian privacy requirements and that appropriate privacy and security safeguards are in place.

Patients may review the privacy policies of relevant technology providers through those providers’ websites.


How do we store and protect your personal information?

Your personal information is stored in a manner that reasonably protects it from misuse, interference, loss, unauthorised access, modification or disclosure.

The practice uses secure practice management and clinical software, including Xestro and Halaxy, for appointment management, billing, correspondence and clinical record keeping.

The practice takes reasonable steps to use systems that are appropriate for handling health information and that have privacy and security controls suitable for Australian health care practice.

Paper information, if received, is securely stored and transferred into the practice management or clinical record system where appropriate. Paper documents are securely destroyed when no longer required.

Information, including letters and documents sent by email, is handled with reasonable care. The practice uses secure email services where possible. However, the practice cannot guarantee the security of third-party email platforms or servers used by patients, families or other professionals.

The practice uses email, fax, telephone and SMS to contact patients and providers. Where possible, the practice prefers to use Medical Objects or another secure healthcare communication platform for communication between health professionals.


Telehealth

Telehealth may be provided through Coviu or another secure telehealth platform suitable for clinical consultations.

During telehealth consultations, patients are asked to participate from a private location where possible. Dr Richardson may ask who is present and whether you consent to proceeding in that environment.

Patients are asked not to record consultations without prior discussion and consent. Dr Richardson will also inform you if any recording, transcription or AI-assisted documentation tool is proposed for use during a consultation.


Use of transcription and AI-assisted documentation tools

Dr Richardson may use secure health-specific transcription or AI-assisted documentation tools, including iScribe and/or Heidi, to assist with clinical note preparation.

These tools may transcribe part or all of the consultation and generate a draft summary of the information discussed.

The draft summary is reviewed by Dr Richardson before any note is entered into the clinical record. The transcript itself is not copied into the clinical record unless clinically required. The clinical record contains Dr Richardson’s clinical note, in the same way it would if notes were typed or written during the appointment.

Where these tools are used, you will be informed and your consent will be sought. If you do not wish an AI scribe or transcription tool to be used during your appointment, this will be respected.

Only the minimum necessary identifying information is used with these tools. Patients are not registered as users of these tools and will not be contacted directly by the transcription or AI documentation provider.


Data breaches

If the practice becomes aware of a privacy breach involving your personal information, reasonable steps will be taken to contain the breach, assess what has occurred, and reduce the risk of harm.

Where required under the Notifiable Data Breaches scheme, affected individuals and the Office of the Australian Information Commissioner will be notified.

The practice will also take reasonable steps to review the incident and improve systems or processes where needed.


Retention and destruction of records

Personal information is retained for as long as required for clinical, administrative, legal and professional purposes.

Health records are generally retained for at least seven years from the date of last contact for adult patients. For information collected when a patient was under 18 years of age, records are generally retained until the patient turns 25 years of age.

When personal information is no longer required, the practice will take reasonable steps to securely destroy or permanently de-identify it, unless the information must be retained for legal, clinical, administrative or professional reasons.


Access to your personal information

You may request access to personal information held about you, subject to certain exceptions under privacy law and health records legislation.

If you wish to access your personal information, please contact the practice in writing.

The practice will require appropriate identification before releasing personal information. Where the request is made by another person, written authority or evidence of legal authority may be required.

The practice will not charge a fee for making an access request. An administrative fee may be charged for providing copies of records or preparing information for release.

In some circumstances, access may be refused or limited, including where providing access would pose a serious threat to life, health or safety, would have an unreasonable impact on another person’s privacy, would breach confidentiality, would be unlawful, or where another legal exception applies.

If access is refused or limited, the practice will provide an explanation where required and appropriate.


Correction of personal information

The practice takes reasonable steps to ensure that personal information is accurate, complete and up to date.

If you believe that information held by the practice is inaccurate, incomplete or out of date, please advise the practice as soon as practicable.

Where appropriate, the practice will update or correct the information. If there is a disagreement about whether information should be changed, you may ask for a statement to be added to the record noting your view.


Policy review

This privacy policy will be reviewed regularly to ensure that it remains current and consistent with applicable privacy obligations.

The policy will be reviewed at least annually and updated on the practice website where applicable.

Important updates may also be provided directly to patients by email or another appropriate communication method.


How can you lodge a privacy-related complaint, and how will the complaint be handled?

The practice takes privacy complaints and concerns seriously.

If you have a privacy concern, please contact the practice in writing. The practice will review your concern and attempt to resolve it in accordance with the practice complaints resolution process.

You may also contact the Office of the Australian Information Commissioner. Generally, the OAIC will require you to give the practice time to respond before it will investigate.

Further information is available at www.oaic.gov.au or by calling the OAIC on 1300 363 992.

If your concern relates to a health service or health record in the ACT, you may also be able to contact the ACT Human Rights Commission.


Contact details

Please contact the practice with any questions about this privacy policy or the handling of your personal information.

Email: admin@drmeganrichardson.com

Typewriter
© Copyright Athelas Psychiatry 2026

We acknowledge the Ngunnawal and Ngambri peoples as the Traditional Custodians of this land, paying our respects to their Elders past, present, and emerging.

bottom of page