TANDEM REHAB
PRIVACY POLICY
Effective Date: 28.04.2022
Last Updated: 09.06.2026
1. About Tandem Rehab
Tandem Rehab is committed to protecting the privacy and confidentiality of personal and health information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
This Privacy Policy explains how Tandem Rehab collects, stores, uses, discloses and manages personal and/or sensitive information.
2. Personal Information We Collect
Tandem Rehab may collect personal and health information reasonably necessary for its functions and activities in providing exercise physiology and related services.
The information that Tandem Rehab may collect includes:
Name, date of birth, address, phone number and email address;
Emergency contact details;
Medicare, private health insurance, NDIS, DVA, Workers Compensation and CTP information;
Medical history and health information;
Referral information and reports from healthcare providers;
Assessment findings, treatment records and rehabilitation program information;
Billing and payment information; and
Correspondence and communication records,
(together, the Information).
Some of the Information may constitute ‘personal information’ or ‘sensitive information’ under the Privacy Act.
3. How and Why Information Is Collected
Information may be collected through intake forms, consent forms, consultations, assessments, treatment sessions, telephone conversations, emails, online enquiries, online bookings, referral letters, healthcare providers, insurers, funding bodies and other authorised sources. Where practical, Information is collected directly from the client.
Information is collected to:
Provide exercise physiology assessment and treatment services;
Develop and monitor rehabilitation programs;
Maintain clinical records;
Coordinate care with healthcare providers;
Process Medicare, NDIS, DVA, Workers Compensation, CTP and other funding claims;
Process payments and invoices;
Communicate regarding appointments and services; and
Meet legal, professional and regulatory obligations.
The collection of Information is reasonably necessary to allow Tandem Rehab to provide exercise physiology services to the person from whom the Information is collected.
If the necessary Information is not provided, Tandem Rehab may be unable to provide some or all services.
4. Storage and Security of Information
Information may be stored electronically, in cloud-based systems, email systems, accounting software and physical records where required.
Tandem Rehab currently uses:
Nookal for practice management, scheduling, invoicing and clinical record storage;
Physitrack for exercise prescription and rehabilitation programming; and
Heidi Health for AI-assisted clinical documentation.
Reasonable steps are taken to protect Information from misuse, interference, loss, unauthorised access, modification or disclosure. Security measures may include password protection, access controls, encryption, secure cloud storage and secure disposal procedures.
5. Use and Disclosure of Information
Information is used and disclosed only for purposes related to the provision of services, administration of Tandem Rehab and compliance with legal obligations.
Information may be shared with:
General Practitioners and Medical Specialists;
Allied Health or other healthcare providers involved in your care;
Hospitals and healthcare facilities;
NDIS representatives and plan managers;
Medicare, DVA, Workers Compensation and CTP insurers;
Private health insurers;
Case managers; and
Professional advisers such as accountants or legal advisers, where required.
Information will only be disclosed where consent has been provided, disclosure is reasonably necessary for service delivery, or disclosure is authorised or required by law.
6. Overseas Disclosure
Tandem Rehab uses third-party service providers including Nookal, Physitrack and Heidi Health. These providers may use cloud-based infrastructure located within Australia and overseas for data storage, processing, backup, security and technical support. As a result, Information may be stored, processed or backed up outside Australia. These arrangements may change over time as service providers update their infrastructure.
Tandem Rehab takes reasonable steps to ensure overseas service providers handle Information in a manner consistent with the Privacy Act and the APPs.
Tandem Rehab does not sell or disclose Information to overseas recipients for marketing purposes.
7. Accessing and Correcting Information
You may request access to your Information held by Tandem Rehab and request correction of Information that is inaccurate, incomplete, out-of-date, irrelevant or misleading. Requests should be directed to Tandem Rehab using the contact details provided in this Privacy Policy. Requests will be managed in accordance with applicable privacy legislation. In some circumstances, access may be refused where permitted by law.
8. Privacy Complaints
If you believe your privacy has been breached or your Information has been mishandled, please contact:
Tandem Rehab
Phone: 0466 006 286
Email: tandemrehab@gmail.com
Tandem Rehab will acknowledge your complaint, investigate the matter, seek further information if required, and provide a written response outlining any findings and actions taken.
If you are dissatisfied with the outcome, you may contact the Office of the Australian Information Commissioner (OAIC):
Phone: 1300 363 992
Website: www.oaic.gov.au
9. Retention, Destruction and De-identification
Tandem Rehab retains Information only for as long as required to fulfil the purposes for which it was collected and to comply with legal, professional and regulatory obligations.
Health records are retained in accordance with applicable Commonwealth and State legislation, professional standards and insurer requirements.
When Information is no longer required, reasonable steps will be taken to securely destroy or permanently de-identify the Information. This may include secure deletion of electronic records, secure destruction of paper records and permanent de-identification of data used for administrative or statistical purposes.
10. Website and Electronic Communications
The Tandem Rehab website may collect limited technical information such as IP addresses, browser type, device information, website usage information and cookie data to improve website performance and user experience. By using the Tandem Rehab website, you consent to the collection of technical information and cookie data, as described in this Privacy Policy.
Clients may receive communications via email, SMS, telephone, Nookal and Physitrack.
While reasonable steps are taken to protect Information transmitted electronically, no method of communication can be guaranteed to be completely secure.
11. Notifiable Data Breaches
The Privacy Act imposes mandatory data breach notification obligations. If Tandem Rehab becomes aware of a data breach that is likely to result in serious harm to one or more individuals, Tandem Rehab will, as soon as practicable:
assess whether the breach constitutes an ‘eligible data breach’ under the Privacy Act;
notify the OAIC using the prescribed form; and
notify affected individuals whose Information was involved and who are at risk of serious harm.
Where Tandem Rehab suspects a breach may have occurred but cannot complete an assessment within 30 days, Tandem Rehab will notify the OAIC of the suspected breach pending completion of the assessment. Notifications will include the kind of Information involved, the circumstances of the breach, and steps taken or recommended for affected individuals.
12. Cyber Incident Response
A cyber incident is any event that compromises or threatens to compromise the confidentiality, integrity or availability of Information held by Tandem Rehab, including ransomware attacks, unauthorised access, phishing, malware, and system intrusions affecting third-party platforms such as Nookal, Physitrack or Heidi Health.
Where a cyber incident occurs (or is suspected to have occurred), Tandem Rehab will undertake the following steps:
Immediate Response (0–24 hours)
Upon detecting or being notified of a suspected cyber incident, Tandem Rehab will immediately: contain the incident by isolating affected systems or accounts; preserve evidence including logs, error messages and affected files; notify relevant third-party platform providers (Nookal, Physitrack, Heidi Health) where their systems are involved; and engage IT support or a cybersecurity specialist where required.
Assessment (24–72 hours)
Tandem Rehab will assess: the nature and scope of the incident; which categories of Information were or may have been accessed, altered or exfiltrated; the number of individuals potentially affected; and whether the incident constitutes an eligible data breach under the Privacy Act. Where the assessment cannot be completed within 30 days, Tandem Rehab will notify the OAIC of the suspected breach in accordance with section 11 (Notifiable Data Breaches) of this Policy.
Notification and Remediation
Where an eligible data breach is confirmed, Tandem Rehab will notify affected individuals and the OAIC as required by the Privacy Act. Remediation steps will be taken to prevent recurrence, including reviewing and updating security controls, access permissions, staff procedures and third-party service provider arrangements. A written record of the incident, assessment and response will be maintained.
If you become aware of or suspect a cyber incident affecting your Information held by Tandem Rehab, please contact Tandem Rehab immediately using the contact details in section 8 (Privacy Complaints) of this Policy.
13. Changes to this Policy
Tandem Rehab may update this Privacy Policy from time to time to reflect changes in legislation, technology, business practices or service delivery arrangements.
The most current version will be available through Tandem Rehab and on the Tandem Rehab website.