The Code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, hospitals, Primary Health Organisations, ACC and the Ministry of Health) collect, hold, use and disclose health information about identifiable individuals.
One of the obligations that health agencies take on when they hold health information is to keep that information secure.
Rule 5 of the Code requires health agencies to take ‘reasonable security safeguards’ to protect health information. This means keeping the information safe from loss, as well as from unauthorised access, use, modification or disclosure.
To comply with rule 5, agencies need to consider what risks exist for the health information they hold, make a plan to address those risks, and do what is necessary to carry that plan out.
Some areas that need to be considered when coming up with a security plan are:
This list isn’t exhaustive. Security is an ongoing obligation rather than a ‘tick the box’ exercise.
The greater the risk of a security breach and the more serious the potential consequences for people whose information is in danger, the higher the standard will be for a ‘reasonable security safeguard’.
Health Act regulations require all health information held by providers to be retained for 10 years from the last encounter with the patient, unless transferred to another doctor or to the patient.
The Public Records Act also requires retention by public sector agencies. The DHB General Disposal Authority lists how long each type of clinical record must be kept for and what must be done afterwards.
Once the obligatory retention periods have passed, rule 9 of the Code says that health information should be disposed of, securely, unless the health agency has a lawful purpose to retain it.
When a ‘sole trader’ clinician, such as a GP, dies or ceases practice, his or her patient records should be either:
Where the statutory retention period has ended, the records may be securely destroyed.
Health agencies need to be careful to dispose of patient records securely, either by shredding or otherwise destroying records themselves or by hiring a secure destruction contractor.
Where to get additional assistance
There are four other Health Information Privacy Code fact sheets that give a broad overview of how the Code works in practice.
For more detailed information, a copy of the Health Information Privacy Code is available from the Office of the Privacy Commissioner’s website at www.privacy.org.nz
For enquiries, please ring the Office of the Privacy Commissioner on 0800 803 909 or email enquiries@privacy.org.nz