Health Information Privacy Code 

What is health information?

Health information is information about you that is held by a health agency (for example your GP and specialists, your dentist, your pharmacy, your District Health Board, ACC and your health insurer). The information could include details about:

  • medical conditions or disabilities you have, or have had 
  • prescriptions you’ve been given
  • results of your medical tests
  • medical procedures you have had and medical donations you have made (e.g. of blood or organs)
  • records of consultations/conversations you have had with a health or disability provider.

Back to top

How is my health information protected?

The Health Information Privacy Code (HIPC) protects your health information by setting out rules for health agencies to follow when collecting, using and storing the information you give them. This includes ensuring that they have reasonable security safeguards for your information.  

Back to top

What are my rights under the Health Information Privacy Code?

There are two main ideas behind the code: that health agencies (e.g. doctor’s clinic, ACC) should only collect information they really need; and they should make sure that they are open with you about how they are going to use that information.

Once the health agency has your health information they must keep it secure, and only use it for the purpose that was given to you. They also have to ensure that the information is correct before they use it.

You have the right to access any personal information they hold about you, and correct any errors in this information.

The health agency can only disclose the information to someone else in very limited circumstances. They must securely dispose of the information once they no longer need it for the purpose for which it was taken.

Back to top

Can I access my medical records and how much will it cost?

You have a right to see your own health information. If you make a request to your doctor or other health agency they must respond within 20 days.

If the agency does not respond to your request to access your health information within 20 working days, or they have denied your request and you are unsatisfied with their reason, you can make a complaint.

If you made your request to a public health sector agency (e.g. your DHB), they cannot charge you a fee for this. Private sector agencies (e.g. your private sector dentist) can only charge you if they have provided you with the same information in the last twelve months. More about this is on this Privacy Commissioner website.

Back to top

Who else can access my medical records?

Generally other people will only be able to access your health information with your consent (eg, your insurance company), or because it relates to the reason your information was collected in the first place (eg, your doctor discussing your health information with other medical staff).

There are some exceptions to this, such as where releasing your information is necessary to avoid a serious threat to public health or public safety, or to the life or health of you or another person. 

Back to top

Can I access my child’s health information?

If you are the parent or guardian of a child (aged under 16 years), you do not have an automatic right to access your child's health information.

You are entitled to ask for your child’s health information but a health agency can refuse access to the information if they believe that:

  • this would not be in your child’s best interests, or  
  • your child doesn’t want you to access the information and they are considered competent to make this decision based on their age and maturity.

More about this is on the Privacy Commissioner's website.

Back to top

What is my National Health Index number, and what is it used for?

A National Health Index number is assigned to anyone who uses health and disability support services in New Zealand. This number corresponds to certain kinds of information about you that is securely stored on a National Health Index:  

  • your name (including alternative names such as maiden names)
  • address
  • date of birth
  • place of birth
  • gender
  • New Zealand resident and citizenship status
  • ethnicity
  • date of death (if appropriate).

This information is used to help with the planning and provision of health and disability services in New Zealand.

Your NHI number can also be used to pass on information between your health providers – for example, information about your immunisation status that is held on the National Immunisation Register; or any warnings or alerts on the Medical Warning System.

This information, which is managed by the Ministry of Health, can only be used within the health sector – you GP, pharmacies and the hospital patient management system.

If you want to find out what information about you is held against your NHI number, you’ll find information about how to make a request on the Ministry of Health website. 

Back to top

How do I complain about a breach of my health privacy rights?

If you’re not happy about how your health information has been handled (for example it has been wrongly given to someone, not securely stored or you have been refused your own health information without good reason), you should speak to the person or organisation involved first.

If you’re still unhappy you can complain to the Privacy Commissioner. You might find it helpful to discuss the complaints procedure with your local Citizens Advice Bureau because every health agency has a different way of dealing with these complaints.