This policy explains what information biio. collects, why we collect it, how we use it, who we share it with, how we protect it, and what choices and rights you have.
This Privacy Policy explains how biio. collects, uses, discloses, stores, protects, and otherwise handles personal information and health information in the course of providing care and running the service around that care.
It applies across the patient-facing service environment currently operated by biio., including the clinic, telehealth, biiography (biio.’s proprietary technology platform), the patient portal, website intake forms, digital forms, email, SMS, and phone support.
It applies whether you use biio. from within Australia or from another country.
This policy is written in plain language on purpose. Health information is personal. Privacy language should still be understandable.
For this policy, biio. means BIIO PTY LTD (ABN 26 674 271 455, ACN 674 271 455).
Our privacy contact is:
Privacy Officer
privacy@biio.com.au
The information biio. collects depends on how you use the service and what care you receive. It may include:
biio. collects information directly from you when you make an enquiry, complete forms, book or attend appointments, use telehealth, use the patient portal, send us documents, make a payment, or communicate with us by phone, email, SMS, or another approved channel.
We may also collect information from another person or organisation where that is reasonably necessary for your care or for running the service around that care. Depending on the situation, this may include a parent, guardian, authorised representative, referrer, GP, specialist, allied health practitioner, pathology provider, imaging provider, pharmacy, hospital, insurer, plan manager, or another person involved in your care or payment pathway.
Some information is collected automatically through digital systems used to provide or support the service, including biiography, the patient portal, website forms, helpdesk systems, security tools, and audit systems.
Where the law requires notice at or before collection, or as soon as practicable afterwards, biio. may give that notice through this policy and through shorter notices, scripts, prompts, or collection statements used in the relevant channel.
If you do not provide information that biio. reasonably needs, biio. may not be able to:
Where lawful and practicable, biio. may allow limited dealings on an anonymous or pseudonymous basis, such as a general enquiry or general feedback that does not require us to identify you.
In most clinical, safety, record-keeping, communication, billing, prescribing, referral, claim, and identity-verification contexts, this will not be lawful or practicable. In those situations, biio. requires you to identify yourself so we can provide safe care, create and maintain an accurate health record, communicate with you properly, and meet our legal and operational obligations.
Sometimes biio. may receive information it did not ask for.
If biio. receives information it did not solicit, biio. will decide whether it could lawfully have collected that information in the ordinary way. If not, biio. will destroy it or de-identify it where reasonable and lawful to do so.
biio. collects, uses, and discloses information so it can:
biio. only collects, uses, and discloses information in ways that are reasonably necessary for these purposes, or otherwise permitted or required by law.
biio. takes reasonable steps to keep the information it collects, uses, and discloses accurate, up to date, complete, and relevant for the purpose.
You also play a role in that. Please tell biio. if something material changes, such as your contact details, medication list, funding pathway, representative, or location for telehealth.
biio. is built around coordinated care. Relevant clinicians may share information with each other through approved systems where that is reasonably necessary to assess, plan, provide, or coordinate your care.
In most areas of care at biio., relevant clinical reasoning entered into biiography is visible across the treating team so care can compound rather than reset.
Psychology is a deliberate carve-out. Psychology notes do not follow the general visibility model. They are separately restricted. Where appropriate, a psychologist may share a short therapeutic summary or other limited clinically relevant information with the wider team without sharing the protected content of psychology notes more broadly.
Non-clinical staff do not have access to clinical notes, except to the extent strictly necessary for an authorised operational task that does not expose the substantive content of clinical care.
biio. may disclose relevant information outside biio. where that is reasonably necessary for your care or otherwise permitted or required by law. Depending on the circumstances, this may include disclosure to:
If biio. is involved in a restructure, financing, merger, sale, or transfer of all or part of its business, information may also be disclosed to professional advisers, financiers, counterparties, or successor entities on a confidential and need-to-know basis where the law allows and appropriate safeguards are used.
Where biio. discloses information, biio. aims to disclose only what is reasonably necessary for the purpose.
Recording and transcription are core workflows at biio. For that reason, they are not buried inside generic technology language.
Recordings of telehealth consultations are audio only. They are not video-recorded.
Audio recording and transcription are routine for telehealth consultations. In-person consultations are also recorded as standard practice.
Ordinary phone consultations are not a standard service pathway. If they occur, they are not recorded.
Helpdesk calls are different from clinical consultations. They are operational calls, not clinical consults, and they follow a separate operational recording and retention pathway.
The purpose of recording and transcription is to support accurate documentation, continuity, and the quality of clinician-authored notes. The recording is not a marketing asset, not a general archive, and not a second permanent clinical record.
The final clinician-authored note entered into biiography is the authoritative health record for the consultation.
Raw audio and transcript drafts are temporary working material.
For telehealth, transcript deletion is automatic and is triggered when the clinician submits the report for that consultation into biiography. Raw telehealth audio is intended to be permanently deleted within 7 days, including within the systems biio. controls directly.
In-person recordings and transcript drafts are also treated as temporary working material. They are handled under the applicable workflow settings rather than as a second permanent record.
Transcript drafts for consultations are visible only to the treating clinician. Transcript drafts are not visible to non-clinical staff.
Patients are told clearly when a consultation is being recorded and why.
A patient may verbally decline telehealth recording at the start of the consultation, or withdraw that agreement during the consultation. If a patient declines recording, the consultation may continue using an alternative workflow, including manual note-taking, if that is clinically workable. Declining recording may affect how the consultation is delivered or documented.
Helpdesk call recordings and transcripts are operational material and are currently set to a 30-day deletion period.
biio. does not currently use patient-facing AI tools.
Where AI-supported tools are used, they are limited to back-end transcription, documentation support, and administrative support rather than direct patient interaction.
AI-supported tools are used to support the service, not to replace clinical judgment. Clinically significant outputs are subject to human review, and final responsibility for the clinical record and for clinical decisions remains with the clinician.
biio.'s current operating position is that it does not use identifiable patient data with vendors on a training-permitted basis.
biio. does not input identifiable patient information into publicly available generative AI tools.
Where an AI-supported tool generates, infers, summarises, or transforms information about you, biio. treats that information as personal information or health information where it relates to an identified or reasonably identifiable person.
If biio. introduces a patient-facing AI tool in the future, biio. will identify that clearly at the point of use and update the relevant notices and policy settings.
biio. uses approved technology providers to support clinical care, telehealth, recording and transcription workflows, payment, administration, security, and helpdesk functions.
Some systems or services biio. uses may be provided by companies located outside Australia or may involve overseas storage, processing, or support access. Where that happens, biio. takes reasonable steps to protect information and to require appropriate privacy and security safeguards through contracts, vendor controls, and access settings.
biio. remains responsible under Australian privacy law for the way your information is handled where that accountability applies.
biio. uses My Health Record and Individual Healthcare Identifiers, although they are not currently integrated into the core platform.
Where biio. accesses, uploads, uses, or handles My Health Record information or healthcare identifiers, it does so in accordance with the laws and rules that apply to those systems.
If information is downloaded from My Health Record into a local system, it is then handled under the ordinary privacy, health record, and professional obligations that apply to the local record.
biio. does not adopt a government-related identifier as its own identifier of a person except where the law permits that handling.
biio. uses technical and organisational safeguards designed to protect the information it holds.
Security measures biio. can currently stand behind include:
biio. also uses staff training, contractual controls, access management, review processes, and operational safeguards to reduce the risk of misuse, loss, unauthorised access, modification, or disclosure.
biio. keeps information for as long as it is reasonably needed for the purpose for which it was collected or otherwise used or disclosed, and for any longer period required by law, professional obligations, safety needs, complaint handling, or another legitimate retention requirement.
Final clinician-authored records are retained in line with applicable legal and professional obligations.
Temporary working material is handled differently.
When information is no longer needed and no retention obligation applies, biio. will take reasonable steps to destroy it or de-identify it.
biio. may use SMS, email, phone, portal messages, and other approved channels to communicate with you about appointments, booking changes, practical care coordination, documents, billing, results-related contact, follow-up, and other service-related matters.
These communications are part of running care and the service around care.
Operational contact channels are not emergency channels and are not an ongoing direct line to clinicians between appointments.
biio. does not use your health information for direct marketing without the appropriate permission.
Optional non-care communications, such as newsletters, general updates, or invitations not directly tied to your own care, are handled separately. If you opt in to those communications, you can unsubscribe at any time.
You may ask for access to the personal information or health information biio. holds about you. You may also ask biio. to correct information that is inaccurate, incomplete, out of date, irrelevant, or misleading.
biio. may ask you to verify your identity, put your request in writing, and describe the information you want and how you would like to receive it.
If possible, biio. aims to respond within 30 days.
biio. may refuse access or correction where the law allows that. If that happens, biio. will explain the position in writing unless the law allows otherwise, and biio. will tell you how you can complain.
biio. does not charge a fee for correction requests. If you request copies, a reasonable fee may apply for the actual cost of retrieval, reproduction, and sending, but it will not be excessive.
If you have a privacy concern or complaint, please contact the Privacy Officer at privacy@biio.com.au first. biio. will review the concern, respond in writing, and try to resolve it fairly and promptly.
If you are not satisfied with biio.'s response, you may complain to the Office of the Australian Information Commissioner.
If biio. becomes aware of a data breach that is likely to result in serious harm and the law requires notification, biio. will follow the applicable data breach process, including taking steps to contain, assess, and respond to the incident and notifying affected people and regulators where required.
biio. may update this Privacy Policy from time to time to reflect changes in law, technology, service design, or the way the service operates.
When biio. makes a material change, biio. will publish the updated version and, where appropriate, give notice through the relevant patient-facing channel.