Data Handling and Information Security Policy
Medbill Pty Ltd (ABN 58 135 003 002) (“we”, “us” or the “Company”) is committed to protecting the security and privacy of all data we handle, particularly sensitive medical information. This Data Handling and Information Security Policy (“Policy”) sets out our requirements and procedures for collecting, handling, storing and protecting data.
This Policy should be read in conjunction with our Privacy Policy and other relevant company policies.
Scope and Application
This Policy applies to all employees, contractors, volunteers, and other personnel engaged by the Company. It covers all data handled by the Company, with particular focus on sensitive medical data and extends to all systems, platforms and methods used by us to collect, process and store data. The Policy requirements must be followed across all locations where Company data is accessed, including remote work environments.
Data Collection
Collection Methods
Data may be collected through:
Our secure mobile application
Our website and web portal (medicalbillingservices.com.au)
Secure email communications
Direct uploads through authorised platforms
Secure Collection Requirements
The Company maintains strict security requirements for all data collection activities. All data must be collected exclusively through authorised secure channels that have been approved by the Information Security Officer. For web-based collection, all forms utilise encryption through HTTPS protocols to ensure data security during transmission.
When collecting data through file uploads, these must only be processed through secure, authenticated portals that verify the identity of the user and maintain data integrity throughout the upload process. Any sensitive data transmitted via email must use appropriate encryption methods to protect the confidentiality of the information during transmission. It is the responsibility of the sender to ensure this occurs.
Data Handling and Processing
General Requirements
The Company implements comprehensive security measures for all data handling processes. All sensitive data must be encrypted during both transmission and storage using industry-standard encryption protocols. Access to sensitive data is strictly controlled and limited to authorised personnel who require it for their specific job functions. Data usage is restricted to authorised business purposes only, and all handling must comply with relevant privacy legislation and the Australian Privacy Principles.
Artificial Intelligence and Machine Learning Processes
The Company may employ artificial intelligence and machine learning technologies under strict security protocols. Any use of artificial intelligence (AI) or large language model (LLM) systems for data processing must be explicitly disclosed to clients before processing begins. The Company only utilises authorised and secure AI systems that have undergone rigorous security assessments.
All personal and sensitive medical information must undergo a thorough de-identification process before any AI processing occurs. This processing must take place within secure, compliant environments that are regularly monitored and audited. The Company conducts regular audits of all AI processing systems to ensure ongoing compliance and security.
Data Storage and Retention
Storage Requirements
The Company maintains robust security measures for data storage. All sensitive data is stored in secure, encrypted databases with appropriate access controls and monitoring. Our backup systems maintain the same high level of security as primary systems, ensuring data protection throughout its lifecycle. All data is stored within Australia unless explicit notice has been given by the Company regarding offshore storage. We maintain comprehensive access logs for all sensitive data access, which are regularly reviewed for security purposes.
Retention Periods
The Company adheres to the following retention periods for various types of data:
Medical billing data: Minimum 7 years from the date of service
Client account information: Duration of client relationship plus 2 years
System logs and access records: Minimum 2 years
De-identified data for analysis: As required for business purposes
Data Disposal
The Company follows strict protocols for data disposal to ensure sensitive information remains protected throughout its lifecycle. All data disposal must follow secure deletion protocols appropriate to the type of data and storage medium involved. Physical media must undergo secure destruction processes, and all disposal actions must be logged and documented for audit purposes.
Access Controls
Authentication Requirements
The Company implements stringent authentication protocols to protect data access. Multi-factor authentication is required for all system access where available. All passwords must meet the following requirements:
Minimum length of 8 characters, containing a combination of capital letters, lower-case letters, numbers, and symbols;
If initially set by any administrator, must be uniquely and randomly generated and changed immediately by the user;
Must not be written down and left unprotected;
Must not be shared or exchanged without explicit supervisor approval; and
Must be changed immediately if there is any possibility of compromise.
The Company strongly encourages the use of password management tools to maintain password security. The Company conducts regular access reviews to ensure appropriate access levels are maintained, and all system access requires unique user IDs for accountability purposes.
Access Levels
The Company manages access to data and systems based on the principle of least privilege. Access is granted strictly on a need-to-know basis and is regularly reviewed to ensure it remains appropriate. When personnel change roles or leave the organisation, their access is immediately reviewed and amended as necessary. Any elevated access privileges require special approval and are subject to additional monitoring.
Security Measures
Technical Security
The Company maintains comprehensive technical security measures to protect data. These include:
Regular security assessments and penetration testing;
Current encryption standards for data at rest and in transit;
Regular system updates and security patches; and
Network segregation for sensitive systems.
Physical Security
The Company implements physical security measures to protect data and systems. Access to server locations is strictly controlled and monitored. All personnel must follow a clean desk policy, which requires that:
All sensitive documents, notes, and media must be removed from desks and locked away when leaving the workspace;
Computer screens must be locked when personnel leave their desks, even for short periods;
Sensitive information must not be left visible on desks or screens where it could be reviewed by unauthorised persons;
Documents containing sensitive information must be immediately retrieved from printers and not left in shared spaces; and
All sensitive materials must be properly secured at the end of each work day.
The Company maintains secure disposal processes for physical documents and enforces visitor access controls at all locations where sensitive data may be accessed.
Incident Response
Security Incidents
The Company maintains a comprehensive incident response framework. All personnel must immediately report suspected security incidents through appropriate channels. The Company maintains documented incident response procedures that are regularly tested and updated. We comply with all mandatory reporting requirements for eligible data breaches.
Data Breaches
In the event of a data breach, the Company follows strict response protocols in compliance with the Notifiable Data Breaches scheme prescribed by the Privacy Act 1988 (Cth). This includes immediate containment actions to prevent further data loss, thorough investigation and documentation of the incident, and appropriate notification procedures for affected clients and regulatory bodies.
Training and Compliance
Staff Training
The Company provides comprehensive security training to all personnel. This includes mandatory security awareness training, regular updates on security procedures, and specific training for handling medical data. All training completion is documented and tracked to ensure compliance.
Compliance Monitoring
The Company maintains active compliance monitoring through regular audits, system monitoring, and logging of security-relevant events. This Policy undergoes regular review and updates to ensure it remains current with business practices and security requirements. Regular compliance reports are provided to management for oversight.
Policy Review
This Policy undergoes review annually, or more frequently if required by:
Changes in legislation or regulations;
Changes in our business practices;
Identification of new security risks or challenges;
Following any major security incidents.
This Policy should be read in conjunction with the Company’s Privacy Policy.
Contact
For questions about this Policy or to report security concerns, contact the Information Security Officer at privacy@medbill.com.au.
Last updated: March 2025