Privacy Policy
Last Updated: 8 June 2025
CURA Medical Specialists (operated by The Trustee for HYT Services Trust, ABN: 49 386 238 906) is committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW).
1. About Us
CURA Medical Specialists is a multidisciplinary clinic providing specialist neurological and related medical services. We collect and manage personal information in order to deliver safe, effective healthcare and meet our legal and professional obligations.
2. What Information We Collect
We collect only the information necessary to provide medical care and meet our legal obligations. This may include:
- Personal details: Your name, date of birth, address, and contact details
- Health identifiers: Medicare, DVA, and private health fund details
- Health information: Referrals, medical history, investigations, clinical notes, treatment plans, and outcomes
- Communication records: Correspondence between you and our clinic (including emails, SMS, and phone records)
- Visual records: Clinical photographs, diagnostic images, or video consultations (with your consent)
- Financial information: Billing and payment details
3. How We Collect Information
We may collect your personal information when you:
- Visit our clinic for appointments or consultations
- Participate in telehealth consultations
- Submit information via our website (e.g. contact or intake forms)
- Communicate with us by phone, SMS, or email
- Are referred by another healthcare provider
- Complete patient questionnaires or assessment forms
We will always inform you when we are collecting your personal information and why, unless it is unreasonable or impracticable to do so.
4. Anonymity and Pseudonymity
Due to the nature of healthcare services, it is generally not possible for us to provide medical care anonymously or under a pseudonym. We require accurate identification for patient safety, continuity of care, and to meet our legal and professional obligations.
5. How We Use and Disclose Your Information
Primary Purposes: We use your information primarily to provide healthcare services, including diagnosis, treatment, referrals, and ongoing care management.
Secondary Purposes: We may also use or disclose your information for:
- Billing and payment: Submitting claims to Medicare, DVA, or private health funds
- Referrals and consultations: Sharing relevant information with other healthcare providers involved in your care
- Quality assurance: Internal review processes to maintain and improve our services
- Legal obligations: Mandatory reporting requirements (e.g. notifiable diseases, child protection, elder abuse)
- Emergency situations: Disclosure necessary to prevent serious threat to life, health, or safety
- Law enforcement: When required by law or court order
Your Consent: We will always seek your consent before disclosing your information for purposes beyond those listed above, except where authorised or required by law.
6. Use of Third-Party Services and Cross-Border Disclosure
We use third-party services where necessary for care delivery and clinic operations. These may include:
- Practice management system: Gentu (Australian-hosted, ISO27001 certified)
- Patient forms and intake: Snapforms (Australian-hosted)
- Appointment booking: HealthEngine (Australian-hosted)
- Communication platforms: SMS/email services
- Diagnostic providers: Pathology and imaging services
- Telehealth platforms: Video consultation services
- Payment processors: Secure billing systems
- Dictation and transcription services: AI-powered clinical documentation tools
Data Storage Locations: Our core clinical systems (practice management, patient forms, and appointment booking) store data within Australia to ensure compliance with local data sovereignty requirements.
Some specialised services may process data outside Australia, particularly:
- AI-powered dictation and transcription services (typically processed in the United States using de-identified audio data)
- Certain telehealth or communication platforms
- Payment processing systems
We ensure all third-party providers are bound by strict privacy and confidentiality obligations equivalent to Australian standards.
Your consent to overseas disclosure: Where services process identifiable data outside Australia, by using our services you consent to your personal information being disclosed to these overseas recipients for the purposes described above. For AI dictation services, audio is processed overseas in de-identified form to protect your privacy. We will inform you when your personal information is likely to be disclosed overseas and, where practicable, which countries are involved. You may withdraw this consent at any time, though this may limit our ability to provide certain services.
7. Website Usage and Online Data
Our website may collect limited personal information through contact forms. We also use basic website analytics tools and cookies to understand how users interact with our site.
Important: No medical data is stored in cookies or analytics tools. Any identifiable medical data submitted via the website is handled securely and separately from general website analytics.
8. Communication and Direct Marketing
We may contact you for:
- Appointment reminders: SMS, email, or phone calls about scheduled appointments
- Treatment follow-up: Post-appointment care instructions or check-ins
- Health education: Information relevant to your condition or general health (only with your consent)
- Practice updates: Important notices about our services or policies
You can opt out of non-essential communications at any time by contacting us directly.
9. Photography, Recording, Dictation, and Telehealth
Clinical Photography: We may take clinical photographs for diagnostic or treatment purposes with your written consent. These images are stored securely as part of your medical record.
Doctor Dictation and Ambient Recording: Our clinicians may use digital dictation or ambient AI-powered transcription services during consultations to create accurate clinical notes. These services may involve:
- Real-time recording of consultation conversations
- Cloud-based transcription processing (which may occur overseas using de-identified audio data)
- Temporary storage of audio recordings for processing purposes
Privacy protection in dictation: When dictation services involve overseas processing, patient identifying information is removed or obscured before transmission to ensure privacy protection during transcription.
Your rights regarding dictation: You will always be informed before any recording begins and have the right to decline. If you prefer not to have your consultation recorded, alternative note-taking methods will be used. Audio recordings are typically deleted after transcription, with only the written clinical notes retained as part of your medical record.
Video Consultations: Telehealth consultations may be recorded for quality assurance or training purposes only with your explicit consent. You will be clearly informed before any recording begins.
CCTV: Our clinic premises may have security cameras in common areas for safety and security purposes.
10. Research and Quality Improvement
We may use de-identified patient data for research, quality improvement activities, or teaching purposes. Individual patients cannot be identified from this data. If we wish to use identifiable information for research, we will seek your explicit consent.
11. How We Protect Your Data
Patient confidentiality and data security are core to our practice. We implement:
- Administrative safeguards: Staff training, access controls, and confidentiality agreements
- Physical security: Secure premises, locked filing systems, and restricted access areas
- Technical measures: Secure networks, regular system updates, and multi-factor authentication where available
- Regular reviews: Ongoing assessment and improvement of our security practices
Third-party providers: We use trusted, secure platforms including Gentu (practice management), Snapforms (patient forms), and HealthEngine (appointment booking) as our primary data processing partners. All are Australian-hosted and maintain their own robust security standards including encrypted data storage, ISO27001 certification (Gentu), and compliance with Australian privacy requirements.
Access to your information is limited to authorised staff and providers directly involved in your care.
12. Data Breach Notification
In the unlikely event of a data breach that may result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required under the Notifiable Data Breaches scheme.
13. Accessing or Correcting Your Information
You have the right to:
- Access your personal health information held by us
- Request correction of information that is inaccurate, incomplete, or out of date
- Request a copy of your medical records (fees may apply for copying and administrative costs)
Requests can be made by contacting us directly. We will respond within 30 days and handle all requests in accordance with the Australian Privacy Principles in a timely and respectful manner.
14. Data Retention
We retain medical records in line with our legal and professional obligations:
- Clinical records: At least 7 years from your last contact with us (adults) or until the patient turns 25 years of age (children)
- Patient forms and intake data: Retained as long as clinically necessary and in accordance with the above timeframes
- Audio recordings: Dictation recordings are typically deleted after transcription (usually within 30 days), with only written clinical notes retained. Any audio processed overseas is de-identified to protect patient privacy
- Account termination: If you close your patient account, forms data is removed from active systems within 14 days, with encrypted backup destruction within 30 days
- Longer periods may apply for certain conditions or where required by law
When records are no longer required, they are destroyed securely in accordance with professional guidelines and our service providers' certified data destruction processes.
15. Complaints and Concerns
If you have any concerns about your privacy or how your information is handled:
- Contact us directly using the details below - we are committed to addressing complaints promptly and respectfully
- External review: If unsatisfied with our response, you may lodge a complaint with:
  - Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
  - NSW Privacy Commissioner: www.ipc.nsw.gov.au
  - Health Care Complaints Commission (NSW): www.hccc.nsw.gov.au
16. Policy Updates
This privacy policy may be updated from time to time to reflect changes in our practice, technology, or legal obligations. We will notify patients of significant changes and encourage you to review this page periodically to stay informed.
Contact Information
Dr Hugh Stephen Winters
Principal Clinician
CURA Medical Specialists
Email: clinic@curaspecialists.com.au
Phone: 02 7906 8356
For privacy-related enquiries, complaints, or requests to access or correct your personal information, please contact us using the details above. Our Practice Manager can assist with administrative aspects of privacy requests.