• Home
  • About Us
  • Our Team
  • Contact Us
  • Referral Form
  • Privacy Policy
  • More
    • Home
    • About Us
    • Our Team
    • Contact Us
    • Referral Form
    • Privacy Policy
  • Home
  • About Us
  • Our Team
  • Contact Us
  • Referral Form
  • Privacy Policy

Privacy Policy

PRIVACY POLICY

1 INTRODUCTION 


This document sets out the privacy policy of The Trustee for L Bailie Family Trust (ABN 54 949 965 627) trading as Lotus Allied Health (referred to in this privacy policy as ‘we’, ‘us’, or ‘our’).

This privacy policy applies to all personal information we collect in the course of providing our services, whether in person, via telehealth, or in school or community settings.

We take our privacy obligations seriously. As a health service provider, we are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act) regardless of our annual turnover, and by the Health Records Act 2001 (Vic) and the Health Privacy Principles in that Act in respect of health information we collect in Victoria. We are also bound by privacy and confidentiality obligations arising under the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Code of Conduct.

This privacy policy explains how we collect, use, store, disclose and protect personal information (including sensitive information and health information). By providing personal information to us, you consent to us handling it in accordance with this privacy policy.

We may change this privacy policy from time to time by posting an updated copy on our website. We encourage you to check our website regularly to ensure you are aware of our most current privacy policy.

2 TYPES OF PERSONAL INFORMATION WE COLLECT 


The personal information we collect may include:
(a) name, date of birth, age, preferred pronouns and sex;
(b) contact details, including residential or service address, email address and telephone number;
(c) emergency contact details and relationship;
(d) information about a parent, legal guardian, nominee, support coordinator, plan manager, or other representative or any other person involved in your care (including carers, support workers, family members and informal supports);
(e) information about your circumstances relevant to the delivery of our services, including your living arrangements, school, workplace and informal supports;
(f) information collected through client surveys, questionnaires, feedback and complaints;
(g) device identity and type, IP address, geo-location information, page view statistics and standard web log information collected when you interact with our website; and
(h) any other information you provide to us, or that we collect from a third party with your consent or as otherwise permitted by law.
We do not collect credit card or other direct payment information from clients. NDIS-funded services are billed in accordance with our service agreement and the NDIS Pricing Arrangements and Price Limits.

3 SENSITIVE AND HEALTH INFORMATION

Collection of sensitive and health information
Because of the nature of our services, we routinely collect sensitive information and health information about you. We will only collect this information where you (or a person authorised to consent on your behalf) have consented, or where the collection is otherwise permitted under the Privacy Act or the Health Records Act 2001 (Vic).

Types of sensitive and health information we collect
The sensitive and health information we collect may include, but is not limited to:
(a) medical history, diagnoses, presenting conditions and treatment history;
(b) disability-related information, functional capacity and assessment results (including cognitive, skills-based and mental health assessments);
(c) medications and treating practitioners;
(d) information disclosed during therapy sessions;
(e) information that may give rise to a mandatory or other reportable disclosure (for example, in connection with child safety or risk of harm);
(f) NDIS participant number, plan dates, plan goals and information about the management of your NDIS funding;
(g) Medicare number, healthcare identifiers and other entitlement details where relevant;
(h) information from referring health care providers and associated referral documents; and
(i) photographs, video or audio (including AI-generated session recordings, dealt with separately below).

4 HOW WE COLLECT INFORMATION

We collect personal information in a lawful and fair way. Wherever reasonably practicable, we collect it directly from you.

Direct collection
We may collect personal information directly from you when you:
(a) contact us, including via our website, email, telephone or social media;
(b) complete an online enquiry, intake or referral form or participate in the preparation of your Occupational Profile;
(c) sign a service agreement with us;
(d) attend an in-person or telehealth therapy session, including any session recorded using AI tools (see clause 5);
(e) undergo an assessment; or
(f) interact with our website.

Collection from third parties
There may be occasions when we collect personal information about you from someone else, including:
(a) a parent, legal guardian, nominee, support coordinator, plan manager or other authorised representative;
(b) a referring health care provider, GP, specialist or other treating practitioner, support worker or other care team member;
(c) the National Disability Insurance Agency (NDIA), an NDIS support coordinator or plan manager;
(d) a school, teacher, well-being staff member or employer where relevant to the services we provide to you; or
(e) a family member, carer or other informal support, where appropriate. 


Information collected on behalf of someone else
If you provide personal information about another person, you must have that person’s consent (or, where the person is a minor or otherwise unable to consent, the consent of their parent, legal guardian or authorised representative). We may ask for evidence of this consent. 


Children and young people
Where a client is under 18 years old, or is otherwise unable to give informed consent, we will generally collect personal information from, and obtain consent from, a parent, legal guardian or authorised representative. We will engage the client in decisionmaking to the greatest extent possible, consistent with supported decision-making practice.

Cookies and analytics
We may collect information about your use of our website using cookies and similar tracking technologies. If you do not wish information to be stored as a cookie, you can disable cookies in your web browser.

5 AI-ASSISTED CLINICAL DOCUMENTATION


With your separate written consent, we use a third-party AI tool, HEIDI, to capture audio in real time and generate clinical notes from the transcription. We use this tool to enable our therapists to be more present during sessions and to improve the accuracy and completeness of our clinical records.

How AI recording works
(a) Before any session is recorded, we will provide you with a separate Consent for Recording Occupational Therapy Sessions Using AI form and obtain your written consent.
(b) During the session, your therapist's device captures audio in real time. According to HEIDI's published documentation, audio is transcribed in real time and is not retained after the transcript and clinical notes have been generated.
(c) The transcript and AI-generated clinical notes are reviewed and finalised by your therapist and stored as part of your clinical record in our practice management system.
(d) The transcript and clinical notes will not be shared without your further written consent, except where disclosure is required or authorised by law.

Voluntary and revocable
(e) Participating in AI-assisted recording is voluntary and is not a condition of receiving therapy from us.
(f) You may withdraw your consent to AI-assisted documentation at any time by informing your therapist.
(g) You may request that any AI-generated transcript or notes derived from your sessions be deleted, and we will action that request unless we are required by law or by NDIS or professional record-keeping obligations to retain the information.

AI provider and data handling
HEIDI is operated by Heidi Health Trading Pty Limited (ABN 84 649 783 871), an Australian company. HEIDI publishes that it hosts Australian users' data on infrastructure located within Australia. We require HEIDI to handle your information consistently with the Australian Privacy Principles. To the extent that HEIDI's related bodies corporate or personnel located outside Australia are able to access your information for support, security or maintenance purposes, that access is treated as a cross-border disclosure for the purposes of APP 8 and we have taken reasonable steps to ensure HEIDI handles the information consistently with the APPs.

6 USE OF YOUR PERSONAL INFORMATION

We collect and use personal information for the following primary purposes:
(a) to provide safe, tailored and effective occupational therapy and related services to you, including assessments, therapy sessions, telehealth, report writing and case-related liaison;
(b) to deliver services in your home, workplace, school or other community setting as agreed with you;
(c) to prepare clinical notes, assessments, progress reports, functional capacity assessments and other reports, including with the assistance of AI tools where you have consented;
(d) to communicate with you about appointments, billing, service changes and feedback;
(e) to administer our service agreement with you, including invoicing, , plan-managed, selfmanaged, NDIA-managed and private fee-for-service arrangements and managing cancellations;
(f) to comply with our obligations as an NDIS provider, including the NDIS Code of Conduct and any incident reporting obligations;
(g) to comply with mandatory reporting obligations, including in respect of child safety;
(h) to consider applications for employment or contracting with us; and
(i) for record keeping, quality improvement, training and administrative purposes.
We may also use your personal information for:
(j) a secondary purpose closely related to a primary purpose, where you would reasonably expect us to use the information for that purpose;
(k) a purpose where we reasonably believe the use is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;
(l) any other purpose for which we have your consent; or
(m) any other purpose permitted or required by law.

7 HOW WE DISCLOSE YOUR INFORMATION

We respect your privacy and take reasonable steps to keep your personal information confidential.

Routine disclosures in connection with your care
With your consent, and only to the extent necessary to support your care and safety, we may disclose your information to:
(a) treating health practitioners, including GPs, specialists, paediatricians, psychologists, counsellors, dieticians, doctors, nurses and other allied health professionals;
(b) the NDIA, your support coordinator, plan manager or other NDIS service providers;
(c) schools, teachers and well-being staff, where you receive services in a school setting;
(d) employment providers and vocational supports, where relevant to your goals;
(e) accommodation providers, where you live in supported or shared accommodation;
(f) informal supports such as parents, family members, carers and guardians; and
(g) any other person or organisation you have authorised us to share information with.

Disclosures to service providers
We disclose personal information to third party service providers who help us deliver and administer our services, including:
(a) Splose, our practice management system, used to store client records, schedule appointments and manage clinical notes;
(b) HEIDI, our AI session recording and note-generation tool (see clause 5);
(c) Microsoft 365 (including Outlook and OneDrive), used for email, document storage and assessment files;
(d) our professional advisors, including lawyers, accountants and auditors;
(e) IT support providers; and
(f) debt collection agencies, where an outstanding amount is referred for collection in accordance with our service agreement.
We require these providers to handle your information consistently with the APPs and to use it only for the purposes for which we engage them.

Other permitted or required disclosures
We may also disclose your personal information where:
(a) you have consented to the disclosure;
(b) the disclosure is necessary in an emergency, or to prevent or investigate suspected unlawful activity;
(c) the disclosure is required under a subpoena, court order, or mandatory reporting obligation (including child safety, elder abuse or NDIS reportable incidents);
(d) we reasonably believe the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;
(e) the disclosure is reasonably necessary for the establishment, exercise or defence of a legal claim; or
(f) the disclosure is otherwise authorised or required by law.

8 STORAGE AND SECURITY

Where your information is stored
Your records are stored electronically. We do not generally keep hardcopy records. Records may be held in our practice management system (Splose), in Microsoft 365 (including Outlook and OneDrive), and in HEIDI in respect of AI-generated transcripts and clinical notes (subject to clause 5).

Splose, Microsoft and HEIDI are Australian-facing service providers. Some of these providers, or their subprocessors, store or access information outside Australia, including in the United States.

By engaging with us, you consent to your personal information being disclosed to these providers and processed outside Australia where applicable. Before disclosing your information to an overseas recipient, we take reasonable steps under APP 8.1 to ensure the recipient handles your information consistently with the Australian Privacy Principles.

Security measures
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, including by:
(a) using password-protected systems and two-factor authentication on our practice management system;
(b) issuing work-purposed laptops and phones to our therapists;
(c) limiting access to client records to authorised personnel on a need-to-know basis;
(d) training our staff and contractors on their privacy and confidentiality obligations; and
(e) regularly reviewing our information security practices.
While we take these steps, no information system can be guaranteed to be completely secure.

Retention
We retain client records for as long as required to provide services to you and as required by law and applicable professional and NDIS standards. In Victoria, the Health Records Act 2001 (Vic) generally requires health information about adults to be kept for at least 7 years from the date of last service, and information about children to be kept until the person turns 25 (or 7 years after last service, whichever is later). Where you cease to be a client, we will hold your information securely for the required retention period and then take reasonable steps to destroy or de-identify it.

9 CONSENT AND WITHDRAWAL

Forms of consent
In addition to this privacy policy, we use the following forms to record specific consents:
(a) our Privacy and Confidentiality Form, which sets out the categories of recipient with whom we may share your information in connection with your care;
(b) our Consent for Recording Occupational Therapy Sessions Using AI form, which is required before we first use HEIDI to record sessions with you; and
(c) any photo and media consent recorded as part of our intake process.
Once you have signed any of the consent forms referred to above, your consent applies on an ongoing basis to the collection, use and disclosure of your personal information for the purposes set out in that form and in this privacy policy, including in connection with your future appointments and the delivery of our services to you, until you withdraw or amend it.

Withdrawing consent
You may withdraw or amend your consent at any time by contacting us using the details at the end of this policy. Withdrawing consent may limit our ability to provide certain services to you, or to meet specific service obligations, and we will discuss any such impacts with you before any change takes effect.

Where consent is withdrawn part-way through service delivery, we will take reasonable steps to give effect to the withdrawal, including ceasing the relevant collection, use or disclosure on a forward-looking basis. We may continue to retain previously collected information where required by law, or where retention is reasonably necessary for record-keeping, complaints handling or legal purposes.

10 MARKETING 


From time to time we may send you marketing communications about our services. We will only do so in accordance with the Spam Act 2003 (Cth) and the APPs.

You can opt out of marketing communications at any time by using the unsubscribe facility provided, or by contacting us using the details at the end of this policy. We will action your request as soon as reasonably practicable.

We will not use your sensitive or health information for marketing purposes.

11 DE-IDENTIFIED INFORMATION

We may use de-identified information for analytical, training, quality improvement and educational purposes. Where information has been de-identified, we reserve the right to use and discuss that information without further consent. We will seek your specific consent before publishing any deidentified case study or written material derived from your information.

12 ACCESS, CORRECTION AND COMPLAINTS

Access and correction
You have the right to request access to the personal information we hold about you, and to ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. To make a request, please contact us using the details below.

We may need to verify your identity before providing access. We will respond to access and correction requests within a reasonable timeframe and in accordance with the APPs and (where applicable) the Health Records Act 2001 (Vic). In some cases we may be unable to provide access to all of your personal information; where this occurs, we will explain why in writing.

Complaints
If you have a complaint about how we have handled your personal information, please contact us using the details below. We will acknowledge your complaint promptly and respond within a reasonable timeframe.
If you are not satisfied with our response, you may refer your complaint to:
(a) the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au;
(b) the Health Complaints Commissioner (Victoria) at www.hcc.vic.gov.au; or
(c) the NDIS Quality and Safeguards Commission at www.ndiscommission.gov.au, in respect of NDIS-related concerns.

13 LINKS

Our website may contain links to third party websites. Those links are provided for your convenience and may not be current or maintained. We are not responsible for the privacy practices of those websites and we suggest you review their privacy policies before using them.

14 CONTACT US

For further information about our privacy policy or practices, or to access or correct your personal information or make a complaint, please contact us:
Lotus Allied Health
Attention: Laura Bailie, Director
Email: laura.bailie@lotusalliedhealth.com.au

This privacy policy was last updated on 10 May 2026. 

Copyright © 2026 Lotus Allied Health - All Rights Reserved.

Powered by

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

Accept