Health information privacy in NZ — the rules your organisation must follow
Privacy Act 2020 | Health Information Privacy Code 2020 | Updated April 2026
Quick answer
Health information is governed by the Health Information Privacy Code 2020 — 13 rules covering collection, use, disclosure, storage, and access. Health information can only be collected for a lawful purpose and shared in limited circumstances. Individuals have the right to access their own information.
The 13 rules — summary (rule: core requirement)

1–4. Collection: lawful purpose, from the individual where reasonable, with notification, not by unlawful means
5. Storage and security: protect against loss, misuse, unauthorised access, or disclosure
6–7. Access and correction: individuals can access and correct their own health information
8–9. Accuracy and retention: keep accurate and up to date; don't retain longer than necessary
10–11. Use and disclosure: use only for the purpose collected; share only with consent or in permitted circumstances
12–13. Identifiers and overseas transfer: strict rules on NHI numbers; overseas transfer only to comparable jurisdictions
Health information is sensitive by default
Under the Privacy Act 2020, health information requires heightened protections. The threshold for an "interference with privacy" is lower for health information than for general personal information.
Health information privacy queries arise in every organisation that handles patient or client records.
Upload your privacy policies and give staff instant, cited answers to privacy compliance questions.
When health information can be shared (without consent)
To the individual themselves
To prevent or lessen a serious threat to public health or safety
For maintenance of the law
To another health provider for the treatment of the individual (where obtaining consent is not reasonably practicable)
For authorised research
Notifiable privacy breaches
Organisations must notify the Privacy Commissioner of a breach reasonably likely to cause serious harm — and notify affected individuals — as soon as practicable after becoming aware.
Retention: many health records must be kept 10 years
Under the Health (Retention of Health Information) Regulations 1996, many health records must be kept for at least 10 years from the last entry. Check the specific retention rules for your record type before destroying records.
Common questions
Yes. Under Rule 6 of the HIPC, individuals have the right to access their own health information within 20 working days. Limited exceptions apply.
Generally no. Employers can collect occupational health information for specific connected purposes but cannot access general medical records without consent.
Contain the breach, assess harm risk, notify the Privacy Commissioner if serious harm is likely, notify affected individuals, document your response.
The Privacy Act primarily covers living individuals. Health information about deceased persons remains sensitive — family may have limited access rights in certain circumstances.
Rule 13 permits overseas transfer if the recipient country has comparable protections, or the individual consents, or transfer is otherwise authorised. US-based cloud services require careful assessment.
What happens when staff ask this question at 11pm?
"A patient is asking to see their full clinical notes — what are we required to provide and in what timeframe?"