OrthoMetrics
Privacy Policy
Effective date: 13 May 2026
1. Purpose
OrthoMetrics is used to collect and manage patient-reported outcome measures (PROMs) before and after orthopaedic surgery. This Privacy Policy explains how personal and health information is collected, used, stored, and protected.
2. Regulatory Framework
OrthoMetrics is designed to operate consistently with the following New Zealand frameworks:
- The Privacy Act 2020, including the Information Privacy Principles and IPP3A for information collected from another source.
- The Health Information Privacy Code 2020 (HIPC 2020), which applies specifically to health information held by health agencies in New Zealand.
- The security design objectives of the HISO 10029:2022 Health Information Security Framework.
This Privacy Policy describes the practices the platform is designed for. OrthoMetrics has not undergone formal third-party privacy or security certification. The clinic or agency operating an OrthoMetrics deployment remains responsible for its own Privacy Impact Assessment, retention schedule, breach response plan, ethics review where applicable, and compliance attestation under these frameworks.
3. Information We Collect
We may collect:
- Patient name
- NHI number
- Mobile number and/or email address
- Operation details
- Surgical date
- PROMs questionnaire responses
- Relevant administrative details required to support outcome tracking
4. How Information Is Collected
Information may be collected:
- Directly from patients
- From treating clinicians or clinical practice staff
- From clinic booking, referral, theatre-list, operation note, or other clinical administration systems used by the treating service
- Through electronic PROMs questionnaires sent by email or SMS
When information is entered or imported from another source, the operating clinic or agency is responsible for ensuring patients receive the required collection notice, including why the information is collected, who will see it, how it will be used, and how patients can access or correct it.
5. Why Information Is Collected
Information is collected to:
- Monitor recovery after surgery
- Provide PROMs results to the treating clinician
- Support clinical follow-up
- Assist audit and quality improvement
- Support research using de-identified or aggregate data where appropriate
6. Hosting and Storage
OrthoMetrics is designed to be operated on New Zealand-hosted infrastructure. The clinic or agency operating a deployment is responsible for confirming and documenting the active hosting location, backup location, restore process, and supplier safeguards for that deployment.
Patient identifiers (NHI, mobile, email) are encrypted at rest before being written to the database. The encryption key is held outside the database and is rotated independently.
7. Third-Party Communication Providers
OrthoMetrics uses third-party providers to send patient-facing electronic communications:
- Brevo for email delivery
- Twilio for SMS delivery and inbound STOP / unsubscribe handling
Only the information required to deliver each message is transmitted to these providers. This may include the patient's email address or mobile number, patient name where needed, message content, operation or recovery wording included in the message, and a secure single-use link. NHI numbers and completed PROM questionnaire responses are not intentionally sent to Brevo or Twilio.
Both providers may process the contact information they receive outside New Zealand; each provider's own privacy policy applies to that processing. The operating clinic should maintain a supplier and cross-border processing register covering purpose, data categories, location, safeguards, retention, and exit arrangements. Patients may unsubscribe from any patient-facing message via the link in every email, or by replying STOP to any SMS. Unsubscribe is honoured immediately and recorded in the audit log.
8. Billing Provider
If paid clinician or clinic billing is enabled, OrthoMetrics uses Stripe for prepaid PAYG credit workflows and billing account management. Payment card details are handled by Stripe, not stored by OrthoMetrics.
Stripe should receive clinician or clinic billing metadata only, such as account email where available, billing account ID, credit pack size, Stripe customer/payment IDs, and invoice/payment status. Patient names, NHI numbers, PROM responses, operation details, and patient funding-source context must not be sent to Stripe.
Live billing should remain disabled until the operating clinic has reviewed payment terms, refund and cancellation handling, webhook security, Stripe supplier evidence, and any required patient/clinician notices.
9. Security
Patient health information is protected by the following technical and organisational measures:
- Patient identifiers (NHI, mobile, email) are encrypted at rest using AES-256-GCM, with the encryption key held outside the database.
- All client connections are served over HTTPS (TLS 1.2 or higher).
- Authenticator-based multi-factor authentication (MFA) is required before any clinician account can save real patient data.
- Passwords are hashed using scrypt with per-user salts; accounts lock after repeated failed sign-in attempts.
- Role-based access controls scope each clinician to their own patients, or to consultants who have explicitly approved access.
- Clinically meaningful actions are recorded in an audit log — including patient creation, consent changes, message sends, exports, and access events. The audit log supports accountability but should not be described as formally tamper-evident unless the operating deployment has implemented those controls.
- Automatic patient messaging is gated by patient consent; revocation or unsubscribe is honoured immediately and blocks future messaging.
No system is perfectly secure. These measures are designed to reduce risk to a level proportionate to the sensitivity of the data, but they do not guarantee that a breach cannot occur. Suspected security incidents should be reported using the contact details below.
10. Use and Disclosure
Identifiable patient information is used only for the purposes described in this policy. It is not sold or shared with third parties for commercial marketing purposes.
Information may be accessed by:
- The treating clinician
- Authorised clinical practice staff
- Authorised technical administrators where required for support, maintenance, or security
11. De-identified Data
De-identified or aggregate data may be used for audit, quality improvement, or service evaluation. Research, publication, identifiable export, or external data sharing should only occur under an appropriate governance pathway, such as ethics review, locality approval, documented export approval, or specific consent where required. Small cohorts may still carry re-identification risk even when direct identifiers are removed.
12. Patient Rights
Patients have the right to:
- Access their information
- Request correction of their information
- Withdraw participation
- Ask questions about how their information is used
- Complain to the Privacy Commissioner or, for concerns about health and disability services, the Health and Disability Commissioner
Withdrawal does not affect clinical care.
13. Retention
Clinical records are retained according to the operating clinic's retention schedule and applicable New Zealand health-record obligations. The current working schedule treats identifiable patient, operation, PROM, consent, and audit evidence as health information to be retained for at least 10 years after the most recent relevant service date, unless a longer lawful purpose applies. During the retention period, routine patient removal archives the record so it is hidden from ordinary registry views but not physically deleted. Hard deletion is restricted to administrators and is only available after the configured retention period unless a documented legal basis applies.
14. Contact
For privacy questions, contact: support@orthometrics.co.nz