Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
Contents
Medical records can feel intensely personal - because they are. They can include your diagnoses, prescriptions, test results, mental health notes, ACC or insurance documents, and sometimes even sensitive details you shared in confidence.
So it’s completely normal to ask: who can actually access my medical records in New Zealand?
This guide (updated to reflect current practice and privacy expectations) breaks down who can request or view medical records, when access is allowed, and what you can do if you think your information has been accessed or shared improperly.
Note: This article is general information only. Medical record access can turn on the specific circumstances, who is holding the records, and why they’re being requested - so it’s always worth getting tailored advice if things get tricky.
What Counts As “Medical Records” In New Zealand?
In NZ, “medical records” isn’t just your GP’s notes. In practice, it can include any information a health provider holds about your health or care.
Common examples include:
- GP and specialist clinical notes
- Hospital records and discharge summaries
- Lab results and imaging (x-rays, MRIs, ultrasounds)
- Prescription history and medication charts
- Mental health and counselling notes (with some important nuance)
- ACC medical certificates and treatment reports
- Dental records
- Physio, occupational therapy, and allied health notes
- Correspondence between providers (referrals, consult letters)
From a legal perspective, medical records are generally treated as personal information (and often sensitive personal information), which means the rules around collection, access, and sharing are strict.
Access is mainly governed by:
- the Privacy Act 2020 (including Information Privacy Principles), and
- the Health Information Privacy Code 2020 (a privacy code that modifies how the Privacy Act applies to health information).
If you run a business that handles health information (even indirectly), getting your Privacy Policy and internal privacy practices right from day one is essential.
Can You Access Your Own Medical Records?
In most situations, yes - you generally have the right to request access to medical records about you.
This is a key feature of NZ privacy law: if an organisation holds personal information about you, you can ask for access, and you can also ask for corrections if something is inaccurate.
How Do You Request Your Medical Records?
There’s no single “one size fits all” process, but in practice you can usually:
- ask your provider (GP clinic, hospital, physio, etc) for a copy of your records
- make the request in writing (email is often easiest)
- provide identification if asked (this is normal - it protects you)
- be specific about what you want (e.g. “all clinical notes from 2023–2025” or “my MRI report from July 2024”)
Some providers will provide access through a patient portal; others will provide PDFs, printouts, or a secure electronic transfer.
Can A Provider Refuse Access?
They can refuse or limit access in some situations, but it’s not meant to be the default. Examples (in plain English) can include where:
- giving you access would be likely to pose a serious threat to your life or health (or someone else’s)
- the information contains details about another person and it can’t reasonably be separated
- providing access would breach another law or legal obligation
- the information is subject to legal professional privilege (this is more common in medico-legal contexts)
If access is refused, you can usually ask for an explanation and, if needed, make a complaint to the Office of the Privacy Commissioner.
If you’re navigating a sensitive situation - for example, you’re trying to get records for a dispute with an insurer, former employer, or another provider - it can help to get legal guidance on the request and your next steps.
Who Else Can Access Your Medical Records (And When)?
As a starting point, your medical information shouldn’t be shared freely. Generally, your consent is a key requirement for others to access your records.
But there are exceptions - and understanding them helps you protect yourself and avoid surprises.
Other Healthcare Providers Involved In Your Care
Your health information is often shared between providers for the purpose of your treatment.
For example:
- your GP refers you to a specialist and shares relevant clinical history
- a hospital sends a discharge summary back to your GP
- a radiology clinic sends imaging results to the doctor who ordered them
This kind of sharing is usually allowed because it’s directly connected to providing care, and it’s within what you’d reasonably expect when you seek treatment.
Family Members, Whānau, Or Carers
Family members don’t automatically have a right to access your records, even if they’re close to you or helping care for you.
In most cases, providers will only share your records with family or a carer if:
- you’ve given consent (verbally or in writing), or
- you can’t consent and it’s necessary to share information for your immediate care or safety, or
- another legal basis applies (for example, a court order).
Practically speaking, if you want a particular family member to be able to request information, it’s often best to tell the clinic/hospital clearly and ask what authorisation they need.
Employers
This one catches a lot of people out: your employer generally cannot access your medical records just because they employ you.
Even if you’re off work sick, employers typically only need limited information (for example, a medical certificate confirming you’re unfit for work, and sometimes expected duration). They generally don’t need - and shouldn’t receive - your diagnosis or full clinical history unless you’ve expressly consented.
If you’re an employer, it’s important to set expectations in your workplace documents and avoid over-collecting health information. Privacy missteps can quickly become an employment issue too, especially if you’re dealing with sick leave, performance, or safety management. Having fit-for-purpose Employment Contract terms and clear privacy processes can help prevent disputes.
Insurers (Health, Life, Income Protection, Trauma)
Insurers often request medical information to:
- assess an application (underwriting)
- assess a claim
- confirm eligibility or ongoing entitlement
In most cases, they’ll rely on your signed authority to request records from your providers.
Before you sign anything, it’s worth slowing down and checking what you’re consenting to. Some authorities are broad and can request “any and all medical records” for long time periods - and while that can be relevant in some claims, it shouldn’t be automatic.
If you’re a business offering services that involve personal information handling (including liaising with insurers), it’s smart to document responsibilities clearly in your client-facing Service Agreement, including privacy and consent steps.
ACC
ACC can request and collect medical information relevant to an injury claim, rehabilitation, or entitlements. Again, this is usually grounded in ACC’s statutory role and often involves consent and/or specific ACC processes.
If you’re unsure whether a request is legitimate or too broad, you can ask the provider or ACC what information is needed and why.
Police And Other Government Agencies
Police and some government agencies may be able to access health information in limited circumstances, typically where:
- there is a serious threat to health or safety
- it’s needed to investigate or prevent offending
- a specific law authorises the collection
- a warrant or court order applies
Providers shouldn’t just “hand it over” casually - they still have to consider privacy law, necessity, and proportionality.
Courts, Lawyers, And Litigation Contexts
Medical records commonly become relevant in:
- personal injury claims
- employment disputes (e.g. stress-related claims, unjustified dismissal issues)
- relationship property and care of children matters
- criminal proceedings
Access in these contexts might occur through:
- your consent (e.g. you authorise release to your lawyer)
- court orders requiring disclosure
- formal disclosure processes in litigation
It’s also worth remembering: even if your medical records become relevant to a dispute, it doesn’t mean everything is automatically fair game. Relevance and scope matter, and that’s where tailored advice can be valuable.
How Does Consent Work For Medical Record Access?
“Consent” sounds simple, but in practice it’s one of the most misunderstood parts of medical privacy.
Good consent is usually:
- informed (you understand what you’re agreeing to)
- specific (it’s clear what records are being shared and for what purpose)
- voluntary (you’re not being unfairly pressured)
- current (it reflects your present wishes)
Verbal Vs Written Consent
Consent can be verbal or written, depending on context. But when it comes to sensitive information and third-party requests (insurers, employers, lawyers), written consent is common because it creates a clear record of what was authorised.
Can You Withdraw Consent?
Often, yes - but it depends on timing and what’s already happened.
For example, if you sign an authority for an insurer to collect records and they’ve already obtained and relied on them, withdrawing consent later may not “undo” the disclosure.
The practical takeaway: treat consent forms seriously, and ask questions if the scope looks broader than necessary.
If You’re A Business Collecting Health Information
If your business model involves collecting health information (for example, a health service provider, wellness provider, or a platform handling patient bookings and clinical notes), your consent wording and collection notices matter a lot. A clear Privacy Collection Notice can reduce risk by telling people upfront what you collect, why, who you share with, and how they can access it.
This is also where “DIY templates” can create real risk - health information is high-stakes, and a generic privacy statement often won’t match your actual data flows.
Special Situations: Children, Deceased Patients, And Mental Health Notes
Some medical record access questions come up again and again because the answer depends heavily on the circumstances.
Can Parents Access A Child’s Medical Records?
Not automatically in every case.
In general, the key issue is whether the child or young person is considered capable of making decisions about their own health information (often described as having sufficient maturity and understanding).
In practice:
- for younger children, parents/guardians are more likely to be given access and be involved in decisions
- for teenagers, providers may treat certain health information as confidential to the young person, depending on maturity and the nature of care
Providers may also limit parental access if disclosure could create a risk of harm, or if the young person has expressly asked for confidentiality and is competent to do so.
Who Can Access Medical Records After Someone Has Died?
Access after death is a common (and sensitive) issue, especially for families managing estates, investigating cause of death, or dealing with insurance.
Often, access is considered for:
- the executor/administrator of the estate
- next of kin (in some contexts)
- insurers (depending on policy and authority)
- courts, Coroners, or other agencies where legally required
However, privacy obligations don’t necessarily disappear immediately. Providers may still need to consider confidentiality, the purpose of the request, and whether disclosure is appropriate under the rules that apply.
Can You Access Therapy Notes Or Mental Health Records?
Usually you can request access to mental health records as personal information about you. But there can be additional sensitivities.
For example, a provider might consider whether releasing certain notes could:
- create a serious risk to your safety or wellbeing
- unreasonably reveal information about another person
- undermine someone else’s privacy or safety
If you’re dealing with a workplace mental health situation, it’s also worth remembering that you can usually take sick leave for mental health reasons on the same basis as physical health reasons. (A mental health day is still a health issue.) If you need a practical overview, Mental Health Day Off Work covers the basics in a workplace context.
What Should You Do If Your Medical Records Were Shared Without Permission?
If you suspect your medical information has been accessed or disclosed improperly, don’t ignore it. Even if it turns out to be a misunderstanding, it’s worth clarifying quickly - health information is highly sensitive, and mishandling can have real consequences.
Step 1: Ask For Clarification (And A Copy Of What Was Shared)
You can ask the provider:
- what information was disclosed
- when it was disclosed
- who it was disclosed to
- on what basis it was disclosed (consent? legal requirement? urgent safety?)
If a third party claims they have your information (for example, an employer or insurer), you can also ask them how they obtained it.
Step 2: Request A Correction If Something Is Wrong
If the information is inaccurate or misleading, you can ask for a correction. If the provider disagrees with the correction, you can usually ask them to attach a statement of correction (your version) to the record.
Step 3: Make A Privacy Complaint If Needed
If you believe there’s been a privacy breach, you can:
- complain directly to the organisation first (many have a privacy officer or complaints process)
- escalate to the Office of the Privacy Commissioner if you’re not satisfied
If the situation involves a business (especially one collecting or sharing sensitive personal information), it’s also a good moment to review internal privacy processes and incident response steps. A documented data breach response plan can make a huge difference when something goes wrong - it helps you respond quickly, reduce harm, and meet your legal obligations.
Step 4: Get Tailored Legal Advice Where There’s Risk Or Dispute
Sometimes medical record access disputes overlap with other legal issues - employment problems, insurance disputes, professional complaints, or even litigation.
That’s when it’s worth getting advice early, so you understand:
- your rights to access and correction
- whether the disclosure was lawful
- what remedies or complaint pathways are available
- how to protect your position if there’s an ongoing dispute
And if you’re a business owner, getting advice can also help you tighten your processes so you’re not exposed to repeat issues.
Key Takeaways
- You generally have the right to request access to your own medical records under the Privacy Act 2020 and the Health Information Privacy Code 2020.
- Healthcare providers can share relevant information with other providers involved in your care, but medical records aren’t meant to be freely accessible to third parties.
- Employers usually can’t access your medical records and typically only need limited information such as a medical certificate confirming you’re unfit for work.
- Insurers and ACC often access medical information through written authorities, so you should read consent forms carefully and check how broad they are.
- Special rules and practical considerations often apply for children’s records, deceased patients’ records, and sensitive mental health notes.
- If you believe your medical records were shared without permission, you can ask what was disclosed and why, request corrections, and escalate to the Privacy Commissioner if needed.
- If you’re a business handling health information, strong privacy foundations (including proper collection notices and breach response planning) help keep you compliant and protect trust.
If you’d like help navigating a medical records issue or setting up privacy processes for your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.
Sapna Goundancontent writer
