
The Privacy Act 1993 and the Health Information Privacy Code 1994

Duties Under the Privacy Act

The Privacy Act establishes that information concerning an identifiable individual should be collected, stored, used and destroyed in a manner which ensures that the individual concerned (and in certain circumstances their relatives) is not actually or potentially harmed. Failure to comply with the 12 Information Privacy Principles in the Privacy Act (which became operative on 1 July 1993) can result in severe legal penalties for the individual and/or organisation breaching the principles.

Health Information Privacy Code 1994

The Privacy Act allows the Privacy Commissioner to promulgate Codes of Practice which tailor the Privacy Principles of the Act to a particular activity or occupation. Such a Code (the Health Information Privacy Code 1993 [Temporary]) came into force on 10th August 1993 and was replaced by a permanent Code on 28th June 1994.

The Code applies to all “Health Agencies” (which include DHBs and General Practitioners) and to individuals (including Students and Trainees) who use Health Information. Whilst under the supervision of a hospital or other health agency, students must comply with the policies and regulations developed for the staff of that agency. The Code covers, for example, information about an individual’s medical and treatment history, any disabilities they may have or have had, their contact with any health or disability providers, and information about the donation of blood, organs etc. The Code does not apply to statistical or anonymous information which does not enable the identification of an individual.

Application of the Code and Penalties for Breaches

The Code does not supersede the standards of Ethical and Professional Conduct of the Health Professions (which may be “higher”) but sets minimum standards with which all individuals and organisations have to comply.

Failure to comply with the Code can result in severe legal penalties for both the organisation and the individual.

You must comply with the Code in all of your contacts with patients or patient information in all circumstances.

Contents of the Health Information Privacy Code 1994

The Code consists of 3 parts and an Appendix.

Part 1: Introduction

Part 2: The 12 Rules of the Code
(Based on the 12 Privacy Principles of the Privacy Act)

Part 3: Miscellaneous Provisions
(Related to Charges for copies of Information, appointment of Institutional Privacy Officers, Complaints and Schedules)

Appendix: Excerpts from the Privacy Act

The following guidelines on the application of the Code are not exhaustive and do not replace the Code but indicate general approaches which you should adopt to comply with the Code and Directives from the DHBs.

In case of any doubt consult the full Code and/or your immediate Supervisor for guidance.

The Components of the Code

Rules 1 – 4: Collection of Information

Most Health Information is collected in a situation of confidence and trust and the manner of collection should reflect that confidence and trust by:

  • Ensuring that Health Information is only collected from a person if it is for a lawful purpose connected with a function or activity of the Health Agency and the collection is necessary for that purpose (e.g. Care and Treatment, Administration, Training and Education, Quality Assurance) [Rule 1]
  • Collecting information directly from the person concerned, or from a person whom he/she authorises or who is their legal representative. Departure from this rule (permitted only in special circumstances) requires approval from your immediate supervisor and then specific explanation and consideration (this provision confirms the Informed Consent Principle) [Rule 2]
  • All reasonable steps must be taken to ensure that the person knows:
    • That the information is being collected
    • The purpose for which the information is being collected
    • The intended recipients of the information
    • The name and address of the agency collecting and holding the information
    • The consequences to that individual and/or representative if all or any part of the requested information is not provided [e.g. that failure to provide information for education and training purposes will not prejudice treatment]
    • The rights of access to, and correction of, Health Information [Rule 3]
  • Patient information shall not be collected by unlawful or unfair means, nor in a way that intrudes to an unreasonable extent upon the personal affairs of the individual concerned. (A sensitively taken History would NOT constitute “intrusion”. However, areas that the individual regards as intrusive should not be pursued.) [Rule 4]

Rules 5 – 9: Storage, Accessibility and Retention of Health Information

  • The Health Agency shall ensure that Patient Information is protected against loss; against access, use, modification or disclosure without the Agency’s authority; and against other misuse. All efforts will be made to prevent unauthorised use or unauthorised disclosure of the information [Rule 5]

N.B. Patient notes/records must not be taken from the places specified for their secure storage.

  • The Health Agency shall, on request, confirm to the patient whether or not the Agency holds information about them and also provide access to that health information [Rule 6]
  • The Health Agency shall not keep information for longer than is required for the purposes for which the information may lawfully be used [Rule 9]

Rules 10 – 12: Use of Health Information

  • The Health Agency shall not use the information for any purpose other than that for which it was obtained unless the Health Agency believes, on reasonable grounds, that:
    • Use of the information is authorised by the individual, or by their representative where the individual is unable to give his or her authority under the rule
    • The use is for one of the purposes in connection with which the information was obtained
    • The source of the information is a publicly available publication
    • Use of the information is necessary to prevent or lessen a serious or imminent threat
    • The information is used, or will be published, in a form in which the individual concerned is not identified [Rule 10]
  • A Health Agency shall not disclose information to any person, body or agency except in the circumstances listed under Rule 10 above [Rule 11]
  • A Health Agency shall not assign a unique identifier to an individual unless it is necessary to carry out any one or more of its functions efficiently.
    • If information is identifiable [in any manner, e.g. hospital number, post mortem number or any other way], the individual should be told where it will be stored and who will have access to it [Rule 12]

N.B. If the information is stored in a totally anonymous manner, so that the individual cannot be identified, some of these requirements become unnecessary.

# 5 While collecting information, monitor the person’s responses to identify areas that may appear to intrude to an unreasonable extent, and explain why you are asking for such information. If, after explanation, the person still feels that these areas are unreasonably intrusive, they should not be pursued.

# 6 Accessing information held in Medical Records Departments. For various parts of the course (e.g. Child Development and Family Study, Ward Attachments, Clinico-Pathological Conferences and Pathology) it may be necessary to consult all or part of a person’s Medical Record.

Because of the ease with which individuals could misrepresent themselves as Health Professional Trainees, Health Agencies have introduced procedures to prevent unauthorised access to information. Procedures differ slightly from Agency to Agency and according to whether the subject of the information is alive or dead.

If the person is alive

When you go to the Medical Records Office take with you the following:

  1. The Course Instructions explaining that you need to have access to the information (this may be handouts or a letter from the supervising Department).
  2. Your name badge.
  3. Evidence that you have consent from the person (or their representative) whose information is to be accessed. This might be verbal, but a signed consent is better (for example, a copy of the Child Development and Family Study Parent Consent Form).

If the person is dead

In dealing with information about people who died before 10th September 1993, you should take with you to the Medical Records Office:

  1. The course instructions explaining that you need to have access to the Information (this may be handouts or a letter from the Supervising Department).
  2. Your name badge.
  3. Some evidence from the Supervising Department that you have been asked to access information on this specific patient.

Access to information about persons who died on or after 10th September 1993 requires specific directions from the Supervising Department.

You may then be asked to fill out an “Access to Patient Information Form”.

If there are any problems, ask the Medical Records Officers to contact the staff who are supervising the relevant part of your Course.