Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
Download a PDF of this factsheet here.
The code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, hospitals, Primary Health Organisations, ACC and the Ministry of Health) collect, hold, use and disclose health information about identifiable individuals.
Rule 11 of the Code prohibits disclosure except where one or more of its exceptions apply. The rule is quite detailed, and this fact sheet is only a very brief overview.
Disclosure is always allowed when the person concerned, or their representative (if the individual is dead or is unable to give their authority), has given their permission or where disclosure was one of the purposes for which the information was originally obtained.
If a doctor collects information from a patient to pass on to a specialist, then there is no need to get the patient’s permission for that disclosure, because disclosure is one of the reasons for collection. However, the patient should have been told the disclosure was going to occur at the time of collection (see Rule 3).
Hospitals can disclose basic information about their patients’ presence, location and condition to anyone on request, as long as the patient has not vetoed this disclosure.
Disclosure is permitted where it is not practicable or desirable to get the patient’s authorisation, and the disclosure is made by health practitioner a person nominated by the individual concerned, or to the principal caregiver or near relative of the patient in accordance with “recognised professional practice” and the disclosure is not contrary to the express wish of the patient or their representative.
Disclosure to prevent risk
Health agencies can disclose information if this is necessary to prevent or lessen a serious threat to public health or public safety, or to the life of health of the individual concerned or another individual. The disclosure must be to someone who can do something about the threat.
If the representative of a person or their treating clinician makes a request for health information, section 22F of the Health Act requires the health agency holding the information to provide it unless:
If any of the above apply then the holder of the health information may refuse the request.
Official Information Act requests can be made, by anybody, to any public sector health agency and must be responded to within 20 working days. However, requests for health information about identifiable individuals may be refused where the disclosure would breach the individual’s privacy and there is no strong public interest in disclosure.
Many of the laws around disclosure of health information allow health agencies to disclose in certain circumstances. However, health practitioners need to consider both their legal obligations under the code and any ethical obligation of confidentiality they may have to their patients. Just because the law allows a disclosure doesn’t mean it would always be ethical to disclose.
There are four other Health Information Privacy Code fact sheets that give a broad overview of how the Code works in practice.
For more detailed information, a copy of the Health Information Privacy Code is available from the Office of the Privacy Commissioner’s website at www.privacy.org.nz
For enquiries, please ring the Office of the Privacy Commissioner on 0800 803 909 or email enquiries@privacy.org.nz
