Health Information Privacy Fact Sheet 2: Collection of health information

Health Information Privacy Code 1994

The code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, Primary Health Organisations and District Health Boards) collect, hold, use and disclose health information about identifiable individuals.

Key concepts in the code

The two key concepts in the code are:

  • Purpose: Agencies must know why they are collecting health information and collect only the information they need. Once health information has been collected from a patient for a particular purpose, it can be used or disclosed for that purpose without additional consent.
  • Openness: Agencies need to let patients know how their information is going to be used and disclosed so the patients can make decisions about whether to provide it.

Regulating collection: Rules 1-4

There are twelve health information privacy rules in the code. Rules 1 to 4 deal with collection. Health agencies must:

  • only collect information they need for a specific purpose (rule 1)
  • collect information directly from the person concerned, where possible (rule 2)
  • tell the person concerned why the information is needed, who else will see it and where it will be stored (rule 3)
  • not be devious, misleading or unnecessarily intrusive in collecting that information (rule 4).

Rule 1: Only collect health information if you really need it

‘Health information may only be collected … for a lawful purpose connected with a function or activity of the health agency where the collection is necessary for that purpose’

Rule 1 requires agencies to decide their purposes – in other words, how the information is going to be used – before they start collecting information. Once collected for a purpose the information can always be used for that purpose.

Another benefit of being clear about purpose before starting collection is that unnecessary information is not collected, saving time and money. More importantly, though, an agency that knows its purposes for collecting information can then be open about those purposes.

Although rule 1 does require a clear purpose for collection it puts few restrictions around what that purpose might be – as long as it is connected with a function or activity of the agency.

For instance, the main purpose for collection of health information is always likely to be care and treatment, but other purposes might include administration, training and education and monitoring of service quality.

Rule 2: Get it straight from the people concerned where possible

‘Where a health agency collects health information, the health agency must collect the information directly from the individual concerned, unless an exception applies’

Most of the time, the best way to get information about a person will be to ask them. Rule 2 makes the patient the first port of call for information about him or herself. It also gives health agencies the opportunity to be open about why they are collecting the information, so the individual can make an informed decision about whether to provide it.

However, there are exceptions to this rule. For example, a health agency does not have to collect information directly from the individual if he or she has agreed that it can be collected from somewhere else. In addition, a health agency does not have to collect the information directly from the person if this would:

  • undermine the reason for collecting it in the first place
  • prejudice the interest of the individual concerned
  • prejudice the safety of any person.

There are some other exceptions to this rule, which can be found in the code.

Rule 3: Tell them what you’re going to do with it

Where a health agency collects health information directly from the individual concerned… the health agency must take steps to ensure that the individual … is aware of:
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information;
(d) the name and address of –
(i) the health agency that is collecting the information; and
(ii) the agency that will hold the information;
(e) whether or not the supply of the information is voluntary or mandatory and if mandatory the particular law under which it is required;
(f) the consequences (if any) for that individual if all or any part of the requested information is not provided;
(g) the rights of access to, and correction of, health information provided by rules 6 and 7.

Rule 3 lists what health agencies have to tell people when they are collecting health information. This explanation should help people decide what information, if any, to provide to health agencies.

The explanation could be a paragraph or two on a form, a poster on the wall, or a conversation. It should happen before the health information is collected or as soon as possible afterwards. However, repeat explanations aren’t necessary.

Health agencies don’t need to explain if doing so would not be practical, would be against the patient’s interests or would prejudice the purpose of collection.

There are some other exceptions to this rule, which can be found in the code.

Rule 4: Be considerate when you’re getting it

Health information must not be collected by an agency –
(a) by unlawful means; or
(b) by means that…
(i) are unfair; or
(ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Rule 4 prohibits health agencies from collecting information unlawfully or unethically. It regulates how information is collected, rather than what is collected.

For instance, under the Crimes Act it is generally illegal to use a ‘bug’ to intercept private communications. There are also legal restrictions around making video or audio recordings of people committed under the Mental Health (Compulsory Assessment and Treatment) Act.

‘Unfair’ collection of health information covers a wide spectrum, from bullying to being evasive and devious or misrepresenting the purpose of collection.

Finally, in a healthcare context, an unreasonable intrusion on ‘the personal affairs of the individual concerned’ might come about where physical privacy, cultural needs or the preferences of the individual have not been respected.

Where to get additional assistance

There are four other health information privacy fact sheets that give a broad overview of how the code works in practice.

For more detailed information, a copy of the Health Information Privacy Code (with explanatory commentary) is available for free download from the Privacy Commissioner’s website, as is On the Record: a Practical Guide to Health Information Privacy.

The Privacy Commissioner also has an 0800 number, 0800 803 909, and conducts regular workshops on health information privacy.

