Patient records and privacy of health information practice standard

The new Privacy Act 2020 comes into force on 1 December 2020, with a revised Health Information Privacy Code (HIPC) 2020 alongside it. This required changes to the Dental Council’s Patient records and privacy of standard.

The key changes made to the practice standard included:

  • The Privacy Act 2020 introduces mandatory reporting obligations for privacy breaches that reach the threshold of a 'notifiable privacy breach'. 

A notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so.  

The Privacy Commissioner has an online tool NotifyUs that is available to assist agencies in determining if a breach is notifiable, and to guide agencies through the notification process. The Privacy Commissioner expects that agencies will use this tool.

The key steps that the Privacy Commissioner says should be followed in the event of all incidents of a privacy breach are provided in the practice standard as Appendix B: Key steps in the management of a privacy breach. 

Practitioners should revisit their current practice procedures that deal with information breaches, and we strongly suggest you consider incorporating these new steps into your procedure.

The HIPC has an additional rule related to disclosure of patients' health information outside of New Zealand (Rule 14). 

This is reflected as a new standard in the Council's practice standard (Standard 14, page 27), which states: You must only disclose health information outside of New Zealand if you have taken reasonable steps to ensure the information is protected by acceptable privacy standards.

Guidance to help practitioners to meet the standard is provided which reflects the obligations described in the HIPC. This will apply to practitioners who for example seek clinical advice or send work off-shore. 

  • Other minor wording changes have been made to Standards 3, 6 and 10, to align with the revised HIPC. The new wording in the standards are underlined below: 
    • Standard 3: You must collect patients’ health information only for lawful purposes connected with your professional functions and activities. 
    • Standard 6: You must collect health information in a manner which is lawful, and fair in the circumstances, and which does not intrude to an unreasonable extent on patients’ personal affairs unnecessarily.
    • Standard 10: You must check that health information that is collected and recorded by someone else is accurate, up-to-date and complete before using or disclosing it.
  • Minor changes to existing guidance points have been made, or new guidance points added, for Standards 3, 4, 7 (in the area of security breaches), 8, 10, 11, 12, 13 and 15. 

These have been made to reflect new obligations under the HIPC 2020, or to provide greater clarity around existing obligations.

Since these changes all relate to legal requirements under the Privacy Act 2020 and HIPC, there was no need to consult with practitioners and our stakeholders.

Practitioners are encouraged to read the new Patient records and privacy of health information practice standard to ensure they know what the new requirements are. There are also very helpful guidance and tools on the Privacy Commissioner’s website to support putting some of these principles into practice.

Marie Warner

Chief Executive