Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

New Zealand statutes are generally technologically neutral, so digitisation in the healthcare sector, industrial networks and online sales channels can mostly be accommodated by existing legislation.

The Ministry of Health (MoH) has implemented a number of digital health initiatives in recent years, including:

  • Online Patient Portal: patients can access their health information and interact with their general practice doctor;
  • ePrescription: a secure digital messaging channel for prescribing and dispensing systems to exchange prescription information electronically; and
  • Telehealth: enables patients to access various publicly funded health and disability services via online integrated platforms.


These digital health initiatives are part of the MoH’s broader Digital Health Strategic Framework to harness the benefit of digital technologies and data to support the provision of health and disability services in New Zealand.

Most recently, the government has announced an investment of up to NZ$385 million over the next four years (and a further $15 million in capital funding in 2025/26) to implement Hira, formerly known as the National Health Information Platform, as well as other health sector data and digital infrastructure and capability, to modernise the experience for patients, service users and the health and disability sector workforce.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

The majority of New Zealand statutes are drafted to be technologically neutral so there is no legislation that specifically governs the provision of digital health services.

The provision of digital health services is permitted in New Zealand provided that the usual legislative requirements that apply to all other types of health services, regardless of the nature of the delivery platform, are complied with.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The Office of the Privacy Commissioner (Privacy Commissioner) is the statutory body responsible for the protection of personal information in New Zealand. The Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs) relating to the collection, use, disclosure, storage and security of an individual’s personal information. The Privacy Act applies to any individual or entity (whether in the private or public sector) that collects personal information.

The Health Information Privacy Code 2020 (HIPC) sets out the specific rules on how health information is to be collected, used, disclosed to third parties and stored. Significantly, certain rules under the HIPC apply to health information about a deceased individual, whereas the IPPs apply only to personal information about a living individual.

The Health (Retention of Health Information) Regulations 1996 set the minimum period for which health information must be retained by a healthcare provider.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

Broadly, a healthcare provider is required to:

  • collect an individual’s personal and health information directly from the individual (unless the healthcare provider is authorised otherwise);
  • take reasonable steps in the circumstances to ensure that the individual is aware that his or her personal and health information is being collected;
  • use the personal and health information only for the purposes for which the information was collected; and
  • not disclose the personal and health information to a third party, unless authorised to do so by the individual or the law.


The Privacy Act 2020 requires every agency to appoint a privacy officer to encourage compliance with the privacy requirements and to deal with requests for personal and health information made under the Privacy Act and/or the Health Information Privacy Code, whether by the individual or by a third party.

Healthcare providers are required to retain health information for a minimum period of 10 years from the date the health information was collected.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

The circumstances in which breaches of privacy occur are many and varied. Investigations conducted by the Privacy Commissioner indicate that unauthorised disclosure and use of sensitive health information tend to be the subject of privacy complaints and investigations.