Privacy Policy
Last updated: 28 March 2026
1. About this Policy
Flourish Health Australia Pty Ltd (ABN 94 687 929 246) ("Flourish Health", "we", "us", "our") is an allied health practice providing occupational therapy services across Victoria, Australia.
We are committed to protecting the privacy of our clients, their families and carers, referrers, and website visitors. This Privacy Policy explains how we collect, use, disclose, and protect personal information and health information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, the Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs).
By engaging our services or using our website (www.flourishhealth.com.au), you agree to the practices described in this policy.
2. What Information We Collect
Personal information
We may collect the following personal information:
- Full name, date of birth, and gender
- Postal address, email address, and phone number
- NDIS participant number and plan details (where applicable)
- Emergency contact and next-of-kin details
- Support coordinator and plan manager contact details
- Referrer details (name, practice, contact information)
Health information
As an allied health provider, we collect sensitive health information, including:
- Medical history, diagnosis, and disability-related information
- Functional assessment findings (including Functional Capacity Assessments)
- Therapy goals, progress notes, and treatment plans
- Home environment and daily living assessments
- Assistive technology and home modification recommendations
- Medicare and health insurance details (where relevant)
Website and technical information
When you visit our website we may automatically collect:
- IP address and browser type
- Pages visited and time spent on pages
- Referring URL and device type
- Google Analytics data (aggregated and anonymised)
3. How We Collect Information
We collect information:
- Directly from you, your family, or your authorised representative when you engage our services, complete a referral form, or contact us
- From referrers (GPs, support coordinators, hospitals, or other health professionals) with your consent or your representative's consent
- From the NDIS or your plan manager in connection with funding and service agreements
- Through cookies and analytics tools when you use our website
We collect health information only when it is necessary to provide occupational therapy services. We will always try to collect information directly from you first.
4. How We Use Your Information
We use personal and health information to:
- Provide, manage, and improve our occupational therapy services
- Conduct functional assessments, develop therapy plans, and monitor progress
- Communicate with you, your family, carers, and support coordinators about your care
- Process invoices and claim payment from the NDIS, plan managers, or other funders
- Meet our legal and professional obligations, including AHPRA registration requirements and mandatory reporting obligations
- Respond to enquiries and referrals
- Improve our website and services (using de-identified or aggregated data only)
- Comply with court orders, subpoenas, or regulatory investigations
We will not use your personal or health information for direct marketing without your explicit consent, and you may opt out of any marketing communications at any time.
5. Use of Artificial Intelligence and Automated Tools
We may use secure digital systems, including artificial intelligence (AI)-enabled tools, to assist our clinicians and staff with administrative and clinical documentation tasks. These tasks may include drafting reports, summarising clinical notes, transcribing session recordings, and supporting correspondence.
These tools are used to support service delivery and do not replace professional clinical judgement. All clinical records, reports, and recommendations generated with the assistance of AI tools are reviewed, verified, and approved by a qualified AHPRA-registered occupational therapist before being finalised or relied upon.
We take reasonable steps to ensure that any AI-enabled tools we use handle personal information and sensitive health information in accordance with the Privacy Act 1988 (Cth), the Health Records Act 2001 (Vic), and the Australian Privacy Principles. Where AI tools involve third-party services, we assess their data handling practices and, where practicable, use tools that process data within Australia or under equivalent privacy protections.
6. Disclosure of Your Information
We may disclose your information to:
- Other treating health professionals involved in your care, with your consent or where clinically necessary
- NDIS and plan managers for funding claims, service agreements, and compliance purposes
- Support coordinators and referrers for coordination of your care, where you have consented or where it is a condition of our service agreement
- Government agencies and regulators where required by law (e.g., mandatory reporting obligations under child protection or elder abuse legislation, AHPRA)
- Our professional advisors (lawyers, accountants, insurers) under strict confidentiality obligations
- Cloud service and practice management software providers who process data on our behalf under data processing agreements
We do not sell, rent, or trade your personal or health information to third parties for commercial purposes.
Some of our service providers may store data on servers outside Australia (e.g., Google Analytics, cloud infrastructure). Where this occurs, we take reasonable steps to ensure those providers meet privacy standards equivalent to the APPs.
7. Storage and Security
We store client records securely in our practice management system. Access is restricted to authorised clinicians and administrative staff. We use industry-standard encryption for data in transit and at rest.
Health records are retained for a minimum of seven (7) years from the date of the last service, or until a child turns 25 (whichever is later), in accordance with Victorian health records legislation and AHPRA guidelines.
Where records are no longer required, we securely destroy or de-identify them.
8. Your Privacy Rights
Under Australian privacy law, you have the right to:
- Access the personal and health information we hold about you
- Correct inaccurate, incomplete, or out-of-date information
- Know why we collected your information, how we use it, and who we may disclose it to
- Complain about a breach of the APPs or HPPs
- Withdraw consent where we are relying on consent as our basis for collecting or using your information (noting this may affect our ability to provide services)
To exercise any of these rights, contact our Privacy Officer at admin@flourishhealth.com.au. We will respond within 30 days.
If your request for access or correction is refused, we will provide the reasons in writing and advise you of any recourse available.
9. Cookies and Website Analytics
Our website uses cookies and Google Analytics to understand how visitors use our site. Analytics data is aggregated and does not identify individual users. You can disable cookies in your browser settings, though some website features may not function correctly if you do.
We do not use tracking cookies for advertising or remarketing purposes.
10. Children's Privacy
Many of our clients are children and young people. Where a client is under 18, we collect and handle their information with the consent of a parent, legal guardian, or authorised representative. We apply additional care to the handling of children's health records in accordance with the Health Records Act 2001 (Vic).
11. NDIS-Specific Privacy Obligations
As an NDIS-aligned provider, we comply with the National Disability Insurance Scheme Act 2013 (Cth) and associated Rules regarding the handling of participant information. We do not share NDIS participant information beyond what is necessary to deliver agreed supports and meet our reporting obligations.
Participants have the right to access information held about them by the NDIS directly through the NDIA. Flourish Health does not have access to the NDIS portal on behalf of participants unless explicitly authorised.
12. Complaints
If you believe we have mishandled your personal or health information, please contact our Privacy Officer in the first instance:
Privacy Officer
Flourish Health Australia Pty Ltd
44 Lakeview Dr, Scoresby VIC 3179
Email: admin@flourishhealth.com.au
Phone: (03) 7043 7778
If you are not satisfied with our response, you may lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au - for breaches of the APPs
- Health Complaints Commissioner (Victoria): www.hcc.vic.gov.au - for breaches of the HPPs
- NDIS Quality and Safeguards Commission: www.ndiscommission.gov.au - for NDIS-related concerns
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our services. The current version will always be published on this page with the date of last update. For material changes, we will notify current clients by email.
14. Contact Us
For any privacy-related queries, contact us at:
Flourish Health Australia Pty Ltd
44 Lakeview Dr, Scoresby VIC 3179
admin@flourishhealth.com.au
(03) 7043 7778
