PART 1.- PRELIMINARY
1.- TITLE
This code of practice may be referred to as the Health Information Privacy Code 1994.
2.- COMMENCEMENT
This code is to come into force on 30 July 1994.
3.- INTERPRETATION
In this code:
commencement, in relation to this code, means the coming into force of the code disability services includes goods, services, and facilities:
(a) provided to people with disabilities for their care or support or to promote their inclusion and participation in society or independence; or
(b) provided for purposes related or incidental to the care or support of people with disabilities or to the promotion of the inclusion and participation in society, and independence of such people
ethics committee means:
(a) the Ethics Committee of the Health Research Council of New Zealand or an ethics committee approved by that committee; or
(b) the National Advisory Committee on Health and Disability Support Services Ethics; or
(c) an ethics committee constituted in accordance with the currently applicable Operational Standard for Ethics Committees promulgated by the Ministry of Health; or
(d) an ethics committee established by, or pursuant to, any enactment
health agency means an agency referred to in clause 4(2) and, for the purposes of rules 5 to 11, is to be taken to include:
(a) where an agency holds health information obtained in the course of providing health or disability services but no longer provides such services, that agency; and
(b) with respect to any health information held by a health agency (being a natural person) at the time of the person’s death, his or her personal representative
health information means information to which this code applies under clause 4(1)
health practitioner has the meaning given to it by section 5(1) of the Health Practitioners Competence Assurance Act 2003
health professional body means an authority empowered to exercise registration and disciplinary powers under the Health Practitioners Competence Assurance Act 2003
health services means personal health services and public health services
health training institution means a school, faculty, or department referred to in paragraph 4(2)(d)
personal health services means goods, services, and facilities provided to an individual for the purpose of improving or protecting the health of that individual, whether or not they are also provided for another purpose; and includes goods, services, and facilities provided for related or incidental purposes
principal caregiver, in relation to any individual, means the friend of the individual or the member of the individual’s family group or whanau who is most evidently and directly concerned with the oversight of the individual’s care and welfare
public health services means goods, services, and facilities provided for the purpose of improving, promoting, or protecting public health or preventing population-wide disease, disability, or injury; and includes:
(a) regulatory functions relating to health or disability matters; and
(b) health protection and health promotion services; and
(c) goods, services, and facilities provided for related or incidental functions or purposes
representative, in relation to an individual, means,:
(a) where that individual is dead, that individual’s personal representative; or
(b) where the individual is under the age of 16 years, that individual’s parent or guardian; or
(c) where the individual, not being an individual referred to in paragraphs (a) or (b), is unable to give his or her consent or authority, or exercise his or her rights, a person appearing to be lawfully acting on the individual’s behalf or in his or her interests
rule means a rule set out in clause 5.
the Act means the Privacy Act 1993
4.- APPLICATION OF CODE
(1) This code applies to the following information or classes of information about an identifiable individual:
(a) information about the health of that individual, including his or her medical history; or
(b) information about any disabilities that individual has, or has had; or
(c) information about any health services or disability services that are being provided, or have been provided, to that individual; or
(d) information provided by that individual in connection with the donation, by that individual, of any body part or any bodily substance of that individual or derived from the testing or examination of any body part, or any bodily substance of that individual; or
(e) information about that individual which is collected before or in the course of, and incidental to, the provision of any health service or disability service to that individual.
(2) This code applies in relation to the following agencies or classes of agency:
Health and disability service providers
(a) an agency which provides health or disability services; or
(b) within a larger agency, a division or administrative unit (including an individual) which provides health or disability services to employees of the agency or some other limited class of persons; or
(c) a person who is approved as a counsellor for the purposes of the Injury Prevention, Rehabilitation, and Compensation Act 2001; or Training, registration, and discipline of health professionals, etc
(d) a school, faculty or department of a tertiary educational institution which provides the training or a component of the training necessary for the registration of a health practitioner; or
(e) an agency having statutory responsibility for the registration of any health practitioners; or
(f) a health professional body; or
(g) persons appointed or designated under the Health and Disability Commissioner Act 1994; or
Health insurance, etc
(h) Revoked
(i) an agency which provides health, disability, accident, or medical insurance, or which provides claims management services in relation to such insurance, but only in respect of providing that insurance or those services; or
(j) an accredited employer under the Injury Prevention, Rehabilitation, and Compensation Act 2001; or Other
(k) an agency which provides services in respect of health information, including an agency which provides those services under an agreement with another agency; or
(l) a district inspector, deputy district inspector, or official visitor appointed pursuant to section 94 of the Mental Health (Compulsory Assessment and Treatment) Act 1992; or
(la) a district inspector or deputy district inspector appointed pursuant to section 144 of the Intellectual Disability (Compulsory Care and Rehabilitation) Act 2003; or
(m) an agency which manufactures, sells, or supplies medicines, medical devices, or related products; or
(n) an agency which provides health and disability services consumer advocacy services; or
(o) the department responsible for the administration of the Coroners Act 2006, but only in respect of information contained in documents referred to in section 29(1) of that Act; or
(p) the agencies specified in Schedule 1.
PART 2.- HEALTH INFORMATION PRIVACY RULES
5.- HEALTH INFORMATION PRIVACY RULES
The information privacy principles are modified in accordance with the Act by the following rules which apply to health information and health agencies:
RULE 1.- PURPOSE OF COLLECTION OF HEALTH INFORMATION
Health information must not be collected by any health agency unless:
(a) the information is collected for a lawful purpose connected with a function or activity of the health agency; and
(b) the collection of the information is necessary for that purpose
RULE 2.- SOURCE OF HEALTH INFORMATION
(1) Where a health agency collects health information, the health agency must collect the information directly from the individual concerned.
(2) It is not necessary for a health agency to comply with subrule (1) if the agency believes, on reasonable grounds, that:
(a) the individual concerned authorises collection of the information from someone else having been made aware of the matters set out in rule 3(1); or
(b) the individual is unable to give his or her authority and the health agency, having made the individual’s representative aware of the matters set out in rule 3(1), collects the information from the representative or the representative authorises collection from someone else; or
(c) compliance would:
(i) prejudice the interests of the individual concerned; or
(ii) prejudice the purposes of collection; or
(iii) prejudice the safety of any individual; or
(d) compliance is not reasonably practicable in the circumstances of the particular case; or
(e) the collection is for the purpose of assembling a family or genetic history of an individual and is collected directly from that individual; or
(f) the information is publicly available information; or
(g) the information:
(i) will not be used in a form in which the individual concerned is identified; or
(ii) will be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(iii) will be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(h) non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) for the protection of the public revenue; or
(iii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(i) the collection is in accordance with an authority granted under section 54 of the Act.
RULE 3.- COLLECTION OF HEALTH INFORMATION FROM INDIVIDUAL
(1) Where a health agency collects health information directly from the individual concerned, or from the individual’s representative, the health agency must take such steps as are, in the circumstances, reasonable to ensure that the individual concerned (and the representative if collection is from the representative) is aware of:
(a) the fact that the information is being collected; and
(b) the purpose for which the information is being collected; and
(c) the intended recipients of the information; and
(d) the name and address of:
(i) the health agency that is collecting the information; and
(ii) the agency that will hold the information; and
(e) whether or not the supply of the information is voluntary or mandatory and if mandatory, the particular law under which it is required; and
(f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and
(g) the rights of access to, and correction of, health information provided by rules 6 and 7.
(2) The steps referred to in subrule (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after it is collected.
(3) A health agency is not required to take the steps referred to in subrule (1) in relation to the collection of information from an individual, or the individual’s representative, if that agency has taken those steps in relation to the collection, from that individual or that representative, of the same information or information of the same kind for the same or a related purpose, on a recent previous occasion.
(4) It is not necessary for a health agency to comply with subrule (1) if the agency believes on reasonable grounds, that:
(a) Revoked
(b) compliance would:
(i) prejudice the interests of the individual concerned; or
(ii) prejudice the purposes of collection; or
(c) compliance is not reasonably practicable in the circumstances of the particular case; or
(d) non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences.
RULE 4.- MANNER OF COLLECTION OF HEALTH INFORMATION
Health information must not be collected by a health agency:
(a) by unlawful means; or
(b) by means that, in the circumstances of the case,:
(i) are unfair; or
(ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.
RULE 5.- STORAGE AND SECURITY OF HEALTH INFORMATION
(1) A health agency that holds health information must ensure that:
(a) the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss; or
(ii) access, use, modification, or disclosure, except with the authority of the agency; or
(iii) other misuse; and
(b) if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and
(c) where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.
(2) This rule applies to health information obtained before or after the commencement of this code.
RULE 6.- ACCESS TO PERSONAL HEALTH INFORMATION
(1) Where a health agency holds health information in such a way that it can readily be retrieved, the individual concerned is entitled:
(a) to obtain from the agency confirmation of whether or not the agency holds such health information; and
(b) to have access to that health information.
(2) Where, in accordance with subrule (1)(b), an individual is given access to health information, the individual must be advised that, under rule 7, the individual may request correction of that information.
(3) The application of this rule is subject to:
(a) Part 4 of the Act (which sets out reasons for withholding information); and
(b) Part 5 of the Act (which sets out procedural provisions relating to access to information); and
(c) clause 6 (which concerns charges).
(4) This rule applies to health information obtained before or after the commencement of this code.
RULE 7.- CORRECTION OF HEALTH INFORMATION
(1) Where a health agency holds health information, the individual concerned is entitled:
(a) to request correction of the information; and
(b) to request that there be attached to the information a statement of the correction sought but not made.
(2) A health agency that holds health information must, if so requested or on its own initiative, take such steps (if any) to correct the information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, it is accurate, up to date, complete, and not misleading.
(3) Where an agency that holds health information is not willing to correct the information in accordance with such a request, the agency must, if so requested, take such steps (if any) as are reasonable to attach to the information, in such a manner that it will always be read with the information, any statement provided by the individual of the correction sought.
(4) Where the agency has taken steps under subrule (2) or (3), the agency must, if reasonably practicable, inform each person or body or agency to whom the health information has been disclosed of those steps.
(5) Where an agency receives a request made under subrule (1), the agency must inform the individual concerned of the action taken as a result of the request.
(6) The application of this rule is subject to the provisions of Part 5 of the Act (which sets out procedural provisions relating to correction of information).
(7) This rule applies to health information obtained before or after the commencement of this code.
RULE 8.- ACCURACY ETC OF HEALTH INFORMATION TO BE CHECKED BEFORE USE
(1) A health agency that holds health information must not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
(2) This rule applies to health information obtained before or after the commencement of this code.
RULE 9.- RETENTION OF HEALTH INFORMATION
(1) A health agency that holds health information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
(2) Subrule (1) does not prohibit any agency from keeping any document that contains health information the retention of which is necessary or desirable for the purposes of providing health services or disability services to the individual concerned.
(3) This rule applies to health information obtained before or after the commencement of this code.
RULE 10.- LIMITS ON USE OF HEALTH INFORMATION
(1) A health agency that holds health information obtained in connection with one purpose must not use the information for any other purpose unless the health agency believes, on reasonable grounds,:
(a) that the use of the information for that other purpose is authorised by:
(i) the individual concerned; or
(ii) the individual’s representative where the individual is unable to give his or her authority under this rule; or
(b) that the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained; or
(c) that the source of the information is a publicly available publication; or
(d) (1) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat to:
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another individual; or
(e) that the information:
(i) is used in a form in which the individual concerned is not identified; or
(ii) is used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(iii) is used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(f) that non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(g) that the use of the information is in accordance with an authority granted under section 54 of the Act.
(2) This rule does not apply to health information obtained before 1 July 1993
RULE 11.- LIMITS ON DISCLOSURE OF HEALTH INFORMATION
(1) A health agency that holds health information must not disclose the information unless the agency believes, on reasonable grounds, that:
(a) the disclosure is to:
(i) the individual concerned; or
(ii) the individual’s representative where the individual is dead or is unable to exercise his or her rights under these rules; or
(b) the disclosure is authorised by:
(i) the individual concerned; or
(ii) the individual’s representative where the individual is dead or is unable to give his or her authority under this rule; or
(c) the disclosure of the information is one of the purposes in connection with which the information was obtained; or
(d) the source of the information is a publicly available publication; or
(e) the information is information in general terms concerning the presence, location, and condition and progress of the patient in a hospital, on the day on which the information is disclosed, and the disclosure is not contrary to the express request of the individual or his or her representative; or
(f) the information to be disclosed concerns only the fact of death and the disclosure is by a health practitioner or by a person authorised by a health agency, to a person nominated by the individual concerned, or the individual’s representative, partner, spouse, principal caregiver, next of kin, wh ¯anau, close relative, or other person whom it is reasonable in the circumstances to inform; or
(g) the information to be disclosed concerns only the fact that an individual is to be, or has been, released from compulsory status under the Mental Health (Compulsory Assessment and Treatment) Act 1992 and the disclosure is to the individual’s principal caregiver.
(2) Compliance with subrule (1)(b) is not necessary if the health agency believes on reasonable grounds that it is either not desirable or not practicable to obtain authorisation from the individual concerned and that:
(a) the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained; or
(b) the information is disclosed by a health practitioner to a person nominated by the individual concerned or to the principal caregiver or a near relative of the individual concerned in accordance with recognised professional practice and the disclosure is not contrary to the express request of the individual or his or her representative; or
(c) the information:
(i) is to be used in a form in which the individual concerned is not identified; or
(ii) is to be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(iii) is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(d) (2) the disclosure of the information is necessary to prevent or lessen a serious threat to:
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another individual; or
(e) the disclosure of the information is essential to facilitate the sale or other disposition of a business as a going concern; or
(f) the information to be disclosed briefly describes only the nature of injuries of an individual sustained in an accident and that individual’s identity and the disclosure is:
(i) by a person authorised by the person in charge of a hospital; or
(ii) to a person authorised by the person in charge of a news medium;
for the purpose of publication or broadcast in connection with the news activities of that news medium and the disclosure is not contrary to the express request of the individual concerned or his or her representative; or
(g) the disclosure of the information:
(i) is required for the purposes of identifying whether an individual is suitable to be involved in health education and so that individuals so identified may be able to be contacted to seek their authority in accordance with subrule (1)(b); and
(ii) is by a person authorised by the health agency to a person authorised by a health training institution; or
(h) the disclosure of the information is required:
(i) for the purpose of a professionally recognised accreditation of a health or disability service; or
(ii) for a professionally recognised external quality assurance programme; or (iii) for risk management assessment and the disclosure is solely to a person engaged by the agency for the purpose of assessing the agency’s risk;
and the information will not be published in a form which could reasonably be expected to identify any individual nor disclosed by the accreditation, quality assurance, or risk management organisation to third parties except as required by law; or
(i) non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(j) the individual concerned is or is likely to become dependent upon a controlled drug, prescription medicine, or restricted medicine and the disclosure is by a health practitioner to a Medical Officer of Health for the purposes of section 20 of the Misuse of Drugs Act 1975 or section 49A of the Medicines Act 1981; or
(k) the disclosure of the information is in accordance with an authority granted under section 54 of the Act.
(3) Disclosure under subrule (2) is permitted only to the extent necessary for the particular purpose.
(4) Where, under section 22F(1) of the Health Act 1956, the individual concerned or a representative of that individual requests the disclosure of health information to that individual or representative, a health agency:
(a) must treat any request by that individual as if it were a health information privacy request made under rule 6; and
(b) may refuse to disclose information to the representative if:
(i) the disclosure of the information would be contrary to the individual’s interests; or
(ii) the agency has reasonable grounds for believing that the individual does not or would not wish the information to be disclosed; or
(iii) there would be good grounds for withholding the information under Part 4 of the Act if the request had been made by the individual concerned.
(5) This rule applies to health information about living or deceased persons obtained before or after the commencement of this code.
(6) Despite subrule (5), a health agency is exempted from compliance with this rule in respect of health information about an identifiable deceased person who has been dead for not less than 20 years.
RULE 12.- UNIQUE IDENTIFIERS
(1) A health agency must not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the health agency to carry out any 1 or more of its functions efficiently.
(2) A health agency must not assign to an individual a unique identifier that, to that agency’s knowledge, has been assigned to that individual by another agency, unless:
(a) those 2 agencies are associated persons within the meaning of section OD 7 of the Income Tax Act 1994; or
(b) it is permitted by subrule (3) or (4).
(3) The following agencies may assign the same National Health Index number to an individual:
(a) any agency authorised expressly by statute or regulation; and
(b) any agency or class of agencies listed in Schedule 2.
(4) Notwithstanding subrule (2), any health agency may assign to a health practitioner, as a unique identifier, the registration number assigned to that individual by the relevant statutory registration body.
(5) A health agency that assigns unique identifiers to individuals must take all reasonable steps to ensure that unique identifiers are assigned only to individuals whose identity is clearly established.
(6) A health agency must not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or for a purpose that is directly related to one of those purposes.
(7) Subrules (1) to (5) do not apply in relation to the assignment of unique identifiers before the commencement of this code.
(8) Subrule (6) applies to any unique identifier, whether assigned before or after the commencement of this code.
PART 3.- MISCELLANEUS
6.- CHARGES
(1) For the purposes of charging under section 35 of the Act in relation to information privacy requests concerning health information, a health agency that is not a public sector health agency must not require the payment, by or on behalf of any individual who wishes to make a request, of any charges in respect of a matter referred to in paragraphs 35(1)(a) to (f) of the Act except in accordance with this clause.
(2) Where an individual makes an information privacy request to a health agency that is not a public sector health agency, the agency may, unless prohibited by a law other than the Act or this code, make a reasonable charge,:
(a) where, on a particular day, that agency has made health information available to that individual in response to a request, for making the same or substantially the same health information available in accordance with any subsequent request within the period of 12 months after that day; or
(b) for providing a copy of an x-ray, a video recording, an MRI scan photograph, a PET scan photograph, or a CAT scan photograph.
(3) Where an agency intends to make a charge under subclause (2) and the amount of the charge is likely to exceed $30, the agency must provide the individual with an estimate of the charge before dealing with the request.
7.- COMPLAINTS OF BREACH OF CODE
(1) Every health agency must designate a person or persons to deal with complaints alleging a breach of this code and facilitate the fair, simple, speedy, and efficient resolution of complaints.
(2) Every health agency to which this subclause applies must have a complaints procedure which provides that:
(a) when a complaint of breach of this code is received by the agency:
(i) the complaint is acknowledged in writing within 5 working days of receipt, unless it has been resolved to the satisfaction of the complainant within that period; and
(ii) the complainant is informed of any relevant internal and external complaints procedures; and
(iii) the complaint and the actions of the health agency regarding that complaint are documented; and
(b) within 10 working days of acknowledging the complaint, the agency must:
(i) decide whether it:
(A) accepts that the complaint is justified; or
(B) does not accept that the complaint is justified; or
(ii) if it decides that more time is needed to investigate the complaint, determine how much additional time is needed; and
(iii) if that additional time is more than 20 working days, inform the complainant of that determination and of the reasons for it; and
(c) as soon as practicable after a health agency decides whether or not it accepts that a complaint is justified, it must inform the individual of:
(i) the reasons for the decision; and
(ii) any actions the agency proposes to take; and
(iii) any appeal procedure the agency has in place; and
(iv) the right to complain to the Privacy Commissioner.
(3) Subclause (2) applies to any health agency specified in clause 4(2)(a), (c), (d), (e), (h), (i), (j), and (k) or the sixth and eighth item of Schedule 1.
(4) Nothing in this clause is to limit or restrict any provisions of Parts 4, 5, 8, or 9 of the Act or sections 55 to 57.
SCHEDULES
SCHEDULE 1.- SPECIFIED HEALTH AGENCIES
Ministry of Health
Health Research Council
New Zealand Council on Healthcare Standards
Institute of Environmental Science and Research Limited
The Interchurch Council on Hospital Chaplaincy
Health Benefits Limited
The Mental Health Commission
Accident Compensation Corporation
The Regulator under the Accident Insurance Act 1998 and the Injury Prevention,
Rehabilitation and Compensation Act 2001
SCHEDULE 2.- AGENCIES APPROVED TO ASSIGN NHI NUMBER
1 Ministry of Health
2 District Health Boards
3 Hospitals
4 Primary health organisations
5 Independent practitioner associations
6 Health practitioners
7 New Zealand Blood Service
8 Accident Compensation Corporation
9 Department of Corrections health services
10 New Zealand Defence Force health services
11 Pharmaceutical Management Agency of New Zealand
11A (3) MedicAlert Foundation New Zealand
12 Any health agency which has a contract with the Accident Compensation Corporation or a District Health Board or the Ministry of Health to provide health or disability services.
——————————————————————-
(1) (Health Information Privacy Code 1994. Amendment nº 7 on 18 March 2013)
(2) (Health Information Privacy Code 1994.Amendment nº 7 on 18 March 2013)
(3) (Health Information Privacy Code 1994.Amendment nº 7on 18 March 2013 )