
When a patient books an appointment online or receives a reminder from your clinic, their personal contact details (name, phone number, email address) pass through software you've chosen to trust.
That moment is easy to overlook. It doesn't feel as weighty as a clinical record. But patient contact data is still personal information, and under New Zealand's Privacy Act 2020, your clinic is accountable for how it's handled, including by the third-party platforms you use every day.
This is where SOC 2 compliance becomes relevant. Heron has achieved SOC 2 Type I certification, an independently audited assessment of how we protect the data your clinic entrusts to us. In this post, we'll explain what that actually means, how SOC 2 audits work, and what questions every clinic should be asking any software vendor before they sign up.
What You'll Learn
What SOC 2 compliance is and how the audit process works
The difference between SOC 2 Type I and Type II — and why Type I still matters
What data patient communication platforms actually hold — and what that means for your obligations
The security questions worth asking any healthcare software vendor
Your Clinic's Data Responsibility Extends Beyond Your PMS
Most practice managers and clinic owners think of data security in terms of their practice management system. If MedTech or Gensolve is handling clinical records securely, the rest feels like someone else's problem.
But the data picture is broader than that.
Patient communication platforms, the tools sending appointment reminders, handling inbound messages, routing calls, and managing follow-ups, also hold patient information. It may not be clinical notes or lab results, but it includes names, phone numbers, email addresses, and appointment details. That's personally identifiable information. And under the Privacy Act 2020, you're responsible for how it's handled by any third party acting on your behalf.
This means that when you adopt a new communications platform, you're not just evaluating features. You're also taking on a degree of accountability for how that vendor manages your patients' data.
What "patient contact data" actually means
There's an important distinction worth drawing clearly. Not all healthcare software holds the same type of information.
A platform like Heron handles patient contact data, the information needed to send a reminder, confirm an appointment, or follow up after a visit. That means:
Patient names
Phone numbers and email addresses
Appointment date, time, and location
Basic communication preferences
It does not hold clinical records, diagnoses, treatment notes, prescriptions, or anything from within the patient's medical file. That data stays in your PMS.
This distinction matters for risk assessment. A communications platform that only holds contact data has a meaningfully different risk profile from one that integrates with clinical records. Understanding what each tool actually holds helps your clinic make proportionate, informed decisions.
What SOC 2 Compliance Is and What the Audit Tests
SOC 2 (System and Organisation Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It's widely adopted as a baseline security credential for software companies, particularly those handling data on behalf of businesses in regulated industries.
The key word is audited. SOC 2 isn't a self-assessment or a badge you apply for. It requires an independent third-party auditor to examine your systems, controls, and processes against defined criteria.
The five Trust Services Criteria that SOC 2 evaluates are:
| Criteria | What It Tests |
|---|---|
| Security | Is the system protected against unauthorised access? |
| Availability | Is the system reliably accessible when needed? |
| Processing Integrity | Is data processed accurately and completely? |
| Confidentiality | Is confidential information appropriately protected? |
| Privacy | Is personal information handled in line with stated commitments? |
Most software companies pursue SOC 2 against the Security criteria at minimum. This covers how access is controlled, how data is protected, how incidents are detected and responded to, and how infrastructure is managed.
SOC 2 Type I vs Type II: An Honest Explanation
This distinction matters, and it's worth understanding clearly before evaluating any vendor's credentials.
SOC 2 Type I is a point-in-time assessment. An independent auditor reviews your security controls and confirms they are appropriately designed, that the right policies, processes, and technical safeguards are in place at a specific moment in time.
SOC 2 Type II is a period-based assessment, typically covering 6 to 12 months. The auditor doesn't just confirm that controls are designed correctly, they confirm that those controls actually operated effectively and consistently over an extended period.
Heron has achieved SOC 2 Type I certification. This means an independent auditor has verified that our security controls are appropriately designed.
For clinics, this is a meaningful starting point: it confirms Heron has subjected itself to external scrutiny, has documented and implemented security controls, and is committed to the formal compliance process. It is not the ceiling of where we're heading.
What a SOC 2 Audit Actually Examines
Understanding what auditors look at helps make sense of what the certification actually signals. A SOC 2 audit for a patient communications platform typically reviews:
Access controls — who can access which systems, how access is provisioned, and how it's revoked when a staff member changes roles or leaves the company. This matters directly: if your clinic's data is held on a vendor's platform, you want to know that access to it is tightly controlled.
Encryption — whether data is encrypted in transit (as it moves between systems) and at rest (as it's stored). For contact data travelling between your clinic's systems and a communications platform, this is a foundational protection.
Incident response — what happens when something goes wrong. Does the company have a documented, tested process for detecting, containing, and notifying affected parties about a security event?
Change management — how code updates and system changes are reviewed and tested before deployment. Poorly managed changes are a common source of security vulnerabilities.
Monitoring and logging — whether suspicious activity is detected and recorded. This enables both proactive protection and post-incident investigation.
Vendor management — whether the company holds its own third-party dependencies to equivalent security standards.
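The access-control and monitoring items above are the two a SOC 2 auditor most often tests by sampling evidence: a list of who holds access (with revocation dates) and the platform's access logs. The following is an added illustration, not Heron's code or log format, of the kind of review that evidence supports. It assumes a constructed key=value log format and a constructed grants table; it flags three things an auditor would want to see detected: activity by an account that was never provisioned, activity by an account after its revocation timestamp, and a burst of failed logins.

```python
import re
from datetime import datetime

# Constructed sample data (assumption: not from the page or any real platform).
# Staff access grants: role plus an optional ISO-8601 revocation timestamp.
ACCESS_GRANTS = {
    "alice": {"role": "support", "revoked_at": None},
    "bob": {"role": "engineer", "revoked_at": "2024-03-01T17:00:00"},
    "carol": {"role": "support", "revoked_at": None},
}

# Constructed access-log lines in a hypothetical "<timestamp> key=value ..." layout.
LOG_LINES = """\
2024-03-01T09:12:03 user=alice action=view_contact patient_id=P-1001 result=ok
2024-03-01T18:30:45 user=bob action=export_contacts patient_id=* result=ok
2024-03-02T08:01:10 user=carol action=login result=fail
2024-03-02T08:01:21 user=carol action=login result=fail
2024-03-02T08:01:33 user=carol action=login result=fail
2024-03-02T08:01:47 user=carol action=login result=fail
2024-03-02T08:01:59 user=carol action=login result=fail
2024-03-02T08:02:15 user=carol action=login result=fail
2024-03-02T08:03:00 user=dave action=view_contact patient_id=P-1002 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Split one log line into a dict of fields, with 'ts' as a datetime."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(item.split("=", 1) for item in match.group("kv").split())
    fields["ts"] = datetime.fromisoformat(match.group("ts"))
    return fields


def review_access_log(grants, log_text, failed_login_threshold=5, window_seconds=300):
    """Return a list of (finding, user, timestamp) tuples, in log order.

    Findings:
      unknown_account         - activity by a user with no provisioning record
      access_after_revocation - activity after the user's revoked_at timestamp
      repeated_failed_logins  - threshold failed logins within window_seconds
    """
    findings = []
    recent_failures = {}  # user -> timestamps of failed logins inside the window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        user = event["user"]
        grant = grants.get(user)

        # Provisioning check: every actor must map to a known, current grant.
        if grant is None:
            findings.append(("unknown_account", user, event["ts"]))
        elif grant["revoked_at"] is not None:
            revoked_at = datetime.fromisoformat(grant["revoked_at"])
            if event["ts"] > revoked_at:
                findings.append(("access_after_revocation", user, event["ts"]))

        # Monitoring check: sliding-window count of failed logins per user.
        if event.get("action") == "login" and event.get("result") == "fail":
            times = recent_failures.setdefault(user, [])
            times.append(event["ts"])
            times[:] = [t for t in times
                        if (event["ts"] - t).total_seconds() <= window_seconds]
            # Report once, at the moment the threshold is first reached.
            if len(times) == failed_login_threshold:
                findings.append(("repeated_failed_logins", user, event["ts"]))
    return findings


if __name__ == "__main__":
    for finding, user, ts in review_access_log(ACCESS_GRANTS, LOG_LINES):
        print(f"{ts.isoformat()}  {finding:<24} user={user}")
```

On the constructed data this reports bob's export after his 17:00 revocation, carol's fifth failed login within five minutes, and dave acting without any provisioning record. The sliding window is what keeps the failed-login rule from firing on a handful of mistypes spread across a day; the revocation check is the evidence an auditor asks for under "how access is revoked when a staff member leaves".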
Each of these has a direct bearing on how your patients' contact information is protected when it sits on a software platform you've chosen to use.
Questions to Ask Any Healthcare Software Vendor
SOC 2 is a useful lens for a broader vendor conversation. Before adopting any platform that will handle patient information (even contact data), these are the questions worth raising:
Do you have a SOC 2 report, and is it Type I or Type II? Any vendor with a genuine security posture should be able to answer this directly. Type II indicates the more established, operationally sustained standard.
What data does your platform actually hold? Ask them to be specific. Contact details? Clinical notes? Appointment history? Knowing exactly what sits on their platform helps your clinic assess proportionate risk.
How is data encrypted, in transit and at rest? Look for TLS 1.2 or higher for data in transit and AES-256 for data at rest as reasonable baseline answers.
Where is data stored, and under which jurisdiction? Data stored offshore may be subject to foreign privacy laws and government access powers. Understand where your patients' information physically resides.
What is your process if a security incident occurs? A vendor should be able to tell you how quickly they'd notify you, what remediation looks like, and who your point of contact is.
Do you conduct independent penetration testing? Pen tests go beyond compliance frameworks to actively probe for vulnerabilities. Regular independent testing is a sign of genuine ongoing security investment.
A vendor who answers these questions confidently, with documentation available on request, is one taking their responsibilities seriously.
Making Informed Decisions About the Software Your Clinic Uses
Choosing healthcare software isn't only a workflow decision. When a platform touches patient information — even just contact details — it becomes a data governance decision too.
SOC 2 certification, at any level, is a signal that a vendor has moved beyond informal security practices into independently verified, documented controls. For clinics navigating the Privacy Act 2020 and increasing patient expectations around how their information is handled, that signal has real value.
Heron's SOC 2 Type I certification reflects where we are in a continuing process. Our security controls have been independently reviewed and confirmed as appropriately designed.
For your clinic, that means you can review our certification, ask us direct questions about our security posture, and make a genuinely informed decision. That's what this process is designed to enable.
Want to understand exactly how Heron handles your clinic's data and see the platform in action? Book a Free Demo.
Frequently Asked Questions
What is SOC 2 compliance for healthcare software? SOC 2 (System and Organisation Controls 2) is an independently audited security standard that evaluates how software companies protect data. For healthcare software, it confirms that a vendor's security controls, access management, and data handling processes meet a verified standard, providing clinics with documented, third-party evidence of how a vendor manages the information entrusted to them.
What is the difference between SOC 2 Type I and SOC 2 Type II? SOC 2 Type I is a point-in-time assessment confirming that a company's security controls are appropriately designed at a specific moment. SOC 2 Type II is a period-based audit, typically 6 to 12 months, confirming that those controls operated effectively and consistently over time. Type II is the more rigorous credential; Type I is the first formal step in the process.
Does Heron hold patient clinical records? No. Heron holds patient contact data only: names, phone numbers, email addresses, and appointment details needed to deliver communications on your clinic's behalf. Clinical records, diagnoses, treatment notes, and medical history remain in your practice management system. Heron integrates with PMS platforms like MedTech, Elixir, and Gensolve but does not store clinical content.
Why does patient contact data matter for clinic data compliance? Patient names, phone numbers, and appointment details are personally identifiable information under New Zealand's Privacy Act 2020. Even though this data is less sensitive than clinical records, clinics are still responsible for how it's handled by any third-party software they use. Choosing vendors with verified security credentials is part of meeting that obligation.
What security questions should a clinic ask a patient communication software vendor? Key questions include: Do you have a current SOC 2 report, and is it Type I or Type II? What data does your platform specifically hold? How is data encrypted in transit and at rest? Where is data stored and under which jurisdiction? What is your incident response process if a security event occurs? Vendors who answer these questions clearly and with documentation available are demonstrating genuine security accountability.