Health Records and Information Privacy Act 2002 No 71
38 Operation of health privacy codes of practice
(1) Health privacy codes of practice may be made for the purpose of protecting the privacy of health information with respect to individuals.
(2) A health privacy code of practice may regulate any of the following matters:
(a) the collection or retention of health information held by organisations,
(b) the use or disclosure of health information held by organisations,
(c) the transfer by organisations of health information from New South Wales to a jurisdiction outside New South Wales or to a Commonwealth agency,
(d) the electronic or computerised linkage of health information held by organisations,
(e) the procedures for dealing with health information held by organisations.
(3) In particular, a health privacy code of practice may provide for the protection of health information contained in a record that is more than 30 years old, and any such provision has effect despite the provisions of any other Act that deals with the disclosure of, or access to, health information of that kind. Any such code must, to the extent that it relates to health information contained in a State record that is more than 30 years old, be consistent with any relevant guidelines issued under section 52 of the State Records Act 1998.
(4) A health privacy code of practice can apply to any one or more of the following:
(a) any specified class of health information,
(b) any specified organisation or class of organisation,
(c) any specified activity or class of activity.
(5) Except in the case of a health privacy code of practice that is referred to in subsection (3), a code cannot affect the operation of any exemption provided under this Act.
(6) A health privacy code of practice:
(a) must provide standards of health information privacy protection that operate to protect organisations from any restrictions in relation to the importation of health information into New South Wales, and
(b) must not impose on any organisation any requirements that are more stringent (or of a higher standard) than the Health Privacy Principles.