Privacy policy

Epic Health

Last Updated: 01/05/2026

This Privacy Policy explains how Epic Health collects, stores, uses, discloses, and protects your personal and health information.

We are committed to protecting your privacy and handling your information in accordance with:

  • the Privacy Act 2020
  • the Privacy Amendment Act 2025 (including Information Privacy Principle 3A)
  • the Health Information Privacy Code 2020
  • applicable New Zealand healthcare legislation and standards

1. Information We Collect

We may collect personal and health information including:

Personal information

  • Full name
  • Date of birth
  • Address
  • Phone numbers
  • Email address
  • NHI number
  • Emergency contact details
  • Next of kin information
  • Community Services Card details
  • Occupation (where relevant)

Health information

  • Medical history
  • Medications
  • Allergies
  • Consultation notes
  • Test results
  • Referral information
  • Treatment plans
  • ACC information
  • Family medical history where relevant
  • Immunisation records

Financial information

  • Billing details
  • Payment history
  • Health funding eligibility
  • Outstanding balances

2. How We Collect Information

We may collect information directly from you when you:

  • enrol with the Practice
  • attend appointments
  • use our patient portal
  • request prescriptions
  • communicate with our team
  • complete forms
  • make payments

We may also collect information indirectly from third parties involved in your care, including:

  • other healthcare providers
  • hospitals
  • specialists
  • laboratories
  • radiology providers
  • pharmacies
  • ACC
  • Primary Health Organisations (PHOs)
  • government agencies
  • family members or caregivers where authorised
  • referral agencies

3. Notification of Indirect Collection (IPP 3A)

Where we collect personal information indirectly from another source, we will take reasonable steps to notify you in accordance with Information Privacy Principle 3A (effective 1 May 2026), unless an exception under the Privacy Act applies.

Notification may not be required where:

  • you already know the information has been provided
  • notification would prejudice your health or safety
  • the information is publicly available
  • notification would be unreasonable or impractical
  • another legal exception applies

4. Why We Collect Your Information

We collect information to:

  • provide healthcare services
  • assess and manage your health needs
  • coordinate care with other providers
  • process referrals
  • manage prescriptions
  • communicate with you
  • manage appointments
  • process payments and accounts
  • meet funding and reporting requirements
  • improve services
  • meet legal and regulatory obligations

5. How We Use and Share Information

Your information may be shared where appropriate with:

  • healthcare professionals involved in your care
  • hospitals and specialists
  • laboratories and radiology providers
  • PHOs
  • ACC
  • government agencies where required by law
  • external service providers supporting our operations
  • debt collection agencies for unpaid accounts
  • auditors or accreditation bodies
  • other parties where authorised by you

We will only share information where permitted or required by law.


6. Patient Portal and Online Services

We may provide online services including:

  • appointment bookings
  • repeat prescription requests
  • secure messaging
  • access to health records
  • account payments
  • test results

Patients are responsible for maintaining the security of their login credentials.

While we use secure systems, no online system can be guaranteed completely risk free.

Email communication should not be used for urgent medical matters.


7. Storage and Security

We take reasonable steps to protect your information from:

  • unauthorised access
  • disclosure
  • misuse
  • alteration
  • loss

Security measures may include:

  • secure practice management systems
  • password protection
  • staff confidentiality agreements
  • restricted access permissions
  • encrypted communications where available

8. Retention of Information

We retain health information in accordance with legal and professional requirements.

Medical records are generally retained for the minimum periods required under New Zealand legislation and healthcare standards.


9. Access and Correction

You have the right to:

  • request access to your personal information
  • request correction of information that is inaccurate
  • ask questions about how your information is used

Requests should be made in writing where possible.


10. Complaints

If you have concerns regarding your privacy or personal information, please contact:

Privacy Officer
Epic Health
Email: admin@epichealth.co.nz
Phone: 07 2620086

If you are dissatisfied with our response, you may contact the:

Office of the Privacy Commissioner


11. Changes to this Policy

We may update this Privacy Policy periodically. Current versions will be available:

  • at reception
  • on our website
  • through our patient portal

By using Epic Health services, including our patient portal and online systems, you acknowledge this Privacy Policy.