Surely Health Privacy Policy


Last Updated: July 2025

1. Our Commitment to Privacy

Surely is a health information intermediary and acts as an agent for authorised parties under s.22F of the Health Act 1956. We handle identifiable health information only on the basis of valid, documented patient consent, in accordance with the Health Information Privacy Code 2020 (HIPC).

We are committed to protecting the privacy of individuals’ health information in accordance with the Privacy Act 2020, the HIPC, the Health and Disability Commissioner Act 1994, and relevant provisions of the Health Act 1956.

We act on the authorised request of a licensed health insurer, who in turn acts with the individual’s express consent, to facilitate the secure and one-time transfer of their health information.

2. How We Receive Health Information

We receive health information from two sources, solely for the purpose of providing it to the insurer or other requestor that the individual has authorised:

  1. Direct extraction from Practice Management Systems, where the individual has given authorisation to the authorised requestor, e.g. the insurer; or
  2. Upload of PDF documents (e.g. medical records) by the GP practice on the individual’s behalf.

We do not initiate any health information requests independently and only act once valid authority has been provided by the individual to the authorised requestor, e.g. the insurer.

3. What Health Information We Handle

When acting under the individual’s authorisation, we may receive or extract:

  • National Health Index (NHI) Number
  • Medical history and consultation notes
  • Diagnoses and treatment plans
  • Prescriptions and known allergies
  • Laboratory or radiology test results
  • Relevant demographic information held by GP practices

Health information is automatically and permanently deleted within 72 hours of successful transmission. No backups or archives of health records are retained.

4. Purpose and Authority for Use

Purpose

Health information is handled only to transmit it from the individual’s GP or other provider to the authorised requestor, as explicitly authorised by the individual that the health information pertains to.

Authority

We act on the documented authority of the insurer. We ensure this authority is valid through our contractual agreements with the licensed health insurer, which require them to warrant that they have obtained the individual’s express, informed, and specific written consent for the transaction. The insurer confirms that:

  • The individual has been identified and provided informed and written consent, and
  • That consent is specific to the transaction in question (i.e. insurance underwriting or eligibility).

Identity Verification

We rely on the insurer to verify the identity and consent of the individual. We conduct supplementary checks to ensure the integrity of the requester.

5. Disclosure of Health Information

Health information is only disclosed to the requestor, consistent with the individual's authorisation.

We do not:

  • Access or view the contents of the health information internally
  • Share information with any other party
  • Reuse information for any purpose
  • Retain the information longer than is necessary to deliver the Surely service

The only exceptions to this are as required by law (e.g. to prevent serious harm), as provided for under HIPC Rule 11.

6. Storage, Security and Destruction

Although we do not retain health information long-term, we take all necessary steps to protect it during handling:

  • Encryption: All data is encrypted in transit and (if briefly stored) at rest.
  • Access Controls: Only authorised staff can view request metadata (e.g., applicant and clinic info) to provide support. Health information is never accessible. All access is tightly controlled and logged.
  • Audit Trails: We maintain audit logs of system activity for oversight and compliance.
  • Secure Destruction: Health information is permanently deleted from the system 72 hours after it has been made available to the requester. Request metadata, including applicant details, is also redacted from the system.

We do not retain or archive health records.

7. Your Rights

As an individual, you have the right to:

  • Access any health information we hold about you during the processing period.
  • Withdraw your consent to the sharing of your information.
  • Raise concerns or make complaints about our handling of your health information.

If you have concerns about how your information is handled, please contact us at support@eightwire.com. We will acknowledge your complaint within 3 business days and aim to resolve it within 20 business days.

If you're not satisfied, you can escalate to:

8. Privacy Breach Notification

In the unlikely event of a privacy breach that causes or is likely to cause serious harm, we will:

  • Notify the affected individual (via the requestor where appropriate), and
  • Notify the Privacy Commissioner, in accordance with the Privacy Act 2020

We treat all breaches seriously and are committed to transparency and accountability.

9. Further Information

This Privacy Policy is based on:

  • The Health Information Privacy Code 2020 (HIPC)
  • The Privacy Act 2020
  • The Code of Health and Disability Services Consumers’ Rights
  • Section 22F of the Health Act 1956

For more information or questions, please contact us at: support@surely.nz.