
If your business handles clients’ sensitive and personal information, they need to know they can trust you to handle it securely. Whenever you deal with personal information, the law imposes requirements on your business to protect each individual’s privacy. This is especially true if your business provides health services and handles clients’ personal health information. You have the same obligations as any other agency under New Zealand privacy law, but the way those obligations apply in practice can differ because of the added sensitivity of the information you deal with. This article goes through some of those obligations and how they may apply to your health services business.

What Is Health Information?

Health information is a kind of personal data that relates to the health of an identifiable person. In other words, the content of the information is health-related, and it is possible to identify who it is about.

For example, if your business provides counselling services, the notes you take during sessions will likely contain details that identify the client. Those notes are therefore personal health data, and you must protect them adequately.

In particular, this covers information:

  • regarding a person’s health, including their medical history;
  • about any disabilities an individual has or had;
  • about any health or disability services provided to an individual;
  • provided by an individual in connection to bodily donations, such as donating blood; and
  • gained incidentally from providing a health or disability service to an individual.

Examples of this information would include prescriptions, diagnoses, and records of any conversations about health with clients.

What Qualifies as Health Services?

Under the Privacy Act, any business that handles personal information is an agency and must abide by certain privacy obligations. A health agency is an organisation that deals with personal data related to health. This covers a broad sector of organisations and businesses, including those relating to:

  • health and disability service providers, including their administrative teams;
  • training, registration, and discipline of health workers;
  • health insurance;
  • the manufacture or supply of medicines, medical devices, and similar products; and
  • health and disability consumer advocacy services.

Under the Health Information Privacy Code, if you are an agency that provides services involving any health information, you need to comply with the law’s privacy requirements. This also applies if you only handle this information under a contract or agreement with another agency. You may provide goods, services, or facilities that qualify as:

  • private health services, for the benefit of your clients as individuals; or
  • public health services, for the benefit of general public health.

Health Information at Your Business

Your obligations relating to health data are largely the same as those that apply to other kinds of personal data. However, you have to maintain a higher standard of compliance because of the increased sensitivity of the information you handle. How you do so will generally depend on the nature of the health information.

When collecting health information, you need to have a clear purpose for doing so, and that purpose must be connected to a function of your business. You also need to collect this information lawfully and directly from your clients or an appropriate representative.

For example, you should not collect health information in an area where others might overhear, such as in a waiting room.

You need to reasonably ensure the client knows:

  • that you are collecting their data;
  • why you are collecting their data;
  • who you may share the data with;
  • your contact details;
  • whether they have to share this data, and whether the law requires it;
  • the consequences of giving you their data; and
  • their right to access this data.

You must store this information securely, and the more sensitive the data is, the stronger the safeguards must be. You may keep the data only for as long as you need it, and you must dispose of it safely once it no longer serves a purpose.

For example, you would expect more robust security around a client’s medical history than around a client’s email address.

Generally, you cannot disclose a client’s personal health information unless disclosure was the purpose you collected it for, or you have their permission. However, there are exceptions. You may be able to disclose that data if:

  • a specific law requires it;
  • you are discussing the information with another health professional or service provider, and they maintain the same confidentiality;
  • it is about a minor, and the disclosure is to their parents or guardians; or
  • the disclosure is necessary for preventing imminent harm to the safety or health of the client or someone else.

In addition to these exceptions, there may be other situations in which disclosure is legally permitted or required. However, this will depend on the context.

Access to Information

People have a right to ask you for access to their data, and you must respond within 20 working days. If you are a private-sector health agency, you may be able to charge for this access when:

  • you have already given them the same data, or very similar, within the past 12 months; or
  • they ask for copies of X-rays, video recordings, or MRI/PET/CAT scan photographs.

Key Takeaways

If your business deals with clients’ personal health data, you have an added responsibility to protect the privacy of that data. A failure to maintain the required level of confidentiality will likely result in a loss of client trust and legal penalties.

If you would like more information or guidance around your health privacy obligations, contact LegalVision’s New Zealand privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any information about an identifiable individual, that is, information from which a living individual can be identified, such as names or phone numbers.

What is health information?

Health information is a kind of personal information: data relating to someone’s health, for example prescriptions, diagnoses, or records of conversations about health.

What is an agency?

An agency is the legal term for any organisation, group, or business that handles personal information in New Zealand. Every agency needs to comply with the Privacy Act and implement reasonable safeguards to protect privacy.

What is the Health Information Privacy Code?

The Health Information Privacy Code is an additional code to the Privacy Act, providing specific privacy guidance for those in the health sector.
