Tel 09 419 0450

Privacy Law Update: Effective 1 May 2026

IPP3A and Indirect Collection of Health Information

Practical guidance for osteopaths on your new notification obligations under the Health Information Privacy Code. What changes, what you must have in place, and how to implement it in your clinic from tomorrow.

What has changed

IPP3A extends your notification obligations beyond direct collection. Most osteopathic clinics are routinely affected through these common workflows.

GP and Specialist Referrals

Any clinical notes or referral documentation received from another provider is indirect collection. Patient notification is required.

ACC Documentation

Claim details and injury information received from ACC are indirect collection. Notification is required even though ACC is part of the care pathway.

Shared Care Arrangements

Notes shared between co-treating providers are indirect collection. The patient must be aware that information is being shared and used as part of their care.

Family-Provided Information

Information provided by a parent, partner, or carer (outside of formal legal arrangements) is indirect collection and triggers notification obligations.

Online Intake and Referral Platforms

Information flowing from a third-party booking or referral system into your clinic is likely indirect collection, even if it arrives digitally.

Admin and Front Desk Processes

Non-compliance risk sits primarily in intake and front desk workflows, not just in having a privacy policy. Active notification is required.

Six required notification elements

When health information is collected indirectly, you must take reasonable steps to ensure the patient is aware of all six of the following. A privacy policy alone is not sufficient.

  1. The fact that information has been collected — specify what kind of information has been received

  2. The purpose for which it has been collected — specific enough that the patient understands how it will be used

  3. The intended recipients of the information — who the information will be shared with

  4. Your clinic's name, address, and contact details — including email or website so patients can make contact

  5. Any legal authority for the collection — for example, ACC collection authorised under the Accident Compensation Act 2001

  6. The patient's right to access and correct their information — including how to make such a request

Notification by practice type

The right approach depends on your practice setting. The examples below are a guide only. Notification should feel natural and proportionate, not clinical or alarming.

Scenario A

Sole Practitioner

In a sole practice, the treating osteopath may handle both clinical and administrative functions. Notification will typically happen either by emailing the patient that you have received their report, or verbally at the start of the first consultation.

At the start of the first appointment: "I received a referral from your [GP / x-ray report from radiology / other healthcare provider] before today's appointment. I will be using that information as part of your assessment. You are welcome to access that information or request any corrections at any time."

Adjust the source reference to reflect what was actually received — a GP referral, imaging report, or notes from another treating provider.

When notification is not required: If the patient has already been notified (for example via a booking confirmation email) or if they brought the information in themselves, no further acknowledgement is needed. Notification is a one-time requirement.

Scenario B

Practice with an Administration Team

Where a reception or admin team handles intake separately from the treating clinician, notification can be done either by emailing the patient directly to say the clinic has received documentation from [GP / radiology / other healthcare provider], or by telling them when they arrive for their appointment.

Clinician at start of consultation: "You may have been emailed or told that we received your referral notes. I have had a look through those and we will use them as part of today's assessment."

Splitting notification across admin and clinician touchpoints avoids placing the full burden on clinical time while still satisfying the reasonable steps requirement.

Five steps to compliance

Work through these steps to ensure your clinic is ready. Each step builds on the last.

  1. Map your information flows

    Identify where patient information comes from, who receives it in your clinic, and whether the patient is currently notified at each point.

  2. Update your privacy statement

    Ensure it includes all six required notification elements: indirect collection sources, purpose, intended recipients, clinic contact details, any legal authority, and patient access and correction rights.

  3. Introduce notification points

    Implement at least one: an intake form acknowledgement, an automated email when a referral is received, or verbal confirmation at first consultation.

  4. Brief your team

    All staff involved in intake must understand what indirect collection is, when notification is needed, and how to deliver it in natural, plain language. Use the scenario guides above as a reference point, not a script to read verbatim.

  5. Review third-party systems

    Check booking platforms, referral systems, and ACC workflows. If a third party notifies patients on your behalf, confirm their notification specifically names your clinic and covers all six required elements.

When notification may not be required

IPP3A includes limited exceptions. In most routine osteopathic practice, these will not apply. Do not rely on an exception without clear justification and documentation.

| Exception | When it may apply in osteopathic practice |
|---|---|
| Individual already aware | The referring agency has specifically named your clinic in their own notification, and you have evidence of this |
| Information publicly available | Information comes from a public register or publicly accessible source |
| No prejudice to the individual | Low-risk situations where the person would suffer no detriment — use this exception narrowly |
| Prejudice to purpose of collection | Notification would undermine a legitimate investigation — unlikely in routine osteopathic practice |
| Not reasonably practicable | You do not hold patient contact details and it is not reasonable to collect them solely for notification. Cost and inconvenience alone are not sufficient grounds |
| Serious threat to public health or safety | Notification would delay action needed to address an immediate and serious public health or safety risk |
| Information not used in identified form | Information will be de-identified or used only for aggregated statistical or research purposes |

Full Guidance Document

Prepared by Anj Young, 30 April 2026, Osteopaths New Zealand

The complete guidance document includes all clinical workflow examples, the Acting on Behalf provisions, third-party referral arrangements, and the full legal disclaimer. Download and share with your team.

Legal Disclaimer and Important Notice

This document has been prepared by Anj Young on behalf of Osteopaths New Zealand for the purpose of member education and general guidance only. It does not constitute legal advice. The information provided is intended as a general overview of the obligations introduced by IPP3A and is not a substitute for specific legal advice tailored to your individual practice circumstances.

The law in this area is relatively new and its application to specific scenarios may evolve as the Office of the Privacy Commissioner publishes further guidance. Members are strongly encouraged to:

  • Seek independent legal advice from a qualified New Zealand solicitor or privacy law specialist before making significant changes to your practice policies or procedures on the basis of this guidance
  • Review the primary sources listed in the full document, including the Office of the Privacy Commissioner's published guidance at privacy.org.nz, which is the authoritative reference
  • Consult your professional indemnity insurer regarding how IPP3A obligations may interact with your policy coverage

Osteopaths New Zealand has taken reasonable care in preparing this guidance but makes no representation or warranty, express or implied, as to its accuracy, completeness, or fitness for purpose. Osteopaths New Zealand accepts no liability for any loss or damage arising from reliance on this document.

Representing Osteopaths in
Aotearoa, New Zealand

Tel 09 419 0450
Email info@osteopathsnz.co.nz
Address PO Box 65503
Browns Bay
Auckland 0754, New Zealand