The Health Records and Information Privacy Act 2002 (HRIP Act) outlines how New South Wales (NSW) public sector agencies and health service providers manage the health information of members of the NSW public.

The commentary on this page is not intended to provide legal advice or a legal interpretation of any part of the HRIP Act. The full text of the Act can be accessed from the Legislation NSW website at Health Records and Information Privacy Act 2002 (HRIP Act).

What agencies and or persons are bound by the HRIP Act?

The HRIP Act applies to organisations (public sector agencies or private sector persons) that are health service providers or that collect, hold or use health information. This includes hospitals, both public and private, doctors, other health service providers and any other organisations that handle your health information. This can include universities that undertake research, a gym that records information about your health, or even your physiotherapist. More specifically, the Act applies to:

  • Public sector agencies
  • Private sector organisations that provide a health service or that collect, hold or use health information
  • Private sector organisations, including some businesses that are related to another business, with an annual turnover of more than $3 million that collect, store or use your health information.

Please contact us if you are unsure if the laws apply.

Definition of health information

The legal definition of health information is provided in Section 6 of the HRIP Act.

Exemptions from the definition

There are some circumstances where individuals and organisations do not have to abide by the Health Privacy Principles (HPPs); these are outlined in the Health Privacy Codes of Practice and Health Public Interest Directions.

Role of the NSW Privacy Commissioner

The HRIP Act also gives powers to the NSW Privacy Commissioner to receive, investigate and conciliate complaints made against an agency, health service provider or organisation holding health information.

Special rules about your health information

In addition to the HPPs, the HRIP Act sets out special rules for private sector organisations about:

  • the holding of health information by health service providers;
  • giving people access to their health information, including when access can be refused; and
  • allowing people to amend their health information held by the organisation.

This is outlined in more detail in Part 4 of the HRIP Act.

Statutory guidelines

The NSW Privacy Commissioner has developed four statutory guidelines under the HRIP Act. The statutory guidelines are not a plain English guide to the HRIP Act. They are legally binding documents that define the scope of particular exemptions in the HPPs. They describe how the exemption applies and what you need to do in order to comply with the exemption. They are as important as the exemption itself. They relate to the:

  • Use or disclosure of health information for the management of health services
  • Use or disclosure of health information for training purposes
  • Use or disclosure of health information for research purposes (see appendix C for HREC report form)
  • Use or disclosure of information from a third party

To access these statutory guidelines, visit our Privacy Resources for Public Sector Agencies page. For more information about statutory guidelines, please see our Fact sheet: Statutory guidelines HRIP Act August 2019.

Health Privacy Principles

The 15 Health Privacy Principles (HPPs) are the key to the HRIP Act. They are legal duties that describe what NSW public sector agencies and private sector organisations (such as health service providers, businesses, private hospitals, GPs, gyms, etc.) must do when they handle your personal health information. The 15 HPPs detail how your health information must be collected, stored, used and disclosed, as well as your rights to access your health information. Read more about the 15 Health Privacy Principles.

What exemptions are there to the HRIP Act?

There are four major sources of exemptions to the HRIP Act:

  • Exemptions written in the Health Privacy Principles (HPPs) directly
  • Exemptions written in a regulation made by the Minister for Health
  • Exemptions written in a Health Privacy Code of Practice, made by the Minister for Health
  • Exemptions written in a Health Public Interest Direction, made by the Privacy Commissioner.

Each exemption could affect one or more of:

  • the definition of 'health information'
  • whether the Act affects specific functions
  • whether the HPPs apply to a particular agency or organisation
  • one or more of the HPPs.

Further reading

You can find more detailed information about the HRIP Act by reading:

Last updated: September 2022