Health information privacy in New Zealand — obligations for health providers
Health information is among the most sensitive personal information collected in New Zealand. The Privacy Act 2020 and the Health Information Privacy Code set strict rules on how it can be collected, used, and shared.
What is health information?
Broadly defined
Health information includes any information about a person's physical or mental health, disabilities, health services received, and donated body parts. It also includes genetic information and any opinions about a person's health.
Health information is sensitive personal information — agencies handling it must comply with the Health Information Privacy Code (HIPC) as well as the Privacy Act.
Key obligations under the Health Information Privacy Code
Rule 1 — Collection must be necessary
Health information may only be collected if it is necessary for a lawful purpose connected with the health agency's functions. You cannot collect health information just because it might be useful one day.
Rule 2 — Collect directly from the individual
Health information must generally be collected directly from the individual concerned. Collection from a third party is only permitted in specific circumstances — for example, when the individual cannot provide it themselves, or when collecting from them would prejudice the purpose of collection.
Rule 3 — Individual must be informed
When collecting health information, the agency must tell the person: who is collecting it, why it is being collected, whether it is voluntary or compulsory, and who the agency may disclose it to.
Rule 10 — Limits on disclosure
Health information can only be disclosed in limited circumstances:
- With the individual's authorisation
- To another health provider directly involved in the person's care
- To prevent or lessen a serious threat to health or safety
- For a legally authorised purpose (e.g. court order, coroner's inquiry)
- For research, where specific criteria are met
Sharing health information with family members requires the patient's consent — family members do not automatically have a right to a patient's health information.
Individual rights under the Privacy Act
Right of access (IPP 6)
Individuals have the right to access their own health information held by an agency. The agency must respond within 20 working days and may charge a reasonable fee for providing the information.
Right of correction (IPP 7)
Individuals can request that incorrect health information be corrected. If the agency disagrees, it must attach a statement of correction to the information.
Privacy breach obligations
Notifiable privacy breaches
If a privacy breach is likely to cause serious harm, the agency must:
- Notify the Privacy Commissioner as soon as practicable
- Notify the affected individual(s) as soon as practicable
Agencies can notify the Privacy Commissioner at privacy.org.nz. Failure to notify a notifiable breach is an offence under the Privacy Act.