Terms of service.

Information, Security and Access

In the course of intervention, personal information is collected as is required by law. All notes that are taken as well as all communications relating to intervention and appointments become a part of the client’s clinical records. Clinical records are stored electronically in the client's file on Power Diary, which you consent to as a guardian or client of this practice. You have a general right to access the client's records (subject to some exceptions which mainly relate to privacy, health, child consent or legal considerations) and a request must be made in writing. We are required to keep the client's personal information for 7 years after ceasing engagement with your treating clinician, and up to age 25 years for a young person under the age of 18.

Personal Information

With You Allied Health makes conscious decisions about the platforms we use to ensure we are meeting ethical and security standards. This includes storage of data, communication of notes, and assessment platforms.

  • All personal information gathered by With You Allied Health and your clinician during the provision of service will remain confidential and secure except when:

    • It is subpoenaed by a court, or disclosure is required or authorised by law; or

    • Failure to disclose the information would place you or another person at risk of harm; or

    • You have given your prior approval, or a guardian who is legally authorised to act on your behalf has given consent, for us to provide a written report to another professional or agency, or to discuss information with another person, e.g., a parent or employer; or

    • You would reasonably expect your personal information to be disclosed to another professional or agency and disclosure is directly related to the primary purpose for which it was collected such as to inform your GP of intervention and progress; or

    • Clinical consultation with another professional is required to provide better clinical services (identifying details will remain confidential).

  • If you claim rebates from funding bodies, doctors and health practitioners are required to provide summary reports to referring doctors, specialists and/or agencies regarding the patient’s progress.

  • Should you engage with multiple practitioners (past or present) at With You Allied Health, this information is visible to all practitioners who have access to the client's file.

Power Diary

Power Diary is used by With You Allied Health as a booking system and for storage of client information, communication and confidential case notes, etc. Much thought was given to choice of platform and Power Diary was chosen given their high ethical and security standards.

See below information relating to Power Diary's security measures (sourced from Power Diary):

  • Governance, Risk and Compliance Platform

    • Power Diary uses a GRC (Governance, Risk and Compliance) platform. The GRC platform monitors privacy laws and regulations such as HIPAA, GDPR, PIPEDA and CCPA, as well as security frameworks such as ISO 27000 and SOC 2, which means they are constantly assessing their compliance and security status against those regulations and frameworks and flagging inconsistencies between existing and new requirements. When changes to regulations are proposed, anywhere in the world, Power Diary receives advance notice so that proactive changes can be rolled out before they become a requirement.

    • Power Diary is compliant with the relevant legislative and regulatory requirements in the main markets in which they operate: Australia, New Zealand, the UK, Europe, South Africa, the US and Canada. This includes compliance with the Australian Privacy Act, GDPR and UK GDPR, HIPAA, and PIPEDA. As technology continues to evolve, they regularly update their infrastructure, security systems and software to ensure they continue to provide the highest levels of protection for their customers at all times.

  • Infrastructure Security and Compliance

    • Power Diary utilises Amazon Web Services (the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centres globally), which provides an infrastructure environment that is optimised to run applications like Power Diary. This means they can split the data across different locations and ensure it is spread across multiple data centres, so that they are unlikely to be impacted by an event affecting one area.

    • In addition, all Power Diary data hosted on Amazon Web Services infrastructure is backed up hourly and stored separately on secure storage devices, with an additional separate daily backup.

    • Amazon Web Services complies with worldwide privacy regulations such as GDPR, HIPAA and PIPEDA, and with security frameworks such as ISO and SOC 2.

  • Automated Security System Alerts

    • The Power Diary system alerts are based on best practice processes outlined by the US Department of Defense, and their software applies the highest level of security framework available.

    • This includes automated alerts and monitoring for any unusual activity. The Power Diary security systems monitor user behaviour in real-time, making early identification of security threats possible.

    • Power Diary also keeps an audit trail of all modifications that are made, whether to code, to system configuration or to anything else. This means a log is maintained automatically that tracks everything, and it cannot be turned off.

  • Continuous System Testing

    • Power Diary contracts a third-party company to test for vulnerabilities. They check for deficiencies, for example in operating systems, and then check whether that deficiency makes the Power Diary software vulnerable. This happens automatically, multiple times a day, and Power Diary receives notifications about all the checks and their implications for the software.

  • Data Transmission and Cryptography

    • Power Diary utilises the latest commercially accepted encryption protocols to secure data at rest and in transit. All information transferred from a browser to their services is encrypted using 256-bit SSL technology. There is also added protection with a Domain Validated Security Certificate.

  • Credit Card Processing and PCI Compliance

    • Power Diary enables customers to process client credit card payments via a secure and validated integration with Stripe Inc. Stripe is certified as a PCI Service Provider – Level 1.

  • To view Power Diary's Privacy Policy, please go here: https://www.powerdiary.com/au/privacy-policy/

To view information about Power Diary as an Australian Cyber Security Centre (ACSC) Partner, please go here: https://www.powerdiary.com/au/blog/australian-cyber-security-centre-partner/

Medical Objects

Medical-Objects is used by With You Allied Health as a secure and efficient way to communicate with other health professionals, including General Practitioners (GPs), Psychiatrists and Paediatricians.

  • With You Allied Health clinicians are able to receive referrals directly from GPs, Psychiatrists and Paediatricians and complete the required reviews for Mental Health Care Plans.

  • To view Medical-Objects' Privacy Policy, please go here: https://www.medicalobjects.com/privacy/

Email

Communication via email between scheduled sessions will be kept to a minimum, with the expectation that it is limited to administrative matters (i.e. organising appointments, advising of any recent changes, requesting that information be shared with specialists, and sharing of resources).

  • Should you wish to provide information relating to intervention to your clinician between appointments, you may do so; however, be aware that we cannot guarantee the security of email. All reports and confidential information sent by With You will be sent via Power Diary, and all reasonable attempts will be made to ensure confidentiality.

Other Platforms

There may be times where a client engages in additional services of With You Allied Health where additional platforms are required (such as a formal assessment, or the use of behavioural/observational questionnaires beneficial to treatment).

  • With You Allied Health makes conscious decisions about the platforms we use to ensure we are meeting ethical and security standards.

  • Should you have any questions or concerns about these additional platforms, please speak to your clinician.

Camera in the Waiting Room and The Forest room (sensory space)

With You Allied Health has a camera installed in the waiting room that provides a live feed to assist clinicians in knowing when a client has arrived.

  • With You Allied Health also has a camera installed in the Forest room (sensory space) that provides a live feed to assist clinicians and staff with monitoring any safety concerns while a person is accessing that space, if required.

  • Please note that these cameras do not record any footage. They are purely for real-time awareness and do not compromise your privacy in any way.

STRIPE

See below information relating to STRIPE's security measures (sourced from STRIPE):

  • A PCI-certified auditor has audited Stripe. They are a certified PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, they use best-in-class security tools and practices to maintain a high level of security at Stripe.

  • HTTPS and HSTS for secure connections

    • Stripe forces HTTPS for all services using TLS (SSL), including their public website and the Dashboard, to ensure secure connections:

      • Stripe.js is served only over TLS.

      • Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection.

    • Stripe regularly audits the details of their implementation, including the certificates they serve, the certificate authorities they use, and the ciphers they support. They use HSTS to ensure that browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preload lists for both Google Chrome and Mozilla Firefox.

  • Sensitive data and communication encryption

    • All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain-text card numbers, but they can request that cards be sent to a service provider on a static allow list. Stripe’s infrastructure for storing, decrypting and transmitting card numbers runs in a separate hosting environment and does not share any credentials with Stripe’s primary services, including Stripe's API and website.

  • To view Stripe's privacy policy, please go here: https://stripe.com/au/privacy