Health Information Privacy Fact Sheet 5 : Storage, security, retention and disposal of health information

Health Information Privacy Code 1994

The code regulates how health agencies (such as doctors, nurses, pharmacists, health insurers, Primary Health Organisations and District Health Boards) collect, hold, use and disclose health information about identifiable individuals.

Storage and security

One of the obligations that health agencies take on when they hold health information is to keep that information secure.

Rule 5 of the code requires health agencies to take ‘reasonable security safeguards’ to protect health information. This means keeping the information safe from loss, as well as from unauthorised access, use, modification or disclosure.

To comply with rule 5, agencies need to consider what risks there are for the health information they hold, make a plan to address those risks and do whatever is necessary to carry it out.

Some areas that need to be considered when coming up with a security plan are:

  • electronic security – use of email, laptops and portable storage devices, passwords
  • operational security – confidentiality agreements with staff and contractors, document tracking and footprinting, staff training
  • physical security – entry controls, positioning of whiteboards and computer terminals, locked filing cabinets and storage rooms.

This list isn’t exhaustive. Security is an ongoing obligation rather than a ‘tick the box’ exercise.

The greater the risk of a security breach and the more serious the potential consequences for people whose information is in danger, the higher the standard will be for a ‘reasonable security safeguard’.

Retention and disposal

Health Act regulations require all health information held by providers to be retained for ten years from the last encounter with the patient, unless transferred to another doctor or to the patient.

The Public Records Act also requires retention by public sector agencies. The DHB General Disposal Authority lists how long each type of clinical record must be kept for and what must be done afterwards.

Once the obligatory retention periods have passed, rule 9 of the code says that health information should be disposed of, securely, unless the health agency has a lawful purpose to retain it.

Dealing with records after a clinician dies or ceases practice

When a ‘sole trader’ clinician such as a GP dies or ceases practice, his or her patient records should be either:

  • transferred to the new treating clinician
  • returned to the patient or
  • held securely in trust (for instance by the GP’s Primary Health Organisation) until one of the two things above can take place.

Where the statutory retention period has ended, the records may be securely destroyed.
Health agencies need to be careful to dispose of patient records securely, either by shredding or otherwise destroying records themselves or by hiring a secure destruction contractor.

Where to get additional assistance

There are four other health information privacy fact sheets that give a broad overview of how the code works in practice.

For more detailed information, a copy of the Health Information Privacy Code (with explanatory commentary) is available for free download from the Privacy Commissioner’s website, as is On the Record: a Practical Guide to Health Information Privacy.

The Privacy Commissioner also has an 0800 number, 0800 803 909, and conducts regular workshops on health information privacy.