Privacy Notice
Bupa Best Doctors Virtual Care program is brought to you by Teladoc Health, Inc (“Teladoc Health”).
Teladoc Health Australian & New Zealand Privacy Policy
Effective 4/16/2024
1. Purpose
Teladoc Health Australia Pty Ltd (“Teladoc Health” or “we”
or “us” or “our”) is committed to maintaining compliance with all applicable laws related to the
confidentiality of personal information including, amongst others, the Australian Privacy
Principles set out in the Privacy Act 1988 (Cth), the Health Records Act 2001, and the New
Zealand Privacy Act 2020 (collectively “Applicable Law”), and complying with all contractual
requirements concerning privacy and confidentiality (“Privacy Requirements”).
The purpose of this Australian and New Zealand Privacy Policy (“Policy”) is to outline
Teladoc Health’ responsibilities with respect to the uses, disclosures, and handling of Personal
Information (“PI”) for its Australian and New Zealand based Medical Services.
2. Policy Owner
Privacy Officer
3. Scope
This Policy applies to the administration of Medical Services in Australian and New Zealand (“ANZ"). Medical Services (“Services”) are offered by Teladoc Health to eligible individuals (“Members”). The Services are designed to improve the quality of health care by connecting individuals (i) with treating physicians, (ii) with psychologists and/or (iii) jointly with their treating physicians with specialists who can provide medical service/guidance with respect to diagnoses and treatment plans. The Services include, but are not limited to, the following individual service lines: GP services, Expert Medical Opinion, Doc Online and Mental Health Navigator. This Policy applies to all full time, part time and temporary employees at Teladoc Health (“Employees”) involved in the administration of the ANZ based Services and that have access to Personal Information.Personal Information (“PI”) is defined as: any information or set of information relating to members, physicians, patients, and employees (individually “Individual” and collectively “Individuals”), including (a) all information that identifies that individual or could reasonably be used to identify such individual, and (b) all information that any Applicable Law treats as personal information, personal data, or similarly protected information, and (c) Sensitive Personal Information. Sensitive Personal Information shall mean Personal Information that is afforded extra protection and/or considered “sensitive” under Applicable Law, including, but not limited to: health information, biometric, genetic, sexual tendency, ethnic or racial origin, religious or political beliefs, salary, social security number, and credit card information.
4. Personal Information Collected
Teladoc Health collects Members’ Personal Information that is necessary to perform the Medical Services. The type and volume of Personal Information collected varies according to the type of Medical Service being provided. To the extent necessary, we collect the following Personal and Sensitive Personal Information.
Personal Information:
-
Demographic information, including name, address, phone number, date of birth, email address, IP address;
-
Identification information, including driver’s license or passport as necessary to verify identity;
-
Insurance policy number; or
-
Demographic information of Members’ relatives or friends who may legally represent the member (“Legal Representative”).
Sensitive Personal Information
-
Medical records, including medical history, treatment records, diagnostic testing, diagnostic imaging such as x-rays and CT-Scans, pathology samples, sexual orientation, etc.
5. How Personal Information (including Personal Sensitive Information) is Collected
We collect PI in the following ways:
-
Directly from the Member and/or the Member’s Legal Representative;
-
Directly from the Member’s treating physician upon authorization from the Member to collect medical records; and
-
From the Member’s insurance company or employer, solely as necessary to determine eligibility for Services.
Prior to the collection of PI, except as necessary to determine eligibility for Medical Services on behalf of Teladoc Health customers, we provide notice to the Member and obtain consent as required by law.
6. Purposes for Collecting, Using, and Disclosing Personal Information
The primary purpose for which Teladoc Health collects, uses and discloses Personal Information is to provide the Services to Members.
6.1 Uses and Disclosures Necessary to Provide the Medical Services
Teladoc Health may use and disclose PI as necessary to provide the Medical Services. Activities we perform to provide the Medical Services include:
-
Checking eligibility for Medical Services;
-
Collecting medical history and treatment information
-
Collecting medical history and treatment information
-
Assessing, diagnosing and treating Members as per our healthcare authorisations;
-
Engage Members and notify them of their eligibility for the Medical Services; and
-
To recommend hospitals and/or doctors to Members
6.2 Uses and Disclosures for Management and Administrative Purposes
Additionally, to the extent necessary to facilitate and/or perform the Medical Services, we will use and disclose PI as necessary for our own management and administration purposes (“Management and Administration”). Teladoc Health’s Management and Administration involves activities associated with operating and managing our business including:
-
Information security and privacy compliance;
-
Maintaining information technology systems;
-
Business development and planning;
-
Sending information related to changes to Medical Services or information that may be useful to Members;
-
Product development;
-
Quality assessment and improvement;
-
Training and managing personnel;
-
Reviewing competence or qualifications of health care professionals;
-
Legal services;
-
Auditing; and
-
Sales, transfer, merger, or consolidation of all or part of the company.
6.3 Disclosures to the Member (or his/her legal representative and/or individual’s involved in the Member’s care)
Teladoc Health will disclose PI it collects about a Member to the Member and/or the Member’s Legal Representatives after proper verification. Teladoc Health may disclose PI to an individual involved in the Member’s care pursuant to verbal or written permission from the Member. Verbal permission shall be documented by Teladoc Health in the appropriate information system or record.
6.4 Disclosures to Subcontractors
Teladoc Health may use trusted third party, including contractors and service providers (“Subcontractors”) to help perform the Medical Services. We may also use Subcontractors to assist us with our Management and Administrative functions. Examples of Subcontractors to who Best Doctors discloses PI include:
-
Teladoc Health healthcare experts (“Experts”) who provide Services;
-
Companies that host and administer our information technology systems; and
-
Current or future parent company, any subsidiaries, joint ventures, or other companies under a common control (“Affiliates”), in which case we will require our Affiliates to honor this Policy.
Before disclosure of any PI to a Subcontractor, Teladoc Health enters into an appropriate agreement with the Subcontractor that provides for the continued privacy and security of PI (“Subcontractor Agreement”).
Additionally, as part of its due diligence process and prior to disclosure of PI to a Subcontractor, Teladoc Health will use reasonable efforts to assess such third party’s compliance with privacy and security requirements. Prior to the signature of any contract with a Subcontractor that might have access to PI from Teladoc Health, approval from Legal, Privacy and IT Security Department needs to be obtained.
If Teladoc Health knows of a pattern of activity or a practice of the Subcontractor that constitutes a violation of the Subcontractor Agreement, Legal Department needs to be involved and will investigate. If Teladoc Health determines that a violation of the Subcontractor Agreement has or is occurring, Teladoc Health will a) terminate the agreement if the infringement is very serious and/or b) require the Subcontractor to takes steps to cure the breach or end the violation. If such steps are unsuccessful, Teladoc Health will terminate the Subcontractor Agreement if feasible.
Upon termination of a Subcontractor Agreement, the Privacy Officer will ensure that all PI held by the Subcontractor is either securely destroyed or returned to Teladoc Health.
6.5 International Data Transfer
Teladoc Health stores all Personal Information on servers and information technology systems located in ANZ.
Certain experts that we work with might be located outside of ANZ: United States Europe and Asia. Teladoc Health’ parent company and other subsidiaries (“Affiliates”) are located outside of ANZ. Some Administrative and Management functions that involve the use of Personal Information may take place at an Affiliate located outside of ANZ. These Affiliates are mainly in the European Union. The functions these Affiliates perform include legal, privacy and security, information technology management, and business management functions.
As such, Teladoc Health might, depending on the Medical Service, transfer Personal Information outside of ANZ. Prior to the transfer of Personal Information outside of ANZ, Teladoc Health will provide notice and obtain consent from Members and comply, if applicable, with appropriate legal requirements.
6.6 When Required by Law and for Public Policy
Under certain circumstances, Teladoc Health may use and disclose PI for the following purposes:
-
As required by law;
-
As necessary for public health activities (such as public health reporting, child abuse reporting, notification of exposure to disease or condition);
-
To report victims of abuse, neglect or domestic violence;
-
For health oversight activities;
-
For judicial and administrative proceedings;
-
To law enforcement officials; and
-
For health or safety.
Any use or disclosure of PI for any of the above purposes must be reviewed and approved by the Privacy Officer prior to making the use or disclosure.
7.Authorisations
Except as permitted in this Policy, Teladoc Health will not make any other uses or disclosures of PI without first obtaining a written authorisation from the Member (“Authorisation”). Teladoc Health obtains an Authorisation from Members to facilitate the collection of medical records from physicians and health care facilities.
8. Minimum Necessary
Teladoc Health makes reasonable efforts to limit the use, disclosure or request of PI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
9. Verification
Prior to disclosing PI to a person requesting such information (“Requestor”), unless the Requestor is known to Teladoc Health, Teladoc Health takes reasonable steps to verify the identity of the Requestor and the authority of the Requestor to have access to such PI. We verify identity in a number of different ways, including asking a series of questions or asking for a copy a driver’s license.
10. Sale of Personal Information
Teladoc Health does not request, receive or pay any cash or other remuneration in exchange for PI.
11. Security of Personal Information
Teladoc Health maintains a robust information security program. We have appropriate technical and organizational measures in place to protect Personal Information against unauthorized use or disclosure, damage or destruction. Such measures include but are not limited to:
-
Training staff on protection Personal Information;
-
Disposing of Personal Information in a secure manner;
-
Ensuring the physical security of the premises where Personal Information is processed;
-
Signing confidentiality agreements with employees, Subcontractors and clients;
-
Using effective password protection;
-
Encrypting or password protecting emails and other communications containing sensitive Personal Information;
-
Implementing a disaster recovery plan, that includes making backups of personal data;
-
Undertaking regular data security audits to detect errors and implement improvements; and
-
Retaining Personal Information for the amount of time needed to meet legal and compliance requirements, typically 10 years from the date the Medical Services are completed.
12. Member Rights
12.1 Access to Personal Information
Members have the right to obtain a copy of the Personal Information that Teladoc Health maintains about them.
12.2 Amendment to Personal Information
Requests by Members to amend the PI that Teladoc Health maintains, must be submitted to Teladoc Health in writing at the corporate address or email list below.
12.3 Questions and Complaints
All Members have the right to file a complaint with Teladoc Health or ask questions regarding our privacy practices. All Member complaints and questions shall be sent to Teladoc Health corporate address or email listed below. All Member complaints (once anonymized) and questions regarding Teladoc Health’s privacy practices shall be forwarded to the Privacy Officer (Cc. Legal International Department) for review and response. The Privacy Officer will review all complaints and questions and guide on the respond to the Member in a timely manner.
Any complaint that meets the definition of a Privacy Incident shall be handled pursuant to Section 13—Incident Response.
12.4 Contact Information
Members may initiate any of the right listed in this section by either mailing to the Teladoc Health Australasia corporate address or email to dataprotectionofficer@teladochealth.com.
Any such complaints, once anonymized by Teladoc Health, are to be forwarded to the following email address: PHI-Incident@teladochealth.com.
13. Incident Response
Employees must report all Member’s potential unauthorized uses or disclosures of PI (“Privacy and Security Incidents”), once anonymized, to the Privacy Officer at the following email address: PHI-Incident@teladochealth.com and copy Legal Department at: dataprotectionofficer@teladochealth.com. To report any Privacy and Security Incident please anonymized the case by removing Member’s personal identifiers (name surname, ID or insurance numbers, initials or date of birth, etc.). Should you have any question as per how to anonymized, please contact relevant departments.
The Privacy Officer will guide the investigation of all reported Privacy and Security Incidents involving relevant departments at Teladoc Health.
The Privacy Officer will document all aspects of the investigation of the Privacy and Security Incident and determine whether any notification to the Member, client and/or regulatory agency is required.
14. Policy Exceptions
Any exceptions to this Policy will be made on a case-by-case basis by the Privacy Officer after consultation with legal counsel, as appropriate.
15. Enforcement
All Teladoc Health Employees are required to comply with all company policies and standards. Failure to comply with any policy or standard is grounds for disciplinary action up to and including termination.