Zero cost to general practices · Aligned with the NZ Privacy Act and the Health Information Privacy Code

Health record requests, driven by the patient.

Surely is a patient-led service that puts patients and applicants in control of their own health information. Patients use Surely to request their own health records from their general practice. What they then choose to do with those records is entirely their decision.


Health records should move at the speed patients need.

When a patient or applicant needs a copy of their own health records, the path from a general practice to the patient has historically been slow and opaque.

01. Patients without visibility
The records belong to the patient

The records are theirs, yet the patient is too often the person with the least visibility into where their request sits and what is being shared.

02. Clinical time spent on coordination
Requests arrive without a clear consent chain

Practice teams field record requests that arrive without a clear, scoped consent record, leaving clinicians to verify authorisation before any data can move.

03. Compliance grey areas
Without a clear consent chain, compliance is hard to demonstrate

Without a clear, auditable consent chain, it can be difficult to demonstrate compliance with the NZ Privacy Act 2020 and the Health Information Privacy Code 2020 if a query arises.

04. No upside for the practice
All the effort, none of the efficiency

Practices carry the administrative cost of every health record request, with no improvement to the underlying process.

How It Works

From request to release, the patient is in control.

Four steps. One platform. Built around the Practice Management System your practice already uses.

01. Patient-initiated request

The patient or applicant initiates a request for their own health records through Surely, choosing the practice and the scope of the records they need.

02. Scoped digital consent

Before your practice sees anything, the patient has digitally signed a scoped authorisation aligned with the NZ Privacy Act 2020 and the Health Information Privacy Code 2020, specifying exactly what can be shared.

03. Practice review and approval

A consented request arrives as a task in your PMS. Your practice reviews the patient name, consent scope, and report type, then approves or declines. The practice decides what leaves. Surely never bypasses you.

04. Release and delivery

Approved records are retrieved from your PMS via standards-based FHIR integration and delivered securely to the patient, or to the recipient the patient has authorised. A full audit trail is logged, and once a request has been fulfilled, all data is automatically and permanently deleted from Surely within a defined number of days.

Compliance & Trust

Your compliance obligations, covered.

Surely handles the consent documentation, audit trail, and encryption so your practice meets its NZ Privacy Act 2020 and Health Information Privacy Code 2020 obligations.

NZ Privacy Act 2020 Aligned
Consent workflows mapped to the Information Privacy Principles. Every disclosure is scoped, documented, and reviewed against IPP 11, so your practice's obligations are met by default.
HIPC 2020 Aligned
Health Information Privacy Code-aligned handling from consent through to delivery. Sensitive record categories are flagged and configurable per practice.
Complete audit trail
Every consent, approval, retrieval, and delivery is logged with tamper-evident timestamps. If a Privacy Commissioner inquiry arises, your records are already in order.
Data is not retained
Surely does not retain data. Once a request has been fulfilled, the data is automatically and permanently deleted from the system within a defined number of days.
SOC 2 Type II Certified
Independently audited against SOC 2 Type II controls for security, availability, and confidentiality. Patient data is held to the highest standard.

PMS Integrations

Works inside the Practice Management System you already use. No new software to learn.

Practice Management System integration (Live)
Consented requests appear as tasks within the system your team already checks. No separate portal, no extra login, no change to your daily workflow.
Additional PMS coverage (Coming Soon)
Further PMS integrations are in active development so that every NZ general practice can support patient-initiated health record requests without leaving their existing system.