H06: Privacy, HIPC & What Not To Do

🔒 What Heidi Health actually does with your recordings

This is the question every clinician has and almost nobody answers directly. Here is what Heidi Health states in their privacy policy as of 2025–2026:

Audio is processed in real time and deleted. The audio recording itself is not stored after transcription. Heidi does not retain voice recordings.
The transcription and generated note are stored. Heidi stores the text note, linked to your account. This is necessary for the product to work (so you can review and edit).
Data is processed on servers in Australia or the US. This is relevant to the HIPC (see below).
Heidi is SOC 2 compliant. This is a widely recognised security standard for cloud services handling sensitive data.
Patient identifiers in Heidi are under your control. Heidi doesn't require you to input a patient name or NHI — many practitioners use a consult number or abbreviated identifier rather than full name.

Always check the current Heidi privacy policy directly. Privacy policies update. The above reflects publicly available information at time of writing — verify at heidihealth.com/privacy before deploying in your practice.

📜 The Health Information Privacy Code — plain English

The Health Information Privacy Code (HIPC) is the NZ-specific privacy framework for health information. It builds on the Privacy Act 2020 with additional rules specific to health data. The rules most relevant to AI tools are:

📌

Rule 3 — Collection of health information

Health information should be collected directly from the patient where practicable. Using an AI scribe in a consultation with patient consent is consistent with this rule — the collection is still happening in the consult, with an AI tool assisting documentation.

🔐

Rule 5 — Storage and security

Health information must be protected against loss, unauthorised access, use, modification, or disclosure. This means you should use HIPC-aware tools (like Heidi, which is SOC 2 compliant), not paste identifiable patient information into free consumer AI tools without assessing their privacy posture.

🌐

Rule 12 — Disclosure overseas

Health information may only be sent overseas if the recipient has comparable privacy protections. When you use Heidi (which processes data in Australia/US) or a cloud AI like Claude, you are technically disclosing health information overseas. This is permitted where the overseas service has equivalent protections — which both Heidi and major AI providers (with their enterprise data handling agreements) meet. However, this is the rule that makes de-identification important when using general-purpose AI tools.

The practical implication: Heidi Health is designed for clinical use and meets the relevant standards. General-purpose AI tools (ChatGPT, Claude) are powerful but require de-identification before you paste patient information into them.

⚠️ What NOT to put in a general AI prompt

The distinction to remember: Heidi Health is a clinical tool with specific health data agreements. ChatGPT and Claude are general-purpose AI tools — powerful, but not designed to hold identifiable patient records.

When using general-purpose AI for referral letters, summaries, and ACC documents (as covered in H04 and H05), always de-identify first.

✗

Patient full name — replace with "the patient" or "a 45-year-old male"

✗

NHI number — remove entirely

✗

Date of birth — replace with approximate age ("mid-40s")

✗

Specific address or workplace — remove or generalise

✗

Names of family members mentioned in the consult — replace with "their partner," "their child"

✓

Age, sex, presenting complaint, clinical findings, medications, plan — this de-identified information is safe to use for drafting outputs

✓

Generic clinical scenarios for learning/training — no patient data at all, just clinical context

🩺 Clinical accuracy — your responsibility

AI generates fluent, confident-sounding text. It can be wrong. This matters more in health than almost any other domain.

AI does not know what it doesn't know. If the Heidi recording missed something important, the note will be missing it — and it will look complete anyway. The review step matters.
Numbers are the highest risk. BP readings, medication doses, follow-up intervals. Always verify these against what you actually said and intended.
AI-generated letters sound authoritative. A fluently written referral letter that contains an error is more dangerous than a slightly awkward letter that is accurate. You are the clinical author — the AI is the typist.
AI cannot assess — only document. Your clinical reasoning, differential diagnosis, and treatment decision are yours. The AI's job is to structure and express what you have already decided.

Medico-legal position: You sign the note. You sign the referral. You sign the ACC form. "The AI wrote it" is not a defence in an HDC complaint or malpractice proceeding. Review everything before it goes out.

🏢 Practice-level considerations

If you're introducing AI tools to your practice — rather than just using them yourself — there are a few extra considerations:

Update your practice privacy statement. If it doesn't mention AI documentation tools, add a brief statement. Your practice manager or PHO may have a template.
Inform your indemnity insurer. Medical Protection Society (MPS) and other NZ medical indemnity providers generally support AI documentation tools but want to know you're using them. A brief email notification is good practice.
Check your PHO requirements. Some PHOs have specific guidance on AI tools in primary care. Worth a 10-minute check.
Train all staff who will use it. Reception staff should not be using Heidi to transcribe sensitive phone conversations unless they understand the privacy framework.

🎉

Kua oti! Health Track complete.

You've covered everything you need to use Heidi Health and AI tools safely and effectively in your NZ clinical practice. The tools are ready — so are you.

← Back to Health Track

Privacy, HIPC& What Not To Do

🔒 What Heidi Health actually does with your recordings

📜 The Health Information Privacy Code — plain English

⚠️ What NOT to put in a general AI prompt

🩺 Clinical accuracy — your responsibility

🏢 Practice-level considerations

Kua oti! Health Track complete.

Privacy, HIPC
& What Not To Do