Last year the Privacy Amendment Act 2025 was passed which, among other things, introduced a new Information Privacy Principle (IPP) 3A, and a corresponding amendment to the Health Information Privacy Code (HIPC) to insert Rule 3A, which reflects the new IPP3A requirements. Both are due to come into effect on 1 May 2026. So, what is changing? And what new obligations will this create for clinicians and practices who hold and use patients’ health information?
The current HIPC Rule 2 says agencies must collect information directly from the individual (i.e. the patient) unless an exception applies. There are many situations in clinical practice where we collect health information from agencies other than the patient – we are sent clinic letters, lab results, radiology reports and pharmacy updates. All of these are considered ‘indirect collection’. This is allowed under Rule 2, because the exceptions include situations where the patient has agreed that it can be collected from somewhere else, or where compliance is not reasonably practicable in the circumstances.
The current Rule 3 lays out that when we collect information directly from an individual, we must tell them that we are collecting their information, why we are collecting it, what we will do with it, and (among other things) that they have the right to access and request correction of it. However, Rule 3 is silent on any equivalent obligation for information where that information is collected indirectly from a source other than the patient.
The new amendment, IPP3A, corrects this anomaly. It means we will have a similar obligation to tell a patient whenever we indirectly collect information about them.
Most practices currently fulfil their Rule 3 obligations by providing patients with a Privacy Statement that explains how their health information is used. It is also notable that when information is collected directly from the patient, there is already an obvious path of communication. For example, the patient can see you are writing notes during a consultation and therefore is aware you are collecting information in that situation.
We expect the majority of our obligations under IPP3A will similarly be met by an updated Privacy Statement. The Privacy Statement needs to describe the types of information collected and the purpose for which it is collected. This means that if a practice receives information from a source not explicitly mentioned in their Privacy Statement, they will not generally need to re-notify the patient, provided the information is of the same type and collected for the same purpose.
So, what do our updated Privacy Statements need to say? IPP3A requires the practice to take reasonable steps to ensure the patient is aware of:
- the fact that the information has been collected,
- the purpose of the collection,
- the intended recipients of the information,
- the name and address of the agency that is collecting the information and the agency that holds the information,
- if the collection is authorised or required by law, which particular law, and
- their rights of access to, and correction of, their information.
The practice or clinician needs to take ‘reasonable steps’ to ensure the individual is aware of the indirect collection, and this needs to occur as soon as is ‘reasonably practicable’ after the information is collected. While practicality is taken into account, an agency is not exempt from notification “just because it may be inconvenient, time-consuming or incur some cost to do so.”
There are some exceptions, where the practice may not need to notify the patient. These include situations where:
- the patient is already aware that the information has been collected – for example, if a doctor providing a clinical letter specifically says “I have told the patient I am writing to you and that I will be providing you with this information”
- the information is publicly available
- notification would prejudice the interests of the individual – for example, a specialist calls the GP to say he is concerned that a patient is not taking medication as prescribed. The GP chooses not to tell the patient, because it would damage their therapeutic relationship with the specialist and potentially with the GP as well
- telling the individual is not reasonably practicable – for example, if you do not have their contact details and can’t easily obtain them
- notification would cause a serious threat to public health or safety
There are a number of other exceptions, but we do not anticipate they will be commonly applicable in the context of clinicians collecting health information.
You can find more detailed information about the IPP3A notification requirements on the Privacy Commissioner’s website.
So, what does this mean in practical terms for practices, clinics and clinicians who gather health information about patients from multiple indirect sources?
The first step is to ensure that Privacy Statements are updated to clearly explain where information is collected from, why, how it is used and that patients have the right to access and request correction of their information, if needed. MPS has developed an example/suggested starting point for content you may consider adding to your Privacy Statement (see attached). However, each practice will need to tailor this to its own circumstances to ensure it covers all routine sources of information.
Once the Privacy Statement has been updated, patients need to be alerted to the changes in a multi-layered approach. This includes notifying patients that the Privacy Statement has changed and making it easily accessible. This can be done with emails to patients, portal messages, social media updates and notices in the waiting rooms.
Practices also need to be aware that there will always be occasional pieces of health information received that were not anticipated in the Privacy Statement. Where information has been received from an unanticipated source, it is not covered in the Privacy Statement, and the patient has not been previously made aware of the collection, the practice will need to notify the patient within a reasonable time.
Another area where IPP3A may require more careful consideration is when clinicians or practices receive unsolicited third-party information. This is the situation where, for example, a worried relative or neighbour approaches a clinician and provides information about the patient’s health, often without the patient’s knowledge. From 1 May 2026, this will trigger an obligation to notify the patient the information has been collected, unless one of the exemptions applies. This situation may be difficult to address fully in the Privacy Statement, as it may be hard to anticipate both the source and the potential use of such information. For this reason, it is important that the clinician or practice staff member collecting the information advises the informer that they may have an obligation under IPP3A to notify the patient about the collection, and that anonymity cannot be guaranteed. There may be exceptions to this in some specific circumstances, but this should be carefully considered. If there is any doubt, we would advise clinicians to call their indemnifier to discuss the specific facts of the situation.
IPP 3A also has implications for how health information is handled by Medical Protection Society when concerns or complaints are raised. A key underlying principle of the new requirement is transparency — ensuring that patients understand how their information may be used and shared, particularly in situations that may feel sensitive or unexpected.
To support this, we are advising practices to include a clear statement in their Privacy Statements, such as:
“If you make a complaint about the care or services we provide, we may disclose relevant health information to our insurers, indemnity providers, or legal advisers for the purpose of managing and responding to the complaint.”
Including this information helps ensure patients are aware, upfront, that their health information may need to be shared in these circumstances, and why that sharing may be necessary. This aligns with the intent of IPP 3A to avoid patients being taken by surprise about how their information is used.
In addition, to further support patients’ privacy and minimise the use of identifiable health information where it is not required, from 1 May 2026 we will be asking that any information provided to us is anonymised, with patient-identifying details removed.