We respect your privacy
Last updated: March 2026
Hyphen Health Pty Ltd ABN 77 646 122 910 respects your right to privacy and is committed to safeguarding the personal information and health information of our patients, customers, and website visitors. We comply with the Australian Privacy Principles contained in the Privacy Act 1988, the Notifiable Data Breaches scheme, and applicable State and Territory health privacy laws.
This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information and health information.
Brands covered by this policy
This Privacy Policy applies to Hyphen Health Pty Ltd and all services and brands operated as registered business names of Hyphen Health Pty Ltd, including:
- Stigma Health
- PrEP Health
- RoidSafe
- Hey Fella
References to “we”, “us”, or “our” mean Hyphen Health Pty Ltd and its related brands.
Anonymity and pseudonymity
Where practicable, you may interact with us anonymously or using a pseudonym. However, for healthcare, telehealth, prescribing, pathology referrals, and related services, we are required to collect your real identity to provide safe and effective care and to meet our legal, professional, Medicare, and regulatory obligations.
What is personal information and health information
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Health information is a type of sensitive information and includes information about your physical or mental health, medical history, test results, prescriptions, and healthcare services. Health information is subject to a higher level of protection.
Collection of personal information
We may collect personal and health information when you:
- Use our websites, platforms, or applications
- Access our healthcare, telehealth, pharmacy, pathology referral, or support services
- Participate in consultations with clinicians or partner providers
- Communicate with us electronically, by phone, or in person
- Complete forms, questionnaires, or surveys
- Make payments or manage your account
The types of information we may collect include your name, date of birth, contact details, identification information, medical history, test results, prescriptions, payment details, Medicare details where applicable, feedback, and any other information you provide.
If you choose not to provide certain information, we may be unable to provide some or all of our services.
How we collect personal information
We collect information directly from you, through our websites and platforms, during service delivery, and from authorised third parties such as partner doctors, pathology providers, payment processors, and technology providers.
Health information specific protections
We collect and use health information only where:
- You have provided consent (which may be express or implied depending on the circumstances), and
- It is necessary to provide healthcare or related services, or
- We are required or authorised by law
Health information is used and disclosed only for purposes directly related to your care or as otherwise permitted by law. We do not use health information for direct marketing without your express consent.
We apply additional safeguards to health information, including restricted access, encryption, audit logging, and secure clinical systems.
Telehealth services
Where we provide telehealth services:
- Consultations are conducted using secure platforms
- Consultations are not routinely recorded. Where a clinician wishes to use an AI transcription tool to assist with consultation notes, you will be asked for your specific consent at the beginning of that consultation. You may decline without it affecting your care.
- Telehealth systems use encryption and access controls to protect information
You are responsible for maintaining the confidentiality of your login details and for accessing telehealth services using secure devices and networks. Using shared devices or unsecured networks may increase privacy risks.
How we use personal information
We use personal and health information to:
- Provide healthcare, telehealth, and related services
- Manage appointments, referrals, prescriptions, and test results
- Process payments and administer accounts
- Communicate with you about your care, services, or account
- Improve our services, systems, and user experience
- Conduct internal research and analysis using de-identified data
- Support clinical and administrative workflows, including through automated summarisation tools
- Meet legal, regulatory, Medicare, PBS, and professional obligations
- Verify identity, detect and prevent fraud, misuse, or unauthorised access, and monitor system integrity and compliance
Use of automated tools and artificial intelligence
We use automated tools, including artificial intelligence features within our clinical systems, to assist clinicians and administrative staff with tasks such as summarising medical histories, consultation notes, and supporting administrative workflows.
These tools may be provided by third-party technology providers integrated into our clinical systems. Where used:
- Relevant portions of your personal or health information may be processed by third-party service providers for the purpose of generating summaries or administrative assistance
- Processing may occur in Australia or overseas depending on the technology provider
- Information is transmitted using secure, encrypted connections
- AI outputs are returned to and stored within our Australian clinical systems
We take reasonable steps to ensure technology providers handling information through automated tools comply with Australian privacy standards. This includes imposing strict contractual restrictions that prohibit them from using your information for any purpose other than providing the service directly to us. They are not permitted to use your information to train their own AI models, for their own research, or for any independent commercial purpose. We require them to meet stringent security standards.
All AI-generated content intended for inclusion in your clinical record or to inform clinical decisions is reviewed by a qualified clinician or appropriate staff member before being finalised. Automated tools assist with efficiency and do not replace clinical judgement or decision making. These tools are used to support consultation documentation and administrative workflows only, and do not make autonomous treatment or clinical decisions.
Where AI transcription is used during a consultation, this occurs only with your prior consent.
We remain accountable under Australian privacy law for the use of automated tools and any overseas processing that occurs as part of these services.
De-identified information
De-identified information is information that has been processed to remove or obscure personal identifiers so individuals cannot be reasonably identified.
We may use de-identified information for service improvement, research, analytics, and reporting. While we take reasonable steps to prevent re-identification, a residual risk may exist.
Marketing communications
We may send marketing communications only where you have provided consent. Consent is typically obtained through opt-in mechanisms such as registration forms, account settings, or explicit agreement.
We comply with the Spam Act 2003 and the Do Not Call Register Act 2006 where applicable.
You may manage marketing preferences or opt out at any time, at no cost, by using the unsubscribe mechanism in any communication or by contacting us directly. Separate preferences may apply for email, SMS, and phone communications.
Disclosure of personal information
We may disclose personal and health information to:
- Employees, contractors, and officers involved in service delivery
- Partner doctors, clinicians, pathology providers, and healthcare partners
- IT, hosting, cloud, analytics, and customer support providers
- Payment processors and financial service providers, including Stripe
- Professional advisers, insurers, auditors, and regulators
- Government agencies, including Services Australia, where required or authorised by law
My Health Record
Hyphen Health does not upload clinical records, pathology results, or other health information to My Health Record. We have no technical connection to the My Health Record system.
Where we refer you to a third-party pathology provider for testing, that provider may upload your results to My Health Record in accordance with their own policies and processes. This occurs independently of Hyphen Health and is outside our control. While our pathology referrals may include instructions regarding My Health Record preferences, we cannot guarantee that third-party providers will action those instructions.
If you wish to control what information appears on your My Health Record, you can manage your record settings, remove documents, or cancel your record through your myGov account or by contacting the My Health Record Help Line on 1800 723 471. You can also contact the relevant pathology provider directly to request changes to how your results are handled.
If you have concerns about information that has been uploaded to your My Health Record by a third-party provider, we encourage you to raise the matter directly with that provider in the first instance.
Overseas disclosure
Our clinical systems and primary data storage are located in Australia. However, we use some global technology service providers to support our operations. As a result, personal and health information is disclosed to, or accessed by, overseas recipients in certain circumstances.
This may include overseas access or processing by:
- Payment processing services, including Stripe
- Email and communication services provided through Microsoft 365
- Messaging and notification services integrated within our clinical systems
- Security monitoring, analytics, and technical support services provided by global technology vendors
Overseas recipients may be located in countries including the United States and other jurisdictions where these service providers operate.
We take reasonable steps to ensure overseas recipients handle personal and health information in accordance with Australian privacy laws, including through contractual privacy and security obligations, access controls, encryption, and vendor due diligence. Where required by law or with your consent, we may also disclose information to overseas recipients in other circumstances. We remain accountable under Australian privacy law for overseas disclosures.
Medicare and Pharmaceutical Benefits Scheme (PBS)
Where you choose to claim Medicare benefits for our services:
- We collect your Medicare card details with your consent
- We submit claims to Services Australia on your behalf
- Your health information is disclosed to Services Australia for claims processing, compliance, audit, and public health purposes
- Medicare-related records are retained for at least 7 years in accordance with provider obligations
You may choose to pay privately for services instead of using Medicare. Private payment does not involve disclosure of your information to Services Australia for claims purposes.
Where we prescribe medicines under the Pharmaceutical Benefits Scheme:
- Prescription information is disclosed to Services Australia for PBS subsidy and compliance purposes
- PBS records are retained for at least 7 years
- You may request private (non-PBS) prescriptions where clinically appropriate
These disclosures are authorised by law and are necessary for the operation of Medicare and the PBS.
Business transfers
If there is a change of control, restructure, or sale of business assets, personal information may be transferred as part of that transaction, subject to confidentiality obligations and applicable law.
Data security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include administrative controls, access restrictions, encryption, secure hosting environments, authentication requirements, and regular security reviews. Pathology results and Medicare-related records are stored securely within our clinical systems and are accessible only to authorised internal staff where required for care delivery or compliance.
Data retention
We retain information in accordance with legal and regulatory requirements, including:
- Adult medical records: at least 7 years from the last clinical entry
- Child and young person medical records: until the individual reaches the age of 25, or for a period of 7 years from the last health service provided, whichever is the longer period
- Pathology results: retained as part of the medical record in our clinical systems
- Medicare and PBS records: at least 7 years in accordance with Services Australia requirements
- Financial records: at least 7 years
- Other records: as required by law or operational needs
When information is no longer required, it is securely destroyed or de-identified. Where you request deletion of your information, we will take reasonable steps to comply, except where we are required or authorised by law to retain it, or where retention is necessary for the establishment, exercise, or defence of legal claims.
Access and correction
You may request access to personal information we hold about you and request corrections where information is inaccurate, out of date, incomplete, irrelevant, or misleading.
We will respond to access requests within 30 days. There is no charge for making an access request. However, a reasonable administrative fee may be charged for providing access to the information. Access may be refused in limited circumstances permitted by law, such as where providing access would pose a serious threat to life or health or breach legal privilege. If access is refused, we will provide reasons and information on how to complain.
Data breaches
In the event of a data breach likely to result in serious harm, we will assess the breach in accordance with the Notifiable Data Breaches scheme and notify affected individuals and the Office of the Australian Information Commissioner where required.
Cookies and tracking technologies
We use essential cookies for website functionality and may use non-essential cookies for analytics and advertising purposes. We may also use tracking technologies such as pixels or tags provided by third-party advertising and analytics platforms (including Google Analytics and social media platforms) to measure the performance of our services and to deliver relevant content. These third parties may collect information in accordance with their own privacy policies.
You can manage cookies through your browser settings. Some features may not function correctly if cookies are disabled.
Children and young people
Certain services, including RoidSafe, are strictly limited to individuals aged 18 years and over.
Other services may be available to individuals aged 16 years and over, subject to parental or guardian consent or where a qualified clinician assesses the individual as having sufficient maturity and understanding to consent to their own healthcare (Gillick competence).
Children’s and young people’s health information is subject to additional safeguards, and access is restricted to authorised staff involved in care delivery.
Brand specific privacy protections
Some of our services involve particularly sensitive or potentially stigmatised health information. In addition to the protections set out in this Privacy Policy, the following applies.
RoidSafe
RoidSafe provides harm reduction and health monitoring services for individuals using anabolic steroids.
- Information about steroid use is treated as highly sensitive health information
- Access is restricted to clinicians and staff directly involved in your care
- We do not ordinarily disclose information to employers, insurers, sporting organisations, or other third parties without your consent, except where required or authorised by law
- We do not voluntarily report personal steroid use to law enforcement agencies
- Disclosure may occur where there is a serious threat to life or health, or where required by court order
PrEP Health
PrEP Health provides HIV prevention, sexual health, and related healthcare services.
- HIV status, sexual health information, and STI results are treated as highly sensitive
- Access is limited to clinicians and staff directly involved in your care
- We do not ordinarily disclose this information to partners, family members, employers, or insurers without your consent, except where required or authorised by law
- Under Australian public health laws, we are required to notify state or territory health departments of certain diagnoses (such as HIV and other notifiable sexually transmitted infections)
- We will inform you where notification is required
Hey Fella
Hey Fella provides HIV prevention, sexual health, and related healthcare services for gay, bisexual, trans, and other people who identify as male.
- HIV status, sexual health information, and STI results are treated as highly sensitive
- Access is limited to clinicians and staff directly involved in your care
- We do not ordinarily disclose this information to partners, family members, employers, or insurers without your consent, except where required or authorised by law
- Under Australian public health laws, we are required to notify state or territory health departments of certain diagnoses (such as HIV and other notifiable sexually transmitted infections)
- We will inform you where notification is required
Complaints
If you have a complaint about how we handle personal information, please contact us by email at practicemanager@hyphen.health. We will acknowledge complaints within 7 days and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at www.oaic.gov.au.
Changes to this policy
We may update this Privacy Policy from time to time. Changes take effect when published on our websites.
Contact details
Hyphen Health Pty Ltd
ABN 77 646 122 910
Postal address
PO Box 3229
Thornton NSW 2322
Phone 1300 479 023
Fax 02 9094 2230
