Our security policy for the management of your personal client information
We are always conscious of the trust our clients place in us to protect their privacy and secure their personal information. As such, we’ve developed and refined our security practices and processes to help our clients understand and appreciate the steps we take to ensure all interactions with our practice remain private and confidential.
Practice Management System - Halaxy
At Karepsych, we use Halaxy (formerly HealthKit) as our main patient administration system. This cloud-based platform is where we store all client personal details, client files and session notes relating to ongoing treatment.
Halaxy is recognised as one of the health industry’s leading global platforms and supports over 30,000 practitioners worldwide.
To ensure the privacy of our client records, Karepsych has implemented the following security controls within the Halaxy platform:
- All psychologists have their own unique Halaxy username and complex password.
- All Karepsych psychologist accounts are protected by two-factor authentication (also commonly referred to as multi-factor authentication).
- Only psychologists can view client session notes. Front office staff are restricted to calendar bookings and financial management functions only.
- Psychologists (with the exception of our principal psychologist Kathy Matheson) are restricted to viewing their own session notes for clients they treat.
- All staff access to the Halaxy platform is protected by bank-grade encryption.
- Access audits and reviews are conducted on a regular basis.
Video Consultation Platform - Coviu
Coviu is an Australian medical and allied health video consultation platform developed out of the CSIRO’s Data61 and allows Karepsych psychologists to meet our clients in the comfort of their own homes. Coviu brings the specific workflows and tools necessary for healthcare into our online video calls, while also satisfying regulatory requirements around security and privacy. To learn more about the security components of the Coviu platform, please read our deep dive article. In short:
- Coviu leverages the
- All sessions are peer-to-peer, meaning no data is stored on central servers
- Coviu requires no signup, nor application installations
In addition to the above, Karepsych has implemented the following security controls:
- Consultations are not recorded in any way by Karepsych psychologists
- All Karepsych psychologists are required to conduct video consultations in soundproof locations, meaning clients can rest assured they are not being overheard by others
- Only Karepsych psychologists have access to the Coviu platform. Front office staff do not need, nor have, access to the system
Office Support Platform - Office365
As a predominantly location independent business, Karepsych leverages the Office365 platform allowing both security and mobility for our staff.
Of the complete package, Karepsych only uses the Outlook and OneDrive components: Outlook for email communication with clients and external parties, and OneDrive for document storage. The following security controls have been put in place to protect client information:
- All accounts have complex passwords
- Knowing clients often email psychologists directly, these accounts have been kept private. Front office staff do not have delegation access to these accounts.
- Psychologist accounts are further secured by two-factor authentication
- OneDrive is only used for administrative document storage. Session notes are not stored in OneDrive.
Internal Messaging Platform - Slack
Karepsych uses the Slack communication platform for internal messaging between staff members. No personally identifiable information is passed using these channels, rather the system is used as a notification pathway for appointment cancellation or rescheduling operations.
Only active Karepsych employees have access to our Slack workspace.
Direct Marketing Platform - Mailchimp
Karepsych uses the Mailchimp direct marketing platform to send practice updates to our clientele. In doing so we store your email address and first name within the Mailchimp system.
Our Mailchimp account is protected by administrative and access controls, only allowing senior and approved staff members access.
In all instances where we send emails from Mailchimp, we will offer a means to remove yourself from the mail list.
We do not on-sell nor provide third party interests access to our client mailing list.
Devices - Laptops and Mobiles
Smartphones are used in the general course of our duties to communicate via Slack and email, and to synchronise calendars. The following security controls have been placed on smartphone usage:
- All smartphone devices used by Karepsych employees are to be encrypted
- All smartphone devices used by Karepsych employees are to be protected by a PIN at all times
Laptops are used to conduct video consultations and manage day to day activities. They may store administrative documents locally during the course of normal business operations.
We have put the following security controls in place to protect any personally identifiable information on these devices:
- Laptops are to be secured by a complex password at all times
- Laptops are to self lock when left unattended
- Laptops are to make use of encrypted local storage where possible – either disk based or file based.
Communicating with external parties
At times, Karepsych staff are required to communicate sensitive material to parties outside of our practice. This may be in the course of communicating with a client, a member of the medical community, a funding organisation or for legal purposes.
During these times, Karepsych staff remain cognisant and vigilant as to the protection of this data. We have put the following controls in place to ensure our clients’ confidentiality:
- Where possible, Karepsych will initially seek a point-to-point communication method such as a secure fax system. This limits exposure to unintended recipients.
- Where not possible, and where the communication method transits a public network (such as the internet), Karepsych will endeavour to send the communication via an encrypted medium. This may take the form of an encrypted web store, an encrypted email or an encrypted file.
- After the above avenues have been exhausted, and with the agreement of all parties involved, Karepsych will send the information via unencrypted email.
We wish to reiterate that client permission will always be sought prior to the sending of any sensitive information to external parties.