HIPC & Privacy Act 2020 Compliance
How ClientForms meets the Health Information Privacy Code 2020 and NZ Privacy Act 2020. Detailed compliance information for practitioners across Aotearoa New Zealand.
Compliance at a Glance
NZ health practitioners have specific obligations under the Privacy Act 2020 and HIPC 2020 when using clinical software. Here's how ClientForms supports your compliance.
Health Information Privacy Code 2020
ClientForms is built to comply with the HIPC 2020, which applies specific rules to health agencies handling health information. All 13 health information privacy rules are addressed.
NZ Privacy Act 2020
Full compliance with all 13 Information Privacy Principles (IPPs). Collection, storage, use, and disclosure of patient data follows NZ privacy law.
Australian Data Hosting
All clinical data hosted in Sydney, Australia. Australia's Privacy Act 1988 provides comparable safeguards, meeting NZ IPP 12 cross-border requirements.
AES-256 Encryption
Enterprise-grade encryption for data at rest (AES-256) and data in transit (TLS 1.2+). All patient responses encrypted from browser to database.
Access Controls
Role-based access ensures patient data is only visible to authorised practitioners. Multi-factor authentication available. Audit logging for access events.
No Third-Party Data Sharing
Patient data is never shared with advertisers, data brokers, or third parties. Assessment results are visible only to the sending practitioner.
The 13 Information Privacy Principles
The NZ Privacy Act 2020 establishes 13 Information Privacy Principles (IPPs) that govern how organisations handle personal information. Here's how ClientForms addresses each one.
IPP 1: Purpose of collection
Health information is collected only for lawful purposes directly related to clinical assessment. Practitioners define the assessment purpose; patients are informed before completing forms.
IPP 2: Source of information
Information is collected directly from the individual (patient) or their parent/whānau for child assessments — never from third-party sources without consent.
IPP 3: Collection of information
Patients are informed of the purpose of collection, who will access the data, and their rights. Assessment forms include clear explanations of data use.
IPP 4: Manner of collection
Information is collected lawfully and fairly through secure, encrypted assessment links. No deceptive practices — patients complete assessments voluntarily.
IPP 5: Storage and security
All data stored with AES-256 encryption in Australia (Sydney). Enterprise-grade infrastructure with regular security audits. Access controls limit data to authorised practitioners.
IPP 6: Access to personal information
Practitioners can access their own patient data through their secure dashboard. Patients can request access to their information through their practitioner.
IPP 7: Correction of information
Practitioners can correct patient information in their dashboard. Patients can request corrections through their practitioner.
IPP 8: Accuracy of information
Auto-scoring reduces transcription errors. Structured assessments ensure consistent data collection. Practitioners can verify and validate results.
IPP 9: Retention of information
Clinical data is retained in accordance with professional requirements. Practitioners control their own data retention, and account deletion removes all associated data. Before deleting an account, export any records you are still required to keep: the Health (Retention of Health Information) Regulations 1996 require health information to be retained for at least 10 years from the last date of treatment.
IPP 10: Use of information
Health information is used only for the purpose for which it was collected — clinical assessment and treatment support. No secondary use without consent.
IPP 11: Disclosure of information
Patient data is not disclosed to third parties. Assessment results are visible only to the practitioner who sent the assessment. No data sharing with advertisers or data brokers.
IPP 12: Cross-border disclosure
Data hosted in Australia, a jurisdiction whose Privacy Act 1988 provides privacy safeguards comparable to New Zealand's, which is the test IPP 12 sets for disclosure to a foreign person or entity. No data is sent to the US or EU.
IPP 13: Unique identifiers
ClientForms does not assign government-issued identifiers. Internal identifiers are system-generated and not derived from NHI numbers or other unique identifiers.
Data Hosting & Cross-Border Transfer
IPP 12 (mirrored by HIPC Rule 12) restricts disclosing personal information to a foreign person or entity unless one of its permitted grounds applies; the ground relied on here is that the recipient is subject to privacy laws that, overall, provide comparable safeguards to the NZ Privacy Act 2020. Australia's Privacy Act 1988 meets that test. Note that where a cloud host holds information solely on a practitioner's behalf, the Act treats that information as still held by the practitioner, so the practitioner's own IPP 5 storage and security obligations apply regardless of where the servers are located.
Why Australia?
- Australia's Privacy Act 1988 provides comparable privacy protections to NZ
- Australian Privacy Principles (APPs) mirror NZ IPPs in key areas
- Office of the Australian Information Commissioner (OAIC) provides regulatory oversight
- Sydney data centres meet enterprise security standards
- Low-latency access from New Zealand (~20ms)
Where Data Is Not Stored
- No data stored in or transferred to the United States
- No data stored in or transferred to the European Union
- No data shared with or sold to third-party services
- No data stored on practitioner devices (browser-only access)
- No data processed by AI models or machine learning systems
Security Infrastructure
Enterprise-grade security protects patient health information at every layer.
Encryption
AES-256 encryption for all stored data including assessment responses, patient information, and practitioner data.
TLS 1.2+ encryption for all data transmission between patient browsers, the application layer, and database.
Access Controls
Secure authentication with support for multi-factor authentication (MFA). Session management with automatic expiry.
Row-level security, enforced by the database itself rather than only by application code, ensures practitioners can access only their own organisation's patient data.
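As an illustration of what database-enforced isolation between organisations looks like, the following is an added example written for this page, not ClientForms's own schema or code. It assumes PostgreSQL, and the table, column, role and setting names (assessment_responses, org_id, app_user, app.current_org) are hypothetical.

```sql
-- Added example (PostgreSQL), not the ClientForms schema.
-- Table/column/role/setting names are assumptions for illustration.

CREATE TABLE assessment_responses (
    id          bigserial PRIMARY KEY,
    org_id      uuid        NOT NULL,
    patient_ref text        NOT NULL,
    responses   jsonb       NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a low-privilege role that does not own the
-- table and does not hold BYPASSRLS; owners and superusers skip RLS by default.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON assessment_responses TO app_user;
GRANT USAGE ON SEQUENCE assessment_responses_id_seq TO app_user;

-- Turn RLS on, and FORCE it so that even the table owner is subject to policies.
ALTER TABLE assessment_responses ENABLE ROW LEVEL SECURITY;
ALTER TABLE assessment_responses FORCE ROW LEVEL SECURITY;

-- Every request runs inside a transaction that first sets the caller's
-- organisation from the authenticated session:
--   SET LOCAL app.current_org = '<org uuid>';
-- USING hides rows belonging to other organisations from SELECT/UPDATE/DELETE;
-- WITH CHECK rejects INSERTs/UPDATEs that would write a row into another org.
-- current_setting(..., true) returns NULL when the setting is absent, so an
-- unset context matches nothing: a missing org fails closed, not open.
CREATE POLICY org_isolation ON assessment_responses
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Constructed check: act as org 1111..., write one row, then read back.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

INSERT INTO assessment_responses (org_id, patient_ref, responses)
VALUES ('11111111-1111-1111-1111-111111111111',
        'constructed-patient-1',
        '{"instrument": "constructed", "score": 12}');

-- Only rows whose org_id equals app.current_org are returned here,
-- whatever other organisations have stored in the same table.
SELECT id, patient_ref, created_at FROM assessment_responses;

-- Uncommenting this INSERT for a different org_id makes PostgreSQL raise
-- "new row violates row-level security policy" and abort the transaction.
-- INSERT INTO assessment_responses (org_id, patient_ref, responses)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'other-org', '{}');
COMMIT;
```

Two points a reviewer would check in a deployment like this: the application role must not be the table owner or carry BYPASSRLS, since either bypasses the policy; and the organisation setting must be derived server-side from the authenticated session, never accepted from a request parameter, or the isolation reduces to the client's honesty.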
Your Obligations as a NZ Practitioner
ClientForms provides the technical safeguards — but as a health practitioner, you also have responsibilities under the HIPC 2020.
Inform your patients
Let patients know that you use ClientForms to collect and store their assessment responses. Explain the purpose of the assessment and how their data will be used in their care.
Maintain your own security
Use a strong password and enable multi-factor authentication on your ClientForms account. Don't share your login credentials, and log out of shared or public computers. Any report you download or print leaves the platform and becomes a record you must secure yourself.
Respect patient rights
Patients have the right to access and correct their health information under the Privacy Act 2020 and HIPC 2020. Facilitate access requests promptly; the Act requires an agency to decide on an access request within 20 working days of receiving it.
Follow your professional code
Clinical assessment data should be handled in accordance with your professional body's code of ethics — whether NZ Psychological Society, NZCCP, RNZCGP, or other relevant body.
Compliance FAQ
Is ClientForms HIPC compliant?
ClientForms is built to comply with the Health Information Privacy Code 2020 (HIPC). We address all 13 health information privacy rules through technical safeguards including AES-256 encryption, Australian data hosting (IPP 12), access controls, and data minimisation principles. See the IPP breakdown above for details on each principle.
Where is my patient data stored?
All clinical data is stored on enterprise-grade infrastructure in Sydney, Australia. Australia provides comparable privacy safeguards to NZ under Information Privacy Principle 12. No data is stored in or transferred to the United States or European Union.
What encryption does ClientForms use?
AES-256 encryption for all data at rest (stored data) and TLS 1.2+ for all data in transit (between browsers, application, and database). This is the same encryption standard used by banks and government agencies.
Can I use ClientForms for ACC-funded assessments?
ClientForms provides the clinical assessment tools — billing and funding arrangements (including ACC) are managed by the practitioner. The platform supports standard clinical assessment workflows and produces structured reports suitable for clinical documentation.
What happens if there is a data breach?
ClientForms has a documented breach notification procedure in line with the Privacy Act 2020 mandatory breach reporting requirements. In the event of a notifiable privacy breach (one that has caused, or is likely to cause, serious harm), affected practitioners and the Privacy Commissioner would be notified as required by law. Because the Act treats information held by ClientForms on a practitioner's behalf as held by that practitioner, the practitioner remains the health agency responsible for notifying affected patients, and should factor a ClientForms notification into their own breach response.
Does ClientForms meet the Privacy Commissioner's expectations?
ClientForms is designed with the NZ Privacy Commissioner's guidance in mind. We follow best practice for health information management, including data minimisation, purpose limitation, encryption, and access controls. Our privacy and security documentation is publicly available for review.
NZ Privacy Resources
Official NZ government and regulatory resources for health information privacy.
Privacy Commissioner — HIPC 2020
The official Health Information Privacy Code 2020 from the NZ Privacy Commissioner.
Privacy Act 2020 — Full Text
The NZ Privacy Act 2020 legislation from the Parliamentary Counsel Office.
Privacy Commissioner — Guidance
Practical guidance for organisations handling personal information under NZ privacy law.
Notifiable Privacy Breaches
Information about mandatory breach reporting requirements under the Privacy Act 2020.
Compliant Clinical Assessments
Start using HIPC-compliant clinical assessment tools today. Free tier available — no credit card required.