The Health Information Privacy Code (HIPC) is a code of practice issued by the Privacy Commissioner pursuant to the Privacy Act 1993. The HIPC sets out a series of rules concerning the collection, use, storage and disclosure of health information.
On 30 April 2013 amendment number 7 came into force. There are only a small number of changes, and those likely to be of interest to health practitioners include the use and disclosure of health information derived from Guthrie Card bloodspots, and the threshold for disclosure to an appropriate authority to protect the health or safety of the public, or an individual.
Bloodspots are collected from newborn babies by the Newborn Metabolic Screening Programme and are held indefinitely on ‘Guthrie Cards’.
A new schedule to the HIPC requires all uses and disclosures of information derived from these cards to be conducted with the permission of the individual (or their representative or a close available relative), or to be for a permitted primary or secondary purpose.
Permitted primary purposes are purposes directly connected with the Programme. Permitted secondary purposes include complying with a court order, identifying a victim of crime where no other method is practicable, and carrying out research that has been approved both by the Ministry of Health and an ethics committee.
The HIPC also allows for disclosure of health information to prevent or lessen a threat to public health or safety, or the life or health of an individual. Previously the threat had to be “serious and imminent”. The latest amendment removes the requirement of imminence and defines a “serious threat”.
The health professional is required to analyse the risk posed, and reasonably believe the threat to be serious, having regard for the likelihood of the threat occurring, the timing of this, and the severity of the consequences if it does occur.
The other requirements for disclosure have not been altered by the amendment. The permission of the individual should ideally be sought first, but this can be dispensed with where it is not desirable or practicable to obtain an individual’s authorisation. This covers situations where the individual is not competent to give consent, is unable to be found, or has refused to give their consent.
Any disclosure made without the consent of the individual concerned should be made only to the extent necessary to meet the particular purpose, and to someone who can act to minimise the threat, such as the person at risk, or the police.
These decisions must not be made lightly, and it is strongly suggested that members first contact MPS for advice.