When your business handles personal information (such as names and addresses), you need to observe New Zealand privacy law. This also applies to personal health information, which is any information related to an individual’s health that can identify them. It could cover diagnoses, interview notes, prescriptions, conversation recordings, medical history, and any other identifying information relating to an individual’s health or disability.

The Privacy Act applies to this kind of information, but there are also additional rules specific to personal health information, which you can find in the Health Information Privacy Code. Your patients and clients will expect a higher standard when dealing with their sensitive health information, so you need to reflect this in your business’ privacy procedures. This article provides four tips for sharing patient health information.

1. Honour Information Access Requests

Under the Privacy Act, every individual has the right to access and correct any personal information that an organisation has about them. As the organisation, you must honour that right unless you have a legitimate reason to refuse access. These reasons include when such access would:

  • infringe on another person’s privacy;
  • compromise national defence or security;
  • threaten or harm an individual’s health and safety;
  • breach confidentiality;
  • negatively affect the requestor’s mental health;
  • release trade secrets; or
  • be particularly vexatious or trivial.

However, if one of these reasons does not apply to an access request, you need to share the relevant information with that individual. It is essential that your patients feel like they have control over their personal health information and that you are a responsible safeguard for them.

Ensure that you confirm the identity of the individual making the access request. Patients can only request protected health information about themselves unless they have nominated someone as their representative, with written consent. You may also be able to share personal information with a principal caregiver or near relative as long as: 

  • access aligns with appropriate professional practice; and 
  • it is not contrary to the original individual’s express request.

2. Understand When You Can and Cannot Share Information

Outside of honouring privacy access requests, you need to clearly understand when the law allows you to share your patients’ personal health information. There is a presumption that you should not share such information unless one of the following exceptions applies:

  • a specific law requires you to release a patient’s health information;
  • sharing information is a part of the regular procedure in your health services, such as referring a patient to a new clinic;
  • when you need to professionally discuss a patient with other medical staff, as long as they keep it confidential; and
  • disclosure is necessary to avoid an imminent threat of danger, and it is not practical to get a patient’s consent. You can only share this information with parties able to do something about the threat.

For example, under the Land Transport Act, you need to notify the relevant parties if you think a patient’s health or medical condition means they are unfit to drive and pose a danger to others.

Whenever you collect personal health information, you need to take reasonable steps to ensure the patient knows who you will share their information with. If you need to share information with a new party outside of these exceptions, you need to get the consent of the patient that the information is about.

Take steps to ensure unauthorised disclosure does not occur. Only discuss personal health information where unintended parties are unlikely to overhear and keep such conversations private.

3. Relay Important Disclosure Information in Your Privacy Policy

Any agency that handles personal health information needs to take reasonable steps to ensure their patients know:

  • when you collect their information, and how;
  • why you collect their information;
  • the intended usage for personal information;
  • whether any laws apply;
  • who has access to their information;
  • who you will share information with;
  • whether they can choose to give you their information, and that choice’s consequences;
  • about their right to access; and
  • how to contact your business for privacy concerns.

When sharing a client’s personal health information, you need to tell that client who you share it with. A helpful place to do this is in your privacy policy or privacy statement. Display this in an accessible area, such as on your website or by your front desk, so that your patients can easily refer to it at a later date.

4. Highlight Privacy in Staff Training

Your patients’ privacy is only secure if it has the same safeguards across your organisation. Therefore, you need to ensure your staff know the appropriate standard for protecting client privacy and what they need to do to protect that standard. Develop appropriate training with your privacy officer to ensure your staff maintain the same privacy standards across the business.

For example, ensure that your medical staff know when it is inappropriate to discuss or share client personal health information.

Key Takeaways

The same rules for sharing personal information also apply to personal health information. However, personal health information may cover more sensitive topics, so you need to reflect this in improved privacy safeguards when sharing this kind of information. If you would like more guidance or help with your business’ sharing procedures for patient health information, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal health information?

Personal health information is any information about a person’s health that can identify that person. For example, a client file with their name and medical details would qualify as personal health information.

What is an access request?

Under the Privacy Act, every individual in New Zealand has the right to request access to, and correction of, the personal information that an organisation may hold about them. An access request is when they exercise this right.

Can I charge for an access request to my business?

If you are a public sector health agency, you cannot charge for access requests in most cases. If you are in the private sector, you can only charge if the request requires CAT scans or similar, or if the individual has made a similar request very recently.
