Privacy Policy

1. Purpose

The purpose of this Privacy Policy is to tell you how Cardihab Pty Ltd (“Cardihab”, “we”, “us”, “our”) handles personal information and health information.

We handle personal and/or health information in three situations:

  1. When you are not a patient or HCP and engage us in business, including visiting our web site cardihab.com (see section 2.3)
  2. When you are a patient who chooses to use our mobile applications or visit our web site (see section 4).
  3. When you are a HCP and use our portal or visit our web site (see section 5).

Our apps and portals (which together we call our Services) help patients complete and HCPs deliver convenient, engaging and evidence-based cardiac rehabilitation programs.

This document describes what happens to personal and/or health information when people do business with us or choose to receive or deliver health care using our services.

This privacy policy guide has been developed to comply with the Australian Privacy Act 1988 and follows Office of the Australian Information Commissioner’s (OAIC) Australian Privacy Principle (APP) guidelines.

2. Scope

We are covered by the Australian Privacy Act 1988 (“Act”) whenever someone visits our web site or uses our services. The Act defines some of the terms we use in this policy. We also define a few additional terms in this policy:

Term Definition
Act The Privacy Act 1988.
Apps Cardihab’s mobile applications, which are built for Apple iOS (iPhone, iPad) and smartphone and tablet devices that run Google Android.
Customer The organisation that pays Cardihab to provide our services to their HCPs (e.g. State health department, hospital and health service, local health district, private health practice, health insurers).
Care Team The team of Providers together with the patient and their family/loved ones who work deliver care to the patient.
Health Care Provider (“HCP”) A health professional such as a nurse, allied health professional (e.g. physiotherapist, exercise physiologist) or doctor (general practitioner, cardiologist).
Health information To assist reading of this document we have replicated the full definition of Health information from the Act. However, when using our services only points a) and b) are relevant – we do not collect the information described at c) or d). Health Information means:
a)     information or an opinion about:
i)      the health or a disability (at any time) of an individual; or
ii)     an individual’s expressed wishes about the future provision of health services to him or her; or
iii)    a health service provided, or to be provided, to an individual;
that is also personal information; or
b)    other personal information collected to provide, or in providing, a health service; or
c)     other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
d)    genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
(Privacy Act 1988)
Patient Person undertaking the Cardiac Rehabilitation program.
Personal information Personal Information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
e)    whether the information or opinion is true or not; and
f)      whether the information or opinion is recorded in a material form or not.
(Privacy Act 1988)
Portal Cardihab’s HCP web portal.
Services Cardihab’s apps, Portal and Web site in combination.
Web site The Cardihab web site at https://cardihab.com/.

3 Business Contacts

3.1 Why we collect personal information about business contacts

We do not collect any health information and minimise the amount of personal information we collect about business contacts. When we do collect personal information about a business contact, we use it to provide services to that business contact and to help us to carry out our business.

3.2 How we collect business contact personal information

The ways we collect business contact personal information are:

  1. When they give it directly to us, for example when they contact us via our website, send us email, subscribe to receive communications or exchange business cards with us
  2. In the course of discharging any commercial arrangements between us and the business contact or their organisation
  3. Indirectly in the course of normal business, for example, when a third party gives us information about a business contact, or we seek information about a business contact from a third party. We might do this if we are finding people to invite to an event or to offer a service.

3.3. Personal information that we collect or hold about business contacts

We do not collect any health information and minimise the amount of personal information we collect about business contacts. The sort of personal information we collect or hold may include:

  1. Information relevant to a business contact’s business interactions with us such as their name and position, email address, phone number, business postal and street address, and information about our interactions.

3.4 How we share, use and retain personal information

We only share or use personal information to provide an agreed business service to you. We retain personal information held by business contacts indefinitely, unless the business contact asks to be forgotten.

3.5 Sub-contactors

If we share personal information with a subcontractor to help us with our work, we enter into a contractual agreement to keep the information secure. We do not  share or use information about business contacts for any other purpose without their permission unless the law requires it.

3.5.1 Customer Relationship Management System

We use Insightly, US-based company, to help us manage business contact information. Insightly’s privacy policy says they “has no direct relationship with the individuals whose personal data it processes” on our behalf. Insightly also provides information on their data security arrangements.

3.5.2 Email Communication System

We use Mailchimp, a US-based online marketing company, to send emails to our business contacts and HCP’s using our Services. Mailchimp’s privacy policy says that “much of the Personal Information we collect and process about Contacts through the Services, we act as a processor on behalf of our Members.” Mailchimp also provides information on their data security arrangements.

3.5.3 Survey-based Feedback System

We use SurveyMonkey, a US-based online marketing company, to gain feedback from our business contacts. SurveyMonkey’s privacy policy states that as Cardihab is the creator of the surveys that “Your surveys/forms/applications/questionnaires and any responses you collect to them are private by default (except if you have made them available via a public link). We don’t sell individual responses to anyone and we don’t use those responses for purposes unrelated to you or improving our services, except in the limited set of circumstances outlined in the privacy policy.” SurveyMonkey also provides information on their data security arrangements.

3.5.4 Web Site Analytics

Cardihab’s web site uses Google Analytics, a web analytics service provided by Google Inc. (Google). Google Analytics uses cookies and JavaScript to collect website traffic data. The following information is transmitted to and stored on Google's servers for analysis:

  1. The time the current visit occurred
  2. Whether the visitor has been to the site before
  3. What site referred the visitor to the web page
  4. The visitor's IP address.

We use the statistics provided by Google Analytics to evaluate the effectiveness of our website and improve its functionality. We do not install any other cookies, local shared objects or other web technology to research the habits of individual visitors.

For more information about how Google Analytics collects, uses and safeguards website traffic data, click here. You can opt out of Google Analytics by visiting here.

4 Patients

4.1 Why we collect personal information about patients

We collect personal and health information about patients when they and their HCP(s) use our services. We collect this information to help patients complete and HCPs deliver a cardiac rehabilitation program using our service.

Cardiac rehabilitation is highly recommended by many authoritative organisations as one of the best ways a patient can recover from heart problems (heart attack, coronary revascularisation (CABG, PCI), heart failure, stable angina, valve replacement, pacemaker or ICD implant and many others) and has been proven to reduce the risk of further heart problems (secondary heart attack), improve overall health and result in fewer hospital admissions.

Our way of delivering cardiac rehabilitation (our “model of care”) involves a patient using our smartphone/tablet app to record health measurements, medication use, view educational materials and follow an exercise prescription. This information is sent from our app to our HCP portal. During each week of our six-week program, the patient and their HCP conduct a telephone call during which the HCP reviews the patient’s progress in the portal, records progress notes in the portal and provides the counselling and support that are at the heart of a cardiac rehabilitation program.

At the end of a cardiac rehabilitation program the patient can choose to continue using the app as an aid to their long-term care, or delete the app from their device. The HCP will use the portal to create a discharge summary that may be distributed to the patient, other members of the patient’s care team (GP, cardiologist) and/or stored in an electronic health record system depending on the policies of the HCP’s health care organisation.

We also collect personal information when a patient visits our web site, so we can carry out our business.

4.2 How we collect patient personal and health information

The ways we collect patient personal and health information are:

  1. When a patient chooses to use our apps they record personal and health information,
  2. When a HCP uses our portal to design and deliver a cardiac rehabilitation program to the patient via our apps,
  3. When a patient visits our web site our web site analytics will also collect information about their visit as described in 3.5.4.

4.3. Personal and health information that we collect or hold about patients

We limit the amount of health information we collect about patients to that information required by our way of delivering a cardiac rehabilitation program (our “model of care”). The information required by our model of care includes:

  1. Demographic information required by HCPs to identify a patient:
    • Name
    • Date of birth
    • Gender
    • Mobile phone number
    • Postal code
    • Marital status
    • Employment status
    • Indigenous status
    • Living status
  2. Other demographic information a patient may supply to us when maintaining their profile in our app
    • Email address
    • Contact details for other members of their care team (GP, cardiologist, etc)
  3. Cardiac history and identified risk factors required by the HCP to design a cardiac rehabilitation program for a patient:
    • Principal Diagnosis, Current Episode or Procedure
    • Current medications
    • Past medical history
    • Past surgical history
  4. Details of the cardiac rehabilitation program being delivered by the HCP to the patient:
    • Period or length of program
    • Health measures being monitored
    • Education content
  5. Information recorded by the patient and HCP during the cardiac rehabilitation program (the exact information in each of these categories depends on the patient’s cardiac history, risk factors and the program being developed by the HCP):
    • Health measures
    • Symptoms
    • Exercise completed
    • Medications taken
    • Patient goals
    • Notes written by the HCP about the patient’s progress through the program
  6. Statistics about app performance
    • App installs & uninstalls
    • App ratings provided to the app store
    • App crashes and performance metrics
    • App feature use
    • Device type and operating system version

4.4 How we share, use and retain patient personal and health information

We will only share patient’s personal and health information with HCPs who are employed by our Customer, or where we believe the patient would reasonably expect us to share the information to support the delivery of health care to the patient. This may include sharing information with other members of the patient’s care team.

With the patient’s permission we may create a de-identified and pseudo-anonymised version of the personal and health information which may be used to improve the quality and performance our services and the HCPs using our services. For example, we may provide the de-identified and pseudo-anonymised information to clinical registries so that patient outcomes and clinical practice can be analysed, compared and improved over time.

Our de-identification/pseudo-anonymisation process follows guidance from the OAIC and CSIRO to remove and alter the parts of the information so that the risk of re-identification of the involved is very low. This process involves removing personal identifiers (e.g. name, mobile phone number, email address and care team if provided), then removing and/or altering other information (date of birth, HCP notes) to create the de-identified and pseudo-anonymised information.

As Cardihab is the custodian of patient and personal health information we will retain this information on behalf of our customer and patient. This will be done in accordance with local legislation for Health Sector (Clinical Records) Retention and Disposal Schedule. Records displaying evidence of clinical care to a patient need to be retained for a minimum of 7-10 years (depending on local legislation) after the last patient service provision or medico-legal action. After this time it is not a legal requirement to dispose of these records and Cardihab will continue to securely store it as archived data beyond this time.

4.5 Sub-contactors

We use sub-contractors to help us deliver our services. We thoroughly vet these sub-contractors, then enter into contractual agreements to keep personal and health information secure. We check from time to time that they have complied with their agreement.

We do not share information about patients with any other organisation for any other purpose without the patient’s permission unless the law requires it.

4.5.1 Cloud Computing Platform

Our web portal runs on the Australian-based cloud computing platform provided by Amazon Web Services (AWS), a US-based cloud-computing company with data centres in Australia. Patient personal and health information is sent from our apps to our systems running in AWS for storage and processing. We also use AWS to send text messages to patients.

We control where patient personal and health information is located and processed and ensure it is always done in AWS’s Australian data centres. Patient personal and health information is encrypted at all times when “at rest” in AWS and we control encryption settings and keys. The AWS privacy policy can be found here.

4.5.2 App Stores

Our apps are available for download from the Apple App Store and Google Play. Apple and Google gather personal information about downloads from these app stores. We never share patient health information with Apple and Google. Information about Apple’s privacy policy can be found here. Information about Google’s privacy policy can be found here.

4.5.3 App Analytics

Our use of the Apple App Store and Google Play to distribute our apps to patients provides us with information about the use, performance and stability of our apps. This  information includes: installs, uninstalls, ratings, crashes and device type and operating system version. We also use Google Fabric to provide us similar information and other about use of specific features in our apps. We never share patient health information with Apple and Google. See 4.5.2 for links to the Apple and Google privacy policies.

4.5.4 Web Site Analytics

We gather web site analytics whenever someone (including patients) visits our web site, as described at 3.5.4.

5 Health Care Providers (HCPs)

5.1 Why we collect personal information about HCPs

We do not collect any health information and minimise the amount of personal information we collect about HCPs. When we do collect personal information about a HCP, we use it to provide services to that HCP and to help us to carry out our business.

5.2 How we collect HCP personal information

The ways we collect HCP personal information are:

  1. When their employing organisation is a Customer and they or someone else who works for the Customer gives us their information in the course of discharging a commercial arrangement between us and their organisation,
  2. Indirectly in the course of normal business, for example, when a third party gives us information about a HCP, or we seek information about a HCP from a third party. We might do this if we are finding people to invite to an event or to offer a service.

5.3. Personal information that we collect or hold about HCPs

We do not collect any health information and minimise the amount of personal information we collect about HCPs. The sort of personal information we collect or hold may include:

  1. Information relevant to a HCP’s business interactions with us such as their name and position, email address, phone number, business postal and street address, and information about our interactions.
  2. Information about how the HCP uses our HCP portal including statistics on how frequently and for how long the HCP uses the portal and how frequently they use particular portal features

5.4 How we share or use personal information

We only share or use personal information to provide our services to you, usually due to a contractual arrangement between us and your employer/our Customer. Our usual contractual arrangements include sharing the information we collect about you with our Customer.

5.5 Sub-contactors

If we share personal information with a subcontractor to help us with our work, we enter into a contractual agreement to keep the information secure. We check from time to time that they have complied with their agreement. We don’t share or use information about HCPs for any other purpose without their permission unless the law requires it.

5.5.1 Cloud Computing Platform

Our web portal runs on the Australian-based cloud computing platform provided by Amazon Web Services (AWS), a company based in the USA with data centres in Australia. The statistics we gather on HCP use of the portal are processed and stored on the AWS platform. See 4.5.1 for more information on how we use the AWS platform.

5.5.2 Customer Relationship Management System

We use Insightly, a company in the USA, to help us manage HCP information. See 3.5.1 for information about Insightly’s privacy and security arrangements.

5.5.3 Web Site Analytics

We gather web site analytics whenever someone (including HCPs) visits our web site, as described at 3.5.4.

6 How we Support Your Privacy Rights

Where we collect or hold information about a business contact, patient or HCP, that person has rights to access, correct, complain or inquire about that information or their privacy.

We take privacy rights seriously and have appointed a Privacy Officer who will follow our processes to manage our response to privacy requests, including reporting progress to our CEO in a timely manner. See section 6.3 for our Privacy Officer’s contact details.

6.1 Right of access, correction or deletion of personal information

Anyone who believes we hold information about them may ask us for access to, correction of or deletion of that information with the exclusion of health information which must be retained for the legislated period of time. Please contact our Privacy Officer (see section 6.3) and tell us what you would like to do with your information.

We will respond within a reasonable time, usually within 5 working days. In line with our commitment to protect your privacy, we may ask you to verify your identity and provide a reason for your request.

If you are a patient or HCP, we will inform our Customer of your request and you may be asked to pursue that request via our Customer’s privacy processes. If you are not satisfied with the outcome of our Customer’s process, we will respond to your request in manner consistent with the Privacy Act.

6.2 Complaints and Enquiries

If you have a complaint about the way we have treated your personal or health information, please contact our Privacy Officer who will work with you to address your complaint as quickly as possible. If you are a patient or HCP, we will inform our Customer of your request and you may be asked to pursue that request via our Customer’s privacy processes. If you are not satisfied with the outcome of our Customer’s process, we will respond to your request in manner consistent with the Privacy Act.

We welcome any questions and comments you may have about our privacy practices.

If you are not satisfied with our response to your privacy concern, you can complain to the Office of the Australian Information Commissioner.

Email : enquiries@oaic.gov.au
Telephone : 1300 363 992 (from overseas +61 2 9284 9749)

6.3 Privacy Officer Contact Details

Office Address:
The Privacy Officer
Cardihab Pty Ltd
Level 3
315 Brunswick Street
Fortitude Valley, QLD 4006, Australia.

Postal Address:
The Privacy Officer
Cardihab Pty Ltd
PO Box 1319
Fortitude Valley, QLD 4006, Australia

Email:
privacy@cardihab.com

Web:
cardihab.com/privacy

6.4 Updates to this policy

This Privacy Policy may be updated from time to time for any reason. The date and nature of any modifications to our Privacy Policy will be included in our policy documentation and updates will be posted on our web site. Please be advised to consult this Privacy Policy regularly to review for any changes.

In the event that the modifications materially alter your rights or obligations, we will make reasonable efforts to notify you of the change. For example, we may send a message to your email address or generate a pop-up or similar notification when you access our services for the first time after such material changes are made. Your continued use of our services after the revised Privacy Policy has become effective indicates that you have read, understood and agreed to the current version of this Privacy Policy.

Updated 29 November 2019. Reflects hard copy 2.1 of the Cardihab Pty Ltd Privacy Policy November 2019.