The Health Records and Information Privacy Act 2002 (HRIP Act) outlines how New South Wales (NSW) public sector agencies and health service providers manage the health information of NSW public members.

Health Records and Information Privacy Act 2002 (HRIP Act) (external website)

Who does the HRIP Act include?

The HRIP Act applies to organisations (public sector agencies or a private sector person) that are health service providers or that collect, hold or use health information. This includes hospitals both public and private, doctors, other health service providers and any other organisations that handle your health information. This can include universities that undertake research, a gym that records information about your health, or even your physiotherapist. More specifically the Act applies to:

  • Public sector agencies
  • Private sector organisations that provide a health service or collects, holds or uses health information
  • Private sector organisations including some businesses that are related to another business, with an annual turnover of more than $3 million that collect, store or use your health information.

Please contact us if you are unsure if the laws apply.

What does the HRIP Act include?

The HRIP Act includes 15 Health Privacy Principles (HPPs) and sets out the role of the NSW Privacy Commissioner. The Act sets up ways to enforce privacy measures and the methods for how to make a complaint if you believe your information has been misused.

The HPPs mentioned above apply to how your health information is handled. Put simply, the meaning of health information is:

  • personal information you give to any health organisation 
  • information about a health service already provided to you
  • some personal information about organ donation 
  • genetic information about you or your relatives. 

A more detailed definition is provided in Section 6 of the HRIP Act.

There are some circumstances where individuals and organisations do not have to abide by the HPPs; these are outlined in the Health Privacy Codes of Practice and Health Public Interest Directions.

The HRIP Act also gives powers to the NSW Privacy Commissioner to receive, investigate and conciliate complaints made against an agency, health service provider or organisation holding health information.

Special rules about your health information

In addition to the HPPs, the HRIP Act sets out special rules for private sector organisations about:

  • holding health information by health service providers; 
  • giving people access to their health information, including when access can be refused; and 
  • allowing people to amend their health information held by the organisation.

This is outlined in more detail in Part 4 of the HRIP Act and in the Handbook to Health Privacy (if you are having difficulties reading this document, please contact us on 1800 472 679 and we will provide another format for you).

Statutory guidelines

The NSW Privacy Commissioner has developed four statutory guidelines under the HRIP Act. The statutory guidelines are not a plain English guide to the HRIP Act. They are legally binding documents that define the scope of particular exemptions in the HPPs. They describe how the exemption applies and what you need to do in order to comply with the exemption. They are as important as the exemption itself. They relate to the:

For more information about statutory guidelines, please see our fact sheet: Statutory guidelines.

If you find that you are having difficulties reading our documents or other material, please contact us on 1800 472 679 so we can provide another option for you to access our material.

Health Privacy Principles

The 15 Health Privacy Principles (HPPs) are the key to the HRIP Act. They are legal duties that describe what NSW public sector agencies and private sector organisations (such as health service providers, businesses, private hospitals, GPs, gyms etc) must do when they handle your personal health information.

The 15 HPPs detail how your health information must be collected, stored, used, and disclosed as well as your rights to access your health information.

Below is a simplified summary of the 15 HPPs, divided into headings: Collection, Storage, Access and Accuracy, Use, Disclosure, Identifiers and Anonymity, Transferrals and Linkages. If you require more information on the 15 HPPs we encourage you to read our fact sheet: Health Privacy Principles.

An agency or organisation must:

Lawful 1 Only collect your health information for a lawful purpose. It must also relate directly to the agency’s activities. 
Relevant 2 Make sure that your health information is relevant, accurate, current and non-excessive.
Direct 3 Collect your health information from only you, unless exemptions apply.
Open 4

Tell you that the information is being collected, why and who will be using it and storing it. You must be told how to access it if you wish to make sure it’s correct.

Secure  5 Store your health information securely. It should not kept longer than needed, and disposed of properly.
Access and Accuracy 
Transparent  6 Provide you with details about the health information they are storing, why and how you can access it.
Accessible 7 Allow you to access your health information in a reasonable timeframe and without being costly.
Correct 8 Allow you to update, correct or amend your health information when needed. (Note: private sector organisations should also refer to s33-37 of the HRIP Act for further provisions).
Accurate 9 Make sure that your health information is correct and relevant before using it.
Limited 10 Only use your health information for the reason that is was collected, unless expemtions apply.
Limited  11

Only disclose your health information for the reason that is was collected otherwise separate consent is needed from you.

Identifiers and anonymity

Not identified 12 Can only give you an ID number if it is reasonably necessary. 
Anonymous 13 Give you the option of receiving information from you anonymously, where practicable. 
Transferrals and linkage 
Controlled  14 Only transfer health information outside NSW in accordance with the HPP 14. 
Authorised 15 Only use health records linkage systems if you have provided consent. 

Further reading

You can find more detailed information about the HRIP Act by reading:

If you find that you are having difficulties reading our documents or other material, please contact us on 1800 472 679 so we can provide another option for you to access our material.

1 out of 5 star rating
Average: 1 (1 vote)