Rules Mate

NSW HRIPA: Health Records and Information Privacy Act 2002 and 15 HPPs

The 15 Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (NSW) applying to NSW public and private health service providers.

Rules Mate Editorial. Published 5 June 2026. 3 min read.

Scope of HRIPA

The Health Records and Information Privacy Act 2002 (NSW) (HRIPA) commenced on 1 September 2004. It establishes a legislative framework for the protection of health information held by NSW health service providers, NSW public sector agencies and other organisations that hold health information in NSW. It operates alongside other relevant legislation, such as the My Health Records Act 2012 (Cth).

HRIPA’s application is broad. It covers all NSW health service providers, whether public or private, NSW public sector agencies that hold health information, and any other organisation in NSW that collects, holds or uses health information. The definition of 'health service' is extensive, covering medical, hospital, nursing, pharmacy, allied health, mental health, dental, optical, traditional Chinese, complementary and alternative health services.

'Health information' is also defined broadly under HRIPA. It includes personal information relating to an individual’s physical or mental health, disability, health services provided or to be provided, and genetic information. The NSW Privacy Commissioner, operating from the Information and Privacy Commission NSW (IPC NSW), administers HRIPA.

Health Privacy Principles 1-7

The Health Privacy Principles (HPPs) in Schedule 1 of HRIPA set out the core obligations for organisations handling health information in NSW. HPP 1 requires an organisation to collect health information only for a lawful purpose directly related to its functions or activities, and only where collection is reasonably necessary for that purpose. HPP 2 requires that the information collected be relevant to that purpose, not excessive, accurate, up to date, complete and not misleading, and that collection not intrude unreasonably on the individual's personal affairs. HPP 3 requires collection directly from the individual where reasonably practicable. HPP 4 requires the organisation to notify the individual, at or before collection or as soon as practicable afterwards, of who is collecting the information, the purposes of collection, who else will receive it, any law authorising or requiring the collection, and the individual's right to access the information.

Once collected, the information must be handled in line with HPP 5 (retention and security): it may be kept no longer than necessary for the purpose for which it may lawfully be used, must be disposed of securely, and must be protected against loss, unauthorised access, use, modification or disclosure, and against all other misuse.

HPP 6 requires an organisation to take reasonable steps to let an individual find out whether it holds health information about them, the nature of that information, the main purposes for which it is used, and how the individual can gain access to it. HPP 7 confirms the individual's right to request access to their own health information.

Health Privacy Principles 8-15

Principles 8 to 15 address amendment, accuracy, use, disclosure, identifiers, anonymity, transborder data flows and record linkage. HPP 8 allows individuals to request amendment of their health information so that it is accurate, relevant, up to date, complete and not misleading. HPP 9 requires an organisation to take reasonable steps to ensure that health information is accurate, relevant, up to date, complete and not misleading before using it. HPP 10 limits use of health information to the primary purpose for which it was collected, a directly related secondary purpose the individual would reasonably expect, a purpose the individual has consented to, or another exception set out in the principle.

HPP 11 similarly limits disclosure of health information to the purpose for which it was collected, a directly related purpose within the individual's reasonable expectations, a purpose the individual has consented to, or a specified exception, such as lessening or preventing a serious and imminent threat to life, health or safety. HPP 12 restricts the assignment of identifiers to cases where it is reasonably necessary for the organisation to carry out its functions efficiently, and restricts the use of identifiers such as Medicare numbers. HPP 13 requires an organisation to give individuals the option of not identifying themselves when dealing with it, where that is lawful and practicable.

The final two principles address data flows. HPP 14 restricts the transfer of health information to a person or body outside New South Wales, or to a Commonwealth agency, unless an exception applies (for example, the individual consents or the recipient is bound by substantially similar privacy obligations). HPP 15 prohibits including an individual's health information in a health records linkage system, or disclosing an identifier for that purpose, without the individual's express consent.

Enforcement and interaction with other laws

Complaints regarding breaches of the Health Records and Information Privacy Act 2002 (HRIPA) are directed to the NSW Privacy Commissioner. Individuals who believe their rights under HRIPA have been breached also have a right of review through the NSW Civil and Administrative Tribunal (NCAT) under section 49.

NCAT has the power to order compensation for individual breaches of HRIPA. This compensation can be up to $40,000.

HRIPA operates in conjunction with other legislation. NSW public sector agencies must also comply with the Privacy and Personal Information Protection Act 1998 (NSW). Private sector health service providers are typically subject to both HRIPA and the Federal Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).

Frequently asked

Who must comply with HRIPA in NSW?

HRIPA applies to all NSW public sector agencies that hold health information, to all 'health service providers' in NSW, public and private, and to any other organisation in NSW that collects, holds or uses health information. The definition of 'health service' is broad and includes medical, hospital, nursing, pharmacy, dental, allied health, mental health, optical, traditional Chinese, complementary and alternative health services. Private health service providers must also comply with the federal Privacy Act 1988 (Cth) regardless of business size, because the small business exemption in that Act does not extend to health service providers.

How many Health Privacy Principles are there under HRIPA?

There are 15 Health Privacy Principles (HPPs) in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW). They cover purpose and manner of collection, direct collection, notice, retention and security, openness about information handling practices, access, amendment, accuracy, use, disclosure, identifiers, anonymity, transborder data flows and linkage of health records. The HPPs are administered and enforced by the NSW Privacy Commissioner at the IPC NSW.
