Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
Download a PDF of this factsheet here.
The code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, hospitals, Primary Health Organisations, ACC and the Ministry of Health) collect, hold, use and disclose health information about identifiable individuals.
The two key concepts are:
Regulating collection: Rules 1-4 (brief overview)
There are thirteen health information privacy rules in the Code. Rules 1 to 4 deal with collection. Health agencies must:
“Health information must not be collected by a health agency unless:
(a) the information is collected for a lawful purpose connected with a function or activity of the health agency; and
(b) the collection of the information is necessary for that purpose.”
Rule 1 requires agencies to decide their 'purposes – in other words, how the information is going to be used – before they start collecting information. Once collected for a purpose the information can always be used for that purpose.
Another benefit of being clear about purpose before starting collection is that unnecessary information is not collected, saving time and money. More importantly, though, an agency that knows its purposes for collecting information can then be open about those purposes.
Although rule 1 does require a clear purpose for collection it puts few restrictions around what that purpose might be – as long as it is connected with a function or activity of the agency.
For instance, the main purpose for collection of health information is always likely to be care and treatment, but other purposes might include administration, training and education and monitoring of service quality.
“If a health agency collects health information, the information must be collected from the individual concerned.”
Most of the time, the best way to get information about a person will be to ask them. Rule 2 makes the patient the first port of call for information about them. It also gives health agencies the opportunity to be open about why they are collecting the information, so the individual can make an informed decision about whether to provide it.
However, there are exceptions to this rule. For example, a health agency does not have to collect information directly from the individual if they have agreed that it can be collected from somewhere else (the individual must be made aware of the matters set out in Rule 3(1) before giving this authorisation). In addition, a health agency does not have to collect the information directly from the person if this would:
There are some other exceptions to this rule, which can be found in the Code.
“If a health agency collects health information from the individual concerned, or from the individual’s representative, the health agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned (and the representative if collection is from the representative) is aware of —
(a) the fact that the information is being collected; and
(b) the purpose for which the information is being collected; and
(c) the intended recipients of the information; and
(d) the name and address of—
(i) the health agency that is collecting the information; and
(ii) the agency that will hold the information; and
(e) whether or not the supply of the information is voluntary or mandatory, and if mandatory, the particular law under which it is required; and
(f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and
(g) the rights of access to, and correction of, health information provided by rules 6 and 7.”
Rule 3 lists what health agencies have to tell people when they are collecting health information. This explanation should help people decide what information, if any, to provide to health agencies.
The explanation could be a paragraph or two on a form, a poster on the wall, or a conversation. It should happen before the health information is collected or as soon as possible afterwards. However, repeat explanations aren’t necessary.
Health agencies don’t need to explain if doing so would not be practical in the circumstances of the particular case, would be against the patient’s interests or would prejudice the purpose of collection.
There are some other exceptions to this rule, which can be found in the Code.
“A health agency must collect health information only —
(a) by a lawful means; and
(b) by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons),
(i) is fair; and
(ii) does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.”
Rule 4 prohibits health agencies from collecting information unlawfully or unethically. It regulates how information is collected, rather than what is collected.
For instance, under the Crimes Act it is generally illegal to use a ‘bug’ to intercept private communications. There are also legal restrictions around making video or audio recordings of people committed under the Mental Health (Compulsory Assessment and Treatment) Act.
“Unfair” collection of health information covers a wide spectrum, from bullying, being evasive and devious or misrepresenting the purpose of collection.
Finally, in a healthcare context, an unreasonable intrusion on “the personal affairs of the individual concerned” might come about where physical privacy, cultural needs or the preferences of the individual have not been respected.
There are four other Health Information Privacy Code fact sheets that give a broad overview of how the Code works in practice.
A copy of the Health Information Privacy Code is available here.
For further enquiries, we have an 0800 number, 0800 803 909 or email us an enquiries@privacy.org.nz