Health Records Privacy & Patient Access in New Zealand

This guide explains your obligations under New Zealand’s privacy laws when handling health information. It covers the Privacy Act 2020 (especially Information Privacy Principle 6 – IPP6), the Health Information Privacy Code 2020, who can access health records, and how patients can correct their information. Use this as a reference for day‑to‑day compliance.

1. The Privacy Act 2020 & IPP6

The Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs). IPP6 (section 22) gives individuals the right to access information about themselves held by any agency, including health providers. You must respond to a request as soon as reasonably practicable and no later than 20 working days after receiving it (section 40).

2. The Health Information Privacy Code 2020

This Code (HIPC 2020) modifies the Privacy Act for the health sector. It applies to all health agencies – from GPs and DHBs to private specialists and allied health providers. Key rules include:

• Rule 6 (Access): Patients can request access to their health information. You must provide it in the way they request (e.g., electronic copy, printed) unless it is unreasonable to do so.
• Rule 7 (Correction): Patients can ask you to correct their health information if it is inaccurate, incomplete, or misleading.
• Rule 11 (Disclosure): You can only disclose health information with the patient’s authorisation, or as permitted by law (e.g., for public health purposes).

3. Who can access health records?

Generally, only the patient can access their own health information. However, the following people may also request access:

• Authorised representatives: A person with written authority from the patient (e.g., a lawyer, support person).
• Parents/guardians: For children under 16, unless the child is competent to consent themselves (see the Care of Children Act 2004).
• Enduring Power of Attorney (EPA): A person appointed under the Protection of Personal and Property Rights Act 1988 can access health information if the patient lacks capacity.
• Next of kin: Only if the patient has consented or if disclosure is necessary to prevent serious harm.

4. How to respond to an access request

1. Verify identity: Confirm the requester is the patient or an authorised person.
2. Clarify scope: Ask what information they want – it can be a specific record or all records.
3. Search and retrieve: Locate the information within your systems (including notes, test results, referrals).
4. Review for exceptions: Check if any of the refusal grounds apply (see warning box above).
5. Provide access: Give a copy in the requested format, or arrange for inspection. You may charge a reasonable fee (section 43) but not for the request itself.
6. Document everything: Record the request, your response, and any reasons for refusal.

5. Practical tips for staff

• Always ask for ID and written consent if someone else is requesting on behalf of the patient.
• Keep a log of all access requests and responses – this helps with audits and complaints.
• If you are unsure whether an exception applies, seek advice from your privacy officer or the Office of the Privacy Commissioner.
• Remember that patients can request access to their information even if they are in debt or have an outstanding bill – you cannot withhold records as leverage.

6. Complaints and enforcement

If a patient believes their privacy rights have been breached, they can complain to the Office of the Privacy Commissioner. The Commissioner can investigate, mediate, or refer the matter to the Human Rights Review Tribunal. Penalties for serious breaches can include fines up to $10,000 (section 112) and compensation orders.

Last updated: May 2026. This guide is for general information only and does not constitute legal advice. For specific situations, consult a privacy officer or legal professional.