All staff must comply with the following rules when collecting, using, storing or disclosing
information about patients’ health or the treatment that they are receiving.
Collecting health information
When you collect health information from patients you must:
o only collect the information for the purpose of treating the patient or for some other
o collect the information directly from the patient unless he/she has consented to you
collecting the information from someone else or one of the other exceptions to this
rule applies; and
o let the patient know why you are collecting the information, who will have access to
the information and that the patient is entitled to access and correct the information.
You will not need to tell patients this if you have collected the same type of
information from them before.
Using health information
Before using patients’ health information you must do what you can to make sure that the
information is accurate and up to date. The steps that you will need to take will vary
depending on how old the information is and the risk of relying on inaccurate information in
You must only use patients’ health information for the purpose for which you have collected
the information unless the patient has consented to you using the information for another
purpose, or one of the other exceptions in the Health Information Privacy Code applies. You
must consult our practice’s Privacy Officer before using a patient’s health information
without the patient’s consent.
Storing health information
You must ensure that the health information that our practice holds is stored securely so that
it cannot be accessed or used by unauthorised people.
When you transfer patients’ health information to someone else, you must do what you can
to prevent unauthorised people from accessing or using the information.
Our practice can keep patients’ health information for as long as we need the information to
treat patients and must keep patients’ health information for a minimum of 10 years from the
date that treatment was last provided.
Our practice must destroy patients’ health information in a way that ensures the
confidentiality of the information. All patient health information to be destroyed must be
marked as “Shred” or placed directly in the Document Shredding bin.
Patients are entitled to ask our practice to confirm whether we hold information about them
and to access the information unless we have lawful reasons for withholding the
Patients are also entitled to ask our practice to correct the information that we hold about
You must assist patients who ask to access their health information.
Disclosing health information
You must not disclose a patient’s health information without his/her consent (or the consent
of his/her representative) unless you reasonably believe that it is not possible for you to get
the patient’s consent and:
o the disclosure is for the purposes of the patient’s treatment (e.g. a referral);
o the disclosure is to the patient’s caregiver and the patient hasn’t objected to the
o it is necessary for you to disclose the information to prevent a serious and immediate
threat to the patient’s or another person’s life or health;
o the disclosure is made for the purposes of a criminal proceeding;
o the patient is, or is likely to become, dependent on a drug that you need to report
under the Misuse of Drugs Act or the Medicines Act;
o the disclosure is to a social worker or the police and concerns suspected child
o the disclosure is made by a doctor to the Director of Land Transport Safety and
concerns the patient’s ability to drive safely.
There are other situations where disclosure without consent may be justified, such as
disclosing information to agencies such as CYFS and the Police. You must discuss any
proposed disclosure with our practice’s Privacy Officer before disclosing the information.
You must consult with our practice’s Privacy Officer before disclosing a patient’s health
information without his/her consent.
When a patient verbally consents to you or your practice disclosing information about his/her
health to another person (including other health providers), make sure that:
o the patient is competent to consent;
o the patient understands why you are disclosing his/her information; and
o the patient has been informed about all of the people to whom you are disclosing
You should record your discussion with the patient in the patient’s notes.
Please contact our practice’s Privacy Officer if you have any queries about this policy.