Industry · 20 October 2025 · DEIS Compliance

Healthcare: privacy compliance when accessing patient data from third-party sources

Health agencies accessing data from ACC, PHOs, or other health databases have specific privacy obligations. Here is what to know.

healthcare · HIPC · health information

The health sector has its own privacy framework — the Health Information Privacy Code 2020 (HIPC) — which modifies the Information Privacy Principles for health information. However, the core obligation to notify individuals about third-party data collection remains.

Health information vs personal information

Health information is a subset of personal information and receives additional protection. When a health agency collects health information from a third-party source (e.g., another provider, ACC, or a PHO), the HIPC rules apply in place of the Information Privacy Principles, while the rest of the Privacy Act (access and correction rights, complaints and enforcement) continues to apply.

Rule 3A of the HIPC

Rule 3A of the HIPC is the health-specific equivalent of IPP3A. It requires health agencies to take reasonable steps to ensure individuals are aware when their health information is collected from a third party. The exceptions are similar but include additional health-specific grounds.

Common scenarios

  • GP accessing hospital discharge summaries — collecting health information from a third-party source.
  • Insurer accessing ACC claims data — collecting health information for insurance assessment.
  • Employer accessing pre-employment health screening results — collecting health information from the screening provider.

In each case the information is collected indirectly, so the individual must be made aware of the collection unless an exception applies. Which rule set governs depends on whether the collecting agency is a health agency as defined in the HIPC; an agency outside that definition handles the health information it holds under the Privacy Act's Information Privacy Principles instead, and the indirect-collection notification obligation arises either way.

DEIS and health data

While DEIS's primary data sources are non-health (credit, vehicle, company, property), some lookups — particularly in insurance contexts — may intersect with health information. DEIS allows users to flag lookups that involve health information and apply the HIPC pathway requirements.
