Privacy Policy
Riverina Diabetes and Endocrinology
Current as at Wednesday 20 May 2026
1. Overview and purpose
Riverina Diabetes and Endocrinology respects your right to privacy and takes our privacy obligations seriously. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (“Privacy Act”) and, where applicable, the Health Records and Information Privacy Act 2002 (NSW) (“HRIP Act”), including the Health Privacy Principles (HPPs).
When you first register as a patient, our new patient consent form requests your consent so that we can collect, use, hold and share your personal information in order to provide you with the best possible healthcare and to allow us to manage our practice. If we intend to use your personal information for any other purpose, we will seek your consent first.
This Privacy Policy explains:
• how we manage your personal information (including your health information), including the collection, use, disclosure, quality and security of that information;
• the kinds of information we collect and how that information is held;
• the purposes for which we collect, hold, use and disclose personal information;
• how you can access your personal information and how you can request to correct it; and
• how you can complain about a breach of your privacy and how we will handle your complaint.
If you have any queries, concerns or feedback regarding this Privacy Policy, please contact our Practice Manager, Chris Moore.
Phone: (02) 5940 8140
Email: chris@riverinaendo.com.au
Post: Riverina Diabetes and Endocrinology, 11 Gormly Avenue, Wagga Wagga NSW 2650
In this Privacy Policy, we use the following terms:
“Personal information” as defined in the Privacy Act, meaning “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.”
“Health information” as defined in the Privacy Act and the HRIP Act. This is a subset of “personal information” and means information or an opinion about:
• the health or a disability (at any time) of an individual;
• an individual’s expressed wishes about the future provision of health services to him or her; or
• a health service provided, or to be provided, to an individual.
Personal information also includes “sensitive information,” which is information such as your race, religion, political opinions, sexual orientation and/or your health information. Sensitive information attracts a higher privacy standard under the Privacy Act and is subject to additional protections.
“We,” “us,” “our” means:
• Riverina Diabetes and Endocrinology; and
• employed, contracted and independent medical and healthcare practitioners who practise from our rooms.
2. Collection of personal information
Riverina Diabetes and Endocrinology collects information that is necessary to provide you with healthcare services and to appropriately manage and conduct our business. This includes personal information such as your name and contact details, medical history, family history, past and current treatments, lifestyle factors, and any other information that helps us provide you with appropriate care. We will also collect your Medicare number and private health fund details where applicable.
Where we collect government-related identifiers such as your Medicare number, Department of Veterans’ Affairs (DVA) number, or Individual Healthcare Identifier (IHI), we only use and disclose those identifiers for the purposes for which they were issued (for example, claiming Medicare benefits or correctly identifying you in the My Health Record system). We do not adopt them as our internal patient identifier.
You have the right to deal with us anonymously or under a pseudonym, unless it is impracticable for us to do so or unless we are required or authorised by law to deal only with identified individuals. Please note that providing incomplete or inaccurate information, or withholding information, may compromise the quality of care we are able to provide.
My Health Record
Our practice participates in the My Health Record system. When you register as a patient, our new patient consent form asks whether you consent to us uploading your personal and health information to My Health Record. This is treated as a standing consent and covers future uploads relating to your care at our practice. You may withdraw this consent at any time by notifying our Practice Manager, in which case we will cease making uploads from that point. You can find further information and the My Health Record privacy policy at https://www.digitalhealth.gov.au/initiatives-and-programs/my-health-record.
AI clinical documentation (AI scribe)
To assist with accurate clinical documentation, our practice uses Heidi, an Australian AI clinical scribe provider. Heidi listens to the consultation in real time and produces a draft consultation note for the treating clinician to review.
Our use of Heidi has the following safeguards:
• Use of Heidi is opt-in. Our new patient consent form asks whether you consent to the use of an AI scribe during your consultations. If you do not consent, Heidi will not be used in your appointments.
• You may withdraw consent at any time, including at the start of any individual consultation, and the scribe will not be used.
• Heidi processes and stores data on servers located in Australia, with encryption in transit and at rest.
• Heidi does not retain audio recordings of your consultation. Only the transcript and the resulting clinical note are stored, and these are accessible only to the treating clinician and authorised practice staff.
• Every draft note generated by Heidi is reviewed and, where necessary, corrected by the treating clinician before being saved into your medical record. The clinician, not the AI, remains responsible for the content of your medical record and for all clinical decisions about your care.
How we collect information
Riverina Diabetes and Endocrinology will usually collect your personal information directly from you, including from patient consent forms, medical records and consultations, or from another health service provider such as your referring doctor. Sometimes we need to collect information about you from third parties, such as relatives, friends, carers, or private health insurers.
We will only collect information from third parties where:
• you have consented to such collection;
• the collection is necessary to provide you with appropriate healthcare services (such as in an emergency or where your health is at risk);
• the collection is reasonably necessary to appropriately manage and conduct our business; or
• it is otherwise legally permissible for us to do so.
Adults with impaired capacity
Where an adult patient is unable to provide consent due to impaired decision-making capacity, we may collect, use and disclose personal information through a substitute decision-maker, such as a guardian or a person holding an enduring power of attorney or enduring guardianship, in accordance with applicable law.
CCTV
Riverina Diabetes and Endocrinology is located within Riverina Surgical Consulting at 11 Gormly Avenue, Wagga Wagga. Riverina Surgical Consulting operates CCTV systems in and around the building for the purposes of maintaining safety and security for patients, visitors, staff and other attendees. The CCTV system may collect and store personal information, the use of which is governed by Riverina Surgical Consulting’s privacy policy. A copy of that policy is available on request at reception.
3. How we use your personal information
Riverina Diabetes and Endocrinology only uses your personal information to provide you with diabetes and endocrinology related healthcare services, or to enable us to appropriately manage and conduct our business, unless:
• there is a secondary purpose that directly relates to the primary purpose, and you would reasonably expect (or we have informed you) that your information will be used for that secondary purpose, or you have given consent for that secondary use;
• the disclosure is necessary for the enforcement of criminal law or a law imposing a penalty or sanction, or for the protection of public revenue;
• the disclosure will prevent or lessen a serious and imminent threat to somebody’s life or health; or
• we are required or authorised by law to disclose your information for another purpose.
For example, we use your personal information to:
• provide healthcare services to you;
• appropriately manage our practice, including conducting audits and accreditation processes, managing billings, and training staff; and
• effectively communicate with third parties, including private health insurers, Medicare Australia and relevant government departments.
Appointment reminders and recalls
We may contact you by SMS, email or phone for the purposes of appointment reminders, recall messages (for example, to arrange follow-up appointments or to discuss test results), and other communications directly related to your clinical care. We do not use your personal information for third-party marketing. If you do not wish to receive reminder or recall communications, or wish to nominate a preferred contact method, please let our reception staff or Practice Manager know and we will update your preferences.
4. Disclosing your personal information
Riverina Diabetes and Endocrinology may disclose your personal information to our employees, contractors and service providers in order to provide healthcare services to you and to allow us to manage our business. We will also disclose your personal information to healthcare professionals directly involved in your treatment. Where your medical records are required in a medical emergency, we will provide them to the relevant medical professional without waiting for your consent, where we reasonably believe this is in your interests.
Your personal information may also be provided to third parties if we are legally obliged to do so, for example by a court subpoena, statutory authority, search warrant, coronial summons, or to defend a legal action.
We may provide your personal information to third parties involved in your care, such as:
• your parents, children, relatives, close friends, guardians, or a person exercising a power of attorney or enduring power of attorney (please advise us if you do not wish any such person to have access to your personal information);
• government departments and agencies, such as the Department of Defence or the Department of Veterans’ Affairs, or departments responsible for health, aged care and disability, where we are required to do so;
• private health insurers and Medicare Australia; and
• anyone authorised by you to receive your personal information.
Riverina Diabetes and Endocrinology engages the following categories of third-party service providers that assist us in delivering our services to you:
• other medical specialists involved in your care;
• dietitians and diabetes educators;
• Magentus (Genie Solutions), the provider of our cloud-based practice management software, Gentu;
• Heidi Health, the provider of our AI clinical scribe; and
• Google LLC, the provider of our Google Workspace email and document services.
5. Overseas recipients
Our practice management system, Gentu, stores patient and practice data in secure Australian data centres. Heidi, our AI clinical scribe, also processes and stores data on servers located in Australia.
We use Google Workspace for our business email and associated document services. Google is a global service provider, and the data we hold within Google Workspace (including email correspondence and documents that may contain personal information) may be stored or processed by Google at data centres located outside Australia, including in the United States and other countries in which Google operates.
We have taken reasonable steps to ensure that overseas recipients of your personal information handle it in a manner consistent with the Australian Privacy Principles, including by relying on Google’s contractual privacy and security commitments to its Workspace customers.
Other than as described above, we do not engage with overseas entities or persons to transfer, store or disclose your personal information. Should we wish to transfer your personal information overseas in any other circumstances, we will seek your consent first.
6. Data storage, quality and security
We take reasonable steps to maintain the reliability, accuracy, completeness and currency of the personal information we hold, and to protect its privacy and security. We are an electronic medical records practice and do not retain hard copies of your medical or personal information. All clinical data is stored electronically in our cloud-based practice management software, Gentu, which is hosted in secure Australian data centres. Once your data is entered into our medical software, all paper copies are securely destroyed.
All personal information stored in electronic form is protected from unauthorised access, misuse, interference, loss, modification or disclosure. Steps we take to keep your personal information secure include:
• maintaining physical security over our rooms within the Riverina Surgical Consulting facility;
• training our staff on privacy obligations as part of induction and on an ongoing basis;
• using Gentu, an ISO 27001-certified cloud practice management platform hosted in Australian data centres, with multi-factor authentication, encryption in transit and at rest, and automated daily backups across multiple Australian sites;
• using Heidi, an Australian AI clinical scribe with encryption in transit and at rest, that does not retain audio recordings;
• requiring strong authentication on Google Workspace accounts used to access practice email and documents;
• relying on our software providers to apply industry-standard firewalls, anti-malware protection, intrusion detection and regular independent security testing; and
• periodically reviewing our information handling and security practices.
In accordance with Part IIIC of the Privacy Act, if we become aware of a data breach involving your personal information that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
Our website and email are connected to the internet. No transmission of data over the internet is completely secure. Any information you transmit to us online or by email is transmitted at your own risk.
7. Retention and destruction of personal information
We retain your medical records for the periods required by law. Under NSW health records legislation, we are generally required to keep:
• medical records for adult patients for at least 7 years from the date of last service provided to the patient; and
• medical records for patients who were under 18 at the time of last service until the patient has reached the age of 25.
Once the applicable retention period has expired and the records are no longer required by us or under law, records containing personal information may be securely destroyed or de-identified in accordance with our information handling procedures.
8. Accessing and amending your personal information
You have the right to ask us whether we hold health information about you and, if so, the general nature of that information, what it is used for, and how you may access it. We encourage you to contact us if you have any queries regarding your personal information.
You also have a right to request access to information we hold about you. If you make a request to access personal information that you are entitled to access, we will provide you with a suitable means of accessing it. We do not charge a fee for making the request. Where you ask us to provide a copy of your personal information, we may charge a reasonable fee to cover the costs of complying with the request.
You may also request an amendment to your personal information if you consider that the information we hold is inaccurate, incorrect, out-of-date, incomplete, irrelevant or misleading.
There may be circumstances where we cannot grant you access to some of the information we hold, for example where doing so would interfere with the privacy of others or where access is otherwise restricted by law. If this is the case, we will provide you with a written explanation of the reasons.
You can contact our Practice Manager, Chris Moore, with any queries:
Phone: (02) 5940 8140
Email: chris@riverinaendo.com.au
Post: Riverina Diabetes and Endocrinology, 11 Gormly Avenue, Wagga Wagga NSW 2650
9. Complaints
If you have a complaint about how we have dealt with your personal information, or believe we have breached your privacy, please contact us so that we may investigate. We will deal with your complaint fairly and confidentially. On receipt of your complaint, we will contact you within 10 business days to confirm what investigation will occur. We will then communicate the outcome to you in writing and invite a response to our conclusion. If we receive a response from you, we will assess it and advise if we have changed our view.
Phone: (02) 5940 8140
Email: chris@riverinaendo.com.au
Post: Riverina Diabetes and Endocrinology, 11 Gormly Avenue, Wagga Wagga NSW 2650
If you are not satisfied with our response, you may refer the complaint to the Office of the Australian Information Commissioner (OAIC):
Phone: 1300 363 992
Website: https://www.oaic.gov.au/
In NSW, complaints relating to the handling of health information may also be referred to the NSW Information and Privacy Commission at https://www.ipc.nsw.gov.au/.
10. Review and changes to this Privacy Policy
We may amend this Privacy Policy from time to time following any legislative change or upon review of our information handling processes. The version currently in force is the most recent version published on our website.
The current version of our Privacy Policy is available:
• at riverinaendo.com.au; or
• by contacting reception on (02) 5940 8140.
Our practice is located at:
Riverina Diabetes and Endocrinology
11 Gormly Avenue
Wagga Wagga NSW 2650