Health record requests: powered by patients.

Surely is a patient-led service that gives individuals full control over their health information. Patients can use Surely to request their health records directly from their general practice, and decide how those records are used. Whether they choose to share them with a third party, such as an insurer, remains entirely up to them.

Book a demo See how it works for your practice →
Practice Management System integration · Aligned with the NZ Privacy Act and the HIPC · Zero cost to general practices
Surely platform: secure health record request and delivery
The Problem

Health records should move at the speed patients need.

Currently, when a patient requests a copy of their records, whether to support an insurance application, seek a second medical opinion, or simply access their own information, the process between general practice, patient, and third parties can be slow, unclear, and resource-intensive. This creates challenges for everyone involved.

01. Patients without visibility
The records belong to the patient

While health records belong to the patient, they frequently have little insight into the status of their request, or exactly what information will be shared and when.

02. Administrative burden on clinical teams
Requests often arrive without clear, documented consent

This means practice staff and clinicians must spend valuable time verifying authority before any records can be released, time that could be better spent on patient care.

03. Compliance and audit complexity
Without a clear consent record, compliance is hard to demonstrate

Without a clear, traceable record of consent at every step, it can be challenging to demonstrate full alignment with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020 if questions or audits arise.

04. No operational benefit for practices
All the administrative workload, with no efficiency gains

Practices carry the administrative workload of fulfilling health record requests, often without tools that streamline the process or improve efficiency for staff and patients alike.

How It Works

From request to release, the patient is in control.

Four steps. One platform. Built around the Practice Management System your practice already uses.

01
Patient-defined request

A request is prepared for the patient or applicant to review. They confirm the practice details and sign off on who their health information can be shared with, ensuring they remain in control before anything is sent to the practice.

02
Scoped digital consent

Before your practice receives the request, the patient provides a digitally signed, clearly scoped authorisation. This consent aligns with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020, specifying exactly what information can be shared and with whom.

03
Practice review and oversight

Once a consented request is received, your practice has a clear view of the consent scope and authorised use. This ensures transparency and supports compliance, with no records accessed or shared without your practice's knowledge.

04
Secure release and delivery

Approved records are extracted directly from your Practice Management System through secure FHIR-based integration, and delivered safely to the patient or their authorised recipient. A complete audit trail is retained for your records, and once the request is fully actioned, all related data is automatically and permanently deleted from Surely within a defined number of days.

Compliance & Trust

Built to support your compliance obligations.

Surely manages consent documentation, auditability, and secure data handling, helping your practice and partners meet their obligations with confidence.

NZ Privacy Act 2020 Aligned
Consent workflows mapped to the Information Privacy Principles. Each disclosure is clearly scoped, documented, and aligned with IPP 11, so information is only shared as authorised.
HIPC 2020 Aligned
Health information is handled in accordance with HIPC requirements from consent through to delivery. Sensitive record categories can be flagged and configured to align with your practice's policies.
Complete audit trail
Every consent, approval, record retrieval, and delivery is logged with secure timestamps. In the event of an inquiry from the Privacy Commissioner, your records are already organised, traceable, and ready.
Data minimisation by design
Surely does not store records long-term. Once a request is fully processed, all related information is automatically and permanently removed from our system within a defined number of days.
AICPA SOC 2 Type II Certified
SOC 2 Type II Certified
Independently audited against SOC 2 Type II controls for security, availability, and confidentiality. Patient data is held to the highest standard.
Book a demo