Health Information Privacy Policy


The practice team members will understand, comply with and implement the privacy policy as outlined in the Policy Statements below and in the attached documents which state the processes to be followed by the staff in handling health information.

  • The practice will have a privacy officer who has received training and is aware of his/her responsibilities. The appointed privacy officer is responsible for monitoring privacy issues and acting on feedback from patients and staff.
  • The practice will collect health information in a manner that complies with the Health Information Privacy Code (HIPC), and personal information in a manner that complies with the Privacy Act.
  • The practice complies with the Health Information Privacy Code (HIPC) when using health information and with the Privacy Act when using personal information.
  • The practice complies with the Health Information Privacy Code (HIPC) when storing and destroying health information and with the Privacy Act for personal information.
  • The practice complies with the Health Information Privacy Code (HIPC) when disclosing health information.
  • The practice complies with the Health Information Privacy Code (HIPC) when correcting health information.
  • The practice will follow the procedures attached when dealing with requests for information.
  • The practice will ensure confidentiality of information.
  • The practice will follow the procedure attached to deal with transferring patients’ information.
  • The practice will display a privacy poster in the waiting room.
  • The practice will make available a brochure relating to privacy for patients on request.
  • All staff will have adequate training to ensure they comply with Privacy legislation.


The Privacy Officer is responsible for:

  • Ensuring that the practice complies with the Privacy Act in relation to employees, and the Health Information Privacy Code in relation to patients; and
  • Dealing with requests made to the practice about personal or employment information; and
  • Working with the Privacy Commissioner or investigating officer should the need arise.

Privacy Officer Responsibilities:

Each team member is responsible for ensuring that s/he is up to date and trained in privacy issues.

The responsibilities of the Privacy Officer include:

  • Ensuring that the practice’s required privacy policies and procedures are up to date and stored in a readily accessible format (electronic or the Eastmed Privacy Folder).
  • Ensuring that all team members have read and understood the policies and procedures and have updated their personal training record to that effect.
  • Being available to answer questions about privacy issues and knowing when to refer queries and problems.
  • Briefing the practice team on changes to practice processes.
  • Alerting the practice team to privacy complaints received and what will be done to prevent the same thing happening again.
  • Upskilling the practice team on workshop information and case studies (i.e. providing training in staff team meetings).
  • Overseeing the orientation (privacy) process.
  • Advising the directors about recommended training opportunities to upskill the practice team.
  • Ensuring training records are up to date.
  • Ensuring that the privacy complaints received are dealt with in the correct manner.
  • Ensuring that there are clear guidelines on who can access patient information and that handling health information is done according to practice policies and procedures.

Collection of Health Information

When you collect health information from patients you must:

  • Only collect the information for the purpose of treating the patient or for some other legal purpose;
  • Collect the information directly from the patient unless he/she has consented to you collecting the information from someone else or one of the other exceptions to this rule applies; and
  • Let the patient know why you are collecting the information, who will have access to the information and that the patient is entitled to access and correct the information.

You will not need to tell patients this if you have collected the same type of information from them before.

Use of Health Information

Before using patients’ health information you must do what you can to make sure that the information is accurate and up to date. The steps that you will need to take will vary depending on how old the information is and the risk of relying on inaccurate information in the circumstances. You must only use patients’ health information for the purpose for which you have collected the information unless the patient has consented to you using the information for another purpose, or one of the other exceptions in the Health Information Privacy Code applies. You must consult our practice’s Privacy Officer before using a patient’s health information without the patient’s consent.

Storage of Health Information

You must ensure that the health information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people. Paper records are stored in the filing cabinets and rota-scans in the reception area, away from public access. Computerised records are password protected. When you transfer patients’ health information to someone else, you must do what you can to prevent unauthorised people from accessing or using the information.

Retention of Health Information

The practice policy is to follow the guidelines of the Medical Council of New Zealand (ref: 5 par 5 – a, b, c. Maintenance and retention of patient records) (attached).

In summary;

  • The practice may dispose of information at 10 years and 1 day following the date of the last consultation, if the designated patient’s doctor is satisfied this is reasonable.
  • Note is made of MCNZ section 5 (b) regarding longer-term retention of records for significant patient conditions.

Policy Statement.

Information may be destroyed if, for example, it is not considered clinically important to retain or a copy of the information is held elsewhere. When information is no longer needed, any paper carrying patient-identifiable information should be shredded. Computers that contain health information and that are no longer in use or are leaving the practice should have the data rendered irretrievable.

Safe Management and Disposal of Health Information

Local terminals no longer store information as the practice operates as a thin client: our servers are based in the Cloud, and Cloud Region disposes of unwanted information according to their protocols.

Disclosure of Health Information

You must not disclose a patient’s health information without his/her consent (or the consent of his/her representative) unless you reasonably believe that it is not possible for you to get the patient’s consent and:

  • The disclosure is for the purposes of the patient’s treatment (e.g. a referral);
  • The disclosure is to the patient’s caregiver and the patient hasn’t objected to the disclosure;
  • It is necessary for you to disclose the information to prevent a serious and immediate threat to the patient’s or another person’s life or health;
  • The disclosure is made for the purposes of a criminal proceeding;
  • The patient is, or is likely to become, dependent on a drug that you need to report under the Misuse of Drugs Act or the Medicines Act;
  • The disclosure is to a social worker or the police and concerns suspected child abuse;
  • The disclosure is made by a doctor to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.

Policy Statement:

  • Where disclosure of information is required by law (see the HIPC for these cases) it would be prudent for the practice to inform the patient that this is going to happen and that we are required to disclose the information.
  • There are other situations where disclosure without consent may be justified, such as disclosing information to agencies such as CYFS and the Police. You must discuss any proposed disclosure with our practice’s Privacy Officer before disclosing the information.
  • You must consult with our practice’s Privacy Officer before disclosing a patient’s health information without his/her consent.

Requests for Information

  • Patients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
  • You must assist patients who ask to access their health information.
  • Patients are entitled to access their notes except in certain circumstances.
  • Satisfy yourself of the identity of the person before releasing information.
  • Requests for information by another party generally require written consent, except where another health agency (e.g. a hospital) requests information which relates specifically to the problem at hand.
  • Consider keeping a sample signature on file for comparison.
  • Give a copy to the patient or other party; always keep the original records intact.
  • If in doubt, don’t release the information: check first.

Children under 16

  • You can refuse to give information to a person under 16 if you consider it is not in their interests.
  • Parents do not automatically have the right of access to their children’s files.
  • Take care in situations where the child may have attended without their parent. In these circumstances the child should be treated as an adult in terms of confidentiality.
  • Generally, do not release information about a child to a non-custodial parent (e.g. a separated parent who does not have custody) except in certain circumstances.

Another Provider

If requested to provide information to another provider you must do so promptly. You cannot withhold the information on the grounds that you are owed money by the patient (s22F Health Act 1993).

Insurance Company, ACC

Where health information is requested by an insurance company, ACC or any other organisation, and a significant amount of data is requested (especially if the data might be considered sensitive or may have a significant impact on that patient’s health or entitlements), confirmation (verbal confirmation is adequate) should be obtained from the patient before complying.

In the case of requests for information about those unable to give consent themselves (deceased or incompetent), all efforts must be made to confirm that consent is given by the appropriate legal representative, such as the executor of the will. If in doubt, consult the Privacy Officer, the Medical Protection Society or the Privacy Commission.

Correction of Health Information

Patients are entitled to ask our practice to correct the information that we hold about them. The doctor will add the correction to the notes. If this is unacceptable then advice should be sought from the Privacy Officer, MPS or the Privacy Commission.

Confidentiality

Confidentiality is ensured through the Privacy legislation, the duty of medical practitioners to maintain confidentiality, and signed confidentiality agreements with all staff and contractors.

Transfer of Patient Notes

Notes are transferred using the procedure set out. Notes are reviewed by the nurses and doctors. Full copies of notes are kept unless advised otherwise by the doctor. Transfer takes place within 10 working days. Electronic notes are sent electronically via Healthlink to ensure confidentiality; paper notes are sent by post to the nominated doctor after ensuring the address is accurate. Patients going overseas may be given a copy of their notes if it seems impractical to send them to their doctor overseas. In this case a copy of their file should be kept in the event of loss of the file.

Privacy Poster

The ProCare Health Information Privacy poster will be displayed in a prominent place on the waiting room notice board.

Privacy Training

All staff are to undertake training, and the dates are to be recorded. Privacy training should take place every 3 years or on induction of a new staff member. Privacy training may take the form of an external training session (e.g. ProCare) or an internal session, preferably run by someone who has recently undertaken external training. As new staff are employed they will need to demonstrate that they have undertaken recent training relevant to general practice, i.e. within the last 3 years. In addition they will read the documents attached to this policy in connection with ensuring privacy.

Confidentiality Agreements

  • All practice team members will have signed privacy agreements.
  • Contractors’ confidentiality agreements are stored in the Privacy folder.
  • All hard copy health information is stored in the back office, accessible to staff only.

Electronic Security

Eastmed Doctors clinical records are held on servers hosted by Cloud Region (www.2onions.com). Cloud Region are responsible for security and backup of the data, which is done automatically. Eastmed Doctors uses a dedicated high-speed private network to access the servers. In case of failure of this network, ADSL is used to access the servers. Local terminals are protected by antivirus software. Staff web access is restricted to prevent malicious threats via the internet. Staff will not be able to copy information to USB sticks or CD-ROMs, thus preventing illegal copying or transfer of information.

Access to the health records is by a password individual to each staff member. Currently all staff have access to the medical records, but only clinical staff can alter the records.

Website Privacy

  • Eastmed Doctors does not store the information you provide on the online forms.
  • To safeguard your personal information in transit, the online form pages are encrypted, making them many times more secure than text-based email. Eastmed Doctors does not give out your personal information to others.
  • Eastmed Doctors does not store cookies on your machine.
  • Eastmed Doctors monitors the usage of the website to improve services.

Relevant Resources:

  • Privacy Act 1993
  • Health Information Privacy Code 1994
  • On the Record, a Practical Guide to Health Information Privacy 2nd edition.

Other important Resources

Other resources available through ProExcellence

  • Checklist for General Practice: Complying with the “Health Information Privacy Code”
  • ProExcellence “Principles for Disclosure of Health Information” Mar 2004
  • ProExcellence Flowchart: “Health Information Privacy: Handling request for Information”
  • Health Information Privacy: Handling request for Information
  • Medical Council of New Zealand – The maintenance and retention of patient records

Review Date: Health Information Privacy, April 2012