YOU'RE IN AU (click to change)
Halaxy Security

Halaxy Security

Your data is managed safely, securely and responsibly with us.

Halaxy is a healthcare industry leader in data and privacy protection and transparency: protecting your data is at the core of everything we do. Here’s everything you need to know about how we handle data, security, and privacy at Halaxy, so you have the peace of mind to focus on what matters: health.

World-leading data protection:

Your data is protected by robust security and encryption

With Halaxy, your data is backed up daily and protected by bank grade security and encryption here in Australia, meaning that your data is secure at rest and in transit (where they are only accessible via TLS/SSL). Your data is stored safely here in Australia, or in the EU, if you are based there.

Halaxy is hosted on Amazon Web Services (AWS), one of the most used and well-regarded hosting services in the world. AWS physical access is controlled using human and video surveillance, intrusion detection systems, and world class security protocols. AWS has the following accreditations and certifications, among may more:

  • PCI DSS Level 1 (Payment Card Industry Data Security Standard)
  • ISO 27001 (Information Security Management System)
  • FIPS 140-2 (United States Federal Information Processing Standard)

Our infrastructure within AWS defaults to the strictest configuration levels.

When Halaxy first integrated with funding bodies (such as Medicare and DVA), Halaxy passed system-wide security and operational tests before being permitted to integrate with these governmental bodies. Halaxy was also the first major practice management software provider to integrate with Medicare’s latest web services online claiming systems.

In the event of a data breach, an internal policy and response plan has been prepared in accordance with the Notifiable Data Breaches Scheme.

24-hour monitoring, with phone and email customer support

The data you store in Halaxy is monitored 24 hours a day by threat detection systems, and logging and alert systems. So, if something happens, our technical team can handle any issues immediately. Importantly, we have 24 hour phone customer service Monday to Friday, so you can call us anytime during the week, giving you the security of knowing that urgent issues are known and followed up immediately.


For users in the EU, data is stored in the EU in accordance with GDPR requirements. This data is also protected by 256-bit bank grade encryption, with multiple backups in place.

Secure release processes

We peer review and test our code prior to release, including manual and automated checks for security issues. We only release software after comprehensive testing in our development and staging environments, and we aim to release new features at times that will minimise disruption for users.

We keep your data safe when you choose to integrate third-parties into your Halaxy

You can choose to integrate your Halaxy with third parties such as accounting packages like Xero and QuickBooks (for practitioners), medical devices (for consumers), and services like SMS providers. This sub-processors are listed in our Privacy Policy. Data is only shared with these third parties when you give your permission, and only shared for the purpose for which it was given. Our integration partners must meet the same stringent privacy standards that we do (you can read more in our Privacy Policy).

Payment details are safely managed in Halaxy

Halaxy's payments gateway is powered by Braintree in Australia and Hyperwallet globally, which are both owned by Paypal, one of the world's largest payments providers.

As a security measure, card details are stored through our partners and not stored by Halaxy directly, so payment data is not stored with patient records and Halaxy cannot retrieve card details.

When a patient's or client's card details are entered into Halaxy, the details are stored and tokenised by Halaxy's payments gateway. This means that once initially entered and captured, card details are not visible to anybody within the practice or at Halaxy, and cannot be retrieved by Halaxy. If card details need to be altered or updated, payment details need to be completely re-entered (as a tokenised card is unable to be edited).

For practitioners, Halaxy features a customisable authorised payment limit for transactions, giving you the added security of the cardholder being required to enter a verification code via SMS to authorise the transaction. This not only protects cardholders from unauthorised transactions, it also lowers the risk of disputed payments because the cardholder is required to actively authorise the payment. You also have the option to include a secure payment link that patients can click to pay the invoice online

Our blog provides more details on how to manage your patient's card details in Halaxy, as well as an FAQ page for patients about card security.

Next level access and protections:

As well as world class data storage and management, Halaxy’s design and architecture ensures that privacy and confidentiality are infused throughout the Halaxy platform and service, no matter whether you’re a practitioner user or a consumer user.

Extensive user access levels

For practitioners, there are four access levels for practitioners and three levels for administrative staff, including a number of specific options and restrictions within each level dependent upon the particular user. This means that access to sensitive clinical, practice or financial information (and system settings) can be limited only to those who need it.

For consumers using our personal health record, you can choose whether to give access to others (such as family members or practitioners).

Sophisticated anonymisation and protection for practitioners

Our practice management software accommodates the real-world needs of practitioners through our smart anonymisation options, such as:

  • Anonymisation of patient records, invoices and finance reports, so that you can provide invoices and reports to funding bodies and accountants without including patient names.
  • Anonymisation of your calendar, you can choose whether to show full patient names, first names, just their initials or have their identities completely anonymised with IDs, e.g. HX-299816.

Our team does not have access to your data

We’re only the guardians of your data, we do not have access to sensitive patient or practice information. When we access your account to assist with service queries, all confidential details are anonymised or removed. If Halaxy staff need to assist regarding a particular patient record for example, they will ask for an anonymised patient ID rather than a patient's name.

We do not market anything to your patients

Practitioners can be reassured and confident that Halaxy does not use patient data that you enter to market anything to patients, and we do not provide patients' data to others so that they can be directly marketed to - this is anathema to us.

If a non-practitioner does sign up to Halaxy to use our personal health record, they are governed by their own Terms (which you can read here).

How practitioners can use Halaxy to protect their data:

Here are some of the many security features that Halaxy offers to support your practice and ensure patients’ data is protected:

Set up the correct access levels

With several access levels for practitioners and administrative staff as well as customisable restrictions individual to a user, Halaxy’s extensive access levels enable you to limit access to confidential information to only those who need it.

Set up a strong password, two-factor authentication (2FA), and further password protections

Start with setting up a unique password for your Halaxy account and then set up two-factor authentication for extra protection. Two-factor authentication is a layer of additional security that means that even if someone does happen to guess your password, they will be unable to log in to your Halaxy account unless they also have physical access to your personal authentication method (such as through your mobile phone authenticator).

You can also set your password to be automatically refreshed at set intervals, as well as set up automatic logout after a specified period of inactivity.

User Action History

You can always track the action that users take in your Halaxy account - e.g.: who viewed a patient’s profile or changed appointment times.

Take advantage of Halaxy’s anonymisation features

With Halaxy you can completely anonymise your calendar (for example, display only patient initials or IDs), patient records (including patient profiles and clinical notes), as well as invoices and finance reports, so you can provide invoices and reports to funding bodies and accountants without breaching confidentiality.

Send secure messages via Halaxy

Halaxy integrates with Argus and ReferralNet to enable you to securely send and receive referrals and clinical notes via Halaxy.

Use encrypted credit/debit card details and/or a secure payment link

When a patient's or client's card details are entered into Halaxy, they are stored and tokenised by Halaxy's payments gateway. We also have customisable authorised payment limit for transactions, protecting cardholders from unauthorised transactions, and lowering the risk of disputed payments because the cardholder is required to actively authorise the payment. You also have the option to include a secure payment link that patients can click to pay the invoice online.

Terms and Conditions and Privacy Policy

For more information, please see our Terms and Conditions and Privacy Policy. Our Privacy Policy explains: how we store and use data, and how you may access and correct your personal information; how you can lodge a complaint regarding the handling of your personal information; and how we will handle any complaint.

If you would like any further information about our privacy policies or practices, or would like to report any issues, please contact us at

Read more about Halaxy Responsible Disclosure Program

Our latest news