Security Policy
Purpose
This Security Policy outlines how hear. protects patient and business information across our digital systems. It ensures compliance with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020, and reflects our commitment to safeguarding sensitive health and financial data. Use of “We” and “You” herein refers to “hear. and its staff,” and “customers of hear.” respectively.
Scope
This policy applies to all staff, contractors, and systems used by hear., including:
Patient management system
Accounting and invoicing system
Local devices used for clinical and administrative work
Data Protection Standards
We adhere to the following principles:
Confidentiality: Patient and financial data is only accessible to authorised staff.
Integrity: Systems are protected against unauthorised alteration.
Availability: Data is backed up and accessible when required for patient care.
Compliance: All practices align with the NZ Privacy Act 2020 and Health Information Privacy Code 2020.
Patient Management System
Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
Hosting: Data is hosted in secure data centres that comply with ISO 27001 standards.
Access Control: Role-based access ensures staff only see the information necessary for their role.
Audit Logs: All access and changes to patient records are logged.
Accounting System
Encryption: Data is encrypted in transit with TLS 1.2+ and at rest with AES-256.
Authentication: Two-factor authentication (2FA) is required for all staff accounts.
Compliance: The accounting system complies with ISO 27001 and SOC 2 standards.
Data Location: Data is stored on secure servers located in multiple regions, with redundancy.
Local Devices
Device Encryption: All clinic PCs use BitLocker drive encryption (AES-256) to protect data at rest.
Secure Boot & TPM 2.0: Ensures only trusted software runs at startup and encryption keys are hardware-protected.
Windows Hello & MFA: Staff logins require biometric or PIN authentication, with optional multi-factor authentication.
Automatic Updates: Security patches and updates are applied promptly via Windows Update.
Defender & Firewall: Microsoft Defender Antivirus and Firewall are enabled by default for malware and intrusion protection.
Data Access and Sharing
Patient data is never shared with third parties without explicit informed consent.
Access to systems is restricted to authorised staff with unique logins.
Remote access is only permitted via secure, encrypted connections (VPN or equivalent).
Incident Response
Responsibility for handling any suspected data breach rests with the Managing Director.
In line with the Privacy Act 2020, notifiable breaches will be reported to the Office of the Privacy Commissioner and affected individuals.
Incident logs will be maintained for accountability and review.
Staff Duties
Staff must use strong, unique passwords and enable 2FA where available.
Devices must be locked when unattended.
No patient or financial data may be stored on personal devices or unencrypted media.
Review and Updates
This Security Policy will be reviewed annually or sooner if there are changes to systems, regulations, or identified risks.

Privacy Policy
Purpose
This Privacy Policy explains how hear. collects, uses, stores, and protects your personal and health information when you use our services, including our online booking system. We are committed to protecting your privacy and handling your information in accordance with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020.
Scope
For the purpose of providing safe and effective clinical care, we collect the following information: full name, date of birth, National Health Index (NHI) number, address, email address, phone number, hearing aid government funding details (where applicable), and any personal information shared by you as part of medical history-taking and needs assessments. We do not use tracking cookies or any other digital technology to profile your online activity.
How We Use Your Information
We use this information solely for: managing your appointments and clinical records, providing audiology services and follow-up care, contacting you about your appointments, treatment, or clinic updates, and internal administrative purposes.
Sharing Your Information
We do not share your personal or clinical information with third parties without your explicit informed consent. With your consent, we may share relevant clinical information with: your GP, ENT specialist, or other allied health professionals for case management; ACC (Accident Compensation Corporation); Disability Support Services; Veterans’ Affairs. We will always explain the purpose of sharing before seeking your consent.
Your Rights
You have the right to: access the personal information we hold about you; request corrections to your information if it is inaccurate or incomplete; withdraw consent for sharing your information at any time.
Requests can be made by contacting us directly (see Contact Us).
Retention of Information
We retain your clinical records in accordance with New Zealand health record-keeping requirements. When no longer required, records are securely destroyed.
Contact Us
If you have any questions about this Privacy Policy or how your information is handled, please contact us:
Email: hello@hearcare.nz
Address: 12 Vernon Drive, Unit 3, Lincoln 7608, Canterbury, NZ

