4 Privacy Tips for Sharing Patient Health Information in NZ

When your business handles personal information (such as names and addresses), you need to observe New Zealand privacy law when you do so. This also applies to personal health information. This is any information related to an individual’s health that can identify them, which could cover diagnoses, interview notes, prescriptions, conversation recordings, medical history, and any other identifying information relating to an individual’s health or disability.
The Privacy Act applies to this kind of information, but there are also some additional rules specific to personal health information, which you can find in the Health Information Privacy Code. Your patients and clients will expect a higher standard when dealing with their sensitive health information, so you need to reflect this in your business’ privacy procedures. Therefore, this article will provide four tips for sharing patient health information.
1. Honour Information Access Requests
Under the Privacy Act, every individual has the right to access and correct any personal information that an organisation has about them. As the organisation, you must honour that right unless you have a legitimate reason to refuse access. These reasons include when such access would:
- infringe on another person’s privacy;
- compromise national defence or security;
- threaten or harm an individual’s health and safety;
- breach confidentiality;
- negatively affect the requestor’s mental health;
- release trade secrets; or
- be particularly vexatious or trivial.
However, if one of these reasons does not apply to an access request, you need to share the relevant information with that individual. It is essential that your patients feel like they have control over their personal health information and that you are a responsible safeguard for them.
Ensure that you confirm the identity of the individual making the access request. Patients can only request protected health information about themselves unless they have nominated someone as their representative, with written consent. You may also be able to share personal information with a principal caregiver or near relative as long as:
- access aligns with appropriate professional practice; and
- it is not contrary to the original individual’s express request.
2. Understand When You Can and Cannot Share Information
Outside of honouring privacy access requests, you need to clearly understand when the law allows you to share your patients’ personal health information. There is a presumption that you should not share such information unless one of the following exceptions applies:
- a specific law requires you to release a patient’s health information;
- sharing information is a part of the regular procedure in your health services, such as referring a patient to a new clinic;
- when you need to professionally discuss a patient with other medical staff, as long as they keep it confidential; and
- disclosure is necessary to avoid an imminent threat of danger, and it is not practical to get a patient’s consent. You can only share this information with parties able to do something about the threat.
For example, under the Land Transport Act, you need to notify the relevant parties if you think a patient’s health or medical condition means they are unfit to drive and pose a danger to others.
Whenever you collect personal health information, you need to take reasonable steps to ensure the patient knows who you will share their information with. If you need to share information with a new party outside of these exceptions, you need to get the consent of the patient that the information is about.
Take steps to ensure unauthorised disclosure does not occur. Only discuss personal health information where unintended parties are unlikely to overhear and keep such conversations private.
3. Relay Important Disclosure Information in Your Privacy Policy
Any agency that handles personal health information needs to take reasonable steps to ensure their patients know:
- when you collect their information, and how;
- why you collect their information;
- the intended usage for personal information;
- whether any laws apply;
- who has access to their information;
- who you will share information with;
- whether they can choose to give you their information, and that choice’s consequences;
- about their right to access; and
- how to contact your business for privacy concerns.
When sharing a client’s personal health information, you need to tell that client who you share it with. A helpful place to do this is in your privacy policy or privacy statement. Display this in an accessible area, such as on your website or by your front desk. This means your patients can easily refer to it at a later date.
4. Highlight Privacy in Staff Training
Your patients’ privacy is only secure if it has the same safeguards across your organisation. Therefore, you need to ensure your staff know the appropriate standard for protecting client privacy and what they need to do to protect that standard. Develop appropriate training with your privacy officer to ensure your staff maintain the same privacy standards across the business.
For example, ensure that your medical staff know when it is inappropriate to discuss/share client personal health information.
Key Takeaways
The same rules for sharing personal information also apply to personal health information. However, personal health information may cover more sensitive topics, so you need to reflect this in improved privacy safeguards when sharing this kind of information. If you would like more guidance or help with your business’ sharing procedures for patient health information, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
Personal health information is any information about a person’s health that can identify that person. For example, a client file with their name and medical details would qualify as personal health information.
Under the Privacy Act, every individual in New Zealand has the right to request access to, and correction of, personal information that an organisation may hold about them. An access request is when they exercise this right.
If you are a public sector health agency, you cannot charge for access requests in most cases. If you are in the private sector, you can only charge if the request requires CAT scans or similar, or if the individual has made a similar request very recently.
About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.