Medical information is one of the most private and personal kinds of information for every individual. No one wants their medical information falling into the wrong hands. 

Therefore, it’s crucial that medical records are stored and even destroyed in a way that proactively protects the privacy of patients. 

Whether you’re running a telehealth business or a brick-and-mortar medical practice, it’s important to follow the relevant rules and regulations to make sure all your medical records are being dealt with in a legally compliant manner.    

Read on to learn more. 

What Are The Laws Around Medical Records?

The laws you are obligated to follow regarding medical records depend on the country you operate in. In New Zealand, you need to follow certain processes and rules when it comes to how you handle and destroy medical records. 

In New Zealand, you will need to look to the Health Information Privacy Code 1994 for guidance on dealing with medical records. 

Who Can Access Medical Records In New Zealand?

The only people that can access a patient’s medical records are those that are providing medical care to them. Doctors or any other hospital staff that are involved in the care of a patient can access their medical records without obtaining explicit permission from them. 

The only other people who are able to access a patient’s medical records are those that have been authorised or nominated by the patient to do so. 

Health Information Privacy Code 1994 And Medical Records

As we touched on above, the Health Information Privacy Code 1994 is the main regulation that determines how medical records should be handled in New Zealand. 

The Code also covers the limited circumstances in which health and personal information can be accessed for research purposes where the consenting individual is unable to provide their approval. 

These circumstances involve scenarios where accessing the information is needed for protecting public health or unexpected uses that go beyond healthcare.  

Is Your Business Handling Health Information?

If your business collects and handles any type of personal information, then the Health Information Privacy Code 1994 applies to you. This means you’ll likely need to have an appropriate Privacy Policy in place to assure consumers that you’re handling their information responsibly. 

However, this generally applies to businesses with an annual turnover that exceeds $3 million. But if your business is handling medical information, the Health Information Privacy Code applies regardless of your turnover, which goes to show how sensitive medical information is under privacy laws. 

Do I Need A Privacy Policy? 

The Health Information Privacy Code provides that any website that collects the private information of its users must have a Privacy Policy in place. For those collecting health information, the standard is even higher – you need to have the consent of your customers prior to getting their information.

There are a number of reasons why you could be handling health information as part of your business. You may not even be a medical provider; however, your customers may be giving their personal health information to buy certain products or sign up for courses. 

As they are sharing this information, you have a legal obligation to gain their permission and have a Health Service Provider Privacy Policy in place. 

A Privacy Policy lets consumers know what is being done with their personal information, including:

  • The kind of information being collected
  • How that information is stored
  • The purposes it is collected for
  • How the information is used
  • For how long the information is kept
  • What consumers can do if they want to obtain their information 

Transferring Medical Records To A New Doctor In New Zealand

In some circumstances, you may need to find a new doctor. If you’ve moved to a different part of New Zealand, your current doctor has retired or you simply want a change, you can see a different doctor and have your current medical records transferred to them. 

You will need to provide a written request to have this done. If there are costs associated with transferring the records, the medical practice may charge you for it. 

I Manage Medical Records Online – What Do I Need To Know?

Managing medical records online has become one of the primary choices and most effective ways of recording health information. There’s no more having to deal with manual locks, pages of files, bad handwriting, storage issues and potentially misplacing a file. When it’s all in one secured network, it’s a much more functional system. 

However, having information online exposes it to different kinds of risks and challenges, primarily involving cyber security.

If you’re managing medical health records with an online platform, then you will still need to comply with the relevant legislation and take reasonable steps to ensure the information is protected. In New Zealand, the Health Information Privacy Code 1994 applies.

As a safety measure, you may also wish to have a Cyber Security Policy in place. Our team of lawyers can help you craft a strong cyber security system through advice and the correct documentation – chat to us today. 

I’m A Telehealth Business – What Are My Obligations Around Medical Records?

A telehealth business is still subject to the same regulations regarding keeping private medical information secured. The information will most likely be stored online, so it’s important to make sure you’ve done everything in your power to keep it free from potential security breaches. 

Be sure to gain the consent of your patients first and have the correct online policies in place, such as Privacy Policies, Cookie Policies and Cyber Security Policies. 

You may also wish to have certain disclaimers on your website (or mobile app, if your business has one). 

Online Pharmacies And Medical Records

Online pharmacies may also keep medical records. The same concept applies to online pharmacies as it does to all medical health service providers. 

You will require the explicit permission of your customers to collect their information, have a Privacy Policy in place and a secure way of storing their information. 

For extra security measures, you can always look into getting a Data Breach Response Plan in case something goes wrong. This just means your business will have a clear process for staff to follow if there is a data breach, and how to inform affected individuals. 

Can Customers Opt Out Of Electronic Medical Records?

It’s not unknown for people to want to cease using electronic medical records. Some people may be hesitant when it comes to having their medical records stored on an online database, due to the level of risk involved. As a business, you might want to provide them with an alternative option.    

How Do Blockchain Medical Records Work?

Blockchain medical records are another way to store medical information online. It’s generally considered a relatively safe practice. However, even with blockchain medical records, it’s important to ensure the patient’s privacy is being protected in the best way possible. 

Blockchain is a system that allows everyone with access to view the same records. However, the information is encrypted and secured through programming. 

Amending Medical Records

At times, patients may come to you with a request to amend information on their medical records. This request is fine; however, it is your duty to ensure the information on those records is correct, up to date and not misleading in any way. 

Therefore, whether or not the information should be changed will be your call. For example, if a patient demands that part of their medical history be erased permanently, this cannot be granted. On the other hand, if the medical records have put down an incorrect date of birth for a patient, that should be corrected immediately. 

Can Any Doctor Access Medical Records?

No. Doctors are able to access the medical records of their patients, but in most cases it would be deemed unethical for them to look through the medical records of a patient that is not their own. 

If they don’t have a valid reason or the permission of the patient, it is unlikely that just any doctor can access whatever medical records they want. 

Running A Medical Practice In New Zealand? Make Sure You’re Doing It Right

Medical records are just one aspect of running a medical practice. There’s so much more that goes into it such as staff contracts, medical equipment and even intellectual property. 

There’s no need to stress though! We’ve put together a Legal Guide to Running a Medical Practice in New Zealand, so you know which documents and laws you need to be aware of before you hit the ground running. 

Key Takeaways

Dealing with medical records the right way is an extremely important part of running a healthcare business or medical practice. To summarise what we’ve discussed: 

  • The laws around medical records in New Zealand are primarily governed by the Health Information Privacy Code 1994 
  • Doctors and other healthcare workers can access medical records as well as those with permission 
  • If your health practice is online, it’s important to look into a Healthcare Provider Privacy Policy 
  • Online medical records should be stored as securely as possible. This applies to all medical businesses that are online, such as pharmacies and telehealth providers 
  • Customers should be given the option to opt out of electronic record keeping
  • Blockchain medical records are another way of storing them online 
  • Medical records can be amended only in certain circumstances, i.e. false information 

If you would like a consultation on who can access medical records, you can reach us at 0800 002 184 or [email protected] for a free, no-obligations chat.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
