Halaxy is a healthcare industry leader in data and privacy protection and transparency: protecting your data is at the core of everything we do. Here’s everything you need to know about how we handle data, security, and privacy at Halaxy, so you have the peace of mind to focus on what matters: health.
With Halaxy, your data is backed up daily and protected by bank grade security and encryption here in Australia, meaning that your data is secure at rest and in transit (where they are only accessible via TLS/SSL). Your data is stored safely here in Australia, or in the EU, if you are based there.
Halaxy is hosted on Amazon Web Services (AWS), one of the most used and well-regarded hosting services in the world. AWS physical access is controlled using human and video surveillance, intrusion detection systems, and world class security protocols. AWS has the following accreditations and certifications, among may more:
Our infrastructure within AWS defaults to the strictest configuration levels.
When Halaxy first integrated with funding bodies (such as Medicare and DVA), Halaxy passed system-wide security and operational tests before being permitted to integrate with these governmental bodies. Halaxy was also the first major practice management software provider to integrate with Medicare’s latest web services online claiming systems.
In the event of a data breach, an internal policy and response plan has been prepared in accordance with the Notifiable Data Breaches Scheme.
The data you store in Halaxy is monitored 24 hours a day by threat detection systems, and logging and alert systems. So, if something happens, our technical team can handle any issues immediately. Importantly, we have 24 hour phone customer service Monday to Friday, so you can call us anytime during the week, giving you the security of knowing that urgent issues are known and followed up immediately.
For users in the EU, data is stored in the EU in accordance with GDPR requirements. This data is also protected by 256-bit bank grade encryption, with multiple backups in place.
We peer review and test our code prior to release, including manual and automated checks for security issues. We only release software after comprehensive testing in our development and staging environments, and we aim to release new features at times that will minimise disruption for users.
You can choose to integrate your Halaxy with third parties such as accounting packages like Xero and QuickBooks (for practitioners), medical devices (for consumers), and services like SMS providers. This sub-processors are listed in our Privacy Policy. Data is only shared with these third parties when you give your permission, and only shared for the purpose for which it was given. Our integration partners must meet the same stringent privacy standards that we do (you can read more in our Privacy Policy).
Halaxy's payments gateway is powered by Braintree in Australia and Hyperwallet globally, which are both owned by Paypal, one of the world's largest payments providers.
As a security measure, card details are stored through our partners and not stored by Halaxy directly, so payment data is not stored with patient records and Halaxy cannot retrieve card details.
When a patient's or client's card details are entered into Halaxy, the details are stored and tokenised by Halaxy's payments gateway. This means that once initially entered and captured, card details are not visible to anybody within the practice or at Halaxy, and cannot be retrieved by Halaxy. If card details need to be altered or updated, payment details need to be completely re-entered (as a tokenised card is unable to be edited).
For practitioners, Halaxy features a customisable authorised payment limit for transactions, giving you the added security of the cardholder being required to enter a verification code via SMS to authorise the transaction. This not only protects cardholders from unauthorised transactions, it also lowers the risk of disputed payments because the cardholder is required to actively authorise the payment. You also have the option to include a secure payment link that patients can click to pay the invoice online
Our blog provides more details on how to manage your patient's card details in Halaxy, as well as an FAQ page for patients about card security.
As well as world class data storage and management, Halaxy’s design and architecture ensures that privacy and confidentiality are infused throughout the Halaxy platform and service, no matter whether you’re a practitioner user or a consumer user.
For practitioners, there are four access levels for practitioners and three levels for administrative staff, including a number of specific options and restrictions within each level dependent upon the particular user. This means that access to sensitive clinical, practice or financial information (and system settings) can be limited only to those who need it.
For consumers using our personal health record, you can choose whether to give access to others (such as family members or practitioners).
Our practice management software accommodates the real-world needs of practitioners through our smart anonymisation options, such as:
We’re only the guardians of your data, we do not have access to sensitive patient or practice information. When we access your account to assist with service queries, all confidential details are anonymised or removed. If Halaxy staff need to assist regarding a particular patient record for example, they will ask for an anonymised patient ID rather than a patient's name.
Practitioners can be reassured and confident that Halaxy does not use patient data that you enter to market anything to patients, and we do not provide patients' data to others so that they can be directly marketed to - this is anathema to us.
If a non-practitioner does sign up to Halaxy to use our personal health record, they are governed by their own Terms (which you can read here).
Here are some of the many security features that Halaxy offers to support your practice and ensure patients’ data is protected:
With several access levels for practitioners and administrative staff as well as customisable restrictions individual to a user, Halaxy’s extensive access levels enable you to limit access to confidential information to only those who need it.
Start with setting up a unique password for your Halaxy account and then set up two-factor authentication for extra protection. Two-factor authentication is a layer of additional security that means that even if someone does happen to guess your password, they will be unable to log in to your Halaxy account unless they also have physical access to your personal authentication method (such as through your mobile phone authenticator).
You can also set your password to be automatically refreshed at set intervals, as well as set up automatic logout after a specified period of inactivity.
You can always track the action that users take in your Halaxy account - e.g.: who viewed a patient’s profile or changed appointment times.
With Halaxy you can completely anonymise your calendar (for example, display only patient initials or IDs), patient records (including patient profiles and clinical notes), as well as invoices and finance reports, so you can provide invoices and reports to funding bodies and accountants without breaching confidentiality.
Halaxy integrates with Argus and ReferralNet to enable you to securely send and receive referrals and clinical notes via Halaxy.
When a patient's or client's card details are entered into Halaxy, they are stored and tokenised by Halaxy's payments gateway. We also have customisable authorised payment limit for transactions, protecting cardholders from unauthorised transactions, and lowering the risk of disputed payments because the cardholder is required to actively authorise the payment. You also have the option to include a secure payment link that patients can click to pay the invoice online.
For more information, please see our Terms and Conditions and Privacy Policy. Our Privacy Policy explains: how we store and use data, and how you may access and correct your personal information; how you can lodge a complaint regarding the handling of your personal information; and how we will handle any complaint.
If you would like any further information about our privacy policies or practices, or would like to report any issues, please contact us at privacy@halaxy.com.