Privacy Policy

  • What personal information we collect and why
  • Who we share your personal information with and when
  • Controlling your personal information

Privacy Policy for Bodyworx Healthcare Limited
Current as of 1st July 2022

This privacy policy sets out how Bodyworx Healthcare Ltd uses and protects any information that you give Bodyworx Healthcare Ltd. 

Bodyworx Healthcare Ltd is committed to ensuring that your personal information is professionally managed in accordance with all New Zealand Privacy Principles. This privacy policy is to provide information to you, our patient, on how your personal information (which includes your health information) is collected and used within our practice, and the circumstances in which we share it with third parties.

Bodyworx Healthcare Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure you are happy with any changes.

What personal information we collect and why

When you register as a patient of our practice, your osteopath and/or their support team will need to collect your personal information so that they can provide you the best possible healthcare services. We also use your information for directly related business activities, such as financial claims and payments, practice audits, accreditation and normal business processes.

The personal information we collect and hold generally includes:

  • Your name, address, date of birth, contact details

  • Information about your health condition, medical history, social and family history, risk factors, medications, allergies, adverse events, immunisations and treatment you may have already received

  • NHI and ACC numbers for identification and naming purposes

  • Private Health fund details

Only practice staff who need to see your personal information will have access to it. All practice staff have signed a confidentiality agreement as part of their employment contract with us.

Who we share your personal information with and when

Other healthcare providers and only with your consent. 

Third parties who work with our practice for business purposes, such as:

  • IT when system repairs or upgrades are required

  • ACC or insurance providers and other accreditation agencies that may require information to complete claims. Please note in these instances your consent is typically given when you make an application for an ACC or insurance claim

  • Platforms that link government agencies e.g. ACC to our practice management systems for the transfer of data

Statutory requirement to lawfully share certain personal information, such as mandatory notification of certain diseases. Court subpoenas required or authorised by law. When necessary to lessen or prevent a serious threat to a patient's life, health or safety, or public health and safety, or if it is impractical to obtain the patient's consent.

Our practice will not use your personal information for marketing any of our goods and services directly to you without your consent. If you do consent to our newsletter you may opt out at any time by notifying our practice by email – [email protected]

Only those people that need to access your personal information will be able to do so. Other than in the course of providing osteopathic services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent.

Controlling your personal information

Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date.

You have the right to access and correct personal information that we hold about you.

If you wish to access or update your personal information we request that you do so at the time of your booking.

Alternatively you can contact our practice manager on 09 638-7831 or by email at [email protected]

  • 1. About This Addendum
  • 2. Who We Are (Collector Details)
  • 3. What Is Indirect Collection of Health Information?
  • 4. Sources of Indirectly Collected Health Information
  • 5. Why We Collect This Information (Purpose)
  • 6. Who May Receive Your Information (Intended Recipients)
  • 7. Legal Authority for Collection
  • 8. How and When We Will Notify You
  • 9. Summary: The Six IPP3A / HIPC Rule 3A Notification Elements
  • 10. Your Rights — Access and Correction
  • 11. Exceptions to Notification
  • 12. Review of This Statement

Privacy Statement Addendum
Indirect Collection of Health Information —
IPP3A / HIPC Rule 3A
Privacy Amendment Act 2025 | In force 1 May 2026

1. About This Addendum

This section is an addendum to our existing Privacy Statement. It sets out how we meet our obligations under Information Privacy Principle 3A (IPP3A) and Rule 3A of the Health Information Privacy Code 2020 (as amended), which came into force on 1 May 2026 under the Privacy Amendment Act 2025.

These rules extend our notification obligations beyond the direct collection of your information. They now also require us to tell you when we receive health information about you from other sources — such as another health provider, ACC, or a third-party system — and the information has been collected on or after 1 May 2026.

2. Who We Are (Collector Details)

We are a health agency as defined under the Health Information Privacy Code 2020. Our contact details are:

Clinic / Practice Name
Bodyworx Healthcare Limited

Street Address
17-13 Coles Ave, Mt Eden, Auckland 1024

Postal Address
P.O. Box 67-092, Mt Eden, Auckland

Phone
09 638-7831

Email
[email protected]

Privacy Officer
Karen Gardner - Director

3. What Is Indirect Collection of Health Information?

We collect health information about you in two ways:

  • Directly — when you give us information yourself, for example during a consultation, by completing a form, or in a phone call.

  • Indirectly — when we receive health information about you from another person or organisation, rather than from you.

This section of our Privacy Statement deals with indirect collection. Rule 3A of the Health Information Privacy Code now requires us to notify you whenever we collect your health information indirectly (from 1 May 2026), unless an exception applies.

4. Sources of Indirectly Collected Health Information

We may receive health information about you from the following types of third parties:

4.1  Other Health Provider

  • General practitioners (GPs) and primary care providers

  • Hospital and specialist outpatient services

  • Allied health professionals (physiotherapists, psychologists, occupational therapists, etc.)

  • Laboratories and diagnostic imaging services


4.2  ACC (Accident Compensation Corporation)

  • Claim-related information provided by ACC when managing or supporting an ACC treatment or rehabilitation plan

  • ACC case notes, assessment reports, or correspondence shared for the purpose of coordinating your care

  • Referral or authorisation information sent by ACC to support funded treatment


4.3  Other Agencies and Systems

  • Third-party clinical software and cloud-based systems that hold or exchange your records (e.g. patient management systems, e-referral platforms, secure messaging services)

  • Legal representatives or guardians acting on your behalf

  • Insurers or other funders, where relevant to authorising or co-ordinating care

5. Why We Collect This Information (Purpose)

We collect health information about you indirectly for the following purposes:

  • To provide you with safe, coordinated, and continuity-of-care health services

  • To assess, diagnose, treat, or manage your health condition

  • To process, support, or manage an ACC claim you have made or are involved in

  • To fulfil obligations under a referral or care-coordination arrangement

  • To meet our legal, regulatory, and professional obligations as a health provider

  • To maintain accurate and complete medical records as required by law

  • To communicate with other health providers involved in your care

We only collect the health information that is reasonably necessary for these purposes.

6. Who May Receive Your Information (Intended Recipients)

Health information we hold about you (including information collected indirectly) may be shared with:

  • Members of your treating clinical team within our practice

  • Other health providers directly involved in your care (e.g. specialists, hospitals, allied health)

  • ACC, where the information relates to an active or potential ACC claim

  • Our third-party clinical software providers, strictly for secure storage and system operation

  • Your authorised representative or legal guardian

  • Other agencies required or authorised by law (e.g. medical officers of health, courts)

We do not sell your health information. We only disclose it as described above, or where you have given consent, or where required or permitted by law.

7. Legal Authority for Collection

The collection and handling of your health information is authorised or required under one or more of the following:

  • Health Information Privacy Code 2020 (as amended by Amendment No 2, March 2026)

  • Privacy Act 2020 (including IPP3A, in force 1 May 2026)

  • Health and Disability Commissioner (HDC) Act 1994 and the Code of Health and Disability Services Consumers' Rights

  • Accident Compensation Act 2001 — ACC has statutory authority to collect and share information for the purpose of administering claims and funding treatment

  • Any other legislation directly applicable to your treatment or care

8. How and When We Will Notify You

When we collect health information about you indirectly, we will take reasonable steps to make sure you are aware of the matters in section 9 below. We will typically notify you:

  • At or before your next appointment, consultation, or point of contact with us after we receive the information

  • By updating this Privacy Statement (which we publish on our website)

  • By verbal notification during a consultation, where appropriate

  • By written notice (letter, email, or patient portal message), where required

In some cases we may not be required to notify you — for example, where you have already been told (such as through a referral letter you received a copy of), where notification is not practicable, or where an exception under Rule 3A of the Health Information Privacy Code applies.

9. Summary: The Six IPP3A / HIPC Rule 3A Notification Elements

The following summarises the six elements we are required to communicate to you under Rule 3A, and how we address each one in this addendum:

Sources of collection
Section 4 — lists the third parties and types of organisations from which we may receive your health information

Purpose of collection
Section 5 — explains why we collect the information and how it is used in your care

Intended recipients
Section 6 — identifies who may receive or have access to your health information

Collector identity & contact
Section 2 — provides our clinic name, address, and privacy contact details

Legal authority
Section 7 — sets out the legislation that authorises or requires us to collect the information

Access & correction rights
Section 10 — explains how you can request access to, or correction of, your information

10. Your Rights — Access and Correction

You have the right under the Privacy Act 2020 and the Health Information Privacy Code 2020 to:

  • Request access to health information we hold about you (Rule 6 of the HIPC)

  • Request correction of health information we hold about you that you believe is inaccurate, incomplete, or misleading (Rule 7 of the HIPC)

  • Attach a statement of correction to your record if we do not make a requested correction

  • Complain to us, and ultimately to the Privacy Commissioner or Health and Disability Commissioner, if you believe your privacy rights have been breached


How to Make a Request
To request access to or correction of your health information, please contact our Privacy Officer using the details in Section 2. We will respond within 20 working days. We may ask you to verify your identity before we can process your request.

Complaints
If you have a concern about how we have handled your health information, please contact our Privacy Officer in the first instance. You may also contact the Office of the Privacy Commissioner at www.privacy.org.nz or by calling 0800 803 909, or the Health and Disability Commissioner at www.hdc.org.nz or by calling 0800 11 22 33.

11. Exceptions to Notification

Rule 3A notification is not required in all cases. We may not notify you where:

  • You have already been informed of the collection (e.g. you received a copy of a referral letter sent to us)

  • The information will not be used in a way that identifies you

  • We reasonably believe that non-notification would not prejudice your interests

  • Notification would be prejudicial to the health or safety of any individual

  • Notification is not reasonably practicable in the circumstances

  • An exemption applies under the Health Information Privacy Code 2020 or the Privacy Act 2020 (e.g. for serious public health or safety reasons, law enforcement, or national security)

12. Review of This Statement

This addendum will be reviewed and updated whenever there is a material change to our collection practices or to the applicable law. The current version is always available at our reception desk and on our website.

This addendum should be read together with our full Privacy Statement. In the event of any inconsistency between this addendum and the full Privacy Statement in relation to indirect collection of health information on or after 1 May 2026, this addendum prevails.
