Privacy policy
Last updated: June 2026
Introduction
At The Spine Institute, protecting your privacy and maintaining the confidentiality of your personal and health information is a fundamental part of the care we provide. We understand the trust you place in us when sharing sensitive information about your health, and we are committed to handling that information responsibly, securely, and in accordance with applicable privacy laws.
This Privacy Policy explains how we collect, use, store, disclose, and protect your personal and health information when you engage with our services. It has been developed in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Health Records Act 2001 (Vic). As a registered chiropractic practice, we also comply with the professional and ethical standards established by the Australian Health Practitioner Regulation Agency (AHPRA) and the Chiropractic Board of Australia.
By accessing our website, contacting our clinic, receiving treatment, or otherwise providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy and consent to the handling of your information as described within it.
About This Policy
This Privacy Policy applies to all personal and health information collected, held, used, and disclosed by The Spine Institute in connection with the provision of our services. This includes information collected through our clinic, our website, telephone communications, email correspondence, and any other interactions with our practice.
This policy applies to current and former patients, prospective patients, website visitors, carers, guardians, and any other individuals whose personal information we may collect in the course of operating our practice.
A current copy of this Privacy Policy is available on our website and may also be obtained from our clinic upon request. If you have any questions about this policy or how your personal information is handled, please contact our Privacy Officer using the details provided at the end of this document.
We encourage you to read this policy carefully so that you understand how we collect, manage, and protect your information, as well as your rights in relation to that information.
In this Privacy Policy, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information is true and regardless of whether it is recorded in a material form. Health information is a type of sensitive information and includes information about an individual's physical or mental health, medical history, treatment, or healthcare services received.
Information We Collect
We collect only the personal and health information that is reasonably necessary to provide our care, manage our professional relationship with you, and operate our practice effectively. The information we collect will vary depending on the nature of your interaction with us and the services you receive.
Types of Information We Collect:
Personal Information
- Full name
- Date of birth
- Gender
- Residential and postal address
- Telephone number and email address
- Emergency contact and next-of-kin details
- Medical and health history
- Current symptoms and presenting complaints
- Clinical examination findings
- Diagnoses and treatment plans
- Progress notes and treatment records
- Diagnostic imaging and X-ray reports
- Referral letters and correspondence from other healthcare providers
- Payment and billing details
- Private health fund membership information
- Medicare and Department of Veterans' Affairs (DVA) details
- Claims and transaction records
- Occupation and work-related factors
- Physical activity and exercise habits
- Lifestyle factors relevant to your health and treatment
- Other information reasonably necessary to assess and manage your care
- Appointment bookings and scheduling information
- Records of telephone calls, emails, SMS messages, and other correspondence
- Feedback, enquiries, and communications relating to your treatment or our services
Where you choose not to provide information that is reasonably required for your assessment or treatment, we may be unable to provide certain services, deliver appropriate care, or effectively manage your ongoing treatment.
How We Collect Information
We collect personal and health information through a variety of channels in the course of providing chiropractic care and managing our practice. Wherever reasonably practicable, we collect information directly from you.
Information Collected Directly from You
We may collect information directly from you when you:
- Complete patient registration, consent, or health history forms;
- Attend consultations, examinations, and treatment appointments;
- Communicate with us by telephone, email, SMS, online, or in person;
- Make an appointment through our website or secretarial services; or
- Provide feedback, enquiries, or other communications relating to our services.
Where necessary and appropriate for your care, we may collect information from third parties, including:
Healthcare Providers
- Referrals from general practitioners, specialists, allied health professionals, or other treating practitioners;
- Diagnostic imaging reports, X-ray results, pathology reports, and hospital discharge summaries; and
- Clinical information relevant to your assessment, treatment, or ongoing care.
Health Funds and Government Agencies
- Private health insurers for the verification of membership details and processing of health fund claims;
- Medicare, the Department of Veterans' Affairs (DVA), WorkSafe Victoria, or other relevant agencies for claim processing and administrative purposes.
Direct Collection and Unsolicited Information
Consistent with the Australian Privacy Principles, we will generally collect personal information directly from you unless it is unreasonable or impracticable to do so.
If we receive personal information that we have not requested, we will assess whether we could have lawfully collected that information under applicable privacy laws. If the information is not reasonably necessary for our functions or activities and we are not otherwise permitted to retain it, we will take reasonable steps to destroy or permanently de-identify the information as soon as practicable.
Why We Collect Your Information
We collect, hold, use, and disclose personal and health information for purposes that are reasonably necessary to provide chiropractic care, manage our practice, and comply with our legal and professional obligations.
The purposes for which we may collect and use your information include:
Providing Healthcare Services
To assess, diagnose, treat, and manage your spinal, musculoskeletal, and related health conditions. This includes maintaining accurate clinical records, developing personalised treatment plans, monitoring your progress, and supporting continuity of care.
Managing Appointments and Patient Services
To schedule, confirm, reschedule, and manage appointments, send appointment reminders, and administer patient services associated with your care.
Billing, Payments and Claims Processing
To issue invoices, process payments, maintain financial records, and facilitate claims through private health insurers, Medicare, the Department of Veterans' Affairs (DVA), WorkSafe Victoria, or other relevant funding bodies.
Communicating With You
To provide information about your treatment, respond to enquiries, deliver health-related information relevant to your care, communicate administrative updates, and follow up regarding your treatment and wellbeing where appropriate.
Coordinating Your Care
To communicate and exchange relevant information with your general practitioner (GP), specialists, allied health practitioners, diagnostic imaging providers, or other healthcare professionals involved in your care, where you have provided consent or where otherwise permitted or required by law.
Practice Management and Service Improvement
To manage our business operations, maintain quality assurance processes, train and supervise staff, evaluate and improve our services, and ensure the efficient operation of our practice.
Legal, Regulatory and Professional Compliance
To comply with our obligations under applicable laws, regulations, professional standards, and accreditation requirements, including the Privacy Act 1988 (Cth), Health Records Act 2001 (Vic), Health Practitioner Regulation National Law, and other relevant legislation.
Research and Statistical Purposes
Where permitted by law, we may use de-identified information for practice analysis, quality improvement activities, service planning, and statistical reporting. Information used for these purposes will not identify you personally.
We will only use or disclose your personal information for the primary purpose for which it was collected, or for a related purpose that you would reasonably expect. We will not use or disclose your information for any other purpose unless you have provided your consent, or we are authorised or required to do so by law.
Disclosure of Information
We are committed to protecting the confidentiality of your personal and health information. We will only disclose your information where it is necessary for the provision of healthcare services, where you have provided consent, or where disclosure is otherwise permitted or required by law.
Your information may be disclosed in the following circumstances:
Healthcare Providers
We may disclose relevant personal and health information to your general practitioner (GP), specialists, allied health practitioners, diagnostic imaging providers, or other healthcare professionals involved in your care. This may include referral letters, treatment summaries, clinical notes, imaging reports, and other information necessary to support the continuity and coordination of your healthcare.
Health Funds and Claims Processing
We may disclose information to private health insurers and electronic claiming services, including HICAPS, to verify eligibility and process claims on your behalf.
Government Agencies and Statutory Bodies
Where required for administrative or claims-related purposes, we may disclose information to organisations such as Medicare, the Department of Veterans' Affairs (DVA), WorkSafe Victoria, the Transport Accident Commission (TAC), or other government agencies and statutory bodies.
Regulatory and Professional Bodies
We may be required to disclose information to regulatory authorities, including the Australian Health Practitioner Regulation Agency (AHPRA), the Chiropractic Board of Australia, or other professional or regulatory bodies in connection with audits, investigations, complaints, disciplinary proceedings, or compliance activities.
Legal and Public Safety Requirements
We may disclose personal information where required or authorised by law, including in response to a subpoena, court order, warrant, or other lawful request. We may also disclose information where necessary to lessen or prevent a serious threat to the life, health, or safety of an individual, or to public health or safety.
Third-Party Service Providers
We engage carefully selected third-party providers to support the operation of our practice, including providers of practice management software, secure cloud storage, information technology services, billing systems, communications services, and website hosting. These providers may have access to personal information only to the extent necessary to perform services on our behalf and are required to maintain appropriate privacy, confidentiality, and security standards.
Business and Administrative Purposes
In limited circumstances, personal information may be disclosed to professional advisers, auditors, insurers, or legal representatives where reasonably necessary for the management, protection, or operation of our practice and where appropriate confidentiality obligations apply.
We do not sell, rent, trade, or otherwise disclose your personal information to third parties for marketing purposes.
Unless otherwise permitted by law or with your express consent, we do not disclose personal information to recipients located outside Australia. Where an overseas disclosure is necessary, we will take reasonable steps to ensure that the recipient handles your information in accordance with applicable Australian privacy laws.
Sensitive Health Information
As a healthcare provider, The Spine Institute routinely collects health information, which is classified as sensitive information under the Privacy Act 1988 (Cth). Sensitive information is afforded a higher level of protection under the Australian Privacy Principles and the Health Records Act 2001 (Vic).
We collect sensitive health information only where it is reasonably necessary to provide healthcare services and fulfil our professional obligations. This information may include:
- Medical and health history;
- Current and past health conditions;
- Medications and allergies;
- Previous injuries, surgeries, and treatments;
- Family health history;
- Diagnostic imaging and test results; and
- Other information relevant to your assessment, diagnosis, treatment, and ongoing care.
Your health information is accessed only by authorised personnel who require access to perform their duties or provide healthcare services. We will not collect, use, or disclose sensitive health information except as permitted or required by law, including where necessary to prevent or lessen a serious threat to an individual's life, health, or safety.
You may withdraw your consent to the collection, use, or disclosure of certain information at any time. However, doing so may affect our ability to provide safe and appropriate healthcare services.
Data Security
We take reasonable steps to protect personal and health information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures are designed to safeguard information throughout its lifecycle and are regularly reviewed to ensure their effectiveness.
Physical Security
Our premises are secured using appropriate physical security measures. Paper records and sensitive documents are stored in secure filing systems and secure areas that are accessible only to authorised personnel.
Electronic Security
Electronic records are protected through industry-standard security controls, which may include encrypted data transmission, secure servers, password protection, multi-factor authentication, firewalls, anti-malware systems, and role-based access controls.
The system used to store these records is highly secure and runs on enterprise-grade infrastructure. Its provider maintains ISO 27001 certification, ensuring strict adherence to international security and privacy standards.
Key security features include:
- Encryption in Transit and at Rest: All data transmitted between devices and the data centres uses strong, modern encryption, including TLS 1.3 and Perfect Forward Secrecy. On-disk storage is fully encrypted.
- Access Control: Production cloud infrastructure is heavily segregated from internal corporate networks, and strict processes limit server access to authorised IT specialists only. Software support personnel cannot access our database unless we grant them explicit, temporary permission.
- Authentication Options: To protect accounts from unauthorised users, the system supports Two-Factor Authentication (2FA) and Passkeys for a secure, passwordless login experience.
- Granular Permissions: Specific access levels and permissions can be set for different team members, ensuring users only see the data relevant to their role.
- Cloud Backups: Using the provider's cloud service, server backups are automatically handled, safely encrypted, and stored off-site, protecting The Spine Institute from data loss due to hardware failure or theft.
Access Controls
Access to personal and health information is restricted to staff members and practitioners who require access to perform their professional duties. Individual user accounts and access permissions are assigned according to role and responsibilities.
Staff Training and Confidentiality
All practitioners, employees, and contractors are required to comply with privacy and confidentiality obligations. Staff receive training regarding privacy legislation, information security, and the handling of personal and health information.
Data Breach Response
In the event of a suspected or actual data breach, we will investigate the incident promptly and take appropriate remedial action. Where a breach is likely to result in serious harm, we will comply with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required.
Data Retention
We retain personal and health information only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal, regulatory, and professional obligations.
Clinical Records
Adult patient records are retained for a minimum of seven (7) years from the date of the last entry in the record, or for any longer period required by law or professional standards.
For patients who were under 18 years of age at the time treatment was provided, records are generally retained until the patient reaches 25 years of age, or for seven (7) years after the last entry in the record, whichever period is longer.
Financial Records
Financial, billing, taxation, and related business records are retained for the period required under applicable taxation and financial reporting legislation.
Secure Disposal
When personal information is no longer required and we are not legally required to retain it, we will take reasonable steps to securely destroy or permanently de-identify the information. Paper records are securely shredded or destroyed, and electronic records are permanently deleted or anonymised using appropriate methods.
Your Rights
You have a number of rights regarding the personal information we hold about you under the Privacy Act 1988 (Cth), the Australian Privacy Principles, and applicable health records legislation.
Access to Information
You may request access to the personal and health information we hold about you, subject to any lawful exceptions.
Correction of Information
You may request that we correct information that is inaccurate, incomplete, out of date, irrelevant, or misleading. We will take reasonable steps to ensure that the information we hold is accurate and up to date.
Withdrawal of Consent
Where we rely on your consent to collect, use, or disclose information, you may withdraw that consent at any time, subject to legal and clinical requirements.
Privacy Complaints
You may make a complaint if you believe your privacy rights have been breached or your information has been mishandled.
Anonymity and Pseudonymity
Where lawful and practicable, you may interact with us anonymously or using a pseudonym. However, in most cases this will not be possible where healthcare services are being provided.
Requests for access or correction should be directed to our Privacy Officer. We will generally respond within 30 days. While there is no fee for making a request, a reasonable administrative charge may apply for the provision of copies of records.
In certain circumstances, we may lawfully refuse access to information, including where access would pose a serious threat to health or safety, unreasonably impact another person's privacy, or where the request is frivolous, vexatious, or otherwise exempt under applicable legislation. If access is refused, we will provide written reasons and information about available review mechanisms.
Third-Party Links
Our website may contain links to external websites operated by third parties, including government agencies, professional organisations, healthcare resources, and other information providers.
These websites operate independently from The Spine Institute and are subject to their own privacy policies and practices. We are not responsible for the content, security, or privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal information.
The inclusion of a link on our website does not constitute an endorsement of the third party or its content.
Children's Privacy
The Spine Institute provides healthcare services to patients of all ages and is committed to protecting the privacy of children and young people.
Consent
For patients under the age of 18, personal and health information is generally collected with the consent of a parent or legal guardian. Depending on the patient's age, maturity, and circumstances, we may assess whether a young person is capable of providing their own consent in accordance with applicable laws and professional guidelines.
Protection of Children's Information
Personal and health information relating to children receives the same level of protection as information relating to adult patients. All provisions of this Privacy Policy regarding collection, use, disclosure, security, access, and retention apply equally to children's records.
Access to Children's Records
Parents and legal guardians may be entitled to access a child's health information. However, as children mature, their privacy rights may increase. We will consider the child's best interests, maturity, legal rights, and applicable legislation when responding to access requests.
Retention of Children's Records
Records relating to patients treated as minors are retained in accordance with applicable legal and professional retention requirements, including retention beyond the patient's eighteenth birthday where required.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal obligations, or business practices.
Any updates will be published on our website and will take effect from the date of publication. Where changes are significant, we may take additional steps to notify patients, including through our website, clinic communications, or direct contact where appropriate.
We encourage you to review this Privacy Policy periodically to remain informed about how we manage and protect your information.
Complaints
If you believe we have breached your privacy rights or mishandled your personal information, you may lodge a complaint with us.
Step 1 – Contact Our Privacy Officer
Please contact our Privacy Officer in writing, by telephone, or by email and provide sufficient detail to enable us to investigate your concerns.
Step 2 – Investigation and Response
We will acknowledge receipt of your complaint as soon as practicable and will generally respond within 30 days. We may contact you during the investigation to obtain further information or clarification.
Step 3 – External Review
If you are dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or, where relevant, the Health Complaints Commissioner Victoria.
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
Contact Us
If you have any questions about this Privacy Policy, wish to access or correct your personal information, or would like to make a privacy complaint, please contact our Privacy Officer.
Privacy Officer: Dr. Ilan Sommer
The Spine Institute
434 St Kilda Road, Level 1, Suite 112B
Melbourne VIC 3004
Phone: 1300 662 295
Email: spine_au@aol.com
We aim to respond to privacy-related enquiries as promptly as possible and, where required by law, within the applicable statutory timeframes.