Privacy Policy

NeuCore Physiotherapy Pty Ltd - Privacy Policy

Last Updated: 29/12/25

 

NeuCore Physiotherapy Pty Ltd ABN 32 692 769 538 ("we", "us", "our", "NeuCore") is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and the Health Records Act 2001 (Vic).

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information and health information when you use our mobile physiotherapy services specialising in neurological, orthopaedic, and musculoskeletal conditions.

Service Eligibility: NeuCore Physiotherapy provides services exclusively to adults aged 18 years and above. We provide NDIS-funded services only for self-managed and plan-managed participants; we do not provide services to NDIA-managed clients.

 

  1. Definitions

    • AHPRA: Australian Health Practitioner Regulation Agency

    • APPs: Australian Privacy Principles contained in the Privacy Act 1988 (Cth)

    • GP: General Practitioner

    • Health Information: information or an opinion about the physical, mental, or psychological health or disability of an individual

    • Medicare: Medicare Australia, the Australian Government's universal health care system

    • OAIC: Office of the Australian Information Commissioner

    • NDIS: National Disability Insurance Scheme

    • NDIS Participant: An individual receiving services funded under the NDIS

    • Plan Manager: A registered provider who manages NDIS funding and payments on behalf of a participant

    • Personal Information: information or an opinion about an identified individual, or an individual who is reasonably identifiable

    • Privacy Act: Privacy Act 1988 (Cth)

    • SMS: Short Message Service (text messaging)

  2. Information We Collect

    • Personal Information - We collect personal information necessary to provide physiotherapy services:

      • Full name, date of birth, gender

      • Contact details (address, phone number, email)

      • Medicare number and private health insurance details

      • Emergency contact information

      • Payment and billing information

      • Occupation and employment details (where relevant to treatment)

      • NDIS participant number, plan details, funding type (self-managed or plan-managed), and plan dates

    • Health Information - We collect sensitive health information including:

      • Medical history and current health conditions

      • Neurological, orthopaedic, and musculoskeletal injuries, symptoms, and diagnoses

      • Treatment plans and clinical notes

    • Medical information:

      • Reports from healthcare providers (GPs, neurologists, orthopaedic surgeons, specialists)

      • Imaging and test results (X-rays, MRI, CT scans, ultrasounds)

      • Progress notes and treatment outcomes

      • Physical condition, functional capacity, and mobility assessments

      • Pain levels and symptom descriptions

      • Neurological assessment findings

      • Range of motion and strength measurements

      • Work capacity and return-to-work information

      • Photographs or videos of affected body areas (with your express consent for clinical documentation and treatment monitoring purposes).

      • NDIS goals, functional capacity information, and support needs relevant to funded supports

  3. How We Collect Information

    • Unsolicited Information

      • Directly from you during consultations, assessments, and treatment sessions

      • From your healthcare providers (with your consent), including GPs, specialists, and other allied health professionals

      • From Medicare and private health insurance funds

      • Through our online referral process

      • Via email, phone, or written correspondence

      • From referral sources (GPs, specialists, WorkCover case managers, insurance case managers) who provide referral information and relevant medical history (with your consent)

      • From NDIS plan managers or support coordinators (self-managed or plan-managed) for funding, billing, and service coordination purposes

      • If we receive unsolicited personal or health information, we will determine whether we could have lawfully collected it. If not, we will destroy or de-identify the information as soon as practicable unless legally required to retain it.

  4. Why We Collect Your Information

    • Primary Purposes

      • Providing physiotherapy assessment, treatment, and care for neurological, orthopaedic, and musculoskeletal conditions

      • Developing and implementing treatment plans

      • Monitoring your progress and treatment outcomes

      • Maintaining accurate clinical records

      • Communicating with you about your treatment

      • Ensuring continuity of care and coordinating with other healthcare providers

    • Secondary Purposes

      • Processing Medicare and private health insurance claims

      • Preparing invoices and service documentation for NDIS self-managed or plan-managed participants

      • Billing and payment processing

      • Complying with legal and regulatory obligations

      • Quality assurance and clinical governance

      • Managing complaints and incidents

      • Business administration and record-keeping

      • Professional indemnity insurance purposes

      • Workplace injury management and return-to-work planning (where applicable)

  5. Disclosure of Your Information

    • We Disclose Your Information To:

      • Medicare Australia: for processing Medicare claims and rebates

      • Private Health Insurance Funds: for processing claims and pre-approvals

      • Healthcare Providers: with your consent, to coordinate care (GPs, neurologists, orthopaedic surgeons, rheumatologists, pain specialists, occupational therapists, exercise physiologists, allied health professionals)

      • Referral Sources: to provide treatment updates, progress reports, and discharge summaries to:

      • Your referring GP or specialist

      • Employers (for return-to-work planning, with your consent)

      • Professional Indemnity Insurers where required for insurance purposes

      • Legal and Regulatory Bodies where required by law (AHPRA, courts, tribunals)

      • Third-Party Service Providers who assist with business operations (IT support, practice management software, billing services)

  6. Mandatory Reporting

    • We are legally required to disclose information in certain circumstances:

      • Notifiable diseases under public health legislation

      • Court orders or subpoenas

      • Serious threats to public health or safety

      • Professional registration matters with AHPRA

      • Mandatory reporting obligations under the Health Practitioner Regulation National Law

  7. NDIS Participants

    • For NDIS self-managed or plan-managed participants, information may also be disclosed to:

      • Plan managers for invoicing and payment

      • Support coordinators for coordination of supports

      • Other NDIS providers involved in care, where necessary for service delivery and reporting

  8. NDIS Compliance and Participant Rights

    • NDIS Code of Conduct and Practice Standards Compliance - working exclusively with self-managed and plan-managed NDIS participants, we are committed to upholding the principles of the NDIS Code of Conduct. This includes:

      • Acting with respect for your rights to freedom of expression, self-determination and decision-making

      • Respecting your privacy, dignity and confidentiality

      • Delivering supports and services in a safe and competent manner

      • Maintaining appropriate privacy and information management practices

      • Taking all reasonable steps to prevent and respond to all forms of violence, exploitation, neglect and abuse

    • Service Model: We provide services exclusively to self-managed and plan-managed NDIS participants. We do not provide services to NDIA-managed participants.

    • Reportable Incidents - We maintain our professional and legal obligations to report certain matters to appropriate authorities, including:

      • Notifiable incidents to AHPRA where required under the Health Practitioner Regulation National Law

      • Serious threats to public health or safety to relevant authorities

      • Suspected abuse or neglect to appropriate authorities as required by law

      • Matters required to be reported under Victorian or Commonwealth legislation

      • We will notify you (or your nominee/guardian) when such reports are made, unless doing so would compromise an investigation or place someone at risk.

    • NDIS Plan Reviews and Reassessments

      • With your consent, we may provide information to:

      • Your support coordinator or plan manager to assist with plan review preparation

      • Other providers involved in your care to support comprehensive plan reviews

      • The NDIA if specifically requested by you for plan reviews or reassessments

      • Information shared for plan reviews may include progress reports, functional capacity assessments, goal achievement summaries, and recommendations for ongoing or future support.

    • NDIS Participant Rights

      • As an NDIS participant using our services, you have specific rights regarding your information:

      • The right to access all NDIS-related records and reports we hold about you

      • The right to have a support person, advocate, or nominee assist you with privacy matters

      • The right to request we communicate with your nominee or guardian regarding your information

      • The right to complain to the NDIS Quality and Safeguards Commission about privacy concerns

      • The right to understand how your information is used for NDIS claiming and reporting purposes

      • The right to refuse consent for information sharing (except where required by law)

    • NDIS Pricing and Invoicing

      • We align our pricing with NDIS pricing arrangements. Your invoices will include:

      • NDIS support item numbers and descriptions

      • Date and duration of service delivery

      • Clear breakdown of charges

      • Our ABN and business details

      • Invoices are provided directly to you (if self-managed) or your plan manager, and contain only the information necessary for payment processing and your NDIS plan management.

  9. Consent for Disclosure

    • We obtain your express consent before disclosing health information to third parties (except where required or permitted by law)

    • Written consent: specific consent forms for sharing information with healthcare providers or NDIS plan managers

    • Verbal consent: documented in clinical notes with date, purpose, and scope

    • Electronic consent through our digital systems where available

    • Withdrawing Consent: You may withdraw consent at any time by notifying us in writing or verbally. Withdrawal does not affect prior disclosures.

    • Implied Consent: For routine treatment communications (appointment confirmations and reminders), we rely on implied consent. Implied consent does not apply to disclosure of clinical information beyond what is reasonably necessary for treatment and administration.

  10. Clinical Photography and Video

    • With your consent, photographs or videos of affected areas may be taken for clinical documentation, monitoring treatment progress, and comparing pre- and post-treatment outcomes.

    • Images are stored securely in your clinical file in Splose

    • Access is limited to treating practitioners

    • Images will not be used for marketing, education, or any other purpose without separate written consent

    • You may withdraw consent for future photography at any time. You may request deletion of existing images, subject to clinical record-keeping requirements

  11. Medicare and Private Health Insurance

    • Medicare Claims:

      • For Medicare-funded services, the client can either claim their Medicare rebate themselves, or where applicable, and with consent, the therapist may process the rebate on the client’s behalf. If Medicare rejects the claim for any reason, the client is responsible for the full gap.

      • Submitted electronically to Medicare with your consent

      • Provide your Medicare number, personal details, and treatment information to Medicare

      • Issue receipts and invoices for Medicare claiming purposes

      • Process relevant Medicare item numbers

      • Information may be shared with the referring GP under GP Management Plan or Team Care Arrangement

    • Private Health Insurance Claims:

      • Verify your membership and coverage

      • Submit claims electronically where available (Tyro Health Online)

      • Provide treatment details required by your fund

      • Obtain pre-approval for services where required

    • NDIS Claims (Self-managed / Plan-managed):

      • Invoices and service details may be provided to NDIS plan managers for payment

      • Funding details, plan dates, and relevant participant information will be disclosed only as required for service delivery and invoicing

      • Participant goals and clinical reports may be shared with plan managers or support coordinators to align therapy with the NDIS plan

  12. Your Rights:

    • Decline Medicare, private health insurance claiming

    • Request we do not share information with your insurer or plan manager

    • Pay privately without submitting claims

    • Request itemised receipts

    • Payment Processing - We accept payments via:

      • Credit/debit cards (processed through Zeller Tap to Pay)

      • Bank transfer via invoices

      • Cash

      • Private health insurance claim payment information is processed securely through Tyro's payment systems. We do not store your full credit card details on our systems. Tyro Health Online handles payment processing in compliance with Payment Card Industry Data Security Standards (PCI DSS).

      • Transaction records (amounts, dates, receipt numbers) are stored in Splose for accounting and tax purposes

  13. How We Store and Protect Your Information

    • Security Measures - We implement robust physical, technical and administrative safeguards:

      • Secure, password-protected electronic health record systems

      • Encrypted data transmission and storage

      • Regular software updates

      • Secure disposal of records (shredding, secure deletion)

      • Password-protected and encrypted mobile devices

      • Secure backup systems for electronic records

      • Mandatory staff training on privacy and confidentiality

    • Storage Locations - Your information is stored:

      • On secure Australian-based servers only (Splose)

      • Any physical documentation is scanned and stored in the patient's file within the management software (Splose), and physical copies are destroyed.

      • On encrypted mobile devices used for service delivery

      • In cloud-based practice management systems with Australian data storage

      • All data is stored within Australia and is never transferred or stored overseas.

    • Data Backup:

      • All electronic records in Splose are backed up regularly

      • Backups are stored securely on Australian servers

      • Backup data is subject to the same security and privacy protections as primary data

    • Retention Periods - We retain information in accordance with legal requirements:

      • Adult patient records: minimum 7 years from last treatment

      • Financial records: 7 years from creation

      • Records may be retained for longer periods where clinically necessary, required for ongoing care, or for medico-legal, insurance, or regulatory purposes.

      • The 7-year retention period starts from the date of last service or last entry, not just last treatment, to avoid ambiguity.

    • Mobile Service Delivery - as a mobile physiotherapy service, we take additional privacy measures:

      • Clinical notes are recorded on encrypted mobile devices (tablets/laptops) during home visits

      • Devices are password-protected and encrypted

      • Data is synchronized securely with our practice management system (Splose) via encrypted connections

      • Devices are never left unattended in vehicles

      • Physical documents (if any) are transported in locked bags/cases and destroyed once uploaded successfully into Splose.

      • We ensure privacy during home visits by requesting a private space for consultations

      • We will not conduct assessments or discuss clinical matters if unauthorized persons are present (unless you consent)

  14. Third-Party Service Providers

    • We engage third-party service providers who may access your information:

      • Practice management software providers

      • Cloud storage providers (Australian-based only)

      • IT support services

      • Billing and accounting services

      • Professional indemnity insurers

      • Tyro Health Online and Medicare claiming services

      • Email and communication platforms

    • Specific Systems We Use - We use the following third-party systems to manage your information:

      • Splose - Our practice management software used for: storing all patient records and clinical notes, appointment scheduling and management, treatment documentation and progress notes, billing and invoicing, and document storage. All data is stored on Australian servers.

      • Tyro Health Online - Our health claims processing system used for: processing Medicare claims electronically, processing private health insurance claims (Tyro Health Online), verifying health fund membership, submitting claims to Medicare and private health insurers, and payment processing via credit/debit. All data is transmitted securely and stored on Australian servers.

      • Both Splose and Tyro Health Online: are compliant with Australian privacy laws, store all data within Australia, use encryption for data transmission and storage, have their own privacy policies and security measures, and are bound by written agreements with us regarding data handling.

    • IT Support and Maintenance - our IT support providers may occasionally require access to our systems for:

      • Technical support and troubleshooting

      • Software updates and maintenance

      • System security monitoring

    • IT support access is:

      • Strictly controlled and monitored

      • Limited to the minimum necessary

      • Subject to confidentiality agreements

      • Logged and auditable

    • All third-party providers must:

      • Comply with the Privacy Act and APPs

      • Maintain confidentiality and security of your information

      • Use your information only for specified purposes

      • Store data within Australia only

      • Enter into written agreements regarding data handling and security

      • Implement appropriate security measures

  15. Overseas Disclosure

    • We do not ordinarily disclose your personal or health information to overseas recipients. All systems we use are Australian-based. If overseas disclosure were ever required by law or unavoidable due to technical circumstances, we would take reasonable steps to ensure compliance with applicable privacy law. All information is stored on Australian servers, processed by Australian service providers, and managed by Australian-based staff.

  16. Telehealth and Digital Services

    • Telehealth Consultations - If we provide telehealth consultations:

      • Platforms: Video consultations are conducted via Splose, a secure, encrypted platform compliant with Australian privacy laws and with Australian data storage.

    • Recording Policy:

      • We do not record consultations without your express written consent

      • You must not record consultations without our express consent

      • Screenshots are not permitted without mutual consent

      • We are not responsible for any recordings, screenshots, or storage of consultation content made by patients without our consent. Any such recordings are made at the patient’s own risk and responsibility

    • Your Responsibilities:

      • Ensure your environment is private

      • Use a secure internet connection

      • Ensure no unauthorised persons can see or hear the consultation

      • Notify us if anyone else is present

      • Technical Requirements: Stable internet connection, device with camera and microphone, updated browser/app, quiet private space.

      • Connection Issues: If connection fails, we will attempt to reconnect or contact you via phone. You are only charged for time services were provided.

    • Digital Communications - Appointment Reminders are sent via:

      • SMS to your mobile phone

      • Email to your email address

      • These reminders are automated and sent from our practice management system (Splose). They contain:

      • Your appointment date and time

      • Our contact details

      • Basic appointment information only (no clinical details)

    • General Communications:

      • Email and SMS may be used for appointment reminders, non-sensitive administrative matters, and general health information

      • Clinical information and sensitive health details will not be discussed via unencrypted email or SMS

      • You may opt out of digital communications at any time

  17. Communications

    • We may contact you to:

      • Send appointment confirmations, reminders, and service-related notices

      • Provide information directly related to your assessment, treatment, or ongoing care

      • Share clinically relevant education specific to your condition where appropriate

      • Communicate necessary updates about your care or service delivery

      • We do not use your personal or health information for promotional or advertising purposes.

  18. Data Breach Response

    • In the event of a data breach likely to result in serious harm, we will:

      • Immediately contain the breach and prevent further unauthorised access

      • Assess risks to affected individuals

      • Notify affected individuals as soon as practicable

      • Notify the OAIC where required under the Notifiable Data Breaches scheme

      • Take remedial action to prevent future breaches

      • Provide information about protective steps you can take

      • Maintain records of the breach and our response

    • Report Potential Breaches Immediately and contact us if you:

      • Receive information about another patient

      • Believe someone has accessed your records without authorisation

      • Have lost a device containing your health information

      • Receive suspicious communications claiming to be from us

  19. Your Rights and Choices

    • Access to Your Information - you have the right to:

      • Request access to your personal and health information

      • Receive copies of your clinical records

      • Request corrections to inaccurate or incomplete information

      • Request a summary of your treatment history

      • Request information about who we have disclosed your information to

      • How to Request Access: Contact us using the details below in the Contact Us section. We will respond within 14 days and provide access in your requested format where possible.

      • Correction of Information: If your information is inaccurate, incomplete or out-of-date, contact us. We will correct the information within 30 days.

    • Complaints - If you have concerns about how we handle your information, contact our Privacy Officer. We will:

      If unsatisfied with our response, lodge a complaint with:

  20. Changes to This Policy

    • We may update this Privacy Policy to reflect changes in legislation, business practices, technology, or stakeholder feedback.

    • The current version will be available on our website, and provided upon request. Material changes will be notified directly where practicable via email or during your next appointment. The "Last Updated" date indicates when this policy was last revised.

  21. Contact Us


For questions or concerns about this Privacy Policy, contact our Privacy Officer using the details above.
