My Health Account terms and conditions

At My Health Account, we know how important privacy is to all people in Aotearoa New Zealand. This Privacy statement explains how we collect and use your personal information for a My Health Account (‘Account’).

• It is voluntary for you to sign up for an Account.
• My Health Account is designed to make it easy for you to access your health information, and to connect with New Zealand digital health services.
• If you are 16 years or older, you can create your own My Health Account.
• Some parents aged 16 years and over may also access some information about their child or children aged under 12 years if they use the ‘Add a child’ feature to establish a relationship between their NHI number and the NHI number of their child or children.
• If one parent disputes the right of the other parent to access a child's or children’s information, access to the child’s or children’s information will be immediately suspended for both parties until the matter is resolved.
• The information and services you can access and share via your Account are limited by the level at which you have verified your identity.

Privacy Impact Assessment (PIA)PDF2.3 MB

We collect information you provide to us as part of confirming who you are. The information you provide and how you verify your identity sets up an 'Identification Level' for your account. This enables you to connect with digital health services that match your Identification Level. The higher your Account Identification Level, the surer we can be about who you are, and the more services you can access.

Identification Level 1

At Level 1, you only need to provide an email address to sign up. You have very limited access to digital health services at this level because you still need to confirm who you are. At Level 1, My Health Account stores the following information about you:

• Your email address
• Your preferred name (if provided)
• Your mobile phone number (if provided).

Identification Level 2

At Level 2, you have entered your details from one of the eligible identity documents or you have used information held by your general practice (GP) to verify who you are. At Level 2, My Health Account stores the same information as Level 1, plus:

• Your first name, middle name/s (if you have them), and last name
• Your date of birth
• Your HPI number (CPN) if you have added it.

You must use either the identity document check or the healthcare provider check to reach Level 2.

Identification Level 3

At Level 3, we check that it is really you that has created the account and that the right person has been connected to the account. At Level 3, My Health Account stores the same information as for Levels 1 and 2, plus:

• Your HPI number (CPN) if you have added it.

To reach Level 3, you must use:

• your RealMe® Verifiedexternal link account, or
• the combination of the identity document check and the healthcare provider check.

Identification Level 2N or 3N

Your account will be upgraded from Level 2 to 2N or Level 3 to 3N if you decide to add your NHI number to your account. This allows you to access your health information and digital health services related to your NHI information. At Levels 2N and 3N, My Health Account stores the same information as for Levels 1, 2, and 3 plus:

• Your NHI number
• Your address, temporarily (if provided)
• Your gender, temporarily (if provided).

Identity document check

When you use the identity document check, we verify your identity document details provided such as your name, date of birth, document number, and other details (depending on the document – for example, your NZ driver licence).

We send the information you give us to our document-checking partners, Cloudcheck from Verifiexternal link or Kiwi Access Cardexternal link Verification for verification that the document matches the details you provide.

Verifi is a New Zealand subsidiary to GBG company that provides Cloudcheck, a service to check records such as passports, driver licences, birth certificates, and other records with the Department of Internal Affairs, Waka Kotahi NZTA, and Australian authorities, on our behalf. We do record when and how you verified your identity, and the type of document you used, but do not retain the unique identifiers associated with those forms of ID.

The Kiwi Access Card is a Government recognised form of photographic ID and evidence of age card. Managed by Hospitality New Zealand, the Kiwi Access Card makes access to goods and services easier for everyone in New Zealand. An alternative to a Drivers Licence or Passport, the Kiwi Access Card is valid for 10 years. It is available to both NZ nationals and international visitors who are over the age of 18.

As with Cloudcheck, we do record when and how you verified your identity, and that you used your Kiwi Access Card, but do not retain the unique identifiers associated with your card.

Healthcare provider check

When you use the healthcare provider check, we verify your identity using details held by the general practice with which you are enrolled.

If you have not already added your NHI number to your account, we check the details you give us against the NHI database to link those details to a unique NHI number.

We then check the contact details held about you by your general practice with which you are currently enrolled (if you authorise us to do so). We send you a one-time code challenge to the mobile phone number that your general practice has on their records.

If you have that mobile phone, you will be able to get and input the one-time code into My Health Account. If you do this successfully, the Identification Level of your account will be updated.

Health workforce

Workers who support the health-related needs of people in New Zealand can set up a health workforce digital identity account using My Health Account. This allows them to connect with digital health services in their health-related role. This may include health practitioners with a Common Person Number (CPN), otherwise known as an HPI Number, or other industry-recognised identifier, if approved by My Health Account for this purpose.

We use your CPN or other approved identifier, together with the name and contact details you have given us to give you access to health-related digital health services, and to record what health-related digital health services you access.

My Health Account Workforce is Health NZ's digital service specific for workers who support the health-related need of people in New Zealand.

My Health Account Unified is an updated service that supports an individual who provides services to health consumers but does not have unique work email (e.g. jane.jones@healthprovider.co.nz), or works with more than one service, to use their preferred email to add one or more workforce profiles to their My Health Account.

As a health workforce member, where you use your My Health Account Unified to access work-related digital health services, we specifically exclude sharing your NHI if it is a health workforce-related application, and we specifically exclude sharing your CPN if it is a health consumer service application.

Your My Health Account information is used to:

• respond to your requests and inquiries made through or about your Account
• protect against and identify fraud and other criminal activity. Note: it is an offence under section 212(2)(c) of the Privacy Act 2020 to falsely pretend to be an individual or falsely claim to be acting under their authority to obtain access to that individual’s personal information
• comply with and enforce applicable legal requirements, relevant standards, and our policies, including this Privacy statement
• enable us to prepare reports of statistical information about how services are used (you will not be identified in the reports produced) so that we can monitor and improve the performance of My Health Account and monitor interactions with participating third-party applications and services using My Health Account.

The Account allows you to connect with and use participating third-party apps and services:

• You need to review relevant information from those other services before you sign up to them, and grant permissions to sharing your information with those other services at the time you first access the services.
• We disclose to those participating apps and services your documented identity attributes, such as your first name, middle name, preferred name (if one is provided), last name, date of birth, email address, mobile phone number, NHI number, HPI number (CPN), related family member NHI numbers (if applicable), and identification level associated with your account.
• Attributes will only be shared with digital health services as necessary for that service. If the details are not necessary for operation of the application, they will not be supplied.
• The list of which attributes digital health services can receive is agreed upon and configured during the application onboarding process. My Health Account will ask you to grant permissions when first accessing the service and those permissions will be displayed to you as part of the Account services.
• You can also choose to stop sharing your information within your My Health Account to an application if you have previously given permission. They may retain any information supplied about you while the permission was granted but will not be able to access your Account information in future.
• Some services that require My Health Account verification apply age restrictions. If your date of birth is outside the permitted age range, you will be refused access to those services.

Connected digital health servicesexternal link

Your email address

To help keep your Account secure, we may email you a verification code to use when you log in. This can also be used to help maintain your Account, for example, when you change your password. The email address must be one that is unique to you, and that you have control over, and cannot be already linked to another Account. We will use this email address to contact you and may email you with updates to the My Health Account Privacy statement, and services and applications that you can access via My Health Account.

Your mobile number

We can communicate with you via SMS (text message), rather than email, for ‘One-Time Passwords’ (OTPs). We will verify your mobile number with you before we send a text message. Your mobile phone number details held within My Health Account may be shared with digital health services that are authorised and linked to the My Health Account service. These digital health services may display your stored mobile phone number from My Health Account to allow you to give permission for that digital health service to communicate with you via text message.

We take your privacy seriously.

We have discussed the My Health Account service with the Office of the Privacy Commissionerexternal link and the Government Chief Privacy Officerexternal link . We continue to take their advice as we develop the service further.

A Privacy Impact Assessment (PIA) has been completed. The PIA is updated to reflect new My Health Account features and functionality as they become available.

Privacy Impact AssessmentPDF2.3 MB

Your personal information is held and managed in accordance with the Privacy Act and Health Information Privacy Codeexternal link .

Information you share with Health New Zealand may be shared with other Government agencies with your permission or as authorised by law. This may happen:

• if you have authorised this sharing
• if we think it is necessary for your care and treatment
• If there is an incident we need to investigate, or a technology issue
• for your safety or the safety of others, or
• if authorised by law.

We may provide information to other government agencies where the account is used by both agencies, such as ACC ProviderHub. In these instances, we would share information to authenticate your account, identify you, help you access your account or to troubleshoot any account issues identified by us or the agency using the account. We may also provide your information to the Ministry of Health and other government agencies that require us to provide information for administrative, legal, contractual, statistical, research or public health purposes.

Information you choose to share with us will be held securely in compliance with Health NZ standards. Security measures are in place to protect your information from unauthorised access.

We use Microsoft Azure Services in Australia to deliver the Service. Use of other third-party services is detailed in the current Privacy Impact Assessment (PIA)PDF2.3 MB .

We use Google reCAPTCHA v3 as a security measure to defend My Health Account against bots. reCAPTCHA collects information such as IP address, hardware and software information, and device and application data. This information is only used to provide, maintain, and improve reCAPTCHA and for general security purposes.

Once a My Health Account is created, the following information is retained: Applicant name, date of birth, preferred name, email, mobile phone number, and supplied and verified NHI number or HPI number (CPN). Related child NHI numbers are also retained until the relationship is removed (not when the My Health Account that established the relationship is deleted). These details are supplied to authorised services connecting to the My Health Account service as identified in the PIA for each of those services (and as approved by the My Health Account service).   

You can ask for your account to be closed by calling the Contact Centre on 0800 222 478 or +64 9 307 6155. Once closed, your account is not able to be used for any further activities and all details, other than those required for audit activity, will be deleted. The email associated with the account, the Identification Level obtained, and the related dates and the NHI number and / or CPN (if added) are retained.

• Do not share your account details with other people.
• Keep your password safe.
• We recommend using a screen lock on your device.

If you believe your password may have been compromised, please change it. If you believe your account has been compromised, please call the Contact Centre on 0800 222 478 or +64 9 307 6155 as soon as you can.

To view any personal information held by us about you, or if you have any concerns or questions about the personal information that we hold and wish to request a correction, please write to:

The Privacy Officer
Health New Zealand | Te Whatu Ora
PO Box 793
Wellington 6140
Email: hnzprivacy@health.govt.nz

We may require proof of your identity before being able to provide you with any personal information.

When you contact us for help, your communications, including any information you provide regarding your identity and the matter you are contacting us about, are collected.

Feedback is important and is used to evaluate and improve My Health Account. If you provide feedback by email, that feedback is sent to the appropriate Health NZ staff. This could include your email address and other identifying information that you have provided.

• Phone: 0800 222 478 or +64 9 307 6155 during standard office hours, 8 am to 5 pm Monday to Friday
• Email: support@identity.health.nz

We may collect statistical information to help us improve the Service and understand how it is being used. In summary, this includes the event type and session, timestamps, and the type of device being used. This information is aggregated and does not identify you personally. Full details about the statistical information collected is addressed in our Privacy Impact AssessmentPDF2.3 MB .

Your My Health Account details (including NHI number, and related attributes of age, address (suburb, town, and postcode and relevant Health New Zealand district), ethnicity, gender, New Zealand citizenship / residency status) may be used for statistical reporting on the performance of My Health Account to enable performance monitoring and service improvement. It may also include interactions with integrating applications, such as My Health Record, to identify usage statistics. Your personal information will remain securely contained in our systems and only aggregated information (without your name details, NHI number, or contact details) will be used in reports created, to preserve individual privacy for reporting purposes.

My Health Account uses temporary session cookies. The session cookies are limited to the lifetime of the session and provide support for features such as single sign-on (SSO), as well as enhancing the user experience within the My Health Account self-service portal. My Health Account does not use third-party or “tracking” cookies.

Please contact us by email: hnzprivacy@tewhatuora.govt.nz.

If you are not satisfied with the response to any privacy concern, you can contact the Office of the Privacy Commissioner.

Privacy Commissioner - Te Mana Mātāpono Matatapuexternal link

This Privacy statement may be updated to let you know about changes in how we collect and process your information in the Services or changes in related laws. The date when the document was last updated is shown at the top of this Privacy statement.