Health Privacy Principles (HPPs) explained for members of the public
Fact sheet - Health Privacy Principles for the public, updated April 2023
The 15 Health Privacy Principles (HPPs) are the key to the Health Records and Information Privacy Act 2002 (HRIP Act).
These are legal obligations that organisations, defined to include NSW public sector agencies and private sector organisations, must comply with when they collect, hold, use and disclose a person's health information.
Exemptions may apply in certain circumstances, so it is suggested that you first contact the Privacy Contact Officer or the Health Information Manager of the organisation concerned. You can also contact the Information and Privacy Commission NSW (IPC) for further advice.
Collection
HPP 1: An organisation can only collect your health information for a lawful purpose that is directly related to the organisation's activities, and only where the collection is necessary for that purpose. An organisation must not collect health information by unlawful means.
HPP 2: An organisation must ensure that the health information it collects is relevant, accurate, complete, up to date and not excessive. The collection must not unreasonably intrude into your personal affairs.
HPP 3: An organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.
HPP 4: An organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information, and any consequences if you decide not to provide it.
Retention and security
HPP 5: An organisation must store health information securely, retain it no longer than is necessary for the purpose for which it may lawfully be used, and dispose of it securely when it is no longer needed. Security safeguards must be in place so that health information is protected against loss, unauthorised access, use, modification or disclosure, and any other misuse.
Access and accuracy
HPP 6: An organisation must be able to tell you what health information it holds about you, why it holds that information and what rights you have to access it.
HPP 7: An organisation must allow you to access your health information without unreasonable delay or expense.
HPP 8: An organisation must allow you to update, correct, delete, add to or otherwise amend your health information where necessary, so that it is accurate, relevant, complete, up to date and not misleading for the purpose for which it is collected or used.
HPP 9: An organisation must ensure that health information is relevant, accurate, complete, up to date and not misleading before it is used.
Use
HPP 10: An organisation can only use your health information for the purpose for which it was collected, or for a directly related purpose that you would reasonably expect, unless one of the exemptions in HPP 10 applies. Otherwise your separate consent is required.
Disclosure
HPP 11: An organisation can only disclose your health information for the purpose for which it was collected, or for a directly related purpose that you would reasonably expect, unless one of the exemptions in HPP 11 applies. Otherwise your separate consent is required.
Identifiers and anonymity
HPP 12 (not identified): An organisation can only assign you an identifier (such as an identification number) if it is reasonably necessary for the organisation to carry out its functions efficiently.
HPP 13 (anonymity): An organisation must give you the opportunity to receive services from it anonymously, where this is lawful and practicable.
Transferrals and linkage
HPP 14: An organisation can only transfer your health information outside New South Wales in accordance with HPP 14.
HPP 15: An organisation can only include your health information (including any identifier it has assigned to you) in a health records linkage system, or disclose an identifier for that purpose, if you have expressly consented to your information being included in the system.
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679