About this Policy
We are committed to respecting the privacy of your personal information.
Certain disclosures of personal information between related bodies corporate do not have the same protection as disclosures to other persons.
The Service includes any website, application program interface (“API”), software, programs, documentation, tools, internet-based services and components, including those that interact directly using our service provider web claiming systems, Individual smartphone applications or indirectly via integrations with practice management systems, health funds, schemes, insurance agencies and their related systems (“Insurers”) or other partner services that allows you to book medical appointments, obtain quotes, process health claims and payments and communicate with us about transactions (collectively referred to as the “Service”).
- any other privacy or collection notice that we may provide to you when we collect your personal information or provide a particular product or service including the Service;
- any terms and conditions of use which govern your access to and use of each of our products and services or the Service; and
- our User Terms which can be found at https://medipass.com.au/user-terms
- someone involved in the provision of medical services who is permitted to access and use the Service (“Service Providers”);
- patients and consumers (“Individuals”); and
- other individuals whose personal information is collected by us during the conduct of our business,
collectively referred to as “you” or “Users”.
What is “personal information”?
How do we collect personal information?
We ordinarily collect personal information directly from you or where it is provided to us with your authority (e.g. from a person appointed to act on your behalf). We may also be required to collect personal information about you from a third party.
We will only collect personal information which is reasonably necessary for, or directly related to, our functions or activities.
The type of personal information we collect about you depends on your relationship with us.
As an Individual, the personal information you may provide to us includes your contact information (such as name, address, email address and phone numbers), date of birth and gender, insurer account details, Commonwealth identifiers (such as your Medicare number) and financial information (such as bank account, credit card details and income tier information) that is entered via our Service. We may also collect and hold sensitive information, such as your health claim details (including item codes you claimed for and the benefit you were paid) and health information in connection with your participation in the Service.
As a Service Provider, when you register for an account and use the Service, we collect the personal information you provide. The key personal information you may provide to us includes contact information (such as name, address, email address and phone numbers), Your practice business registration, company or practice name, Your registration details (such as provider numbers, Insurer accreditation information and modality registrations) and Government, Commonwealth and industry issued identification numbers to verify your identity for underwriting and identity validation purposes.
We may also collect personal information about you because we are required or authorised by law to collect it. For example, we may require personal information to verify your identity under Commonwealth Anti-Money Laundering law.
You may choose not to provide us with certain information, but then you may not be able to take advantage of the Service or certain features of the Service or facilitate the provision of, the products and services you request.
When you contact Tyro Health, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our Service, such as letting you know about upcoming changes or improvements.
Some Insurers require us to obtain and store your physical location when you are approving a claim. You are provided a choice as to whether you allow Tyro Health access to this information. By declining to provide your location, you may be unable to process a claim via the Service. If you opt in to location services, we may collect and process information about your actual location. This is used to process a claim, to search for nearby Service Providers and for fraud detection purposes. We use sensor data from your device including GPS, Wi-Fi, Bluetooth and mobile network towers to determine your location.
Third Party Information
In addition to the information you directly provide Tyro Health, we may collect additional information about you from third parties and other verification services such as credit bureaus and accreditation bodies in order to comply with legal or security requirements (for example, for identity verification). This information may be collected either directly using our Service Provider applications, Individual applications or indirectly via integrations with medical practice management systems, Insurer platforms or other partner services.
Insurers may provide information to Tyro Health about you, which is primarily used for the purposes of validating your membership credentials. For example, Tyro Health may receive your date of birth from Insurers to match against and validate your Tyro Health account access. Tyro Health may receive information on whether, as a Service Provider, you are approved and eligible to access an Insurer’s scheme and raise claims on behalf of patients. This information may include your provider number, practice location, modality and other personal information.
When adjudicating claims on your behalf, Tyro Health typically receives transaction data, such as the item codes you claimed for and the benefit you were paid for those services by your selected Insurer. The details of your transactions are received and stored by Tyro Health.
Personal information automatically collected
Tyro Health automatically receives and records information on our server logs from your browser or smartphone including your hardware model, operating system version, device identifiers, browser type, IP address, browser cookie information and the function you requested. We also collect and use information about your interactions with the Service in a manner and format that does not identify you as an individual (“non-personally identifiable information”). We may collect, use, and disclose the following types of non-personally identifiable information:
We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or smartphone app as part of a web or application page request, including the pages you visit, your browser add-ons, your browser’s or device’s width and height, and other information that assists us in improving the Service. We may collect and use this analytics information together with your personally identifiable information to build a broader profile of our Users so that we can serve you better, to improve the Service and for internal business purposes. We may disclose this combined information to our third-party business partners in aggregated, anonymised form as described below.
We utilise “cookies” and other technologies to collect non-personally identifiable information from our website and from other websites that use our Service. Information gathered through cookies and web-server log files may include information such as the date and time of visits, the pages viewed, IP addresses, MAC address, links to/from any page and time spent at our site.
We use cookie data to measure web traffic and usage activity on our website for purposes of monitoring, troubleshooting and improving our website and the Service, to look for possible fraudulent activity, and to better understand the sources of traffic and transactions on our website and the websites of merchants that use our Service. Cookies also allow our servers to remember your account information for future visits and to provide personalised and streamlined information across related pages on our website and also across other websites or applications that use Service.
When you call us on the telephone, we may monitor and, in some cases, record the telephone conversation for staff training and record-keeping purposes. Further, when we communicate with you by email, we may use technology to identify you so that we will be in a position to know when you have opened the email or clicked on a link in the email.
How do we store personal information?
We store your personal information in a number of ways including:
- in electronic systems and devices;
- in telephone recordings;
- in paper files; and
- document retention services off-site.
This may include storage on our behalf by third party service providers. See our comments below about how we protect your personal information.
How we use the personal information we collect
How we use the personal information we collect about you depends on your relationship with us. In general, the personal information provided to us is used for such purposes as:
- to provide the Service;
- to manage our ongoing relationship with you;
- administer, process and audit private health claims and pay benefits if you have an insurance product with an Insurer;
- to verify accounts and activities, to monitor suspicious or fraudulent activities;
- to process payment transactions and keep you advised as to the status of a payment; and
- respond to your inquiries, resolve disputes and provide support.
Tyro Health may use your personal information including your provider number, practice location, modality and other personal information for the purposes of verifying your identify, ensuring that you are approved and eligible to access an Insurer’s scheme and to raise claims on behalf of Service Providers.
As an Individual, the key personal information we have regarding you is used for such purposes as allowing you to book medical appointments, obtain quotes, process health claims and payments, verify your identity and communicate with you about transactions.
When you make a booking, obtain a quote or process a health or payment transaction, we may communicate certain information with the selected Service Provider, your Insurer and your payment card financial services organisation. We use this information as part of the health quote, health claim and payment process.
Direct marketing involves communicating directly with you for the purpose of promoting our Service or the goods or services of a third party organisation. From time to time, we may use your personal information for marketing purposes. This includes sending you updates about new products and services that we or third party organisation’s are offering. When we contact you, it may be by mail, telephone, email, SMS or through any other means. When we use your personal information for the purpose of marketing, we will:
- allow you to ‘opt out’ or in other words, allow you to request not to receive further direct marketing communications of the relevant type; and
- comply with a request by you to ‘opt-out’ of receiving further communications of that type within a reasonable timeframe.
If you do not wish to receive direct marketing information, you can contact the Privacy Officer using the contact details provided below, email firstname.lastname@example.org or you can click the unsubscribe link within the marketing emails you receive from us, and Tyro Health will take immediate steps to ensure that you do not receive any direct marketing information in future. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations.
What Information do we share with third parties?
- with service providers, contractors, affiliates, agents, related bodies corporate and business partners who are working with us in connection with the operation of the Service;
- with Insurers with whom you have a relationship, for submitting quotes and claims, receiving payment, managing communications, if you make a complaint, providing and sharing information with Insurers including documents uploaded by you to the Service (e.g. capacity certificate) and related purposes;
- with financial institutions and payment processors including banks and non-bank financial institutions in the course of processing transactions;
- with financial institutions, anti-fraud organisation’s and law enforcement agencies for the purposes of identifying and preventing fraud, money laundering, terrorist financing and other financial crimes;
- with verification and credit bodies or other approved third parties who are authorised to assess the validity of identification information (Identification Bureau);
- when you give us your consent to do so, including if we notify you that the information you provide will be shared in a particular manner and you provide such information;
- when we are lawfully authorised or required to do so or where doing so is reasonably necessary or appropriate to comply with the law or legal processes or to respond to legal authorities, including responding to lawful subpoenas, warrants or court orders;
- in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition, or in any other situation where personal information may be disclosed or transferred as one of the business assets of us; and
- otherwise as permitted or required by law.
Tyro Health may disclose personal information it collects about you to third parties for a variety of purposes in connection with providing its Service. We may also disclose personal information that has been updated or changed (such as an updated address or contact information) to third parties for a variety of purposes in connection with providing its Service.
We may share Individual contact information, but not the Individual’s payment or health fund account information, with Service Providers as part of appointment booking or health claim and payments transaction processing.
We may provide your name, address and date of birth to an Identification Bureau, who will assess whether the information you provide matches the information held by the Identification Bureau and complete certain checks to verify your identity. The Identification Bureau will use the information provided by us in addition to its own information, to make its assessment and undertake the checks to verify your identity.
Where we disclose your personal information to third-parties we will use reasonable endeavours to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Australian Privacy Principles under the Privacy Act.
How do we protect personal information?
Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to ensure that your personal information is accurate, complete, up-to-date, relevant and stored securely. We also take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss and unauthorised access, modification or disclosure. These include:
- using appropriate information technology and processes;
- restricting access to your personal information to our employees and those who perform services for us who need your personal information to do what we have engaged them to do;
- protecting paper documents from unauthorised access or use through security systems we deploy over our physical premises;
- using computer and network security systems with appropriate firewalls, encryption technology and passwords for the protection of electronic files;
- securely destroying or “de-identifying” personal information if we no longer require it subject to our legal obligations to keep some information for certain prescribed periods; and
- strong encryption technology to safeguard the account registration process and sign-up information.
Although we take reasonable measures to ensure the security of personal information stored by us, we cannot guarantee that they are absolutely secure from malicious third-party circumvention of security measures on our electronic resources (including our website and app), whether those resources are at any of our premises or those of our service providers. You submit information over the Internet at your own risk.
Please note that third party recipients of personal information, including our service providers that provide the information, may have their own privacy policies and we are not responsible for their actions, including their handling of personal information. We cannot control the actions of other users with whom you share your information.
Does personal information leave Australia?
Our principal place of processing is Australia. Any sensitive information you provide to us and payments information is processed and stored exclusively in Australia.
However, subject to any agreements with Insurers, we may disclose personal information to our related bodies corporate, service providers, and processing partners, such as our help desk platform, that are located outside of Australia. Some of the third parties to whom we disclose your personal information are located outside of Australia. These countries may include the United States of America, Ireland or the United Kingdom.
We will only disclose personal information to an overseas recipient for the primary purpose for which it was collected, unless an exception applies under the Privacy Act. See “How do we use the personal information we collect?” above.
Except in some cases where we may rely on an exception under the Privacy Act, we will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in the Privacy Act in relation to such information.
Can I opt-out of providing personal information?
- we subsequently notify you of the intended disclosure and you do not object to that use or disclosure;
- we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions;
- to enforce out terms and conditions;
- to protect our rights;
- to protect the safety of members of the public and users of our Service; or
- we are required by law to disclose the information.
Notification of Data Breach
An “eligible data breach” arises when either:
- there is unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or
- information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.
If we become aware that there are reasonable grounds to suspect that there has been an “eligible data breach”, we will prepare a statement including:
- our identity and contact details;
- a description of the eligible data breach;
- the types of information concerned; and
- recommendations about the steps that you should take to protect yourself or mitigate harm.
We will provide this statement to the Privacy Commissioner and we will take steps to notify affected individuals directly or indirectly via a notice on our website.
Accessing and correcting personal information
We take reasonable steps to ensure that your personal information is accurate, complete and up-to-date. You may request access to the personal information we hold about you at any time by contacting our Privacy Officer by email at email@example.com or by post at Level 18, 55 Market Street Sydney NSW 2000.
In certain circumstances, we may be unable to give you access to all of your personal information in our possession. Some of these circumstances include:
- where giving you access would compromise some other person’s privacy;
- where giving you access would disclose commercially-sensitive information of ours or any of our agents or contractors;
- where we are prevented by law from giving your access; or
- where the personal information your request relates to existing or anticipated legal proceedings.
If we are unable to give you access, we will consider whether the use of an intermediary is appropriate and would allow sufficient access to meet the needs of both parties.
Where we do grant access to your information, we may charge you a fee for accessing your personal information.
Under the Privacy Act, you also have a right to request that we correct information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.
If at any time you believe that personal information about you is inaccurate, out of date, incomplete, irrelevant or misleading, please advise us by contacting our Privacy Officer by email at firstname.lastname@example.org or by post at Level 18, 55 Market Street Sydney NSW 2000, and we will take all reasonable steps to correct the information.
If we do not correct the information, you can also ask us to include with the information held, a statement from you claiming the information is not correct.
If there is a denial of access to your personal information or a dispute as to the correctness of any personal information held, we will provide you with reasons for the denial or its refusal to correct the personal information. If you disagree with our decision for the denial or refusal to correct the personal information, you may request that we review the decision via our complaints handling procedures which are outlined below.
Any complaints should be directed to the Privacy Officer in the first instance at email@example.com. If you believe Tyro Health has not adequately dealt with your complaint, you may complain to the Privacy Commissioner, details of which can be found at www.oaic.gov.au.
If you are an individual in the EU, you may lodge a complaint with your local data protection supervisory authority within the European Union if your complaint has not been adequately dealt with by Tyro.
We will review and respond to all complaints within a reasonable period of time. If you are not satisfied with our response, to the extent permitted by applicable law, you may take your complaint to the applicable regulator in your jurisdiction.
We may change this Policy from time to time for any reason without prior notice to you to reflect changes in our personal information handling practices. The up-to-date version of this Policy is located on Tyro Health’s website, www.tyrohealth.com. You will be notified of any changes to this policy by us uploading an updated version to this website.
We will indicate in the Policy when it was most recently updated. Please check this Policy and our website periodically to ensure that you are aware of any changes or updates.
If you have any further questions or concerns about the way we manage your personal information, including if you think we have breached the Australian Privacy Principles, please contact:
Phone: 1300 00 TYRO (8976) or +61 2 8311 4889
Mail: Level 18, 55 Market Street Sydney NSW 2000
If you are an individual in the EU, please contact the Privacy Officer to obtain details of Tyro Health’s representative for the purposes of the GDPR.