Enterprise-grade security purpose-built for Australian and New Zealand healthcare.
Your patient data is protected with the highest industry standards.
Our Commitment to Healthcare Data Security
Alfa AI is built from the ground up for healthcare. We understand that patient data is sacred,
and we've designed our systems to meet or exceed Australian and New Zealand healthcare compliance requirements.
Privacy Act 1988: Compliant
NZ Privacy Act 2020: Compliant
ISO 27001: In Progress
Australian Hosting: AWS Sydney
Privacy & Data Protection
Australian Privacy Principles (APPs) Compliance
Alfa AI complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles.
We are committed to transparent data management and protecting patient privacy.
APP 1: Open and Transparent Management
Patients are clearly informed that Alfa AI is handling their call. Our privacy
policy is publicly available and written in plain English.
APP 3: Collection of Solicited Information
We collect only the minimum information necessary for appointment booking:
name, date of birth, phone number, and appointment reason. Nothing more.
APP 5: Notification of Collection
At the start of every call: "This call may be recorded for quality and healthcare
coordination purposes." Patients can opt out at any time.
APP 6: Use or Disclosure
Patient information is used solely for appointment management purposes.
We never sell patient data. Ever.
APP 8: Cross-border Disclosure
All patient data is stored exclusively on Australian AWS servers in the Sydney region.
Your data never leaves Australia or New Zealand.
APP 11: Security of Personal Information
AES-256 encryption at rest, TLS 1.3 encryption in transit, multi-factor authentication,
and regular security audits protect your patient data.
APP 12: Access to Personal Information
Patients can request access to their call recordings and transcripts within 30 days.
We respond to all access requests promptly and free of charge.
New Zealand Privacy Act 2020 & Health Information Privacy Code
For New Zealand GP clinics, Alfa AI complies with the Privacy Act 2020 and the
Health Information Privacy Code 2020 (HIPC), including all 13 privacy rules governing health information.
Key NZ Compliance Measures:
Rule 5 - Storage and Security: Australian-hosted servers with encryption and access controls
Rule 6 - Access Rights: Patients can access their information within 20 working days
Rule 9 - Retention: 10-year minimum retention for health information
Rule 12 - Disclosure: Information shared only with authorized healthcare staff with consent
Data Residency & Infrastructure
Australian Data Hosting
All patient data is stored exclusively on Australian servers. We use AWS Sydney (ap-southeast-2)
region for all data processing and storage. Your data never leaves Australia or New Zealand.
Technical Security Measures
Encryption at Rest: AES-256 encryption for all stored data
Encryption in Transit: TLS 1.3 for all data transmission
Access Controls: Role-based access with multi-factor authentication
Network Security: Private VPC, network isolation, and DDoS protection
Monitoring: 24/7 security monitoring and intrusion detection
Backup & Recovery: Automated daily backups with 7-year retention
Call Recording Disclosure: At the start of every call, Alfa AI states:
"This call may be recorded for quality assurance and healthcare coordination purposes."
Consent Approach: By continuing the call, the patient provides implied consent.
Patients can opt out at any time by requesting to speak with human reception staff; calls are
immediately transferred without recording.
Retention: Call recordings and transcripts are retained for 7 years in accordance
with medical records retention standards in Australia and New Zealand.
Clinical Safety & AI Governance
Critical: Alfa AI is NOT a Medical Device
Alfa AI is designed for administrative tasks only. It does not provide medical advice,
diagnoses, or treatment recommendations. It does not access patient clinical records.
All clinical decisions remain with qualified healthcare professionals.
What Alfa AI Does (Administrative Only)
Answer general practice information questions (hours, location, services)
Book, reschedule, and cancel appointments
Verify patient identity using name, date of birth, and phone number
Detect emergency keywords and escalate to clinical staff
Take messages for non-urgent matters requiring human follow-up
What Alfa AI Does NOT Do (Clinical Boundaries)
Provide medical advice, diagnoses, or treatment recommendations
Access patient clinical records (diagnoses, visit notes, test results)
Prescribe or advise on medications
Interpret clinical data or test results
Make autonomous decisions affecting patient care
Emergency Handling Protocol
100% Emergency Detection Required: Alfa AI continuously monitors for emergency keywords
indicating life-threatening situations (chest pain, difficulty breathing, stroke symptoms, severe bleeding, etc.).
Immediate Escalation (<10 seconds): When an emergency is detected, Alfa AI immediately:
States: "This sounds like a medical emergency"
Directs patient to call 000 (Australia) or 111 (New Zealand) if life-threatening
Transfers to clinical staff if less urgent but requires same-day assessment
Logs the call with full recording for clinical review
Never Delays Escalation: Alfa AI does not gather additional information,
provide triage advice, or delay escalation when emergencies are detected.
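One way to implement the detection and no-delay escalation steps above, as an added Python example that is not Alfa AI's own code: the emergency categories and the 000/111 numbers are the ones the page names, while the phrase variants, the Escalation fields and the region codes are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Emergency categories are those the page names; the phrase variants under each
# are constructed for this example and would need clinical sign-off in practice.
EMERGENCY_PATTERNS = {
    "chest pain": [r"\bchest (pain|tightness|pressure)\b", r"\bcrushing pain\b"],
    "difficulty breathing": [r"\b(can'?t|cannot|trouble|difficulty|hard to) breath",
                             r"\bshort(ness)? of breath\b"],
    "stroke symptoms": [r"\bface (is )?droop", r"\bslurr(ed|ing) (my |his |her )?speech\b",
                        r"\b(arm|leg|side)s? (is |are |has gone |went )?numb\b"],
    "severe bleeding": [r"\b(severe|heavy|uncontroll\w*) bleed", r"\bwon'?t stop bleeding\b"],
}
EMERGENCY_NUMBER = {"AU": "000", "NZ": "111"}  # regional emergency numbers from the page

@dataclass(frozen=True)
class Escalation:
    category: str           # which emergency pattern group fired
    matched: str            # the caller's words that triggered it (kept for clinical review)
    statement: str          # what the assistant says next
    emergency_number: str   # 000 or 111 depending on the clinic's region
    transfer_to: str        # where the call is routed after the statement
    log_full_recording: bool = True

def detect_emergency(utterance: str) -> Optional[Tuple[str, str]]:
    """Return (category, matched phrase) for the first emergency phrase found, else None."""
    text = " ".join(utterance.lower().split())  # normalise case and whitespace
    for category, patterns in EMERGENCY_PATTERNS.items():
        for pattern in patterns:
            m = re.search(pattern, text)
            if m:
                return category, m.group(0)
    return None

def handle_turn(utterance: str, region: str = "AU") -> Optional[Escalation]:
    """Run on every caller turn. On a hit, return the escalation record straight
    away: no follow-up questions and no triage, so the booking flow never delays it."""
    hit = detect_emergency(utterance)
    if hit is None:
        return None  # no emergency signal; continue the normal booking flow
    category, matched = hit
    return Escalation(
        category=category, matched=matched,
        statement="This sounds like a medical emergency",
        emergency_number=EMERGENCY_NUMBER[region],
        transfer_to="clinical staff",
    )
```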
Human Oversight & Accountability
Clinicians remain responsible for all clinical decisions. Alfa AI is a tool that handles
administrative tasks; it does not replace clinical judgment. Your practice maintains full control:
Turn Alfa AI on/off instantly via dashboard
Review all call recordings and transcripts
Daily emergency call reports for clinical review
Seamless transfer to human staff at any time
PMS Integration Security
How Alfa AI Accesses Your Practice Management System
Alfa AI connects to your PMS via secure FHIR R4 APIs using industry-standard OAuth 2.0 authentication.
We integrate with:
Leading Australian PMS (Australia): Halo Connect API with secure API key authentication
Major ANZ PMS Platforms (Australia): Smart API+ via partnership program
New Zealand PMS Systems (New Zealand): ALEX API with Azure AD OAuth 2.0
What Alfa AI Can Access
Patient demographics (name, DOB, phone) for identity verification
Practitioner schedules and availability
Appointment booking, rescheduling, cancellation
What Alfa AI Cannot Access
Clinical records (diagnoses, visit notes, treatment plans)
Test results or pathology reports
Medication history or prescriptions
Billing or payment information
Modification of practitioner schedules or clinic settings
Read-Only Demographic Data: Alfa AI has read-only access to basic patient demographics
for verification purposes. It cannot modify that data or access sensitive clinical information.
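An added example, not Alfa AI's integration code, of enforcing the access boundaries above as a default-deny policy on outbound FHIR R4 requests. The resource-type lists, the URL layout and the authorize function are assumptions; the page's own integrations (Halo Connect, Smart API+, ALEX) are not modelled.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Allowed FHIR R4 resource types and HTTP methods, derived from the page's
# "can access" / "cannot access" lists. Everything not listed is denied.
ALLOWED = {
    "Patient": {"GET"},        # demographics for identity verification, read-only
    "Practitioner": {"GET"},   # needed to present practitioner schedules
    "Schedule": {"GET"},       # practitioner schedules
    "Slot": {"GET"},           # availability
    "Appointment": {"GET", "POST", "PUT", "PATCH", "DELETE"},  # book / reschedule / cancel
}
# Named only so a policy review can see that clinical and billing types are
# deliberately out of scope; the default-deny below would reject them anyway.
DENIED_CLINICAL = {"Observation", "DiagnosticReport", "Condition", "Encounter",
                   "MedicationRequest", "MedicationStatement", "Account", "Invoice", "Claim"}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(method: str, url: str) -> Decision:
    """Decide whether an outbound PMS request stays within the administrative scope."""
    method = method.upper()
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    query = parse_qs(parsed.query)
    # Operations such as Patient/{id}/$everything return the whole record, clinical data included.
    if any(s.startswith("$") for s in segments):
        return Decision(False, "FHIR operations ($...) are not permitted")
    # The resource being read is the LAST type-like segment: Patient/123/Observation
    # is a compartment search for Observations, not a Patient read.
    types = [s for s in segments if s[:1].isupper() and s.isalpha()]
    if not types:
        return Decision(False, "no FHIR resource type in path")
    rtype = types[-1]
    if rtype in DENIED_CLINICAL or rtype not in ALLOWED:
        return Decision(False, f"{rtype} is outside the administrative scope")
    if method not in ALLOWED[rtype]:
        return Decision(False, f"{method} on {rtype} is not permitted (read-only)")
    # _include / _revinclude would pull linked resources (e.g. Observations) into the bundle.
    if "_include" in query or "_revinclude" in query:
        return Decision(False, "_include/_revinclude could return linked clinical resources")
    return Decision(True, f"{method} {rtype} is within scope")
```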
Compliance Auditing & Reporting
Audit Trails
Every action taken by Alfa AI is logged with tamper-proof audit trails:
Complete call recordings and transcripts (7-year retention)
All PMS queries and updates with timestamps
Emergency detection events with escalation actions
User access logs (who accessed what patient data when)
System configuration changes
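An added example, not the product's own implementation, of one way to make an audit trail like the one listed above tamper-evident: an HMAC hash chain over the event types the page names. The AuditLog class, the key handling and the sample events are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-link of the first entry

class AuditLog:
    """Append-only log: each entry carries an HMAC over its content plus the
    previous entry's HMAC, so editing, deleting or reordering an entry breaks the chain."""

    def __init__(self, key: bytes):
        # In production the key lives in a KMS/HSM that the database writers cannot
        # read; otherwise whoever can edit rows can also recompute the MACs.
        self._key = key
        self.entries: List[Dict[str, Any]] = []

    def _mac(self, entry: Dict[str, Any]) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, ts: str, actor: str, action: str, detail: Dict[str, Any]) -> Dict[str, Any]:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "detail": detail, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, i
            prev = e["mac"]
        return True, None

def sample_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    """Constructed events covering the record types the page lists (call, PMS, emergency, access)."""
    log = AuditLog(key)
    log.append("2024-05-01T09:00:00+10:00", "alfa-ai", "call_recorded", {"call_id": "c-1001"})
    log.append("2024-05-01T09:00:12+10:00", "alfa-ai", "pms_query", {"resource": "Patient", "method": "GET"})
    log.append("2024-05-01T09:01:03+10:00", "alfa-ai", "emergency_detected", {"call_id": "c-1001", "action": "transfer_clinical"})
    log.append("2024-05-01T10:15:00+10:00", "reception@clinic", "user_access", {"call_id": "c-1001", "what": "transcript"})
    return log
```

The chain makes an edit, deletion or reordering detectable rather than impossible, which is why the key and a copy of the latest MAC should be held outside the log store.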
Compliance Reporting
Alfa AI provides comprehensive reporting for compliance purposes:
Daily Emergency Logs: All emergency calls requiring clinical review
Annual Compliance Summary: Privacy compliance, data retention, security audits
Patient Data Access Requests
Patients have the right to access their information. Alfa AI supports:
Australia: 30-day response time to access requests (APP 12)
New Zealand: 20 working days response time (Privacy Act 2020)
Free of Charge: No fees for reasonable access requests
Secure Delivery: Call recordings and transcripts delivered via secure portal or encrypted email
Data Retention & Deletion
Retention Periods
Alfa AI follows Australian and New Zealand medical records retention standards:
Call Recordings & Transcripts: 7 years (medical records standard)
Appointment Records: 7+ years (per PMS policy)
Emergency Logs: Indefinite retention for patient safety and practice protection
Analytics Data: De-identified, indefinite retention for service improvement
Right to Deletion
Important: Healthcare information cannot be deleted during the retention period
due to Australian and New Zealand medical records laws. After the retention period expires,
data is securely deleted using industry-standard data destruction methods.
Data Breach Response
In the unlikely event of a data breach:
Immediate containment and investigation
Notification to affected practices within 24 hours
Notification to OAIC (Australia) or Privacy Commissioner (NZ) if required
Notification to affected patients if high-risk breach
Full incident report and remediation plan
Questions About Security?
Our team is here to help. Contact us for detailed security documentation,
compliance certificates, or to discuss your specific requirements.