Health orgs to map data collection under new health privacy rule
5 hours ago
NEWS - eHealthNews editor Rebecca McBeth 
Health organisations should start mapping how they collect patient information indirectly now, in preparation for compliance with the new Rule 3A of the Health Information Privacy Code, says Privacy Commissioner Michael Webster.
Speaking at the Future of Healthcare in Aotearoa Conference on June 25, he also said health organisations need to be sure of where patient data ends up before rolling out AI tools, warning that sensitive health information could be feeding into AI training models without patient knowledge and consent.
Rule 3A came into force on May 1 as part of the Privacy Amendment Act and directly affects how health organisations handle information gathered from third parties, including referrals, other health agencies and external platforms.
Webster talked about health organisations creating an “information map” showing how they are collecting and receiving information and the need to notify patients about it.
"That might be as simple as having signage up at your business that notifies people of how information will be passed on and collected," he said.
"Underneath that, the full description of what might happen can be found online."
An exception to Rule 3A applies if an organisation has reasonable grounds to believe someone else has already notified the patient, but Webster said that belief needs to be backed by evidence, not assumption.
When asked about AI, he said the key concern is ensuring that confidential patient conversations do not end up training the large language models that underpin the tools clinicians rely on.
Webster recommended organisations do a privacy impact assessment before deploying any significant new AI tool, treating it as standard due diligence to understand what the tool does and how it handles data.
He noted that a cybersecurity advisory issued recently flagged increasing cyber threats driven by AI, and said health organisations should start treating a data breach as a ‘when, not if’ event.
He spoke about four privacy law reform priorities his office is advocating for: the right to erasure; financial penalties for serious breaches; stronger accountability provisions requiring organisations to publicly disclose their privacy practices; and oversight requirements for automated decision-making systems. A fifth priority has come from the Managed My Health inquiry, which involves extending liability for security failures to third-party service providers.
The Office of the Privacy Commissioner has published detailed guidance on Rule 3A, including worked examples, through its Poupou Matatapu resource hub.