Data Security in Halaxy


Data security

For the user, confidentiality and security are infused throughout Halaxy so that you can be confident that you're managing access to your data correctly. Examples include:

  • Extensive user access levels, with four levels for practitioners and three levels for administrative staff, including a number of specific options within each level dependent upon the particular user;

  • Hiding of sensitive information within patient profiles and clinical notes (e.g. users cannot immediately see clinical notes when they open a patient's profile); and

  • Anonymisation of invoices and finance reports, so that you can provide invoices and reports to funding bodies and accountants without breaching confidentiality.

Halaxy service staff cannot see sensitive information; when Halaxy service staff access your account to assist with service queries, all confidential details are randomised or removed. If Halaxy staff need to assist with regard to a particular patient, they will ask for an anonymous patient ID rather than a patient's name.

Internally, Halaxy is operated from Melbourne, and data for Australian practitioners is stored within Australia in securely protected data centres with multiple backups in place. This data is protected by 256-bit bank grade security and encryption, meaning patient records, notes, and payment information are protected to the same level required by Australian banks.

For practitioners in the EU, data is stored in the EU in accordance with GDPR requirements. This data is also protected by 256-bit bank grade encryption, with multiple backups in place.

Access to data is restricted, patient and practitioner data is anonymised, and data transmissions are encrypted. In the event of a data breach, an internal policy and response plan has been prepared in accordance with the Notifiable Data Breaches Scheme.

When Halaxy integrated with funding bodies (such as Medicare and DVA), Halaxy passed system-wide security and operational tests to be permitted to integrate with these governmental bodies.

Debit/credit card details

Halaxy's payments gateway is powered by Braintree PayPal, which, as one of the world's largest online payments providers, has a stringent data and security policy when it comes to storing cardholder details.

When a patient's or client's card details are entered into Halaxy, they are stored and tokenised by Halaxy's payments gateway, meaning that once initially entered and captured, they are not visible to anybody within the clinic or at Halaxy. If card details need to be altered or updated, this requires the card to be completely re-entered, as a tokenised card is unable to be edited.

In addition, Halaxy features a customisable authorised payment limit for transactions, at which point the cardholder is required to enter a verification code via SMS to authorise the transaction. This not only protects cardholders from unauthorised transactions but also lowers the risk of disputed payments, because the cardholder is required to actively authorise the payment.

Our blog provides more details on how to manage your patients' card details in Halaxy, as well as an FAQ page for patients about card security.

Disclosure of information to third parties

Halaxy does not use patient data to market anything to patients, and we do not provide patients' data so that they can be marketed to - this is anathema to us. The reason we have the term "third party" in the privacy policy is that, apart from law enforcement requests or court subpoenas, some features of Halaxy require third parties to function (for example, to send SMS we provide patients' mobile phone numbers to the SMS gateway electronically so that SMS appointment reminders can be sent).

This also applies to the accounting integration feature, such as with the Xero accounting software, which may store its data in the USA. Therefore, if a practitioner integrates their Halaxy account with Xero, their data could go offshore to the USA, which is one of the reasons why we allow practitioners to remove names when they are syncing with Xero. This is unique in the market and another way we help practitioners protect their patients' and clients' privacy.

Patients and practitioners can also integrate medical devices such as blood glucose monitors into their Halaxy records, which is highly beneficial as practitioners can remotely monitor patients. Those devices may store data overseas, which is also covered by that term.

Terms and conditions and privacy policy

For more information, please see our terms and conditions and privacy policy.
