Health Information Act · checked July 2026

The Health Information Act, translated for clinics.

The Health Information Act passed Parliament on 12 January 2026, and its obligations phase in by batch from September 2027. This page says what that means for a clinic, in clinic language, not legal language. Forward it to whoever runs the practice.

Readiness record · private issue

Status AUDIT-READY AS AT JUL 2026
CSA mark area · issued separately
Scheme
CS/DS ESSENTIALS
Scope
CLINIC COHORT
Consultant
NAMED ON EVERY JOB
Reviewed
JUL 2026
A readiness record, not a certificate. Certification is issued by the scheme's appointed bodies.

The dates, as scheduling facts.

Treat these the way a clinic already treats vaccine cold-chain checks: a date on a calendar, checked and diarised, not a countdown to dread.

  1. September 2027

    Batch 1

    The first group of licensees takes on the obligations. We will confirm which licence types sit here as MOH publishes the list.

  2. September 2028

    Batch 2, including OMS clinics

    Outpatient medical service clinics with GP and specialist services join here. This is the batch most private clinics should diarise.

  3. March 2030

    Batch 3

    The final group. If your clinic has not been placed in Batch 1 or 2, this is the outside date to plan against.

HCSA licensees that do not contribute to NEHR still implement CS/DS Essentials by September 2028. Contribution status does not remove the obligation, it only changes which batch you diarise against.

What MOH actually asks for.

MOH’s Cybersecurity and Data Security (CS/DS) Essentials: required practices across cybersecurity, data security and common practices. Three buckets, in plain English.

  1. Cybersecurity controls

    The technical basics: access control, patched systems, protected networks. The same territory as Cyber Essentials, applied to a clinic’s systems.

  2. Data security practices

    How patient data is stored, shared and disposed of. Written policies a locum or new hire can follow without asking twice.

  3. Common practices

    Staff training and vendor management: the people and the suppliers around your systems, not just the systems themselves.

Most breaches begin with human error: a staff member clicking a malicious link. Security-awareness training measurably reduces this risk.

If a confirmed incident happens

Confirmed incidents: initial report to MOH within 2 hours, detailed report within 14 days. We state this once, calmly: it is a scheduling fact for your incident plan, the same as any other deadline in this checklist.

The Act asks for MOH's standard, not a CSA badge.

What the Health Information Act actually requires is MOH's CS/DS Essentials, and that is what we get your clinic to. Separately, MOH and CSA have co-developed a Cyber Essentials sub-scheme for healthcare entities that a clinic can choose to certify against. The two overlap heavily, so one engagement with us covers the CS/DS Essentials the Act requires and produces the evidence for that healthcare mark too, if you decide you want it, rather than two separate projects.

Built for clinic hours.

The scheduling cost sits with us, not you. (say real: you keep seeing patients, we work around your hours.)

Work happens around consults.

We plan sessions between patient slots or after hours, whichever your practice manager prefers. The clinic keeps seeing patients throughout.

Nothing requires closing the practice.

Assessment, evidence-gathering and staff training are scheduled in pieces that fit around a working clinic, not a shutdown day.

Documents a practice manager can maintain.

Policies and evidence are written in sentences, filed so the next review does not need us to explain what we did the first time.

The first clinic cohort is capped at 20.

Capped so every clinic in the cohort gets a named consultant, not a queue. Launch pricing is published to this list first, and it will follow the same one-sentence rule as everything else on this site.

Join the clinic list

Plain answers

When does the Health Information Act apply to my clinic?

It depends on your licence type and batch. Batch 1 obligations begin September 2027, Batch 2 (including OMS clinics with GP and specialist services) begins September 2028, and Batch 3 begins March 2030. We check your licence type against the batches free, before you commit to anything.

What is CS/DS Essentials?

MOH's Cybersecurity and Data Security Essentials: a set of required practices across three buckets, cybersecurity controls, data security practices, and common practices like staff training and vendor management. It is the working checklist behind the Act, in plainer form than the legislation itself.

Do we also need the Cyber Essentials Mark?

The Act itself requires MOH’s CS/DS Essentials, not the CSA Cyber Essentials Mark. Separately, MOH and CSA have co-developed a Cyber Essentials sub-scheme for healthcare entities that a clinic can choose to certify against. The two overlap heavily, so one engagement with us covers the CS/DS Essentials you must implement and produces the evidence for that healthcare mark if you decide you want it.

What about NEHR contribution?

Clinics contributing to the National Electronic Health Record follow the batch that applies to their licence type. HCSA licensees that do not contribute to NEHR still need to implement CS/DS Essentials by September 2028, so non-contribution does not mean the Act can be ignored.

How disruptive is this for a small practice?

We schedule around your consult hours. Nothing in our process requires closing the practice, and the documents we leave behind are written so a practice manager can maintain them without calling us every time something changes.

Send us your licence type. We'll send back your dates.

A named consultant replies with your batch, your dates, and a one-page plan. Free.