Dear Health New Zealand,

Please provide me with a list of HNZ hospitals who have implemented the standards set out in HISO 10064 and 10029, and have role-based-access to health records, which reduces the risk of unauthorized access (defined as access without the expressed consent of the individual with whom he records pertain or absolutely necessary for their role (i.e., physician and their nurse treatment of a patient).

I note that according to the University of Auckland Medica School Phase 3 (Year 6) Guidebook 2023, none of the teaching hospitals associated with the University of Auckland appear to meet these standards and are providing paid and unpaid staff unrestricted access to patient personal health information.

Here is what the guidebook states:
"Hospitals have adopted an ‘open access’ approach to electronic security. This means
the system does not limit access."

"Please check the Auckland policy on appropriate use. The hospital uses
Concerto as its ‘umbrella’ application, which allows integrated access to a number of
clinical applications. You may require additional authorisation to access applications
such as patient discharge summaries. Year 6 students are also provided with online
access to old patient records through 3M. You will be issued a separate password for
3M."

"Te Whatu Ora Counties Manukau has adopted an “open access” approach to security. This means the system does not limit access."

"Te Whatu Ora – Health New Zealand Waitemata has adopted an “open access” approach to security. This means the system does not limit access."

"Te Whatu Ora Hauora a Toi Bay of Plenty has adopted an ‘open access’ approach to
security."

"Te Whatu Ora Te Tai Tokerau has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access."

"Te Whatu Ora Lakes has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access.

"Te Whatu Ora Taranaki has an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but records who makes every access."

"Te Whatu Ora Waikato has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access."

Health Information HISO 10064 have been in place since at least 2017. They require role-based-access, not "open access".

Meeting these standards are a legal obligation under Rights 1-7 of the Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996. Compliance with these standards are also legislative, consistent with legal obligations under rule 5 of the Health Information Privacy Code 2020 and section 22, IPP 5, of the Privacy Act 2020. These obligations were in the Privacy Act 1993.

Furthermore, patients are supposed to be informed of who will have access prior to care, pursuant to rule 3 of the Health Information Privacy Code 2020 and section 22, IPP 3, of the Privacy Act 2020. These requirements were in the previous legislation enacted in 1993. Yet, I only found this information today 14 years after moving to NZ.

Which, if any, hospital associated with Health NZ meet the HISO 10064 standards and legislative requirements regarding restricted access to personal health information and requirements of informed consent from the patient?

If any Health NZ hospital meet these standards and the legal privacy obligations, and have role-based-access to medical information which requires the informed consent of the patient, please provide me with the role-based-access descriptors for each role?

Thanks

AS Van Wey

Dear hnzOIA,

This is a follow up reminder that I am still waiting for your response to my OIA request from March 2023. The legislative timeframe for a response was 20 working days, HNZ has not responded within the legislative timeframe. Please provide the requested information or a legal reason for refusal.

Yours sincerely,

AS Van Wey