
My NZ Business Provides Health Services. What Are My Privacy Obligations?

If your business handles clients’ sensitive personal information, they need to know they can trust you to handle it securely. Whenever you deal with such personal information, the law imposes requirements on your business to protect each individual’s privacy. This is especially true if your business provides health services and deals with clients’ personal health information. You have obligations as an agency under New Zealand privacy law, but how those obligations apply in practice can vary because of the added sensitivity of the information you handle. This article goes through some of those obligations and how they may apply to your health services business.

What Is Health Information?

Health information is a kind of personal data that relates to the health of an identifiable person. This means that the content of the information is health-related, and that you can identify who it is about.

For example, if your business provides counselling services, the notes you take during sessions will likely contain identifying details. They are therefore personal health data, and you must protect them adequately.

In particular, this covers information:

  • regarding a person’s health, including their medical history;
  • about any disabilities an individual has or had;
  • about any health or disability services provided to an individual;
  • provided by an individual in connection to bodily donations, such as donating blood; and
  • gained incidentally from providing a health or disability service to an individual.

Examples of this information would include prescriptions, diagnoses, and records of any conversations about health with clients.

What Qualifies as Health Services?

Under the Privacy Act, any business that handles personal information is an agency and must abide by certain privacy obligations. A health agency is an organisation that deals with personal data related to health. This covers a broad range of organisations and businesses, including those concerned with:

  • health and disability service providers, including their administrative teams;
  • training, registration, and discipline of health workers;
  • health insurance;
  • the manufacture or supply of medicines, medical devices, and similar products; and
  • health and disability consumer advocacy services.

Under the Health Information Privacy Code, if you are an agency that provides services related to any health information, you need to comply with the law’s privacy requirements. This also applies if you only deal with this information under a contract or agreement with another agency. You may provide goods, services, or facilities that qualify as:

  • private health services, for the benefit of your clients as individuals; or
  • public health services, for the benefit of general public health.

Health Information at Your Business

Your obligations relating to health data are largely the same as for other kinds of personal data. However, you have to maintain a higher standard of compliance because of the increased sensitivity of the information you handle. How you do so will generally depend on the nature of the health information.

When collecting health information, you need to have a clear purpose for doing so, and that purpose must be related to your business functions. You also need to collect the information lawfully and directly from your clients or an appropriate representative.

For example, you should not collect health information in an area where others might overhear, such as in a waiting room.

You need to reasonably ensure the client knows:

  • that you are collecting their data;
  • why you are collecting their data;
  • who you may share the data with;
  • your contact details;
  • whether they have to share this data, and whether the law requires it;
  • the consequences of giving you their data; and
  • their right to access this data.

You must store this information safely: the more sensitive the data is, the more secure its storage must be. You may keep the data only for as long as you need it, and you must dispose of it safely once it no longer serves a purpose.

For example, you would expect more robust security around a client’s medical history than you would around a client’s email address.

Disclosure

Generally, you cannot disclose a client’s personal health information unless that was the purpose you collected it for, or you have their permission. However, there are exceptions. You may be able to disclose the data if:

  • a specific law requires it;
  • you are discussing the information with another health professional or service provider, and they maintain the same confidentiality;
  • it is about a minor, and the disclosure is to their parents or guardians; or
  • the disclosure is necessary for preventing imminent harm to the safety or health of the client or someone else.

In addition to these exceptions, there may be other situations calling for a lawful disclosure, but this will depend on the context.

Access to Information

People have a right to ask you for access to their data, and you must respond within 20 working days. If you are a private health sector agency, you may be able to charge for this access when:

  • you have already given them the same data, or very similar, within the past 12 months; or
  • they ask for copies of X-rays, video recordings, or MRI/PET/CAT scan photographs.

Key Takeaways

If your business deals with clients’ personal health data, you have an added responsibility to protect the privacy of that data. A failure to maintain the required level of confidentiality will likely result in a loss of client trust and legal penalties.

If you would like more information or guidance around your health privacy obligations, contact LegalVision’s New Zealand privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any information about an identifiable individual, that is, information from which you can identify a living individual, such as names or phone numbers.

What is health information?

Health information is a kind of personal information: data relating to someone’s health, for example prescriptions, diagnoses, or recordings of conversations about health.

What is an agency?

An agency is the legal term for any organisation, group, or business that handles personal information in NZ. Every agency needs to comply with the Privacy Act and implement reasonable safeguards for protecting privacy.

What is the Health Information Privacy Code?

The Health Information Privacy Code is an additional code to the Privacy Act, providing specific privacy guidance for those in the health sector.

Emma Lindblom
