Privacy Policy

Purpose

This document outlines the Northland Health & Weight Ltd (NHW) policy on privacy, in line with the Privacy Act 2020, which promotes and protects the privacy of individuals’ personal information, and the Health Information Privacy Code, which specifically relates to the management of health information.

Northland Health & Weight Ltd and its related bodies corporate (“we”, “our” and “us”) respect individual privacy and the rights of individuals to control their personal information. We are committed to protecting your personal information. This Privacy Policy sets out our policies and practices regarding the collection, use and disclosure of personal information that you provide to us and which we collect from you. By accessing or otherwise using the website at www.northlandhw.co.nz (the “Website”), contacting us by email or telephone, or acquiring our services, you agree to the terms and conditions set out in this Privacy Policy and consent to the processing of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.

Scope

Northland Health & Weight Ltd will comply with the following rules when collecting, using, storing, or disclosing patients’ personal or health information or information about the treatment that they are receiving.

The policy applies to:

  • All staff, contractors and subcontractors who use our premises, technology and systems.
  • Wherever and whenever our premises, technology, systems and devices are used — on-site or away from work.
  • During work time and out of work time.

Policy

Northland Health & Weight Ltd understands, complies with and implements the requirements of the Privacy Act 2020 and the Health Information Privacy Code 2020, as outlined in this document, which states the processes to be followed by our staff in handling personal and health information.

  • Northland Health & Weight Ltd will collect personal and health information in a manner that complies with the Privacy Act and the Health Information Privacy Code.
    • Only collect the information for the purpose of treating the patient (e.g. a referral to NHW or getting copies of your health information from another professional that you may have seen before us or for some other legal purpose). Incidental patient information may be collected from time to time for administration purposes and monitoring of service quality.
    • Collect the information directly from the patient or another health provider unless they have consented to you collecting the information from someone else or one of the other exceptions to this rule applies (by signing the NHW Patient Health Questionnaire you give implicit consent for all manners of collecting information); and
    • Collect information from children and young people in a fair manner
    • Northland Health & Weight collects and keeps information about the patients’ health for the purpose of making sure that they receive appropriate care and treatment and for associated administrative tasks. Information is shared with other health professionals if relevant to the management of the patient’s health (such as referral for investigations and other specialist reviews). In addition, information and medical records are released to insurers and ACC if requested to support an insurance claim. Patients are aware of this by signing their Patient Health Questionnaire.
    • Collect information in an unidentifiable way if appropriate
    • Patients consent to receive electronic communications by signing the Patient Health Questionnaire.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code requirements when using personal and health information.
    • When we have collected personal information from an individual for one purpose, it cannot be used for any other purpose without the individual’s consent.
    • There are some exceptions to this principle. These exceptions include where the information is publicly available, or where you use the information in a way that does not identify the individual. You will find a full list of the exceptions to this principle in the Privacy Act 2020.
    • Before using individuals’ personal information, Northland Health & Weight Ltd will do whatever it can to make sure that the information is accurate and up to date.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code when storing and destroying personal and health information.
    • We will ensure that the personal information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people. We may store your information in cloud or other types of networked or electronic storage.
    • When transferring patients’ health information to someone else, we will do what we can to prevent unauthorised people from accessing or using the information. We will take reasonable technical and organisational precautions to prevent the loss, misuse or unauthorised alteration of your personal information. However, due to the nature of email and the internet, we cannot guarantee the privacy or confidentiality of your personal information.
    • Northland Health & Weight Ltd can keep patients’ health information for as long as we need the information to treat patients and must keep patients’ health information for a minimum of 10 years from the date that treatment was last provided.
    • Northland Health & Weight Ltd will destroy patients’/clients’ information in a way that ensures the confidentiality of the information.
    • Patients/clients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
    • Patients/clients are also entitled to ask our practice to correct the information that we hold about them. We encourage you to take time to fill out the Patient Health Questionnaire and review any documents and letters sent to you to ensure accuracy of these.
    • We will assist patients/clients who ask to access their information.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code requirements when disclosing health information.
    We will not disclose a patient’s information without their consent (or the consent of their representative) unless we reasonably believe that it is not possible to get the patient’s consent or:
    • the disclosure is for the purposes of the patient’s treatment (e.g. supporting a referral to NHW or referring you to another specialist, clinic or health service for continuation of care, or prescribing medication and electronically submitting to a pharmacy, tests requests, or supporting NHW by obtaining copies of your health information from another professional that you may have seen before us and administration and managerial functions such as billings and audits, financial internal quality assurance and personnel decisions);
    • the disclosure is to the patients’ health insurance provider or ACC
    • the disclosure is to the patient’s caregiver or NOK (you will document permission for this in the Patient Health Questionnaire) and the patient hasn’t objected to the disclosure;
    • it is necessary to disclose the information to prevent a serious and immediate threat to the patient or another person’s life or health;
    • the disclosure is made for the purposes of criminal proceedings, subpoenas or orders of courts or administrative agencies;
    • the patient is, or is likely to become, dependent on a drug and we need to report under the Misuse of Drugs Act or the Medicines Act;
    • the disclosure is to a social worker or the police and concerns suspected child abuse, neglect or domestic violence;
    • disclosure for law enforcement purposes such as to provide information about someone who is a victim of a crime or if a crime were to occur at our office;
    • the disclosure is made by a doctor to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.
    • when a law mandates that certain health information be reported for a specific purpose;
    • for public health purposes, such as contagious disease reporting, investigation or surveillance and notices to and from food and drug administration regarding drugs or medical devices;
    • disclosure to a medical examiner to identify a dead person or to determine cause of death or to funeral directors to aid in burial or to organise tissue donation;

    • NHW will routinely use health information in this context without obtaining further permission. Our Privacy Officer must be consulted before disclosing a patient’s health information without his/her consent if the scope of disclosure is classed as an exception and you have not previously given written permission.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code when correcting health information.
  • Sharing and Communication – Under the Privacy Code, disclosure is allowed when disclosure is for the purposes for which the information was originally obtained. NHW may disclose health information without formal written authority:
    • to the patient via email, phone or text message or post as a clinical communication to provide both scheduled appointment reminders and details and copies of clinical health information, test requests or test results;
    • to other health providers involved in the patient’s care on request via email or via e-referral system for purposes of (sharing a referral to NHW or referring you to another specialist, clinic or health service for continuation of care, or prescribing medication and electronically submitting to a pharmacy, tests requests, or getting copies of your health information from another professional that you may have seen before us and administration and managerial functions such as billings and audits, financial internal quality assurance and personnel decisions);
    • to the patient’s health insurance provider or ACC.
  • The practice will ensure confidentiality of information

Privacy officer: Melissa Liddle

The Privacy Officer has overall responsibility for privacy issues in the practice, but all staff are responsible for ensuring they keep up to date with their obligations under this legislation.

Role and responsibilities of the Privacy Officer:

  • Ensure that the practice has a current privacy policy and procedures and that all staff can easily access these documents.
  • Ensure that all staff members have read and understood the policy and procedures, and this has been documented (see Contractor & Employee Agreement).
  • Ensure that the practice complies with the Privacy Act, both in regard to personal patient information and employee information.
  • Make sure that your practice responds to requests for access to, or correction of, both personal information and employment information in the timeframe required (20 working days).
  • Ensure compliance with the Health Information Privacy Code in relation to patient information.
  • Help manage privacy breaches if they do occur. If a breach were to occur, coordinate reporting the privacy breach to the Health Commissioner within 72 hours.
    https://privacy.org.nz/responsibilities/privacy-breaches/notify-us/
  • If a computer breach occurs, notify CERT NZ as well for cyber security issues.
    www.netsafe.org.nz
  • If a third party writes something harmful about your reputation or company reputation online, report this privacy breach under the “Harmful Digital Communications Act”.
  • Brief the practice team on changes to legislation and/or practice processes.
  • Use team meetings to discuss privacy complaints received, the part of the procedure that failed and ways to improve the process.
  • Continuous improvement process and education.
  • Induction of new staff on Privacy and HIPC.
  • Source suitable training opportunities.
  • Ensure that any complaints received are dealt with in accordance with legislation. If referred to the Privacy Commission, work with them to resolve.
  • Have an active Complaints Policy that is regularly updated.
  • Provide clear guidelines to staff around who has access to health information and how it is handled.
  • Review Privacy Policy every 3 years.
  • Ensure staff have 2 factor identification and an 8 digit password which is changed regularly.
  • Ensure the physical premises have a privacy poster in the waiting room in relation to the Privacy Act and HIPC.
  • Implement a clear desk policy.
  • Ensure all sensitive information is in a locked cabinet in the physical premises.

Privacy Breaches

We note that agencies are now legally required to notify breaches in privacy if the breach poses a risk of serious harm or causes serious harm to an individual or group. There are three reasons why this is important:

  • People cannot protect themselves from the impact of privacy breaches if they do not know a breach has occurred
  • The speed at which data can be transferred and copied means the potential for harm is much greater
  • Sharing the lessons from privacy breaches that have already occurred can help to prevent similar breaches in the future

If a Notifiable Privacy Breach occurs, Northland Health & Weight Ltd will notify the affected people. If the breach poses a risk of serious harm or causes serious harm to an individual or group, the Privacy Commissioner will be notified.

Examples of likelihood of serious harm being caused by a breach include:

  • Physical harm or intimidation 
  • Financial fraud including unauthorised credit card transactions or credit fraud 
  • Family violence
  • Psychological, or emotional harm

When assessing whether a privacy breach is likely to cause serious harm to decide whether the breach is a notifiable privacy breach, Northland Health & Weight Ltd will consider the following:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive in nature;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • whether the personal information is protected by a security measure;
  • any other relevant matters.

If Northland Health & Weight Ltd thinks a data breach has occurred, we will:

  1. Inform the Privacy Officer/management as soon as you are aware of a data breach
  2. Privacy Officer/Management will notify the Privacy Commissioner and potentially affected individuals of the privacy breach, where the breach caused or is likely to cause serious harm
  3. The breach notice made by the Privacy Officer/management must contain:
    1. Your contact details,
    2. Timeline,
    3. Information around the breach itself,
    4. Likely harm
    5. What you have done about notifying affected people, or organisations
    6. Any other relevant information

Confidentiality

All staff members have understood and signed a confidentiality agreement as part of their employment agreement or contract of service. The obligations under this clause extend after the agreement or contract has ended.

Destruction of Confidential material

All confidential material is either shredded on site or placed in a secure destruction bin.

IT Security

Each staff member should have their own unique login name, protected by a password of at least 8 characters that mixes letters and numbers and is changed regularly. Two-factor identification is required.

Patient Management Software

Northland Health & Weight Ltd uses Elixir Software Ltd, and the software is hosted on a secured offsite server by the company. This is a secured cloud-based patient management software system.

Staff access to Elixir is through secured PMS login.

Staff login is password protected with two factor identification.

Complaints

If you think that we have not properly upheld the privacy of your health information, you are free to complain to us or the Health Commissioner. If you wish to make a complaint, please email the Privacy Officer at melissa@northlandhw.co.nz.

Disclosure of Health Information outside New Zealand

Privacy law indicates that the country where the information is being sent should have the same privacy laws as New Zealand, and there is no feasible way to ensure this. Therefore, NHW agrees to either send the information directly to your personal email or print out the health information, which can be collected at NHW premises.

Health information privacy rules

Cover:

  1. The purpose of collection of health information
  2. Source of health information
  3. Collection of health information from an individual
  4. Manner of collection of health information
  5. Storage and security of health information
  6. Access to personal health information
  7. Correction of health information
  8. Accuracy of health information to be checked before use
  9. Retention of health information
  10. Limits on use of health information
  11. Limits on disclosure of health information
  12. Disclosure of health information outside New Zealand
  13. Unique identifiers

Last updated: Nov 2024

Policy review date: Jan 2027