Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

June 2009


Executive summary

The Privacy Commissioner has conducted an inquiry into the practice of some insurance companies of collecting full medical notes for a specified number of years.

The inquiry concludes that insurers that collect full medical notes - even for a specified period - are at risk of breaching the Health Information Privacy Code. This is because insurers can only collect personal health information that is necessary to make insurance decisions, such as calculating whether to insure someone or whether to pay out on a claim.

Insurers do need to collect detailed medical information to make insurance decisions, and their clients need to be completely open and honest about that information. However, this should usually take the form of asking for answers to particular questions. Not all the information contained in medical notes is necessarily relevant to an insurance decision. For instance, medical notes may contain family or relationship information - the medical practitioner may have treated a person as a whole, in their individual circumstances and context. This will not always be relevant to the decisions the insurer has to make about cover or claims.

Occasionally, an insurer will be entitled to collect full medical notes, if the more specific information does not provide the detail the insurer needs to make the decision. However, these situations should be rare.

The inquiry also concludes that insurers need to take care to ensure that their clients clearly authorise the insurer to collect their health information from their medical practitioner. In particular, the insurance client should be asked to provide a separate authorisation for collection of full medical notes. Also, for the authorisation to be reasonably 'informed', the insurer should tell the client why full medical notes are required in these circumstances.

This inquiry has had to traverse some difficult issues of law and practice. First, not all insurers have the same approach to collecting full medical notes: some do this relatively frequently, and others very rarely if at all. Secondly, medical practitioners already struggle with the time-consuming task of filling in questions relating to insurance applications and claims. Some choose to send full notes as a quick method of dealing with this, while others worry that their clients have not properly authorised such a disclosure. Thirdly, insurance clients, doctors and insurers alike want the transactions to proceed speedily. Lastly, and importantly, insurance law has strict rules relating to non-disclosure of information. Any non-disclosure of information that a prudent insurer might need to know can affect a person's entitlement to claim on their insurance, whether the non-disclosure was deliberate or inadvertent. There are therefore significant dynamics favouring the full disclosure of notes - it is easy and it is quick for all concerned, and there may be a measure of protection against legal risk.

However, insurance clients should still be entitled to some measure of privacy. They have little real choice in how they deal with insurers, and what they are required to provide if they are to get cover, or have a claim paid. The only real privacy protections that they have are where the collection of their health information is restricted to necessary information only, and where they are asked for authorisation and are aware of what they are authorising.

The current privacy law provides the insurance client with that protection, and it should not be easily read down.

A Background to the inquiry

1. In mid 2007, there was adverse publicity in the New Zealand media around the fact that some insurers were requesting copies of 'full' medical notes (usually notes covering a period of several years) when a person ('the client') applied for or was claiming on insurance. Following this, the New Zealand Medical Association asked for our views on the legality of this practice.

2. Over the past year, we have held discussions with many of the insurers that collect medical information. We have also talked to insurance representative bodies, to medical representatives and to the Insurance and Savings Ombudsman. We have received queries both from members of the public and from individual general practitioners expressing concerns about whether insurers can ask for full medical notes.

3. It has become apparent that there is a wide variety of practice, and of opinion, among insurers and medical practitioners.

  • Some insurers almost never seek full medical notes, while others do so more routinely. To some extent, this is because different insurance products require different information. Insurers also have different views on the need for notes.
  • Some insurers contact their clients to check that the clients are happy for them to get full notes, while others rely on the original authorisation that the client provided.
  • Some medical practitioners prefer to provide full notes. Doing so is easy for the practitioner; makes sure that the client can obtain insurance or have a claim paid quickly; and means that the insurer has all possibly relevant information at the outset, which forestalls any later arguments about whether the client disclosed all necessary information.
  • Clients have very strict obligations to disclose all information that is or could be material to the insurance decision. Failure to do so can result at the least in delays, and at worst in the complete cancellation of the insurance policy. There are therefore incentives to release more information rather than less.
  • Other medical practitioners are worried that not all the information in full notes is relevant to the insurance decision and are also unsure that the client has properly consented. They are seriously concerned not to breach the trust that their clients place in them.

4. There is also a variety of opinions among those who are applying for or claiming on insurance:

  • Most clients want the insurer to make a quick decision, particularly where paying a claim is involved.
  • Sometimes clients are willing to provide any information, even if they do not themselves know what that information is, in order to get quick service. They may also be taken by surprise if the insurer does not, in fact, get full notes from the practitioner.
  • Others are uncertain what it is that they are agreeing to. All they know is that they have to consent to the insurer getting information before they can get the service they want. They may not be happy about the situation but may think that they have no choice.
  • Some clients object to insurers collecting information about them that they see as irrelevant to the decision the insurer has to make. The more sensitive the information in the medical notes is, and the less obvious the connection to the insurance decision, the stronger the objections will be.

B Scope of the inquiry

5. We focused the inquiry on two major issues:

  • Authorisation:whether clients have properly authorised collection of full medical notes; and
  • Relevance:whether insurers that collect full medical notes (that is, complete notes for a specified period) are collecting personal information that is not necessary for the insurance decisions they have to make.

6. The inquiry was restricted to the activities of private insurers. I did not consider the position of ACC since, although the general principles about relevance and authorisation still apply, ACC's legislative environment creates some different issues.

C Law governing the issues

7. Any insurer that 'provides health, disability, accident or medical insurance, or which provides claims management services in relation to such insurance' is a health agency under the Health Information Privacy Code 1994 ('the Code') for the purposes of providing that insurance or those services.

8. An insurer will need authorisation to collect health information from a third party such as a medical practitioner.[1] This is governed by Rule 2(2)(a) of the Code. The validity of the authorisation will be dependent on the client being reasonably informed, for instance, about the purpose for which the information is being collected, and whether they have to provide it.

9. Medical practitioners also need client authorisation before they can disclose health information to insurers.[2] These responsibilities are governed by Rule 11(1)(b) of the Code, which states that:

A health agency that holds health information must not disclose the information unless the agency believes, on reasonable grounds:
(b) that the disclosure is authorised by:
(i) the individual concerned; or
(ii)the individual's representative where the individual is dead or is unable to give his or her authority under this rule

10. Rule 1 of the Code specifies that a health agency must not collect health information unless:

(a) the information is collected for a lawful purpose connected with a function or activity of the health agency; and
(b) the collection of the information is necessary for that purpose.

11. The obligation to collect only information that is necessary for the agency's purpose is a strict one. It cannot be overridden by client authorisation. Rule 1 provides the only real restriction in the Code on what health information can be collected by an agency. Once an agency has collected information in accordance with rule 1 then it may use and disclose that information in the future in accordance with the Code. Rule 1 can therefore be seen as the 'back stop' of privacy protection. The rule is intended to balance the need for the agency to be able to do its job, with the maximum possible protection of the individual's privacy. Authorisation, while important, is not a realistic check on what an agency may think it useful to collect.

12. The Code is not the only relevant law operating in this area. The other major legal consideration is insurance law on non-disclosure of information.

D Authorisation

13. Where an insurance client is willing to release their medical information to the insurer, in the knowledge of what that information is and what decisions may be made on the basis of that information, the privacy concerns are substantially reduced.

14. All insurers ask for the client's authorisation before asking their GP, or other health provider, for information about them. However, the wording of consent clauses varies and, as noted above, insurers also have different practices on when and how much information they collect.


15. Our inquiry has concluded that the main problem here is that it is not always clear that that clients know what they are authorising. While 'authorisation' is not as high a standard as medical concepts of 'informed consent', a client does need to have an adequate level of knowledge about what they are agreeing to before an authorisation will be valid.

16. All parties - insurers, doctors and clients - bear some responsibility for making sure that clients know what it is that they are authorising. The insurance forms must be clear; clients must read them, check their medical notes if they do not know what they contain, and ask questions where they are unsure; and doctors who are in doubt about the level of client consent should check with that client.

17. In our discussions with doctors and insurers, it became apparent that there is a need for more easily accessible information for clients on this subject. We are therefore working with representatives from the insurance industry and medical profession to produce a brochure that will better inform clients about their rights and responsibilities.

18. Insurers also need to check the clarity of their authorisation clauses. If they collect full medical notes they should say so, and should also specify under what circumstances they will do so. This will provide the client with greater knowledge about what they are consenting to.

19. The clearer the authorisation clause is, the easier it will also be for a doctor to see that the client has authorised them to disclose the information to the insurance company.

20. Ensuring that authorisation is clear at the outset will help to reduce the delays caused by uncertainty. It will benefit clients, doctors and insurers alike.

E Relevance

21. While authorisation deals with many privacy issues, an additional and important privacy safeguard in this situation is that insurers are only allowed to collect the information that they need for their legitimate business purposes. The fact that the client has authorised the collection does not entitle the insurer to collect irrelevant information.

22. Medical notes frequently contain information that, at least at first glance, appears to have little relevance to a decision to insure a client on particular terms, or to pay on a claim. Insurers that collect full notes are therefore at risk of being found to have collected information where it is not necessary to do so.


23. From a privacy perspective, it is strongly preferable for the insurer to ask specific questions - that is, to ask directly for any information that is material to the decision the insurer has to make. If the client cannot remember the answer to a question (such as when their last appointment with a doctor was for a particular condition, or what the precise medical details were), the client can say so and insurer (with their consent) can approach the doctor for any further information that it needs.

24. Where an insurer can demonstrate that it truly is necessary to see all the medical notes for a specified period, then it will not breach privacy by requesting those notes. However, these situations are rare even in the case of insurance products such as income protection that require a lot more information before the insurer can make a decision.

25. Requests for full notes must therefore be the exception rather than the rule and must be clearly justified in the circumstances.

26. Moreover, it may be advisable to inform the client before seeking a full copy of medical notes, to check that they know this will occur, and give them an opportunity to discuss the matter with their doctor. The client is then in a position to have a discussion with the insurer about whether the material is relevant.



[1] There are other exceptions in rule 2 that allow a health agency to collect information from people other than the individual concerned. However, these will not apply to the insurance situations with which this inquiry is concerned.

[2] Again, there are other exceptions in rule 11 that allow a medical practitioner to disclose information, but these will not apply to the insurance situations with which this inquiry is concerned.