HealthPlex

Privacy Policy

Last updated: 07/08/2026   •  Applies to HealthPlex and its related entities

HealthPlex (“HealthPlex”, “we”, “us” or “our”) provides allied health, workplace rehabilitation and injury management services across New South Wales, including through our related entities (together, the “HealthPlex Group”). We are committed to protecting the privacy of everyone who interacts with us — including patients, referrers, employers, insurers, job applicants and visitors to this website.

This Privacy Policy explains how we collect, hold, use and disclose personal information, including health information, and how you can access or correct your information or make a complaint. We handle personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable NSW health records legislation.

HealthPlex acknowledges the Traditional Custodians of the lands on which we operate, live and gather, and pays respect to Elders past, present and emerging.

1. The information we collect

Depending on your relationship with us, we may collect:

  • Identity and contact details — name, date of birth, address, phone number, email address.
  • Health information — medical history, diagnoses, treatment notes, clinical assessments, progress reports, imaging and referral letters, and information about your injury, condition or functional capacity.
  • Claim and billing information — Medicare and EPC referral details, NDIS participant and plan information, DVA details, WorkCover/CTP claim numbers, insurer and case manager details, and private health fund membership information.
  • Payment information — processed through our payment providers (including Tyro and HICAPS); we do not store full card details ourselves.
  • Employment-related information — for job applicants and practitioners, including qualifications, registration details, references and work history.
  • Website and technical information — IP address, browser and device type, pages visited, and information submitted through online enquiry or contact forms.

2. How we collect information

We may collect personal information directly from you — in person, by phone, email, or through forms on this website — and, where relevant to your care or claim, from:

  • referring general practitioners, specialists and other treating health professionals;
  • employers, insurers, case managers and workplace rehabilitation coordinators;
  • Medicare, the NDIS Quality and Safeguards Commission, DVA, SIRA and icare, where information sharing is required or authorised for your claim or funding arrangement;
  • our practice management and administrative systems (including PracSuite); and
  • publicly available sources, where appropriate.

Where practical, we collect health information only with your consent, and only to the extent needed to provide safe and effective care or to meet our funding, reporting and compliance obligations.

3. How we use your information

We may use personal and health information to:

  • assess, plan and deliver clinical, rehabilitation and injury management services;
  • communicate with you about appointments, treatment and outcomes;
  • bill and process claims through Medicare, NDIS, DVA, WorkCover, CTP and private health funds;
  • prepare reports required by referrers, insurers, regulators (including SIRA) or funding bodies;
  • manage recruitment, employment and credentialing of our practitioners and staff;
  • operate, maintain and improve this website and respond to enquiries; and
  • meet our legal, regulatory, accreditation and insurance obligations.

We do not use your health information for direct marketing without your consent, and we will never sell your personal information.

4. Who we may share your information with

Because injury management and rehabilitation care is collaborative, we may disclose relevant information to:

  • other treating practitioners within the HealthPlex Group (HealthPlex, Nexus Rehab and Goulburn Health Therapy) involved in your care, and your referring or treating doctor;
  • the employer, insurer, case manager or scheme agent associated with your WorkCover, CTP or NDIS claim, to the extent necessary for claims management and return-to-work planning;
  • Medicare, DVA, SIRA, icare and the NDIS Commission, where disclosure is required or authorised by law or by the terms of your funding arrangement;
  • our technology and service providers, including our practice management system (PracSuite), accounting and payroll platform (Xero), and payment processors (Tyro/HICAPS), each of whom is bound by confidentiality obligations;
  • our professional advisers, including accountants, auditors, insurers and lawyers; and
  • any other party where you have given consent, or where disclosure is required or authorised by law.

We take reasonable steps to ensure any third party who handles personal information on our behalf protects it to a standard consistent with the Australian Privacy Principles. Some of our service providers may store information on servers located outside Australia; where this occurs, we take reasonable steps to ensure comparable privacy protections apply.

5. Website, cookies and analytics

This website may use cookies and similar technologies to remember your preferences, understand how visitors use the site, and improve its functionality. Cookies do not identify you personally unless you have provided information (for example, through a contact form). You can adjust your browser settings to block or delete cookies, though some parts of the website may not function as intended if you do so.

Information submitted through website enquiry or contact forms is used only to respond to your enquiry and, where relevant, to follow up regarding our services.

6. Anonymity and pseudonyms

Where it is lawful and practicable to do so, you may interact with us anonymously or under a pseudonym — for example, for a general enquiry. This is not usually possible where we need to identify you to provide clinical care, process a Medicare, NDIS, DVA or WorkCover claim, or meet a legal obligation.

7. Direct marketing

We may send you appointment reminders and information about relevant HealthPlex services. You can opt out of marketing communications at any time by contacting us or using the unsubscribe option in the communication itself. This will not affect clinical or administrative communications relating to your care.

8. Storage, security and retention

We store personal and health information in secure electronic systems (including PracSuite and Xero) protected by access controls, encryption and firewalls, and in hard-copy form where clinically or legally required, kept in locked and access-restricted storage. Access to health information is limited to staff and practitioners who need it to provide your care or perform their role. All employees, contractors and practitioners are bound by confidentiality obligations regarding personal and health information.

We generally retain health records for a minimum of 7 years from the date of your last consultation, or, for a patient who was a minor at the time of treatment, until they turn 25, consistent with NSW health records requirements. Some records may be retained for longer where required by law or by a funding body.

We do not disclose personal information to recipients located overseas unless required by law or with your consent. Some of our technology service providers may nonetheless process or back up data on servers located outside Australia as part of their standard hosting arrangements; where this occurs, we take reasonable steps to ensure comparable privacy protections apply.

9. Access to and correction of your information

You can request access to the personal information we hold about you, or ask us to correct it if it is inaccurate, out of date or incomplete. Requests can be made in writing to the contact details below, and we will generally ask you to complete a release of information consent form. There is no fee to request access, though a reasonable administrative fee may apply to cover the cost of retrieving and copying records. We will respond within a reasonable time and may need to verify your identity before releasing information. In limited circumstances — for example, where access would pose a serious risk to your health or the health of another person — we may need to provide information through a treating practitioner rather than directly.

10. Complaints

If you have a concern about how we have handled your personal information, please contact our Privacy Officer using the details below. We will investigate and respond to your complaint in writing, generally within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au
  • Web: www.oaic.gov.au/privacy/privacy-complaints

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The current version will always be available on this website.

12. Contact us

For any questions about this Privacy Policy, or to make a request or complaint, please contact our Privacy Officer: