Health Information Privacy Fact Sheet 3 : Disclosure of health information – the basics

Health Information Privacy Code 1994

The code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, Primary Health Organisations and District Health Boards) collect, hold, use and disclose health information about identifiable individuals.

Rule 11

Rule 11 of the code prohibits disclosure except where one or more of its exceptions apply. The rule is quite detailed, and this fact sheet is only a very brief overview.

Disclosure with authorisation or for purpose

Disclosure is always allowed when the person concerned or their representative has given their permission or where disclosure was one of the purposes for which the information was originally obtained.

In other words, if a doctor collects information from a patient to pass on to a specialist, then there is no need to get the patient’s permission for that disclosure, because disclosure is one of the reasons for collection. However, the patient would normally have to be told the disclosure was going to occur.

Also, even if a patient has given their permission to disclose information about them the agency holding the information isn’t required to disclose.

Disclosure to friends and family

Disclosure is permitted where a health practitioner discloses the information to a contact person, principal caregiver or relative of the patient in line with ‘recognised professional practice’ and the patient has not vetoed the disclosure.

Disclosure of presence in hospital

Hospitals can disclose basic information about their patients’ presence, location and condition to anyone on request, as long as the patient has not vetoed this disclosure.

Disclosure to prevent risk

Health agencies can disclose information if this is necessary to avert a serious threat to someone’s health or safety. The disclosure must be to someone who can do something about the threat.


A person’s representative has a degree of access to, and control over, that person’s health information. ‘Representative’ means:

  • • the parent or guardian of a child under 16
  • the administrator or executor of the estate of a dead person
  • someone with a lawful authority (such as a power of attorney) over a person’s affairs
  • someone who is clearly acting on behalf and in the best interests of a person who is unconscious or otherwise incapable.

Section 22F

If the representative of a person or their treating clinician makes a request for health information, section 22F of the Health Act requires the health agency holding the information to provide it unless:

  • •the person does not (or would not) want the information disclosed or
  • where the requester is a representative, then the disclosure would not be in the best interests of the person concerned.

If either of the above is true then the holder of the health information may refuse the request.

See Factsheet 4: Dealing with Requests for more detail.

Official Information Act

Official Information Act requests can be made, by anybody, to any public sector health agency and must be responded to within 20 working days. However requests for health information about identifiable individuals may be refused where the disclosure would breach the individual’s privacy and there is no strong public interest in disclosure.

Privacy and confidentiality

Many of the laws around disclosure of health information allow health agencies to disclose in certain circumstances. However, health practitioners need to consider both their legal obligations under the code and any ethical obligation of confidentiality they may have to their patients. Just because the law allows a disclosure doesn’t mean it would always be ethical to disclose.

Where to get additional assistance

There are four other health information privacy fact sheets that give a broad overview of how the code works in practice.

For more detailed information, a copy of the Health Information Privacy Code (with explanatory commentary) is available for free download from the Privacy Commissioner’s website at, as is On the Record: a Practical Guide to Health Information Privacy.

The Privacy Commissioner also has an 0800 number, 0800 803 909, and conducts regular workshops on health information privacy.

View HIPC Fact sheet #3, disclosure of health information – the basics.