EpiSoft Privacy Statement
EpiSoft Pty Ltd (EpiSoft) provides Software as a Service technology and clinical research services to healthcare professionals and clinical research organisations. EpiSoft is committed to protecting the personal and health information which it collects and holds in providing these services from inappropriate use or disclosure.
EpiSoft complies with applicable privacy and health information security laws in all jurisdictions where it operates and holds personal health information on behalf of its health professional customers.
This includes the Privacy Principles (including Health Privacy Principles) specified in the Australian and New Zealand Privacy Acts and their amendments, other Australian and New Zealand state and federal health records legislation and regulations for the responsible handling of personal and health information, and the United States standards for business associates set by the Health Insurance Portability and Accountability Act (1996) as amended.
These principles regulate the way that EpiSoft collects, uses, discloses, stores and shares personal and health information.
What do we collect?
EpiSoft collects personal information from registered users of EpiSoft (healthcare professionals, hospitals and other medical groups) when they access the EpiSoft program, including but not limited to:
• Email address
• Business address
• Phone numbers
• Registration numbers for the purposes of electronic claiming and prescribing
• Health professional accreditation
• Clinical role/specialty
• Years of experience (optional)
Some of this personal information may also be collected from people who: interact with us via our website and request a product brochure; make a product or service enquiry; order a product; request a trial of our product; correspond with us, including by email; call our Customer Enquiries line; make a complaint; or receive a visit from one of our representatives.
EpiSoft collects personal information from healthcare professionals and other registered users for a number of reasons, including to:
• determine the registered user’s access privileges and views of the EpiSoft System
• populate letters, prescriptions and other system-created documentation
• process billing and claiming
• facilitate clinical benchmarking with a network of health professional peers
• sell and deliver products and services
• respond to questions or requests for information
• send direct marketing material by email or post
• send out customer surveys or notify you of new releases
• enhance and improve our products and services
• keep a record of our dealings with each other
• comply with legal obligations
• analyse website utilisation and activity
• maintain an audit trail of health records
If you do not provide us with your personal information, we will not be able to provide these services. You can generally visit our website without telling us who you are or revealing other personal information; however, we do track general information about visitors to our website, including visiting domains and referring websites, for the purposes of marketing and analytics.
Personal information collected by EpiSoft will not be disclosed to third parties unless:
• you have given us your consent to do so;
• it is necessary for us to do so to fulfil the primary purpose(s) for which we collected your personal information;
• you would reasonably expect us to disclose it for a related purpose such as billing and claiming or for distribution of an electronic referral; or
The third parties with which EpiSoft will typically share such personal information include our authorised representatives and the service providers we use to conduct our business, functions and activities. These organisations may be involved in or conduct:
• mailing, shipping or courier operations
• legal, auditing, accountancy or other professional services
• insurance services
• billing and debt collecting functions and other outsourced business functions
Personal and health information about patients (patient records) is held in the EpiSoft system. EpiSoft does not collect this information directly, but provides services which enable its registered healthcare professionals and providers to enter it.
This information includes:
- Contact details
- Next of kin information
- Government identifiers such as Medicare and social security numbers
- Health fund information
- Advance care directives
- History of illnesses
- Current conditions, surgeries and medications
- Lifestyle (smoking, drinking, exercise, drugs)
- Progress notes by health professionals and observations
- Appointment and visit details
- Mental health diagnoses
- Histories including legal, mental health status, abuse
- Scores on assessments of issues such as suicide risk, drug and alcohol use, and mental health risk
- Test results, clinical trial data records, symptom diaries
- Medication and other clinical treatment records
- Adverse event records
EpiSoft’s registered users are required to seek the consent of their patients prior to the collection of such information and to inform them of how their personal and health information may be used or disclosed.
The accuracy and currency of patient records is the responsibility of the healthcare professional entering the records into the EpiSoft system, although patients using eAdmissions can update their information prior to each admission.
EpiSoft’s registered users manage access to the patient records they have entered into the EpiSoft program. This is typically done in consultation with the patient and is determined by which healthcare professionals are involved in providing healthcare services to the patient.
Healthcare professionals and other researchers may, however, for analysis purposes, be able to view de-identified and aggregated information that is stored in the EpiSoft system. This type of information does not identify the patient.
EpiSoft relies on its registered users to destroy or de-identify personal and health information in patient records when it is out of date or no longer needed for the purpose for which it was provided, unless a legal exception applies.
Cross Border disclosure
EpiSoft’s business operates in countries outside Australia, including New Zealand, Singapore, Hong Kong, China and the United States. Cross-border disclosures may occur if data is collected in one country but is hosted in another. EpiSoft’s databases (including those for its cloud-based services) are hosted in Australia, where personal and health information is held in accordance with the security standards set by the Australian Privacy Principles.
Personal or health information collected in Australia will only be disclosed to persons in countries outside Australia if this falls within the scope of the requested services, and then only to the minimum extent necessary to achieve this. Any such disclosure will be made in compliance with applicable Australian data protection and privacy laws, and only if EpiSoft reasonably believes that the information will remain subject to principles for the fair handling of information which are substantially similar to the applicable Australian privacy laws.
EpiSoft uses its own system-generated identifier. It does not adopt identifiers for patients that have been authorised under Australian law (such as Medicare numbers) as its own primary identifiers, although such identifiers may be stored.
Whenever it is lawful and practicable, patients will have the option of not identifying themselves, or of being identified by a pseudonym or by their initials (except in the case of eAdmissions, where the patient’s full name and date of birth are required for safe and reliable record matching in the hospital system).
EpiSoft has in place comprehensive security measures to protect personal and health information stored on the EpiSoft program, including:
- Encryption of all data in the database that could identify or re-identify a person;
- Encryption of the link between the database and the application;
- An audit trail of differential changes made to personal and health information on the EpiSoft system, including a record of deletions, additions and modifications with the detail of who made the change and when;
- Industry-standard methods for secure password creation and forgotten-password retrieval;
- Use of an additional token (passcode) for secure signing of documents, as required by some EpiSoft clinical communities;
- Government-certified (FortiGate) hardware firewalls, anti-spam and anti-virus filters;
- EpiSoft hardware located within a purpose-built secure Data Centre compliant with ISO 27001 security standards and ASIO T4 intrusion detection requirements;
- Detailed policies and procedures covering the obligations of EpiSoft and its Personnel (including employees, contractors and agents) in protecting your personal and health information from unauthorised use or disclosure. These policies and procedures include but are not limited to:
- All EpiSoft Personnel undergo regular training and in-services on their obligations with regard to information security and privacy
- All EpiSoft Personnel are required to sign a Confidentiality Agreement before being granted access to personal and health information
- All EpiSoft Personnel are only able to access personal and health information for the intended purpose of providing technical support and related services to end users of the EpiSoft System
- The sanctions imposed on EpiSoft Personnel who have been found not to comply with the Company’s policies and procedures.
Further information about EpiSoft’s security policies and procedures is available on request.
Accessing your personal information
EpiSoft will take all reasonable steps to ensure that personal information collected by it is relevant, accurate, complete and up-to-date.
EpiSoft does not collect personal health information from patients, but facilitates its secure management on behalf of its healthcare provider clients. EpiSoft’s responsibility with regard to the accuracy and completeness of health information which it manages on behalf of healthcare providers covers only data issues caused by a malfunction of the software or of the hardware upon which it resides. EpiSoft is not responsible for the accuracy, completeness and currency of any information entered by healthcare professionals or other client users.
EpiSoft’s registered users (such as healthcare professionals) and patients have a right of access to most personal and health information EpiSoft holds about them, and the right to correct or update such information. This right is subject to certain exceptions allowed by law.
To request access, please contact our Privacy Officer, whose contact details are set out below. All requests must: be in writing; state the name and address of the individual making the request; sufficiently identify the personal or health information to which access is sought; and specify the form in which the individual wishes the information to be provided.
We will need to verify your identity before responding to your request in writing, and we will process it within a reasonable time. We may charge you a reasonable administrative fee to process your request and will advise you of this fee before responding to your request.
As EpiSoft does not directly collect health information from patients, any patient access request will be managed in conjunction with the healthcare provider that collected the information. Please include the details of the healthcare provider who collected this data in any access or correction request. Prior to providing access, EpiSoft will involve the healthcare provider to verify identity, any limitations on access (such as a breach of third-party confidentiality) and other relevant considerations. For this reason, patients seeking patient records held by us are encouraged to direct enquiries for access to, or correction of, their personal or health information to their healthcare professional.
Queries and Complaints
The Privacy Officer, EpiSoft Pty Ltd, Suite 216, 20 Dale Street Brookvale NSW 2100 Australia
If we become aware of any ongoing concerns or problems, we will take these issues seriously and work to address these concerns with you. If, however, you are not satisfied with our response, you may make a complaint to the relevant authority in your country, including:
Australia: Office of the Australian Information Commissioner
Phone: 1300 363 992
New Zealand: Office of the Privacy Commissioner
Mail: PO Box 10094, Wellington, 6143
United States: US Department of Health & Human Services
Mail: 200 Independence Avenue, S.W., Room 509H, HHH Bldg., Washington, DC, 20201
EpiSoft may amend this policy from time to time, and we encourage you to check the website for the most current version.