Data Security in Halaxy


Data security

For the user, confidentiality and security is infused throughout Halaxy so that you can be confident that you’re managing access to your data correctly. Examples include:

  • Extensive user access levels, with four levels for practitioners and three levels for administrative staff, including a number of specific options within each level dependent upon the particular user;

  • Hiding of sensitive information within patient profiles and clinical notes (e.g. users cannot immediately see clinical notes when they open a patient's profile); and

  • anonymisation of invoices and finance reports, so that you can provide invoices and reports to funding bodies and accountants without breaching confidentiality.

Halaxy service staff cannot see sensitive information; when Halaxy service staff access your account to assist with service queries, all confidential details are randomised or removed. If Halaxy staff need to assist with regard to a particular patient, they will ask for an anonymous patient ID rather than a patient's name.

Internally, Halaxy is operated from Melbourne, and data for Australian practitioners is stored within Australia in securely protected data centres with multiple backups in place. This data is protected by 256-bit bank grade security and encryption, meaning patient records, notes, and payment information are protected to the same level required by Australian banks.

For practitioners in the EU, data is stored in the EU in accordance with GDPR requirements. This data is also protected by 256-bit bank grade encryption, with multiple backups in place.

Access to data is restricted, patient and practitioner data is anonymised, and data transmissions are encrypted. In the event of a data breach, an internal policy and response plan has been prepared in accordance with the Notifiable Data Breaches Scheme.

When Halaxy integrated with funding bodies (such as Medicare and DVA), Halaxy passed system-wide security and operational tests to be permitted to integrate with these governmental bodies.

Debit/credit card details

Halaxy's payments gateway is powered by Braintree in Australia and Hyperwallet in the EU. Both are subsidiaries of PayPal, who as one of the world's largest payments providers are protected by bank-grade encryption and world-class security protocols.

As a security measure, card details are stored through our partners and not stored by Halaxy directly, so payments data is not stored with patient records and Halaxy cannot retrieve card details.

When a patient's or client's card details are entered into Halaxy, they are stored and tokenised by Halaxy's payments gateway. This means that once initially entered and captured, card details are not visible to anybody within the clinic or at Halaxy and cannot be retrieved by Halaxy. If card details need to be altered or updated, this requires the card to be completely re-entered, as a tokenised card is unable to be edited.

In addition, Halaxy features a customisable authorised payment limit for transactions at which point the cardholder is required to enter a verification code via SMS to authorise the transaction. This not only protects cardholders from unauthorised transactions, it also lowers the risk of disputed payments because the cardholder is required to actively authorise the payment.

Our blog provides more details on how to manage your patient's card details in Halaxy, as well as an FAQ page for patients about card security.

Disclosure of information to third-parties

The exact ways in which we can obtain and use data, including a full list of our integration partners (known as sub-processors), is fully disclosed in our privacy policy.

Data you enter into Halaxy may be disclosed to third parties for the purpose of providing you a service (for example, to send SMS reminders we must provide patients' mobile phone numbers to our SMS provider). Halaxy does not and has never used or disclosed identifiable patient data to third parties except in the provision of such a service.

Halaxy does not use identifiable patient data to market anything to patients. This is specified in the Data Commitment section of our privacy policy. Disclosure of patient data outside of our terms would be a breach of the Australian Privacy Principles, which would render us liable under government standards.

Note that some of our integrations with sub-processors, such as with Xero accounting software, may result in data being stored overseas due to those companies operating in other territories. Therefore if a practitioner integrates their Halaxy account with Xero, their data could go offshore to the USA, which is one of the reasons why we allow practitioners to remove names when they are syncing with Xero. This is unique in the market and another way we help practitioners protect their patients and clients' privacy.

Terms and conditions and privacy policy

For more information, please see our terms and conditions and privacy policy.

0 out of 0 found this helpful



Article is closed for comments.