Data Protection Policy

Introduction

Medi Elves Pty Ltd (“Medi Elves,” “we,” “our,” “us”) is committed to protecting the privacy, security, and integrity of your personal and health information. As a specialist medical billing service provider, we understand the sensitivity of the data we handle and operate in compliance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), the Health Records and Information Privacy Act 2002 (NSW), the US Health Insurance Portability and Accountability Act (HIPAA) where applicable, and the Electronic Transactions Act 2000 (NSW).

This Data Protection Policy outlines how we collect, store, process, secure, and dispose of data entrusted to us, ensuring that your information remains confidential and protected against unauthorized access or misuse.

Scope

This policy applies to all personal, health, financial, and technical data collected, processed, or stored by Medi Elves, whether electronic, paper-based, or verbal. It covers all employees, contractors, and third-party partners with access to this data.

Principles of Data Protection

Medi Elves adheres to the following core data protection principles, which are consistent with the APPs and HIPAA:

  • Lawfulness, Fairness, and Transparency: Data processing is lawful, transparent, and based on consent or other legitimate legal grounds.
  • Purpose Limitation: Data is collected solely for specified, explicit, and legitimate purposes related to medical billing services.
  • Data Minimization: Only the minimum necessary data is collected and processed.
  • Accuracy: Data is kept accurate, complete, and up to date.
  • Storage Limitation: Data is retained only for as long as necessary under legal and operational requirements.
  • Integrity and Confidentiality: Data is protected through appropriate technical and organizational security measures.
  • Accountability: We maintain comprehensive records and procedures to demonstrate compliance.

Data Collection and Use

We collect personal and health information necessary to perform medical billing services, including but not limited to:

  • Identity information (name, date of birth, Medicare/DVA numbers)
  • Contact details (email, phone, address)
  • Clinical and billing information required for claims processing
  • Financial information (bank details for payment processing)
  • Technical information (IP address, device details for website security)

This data is used exclusively for:

  • Accurate and timely billing and claims submissions to Medicare, DVA, TAC, and private insurers
  • Communication with clients regarding billing and service support
  • Compliance with regulatory and legal obligations
  • Fraud prevention and security monitoring
  • Service improvements and reporting (in anonymized form)

Legal Basis for Processing

Processing of data is based on:

  • Consent obtained in accordance with APP 3 (including APP 3.3, which requires consent for health and other sensitive information) and HIPAA privacy standards
  • Legal obligations to comply with healthcare and tax regulations
  • Legitimate interests of delivering effective medical billing services

Data Security Measures

Medi Elves implements security measures aligned with the HIPAA Security Rule and the security obligations in APP 11:

Technical Safeguards

  • Encryption: Sensitive data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later; older protocol versions are not accepted.
  • Access Controls: Role-based access control with multi-factor authentication (MFA) restricts each user to the data required for their role.
  • Firewalls and Intrusion Detection: Network firewalls and continuous monitoring detect and block unauthorized access attempts.
  • Regular Security Audits: Internal and third-party penetration testing and vulnerability assessments identify weaknesses so they can be remediated.
  • Secure Backup: Encrypted backups are maintained offsite to protect against data loss from system failure or disaster.

Organizational Safeguards

  • Employee Training: Mandatory annual privacy and security training ensures staff understand data protection responsibilities.
  • Confidentiality Agreements: All employees and contractors sign binding confidentiality and non-disclosure agreements.
  • Vendor Management: Third-party service providers undergo strict due diligence and contractual data protection obligations.

Data Retention and Disposal

Data is retained only as long as required to fulfill the purpose of collection or as required by law, including taxation and healthcare regulations. Upon expiration of retention periods:

  • Electronic data is securely deleted or anonymized using recognised media sanitisation techniques (such as those described in NIST SP 800-88).
  • Physical records are shredded or incinerated under secure conditions.

Cross-Border Data Transfers

When data is transferred outside Australia (e.g., to international partners or cloud providers), we take the steps required by APP 8 to ensure that equivalent or stronger protections are in place through:

  • Binding corporate rules
  • Standard contractual clauses compliant with Australian and international privacy laws
  • Ensuring compliance with HIPAA requirements where applicable

Your Rights

You have the right to:

  • Access your personal and health information held by Medi Elves.
  • Request correction or updates to inaccurate or incomplete data.
  • Request restriction or objection to certain types of data processing, where legally permitted.
  • Withdraw consent for non-essential processing activities.
  • Lodge a complaint with Medi Elves or the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached.

Requests and inquiries can be directed to:
admin@medielves.com.au

Data Breach Response Plan

Medi Elves recognises that despite all precautions, data breaches may occur. We have established a comprehensive Data Breach Response Plan to ensure rapid and effective action to mitigate risks, comply with legal requirements, and protect affected individuals.

  1. Identification and Reporting
  • All employees must immediately report any suspected or confirmed data breach to the Privacy Officer or designated Data Protection Lead.
  • Suspected breaches include unauthorized access, disclosure, loss, or destruction of personal or health data.
  2. Assessment and Containment
  • The Privacy Officer will promptly assess the breach’s nature, scope, and severity. Where the Notifiable Data Breaches scheme applies, this assessment is completed within 30 days of becoming aware of the suspected breach.
  • Immediate steps will be taken to contain the breach and prevent further data loss, such as revoking access rights or isolating affected systems.
  3. Notification
  • Where required by law (e.g., under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 or the HIPAA Breach Notification Rule), we will notify affected individuals as soon as practicable (under HIPAA, without unreasonable delay and no later than 60 calendar days after discovery), detailing:
    • The nature of the breach
    • Types of information involved
    • Potential risks or harm
    • Measures taken to mitigate risks
    • Steps individuals can take to protect themselves
  • Relevant regulatory authorities, including the OAIC and, where applicable, the U.S. Department of Health and Human Services (HHS), will be notified within the legally mandated timeframe.
  4. Investigation and Remediation
  • A thorough investigation will determine the root cause of the breach.
  • Corrective actions will be implemented to prevent recurrence, such as policy updates, enhanced security controls, or staff retraining.
  5. Documentation and Reporting
  • All breaches and response actions will be documented comprehensively.
  • This documentation will be reviewed during audits and compliance checks to continually improve our data protection framework.
  6. Support for Affected Individuals
  • We commit to providing timely assistance to affected individuals, including guidance on mitigating identity theft or fraud risks.

Monitoring and Review

Medi Elves continuously monitors compliance with this Data Protection Policy and relevant laws. This policy is reviewed annually or more frequently as needed to incorporate changes in legislation, technology, or operational practice.

Contact Information

For questions, concerns, or data protection requests, please contact our Privacy Officer at:
admin@medielves.com.au