Clinical AI governance for Aotearoa's health system under HIPC 2020 and Te Tiriti.
We build governance for Te Whatu Ora, primary care, private providers, and healthtech under the Health Information Privacy Code 2020, the Code of Health and Disability Services Consumers' Rights, Medsafe expectations, and Te Tiriti o Waitangi obligations.
Built for
What clinical leadership walks away with.
Full engagement methodology
HIPC compliance assessment
Every flow of health information through AI mapped, classified under the HIPC 2020 rules, and tied to consent and overseas-transfer documentation.
Cultural safety governance
Performance review across Māori and Pacific patient populations, training data gap analysis, and monitoring protocols grounded in kaitiakitanga.
Clinical translation protocols
Validation against NZ clinical practice, human oversight rules per use case, competency frameworks, and override procedures for AI recommendations.
Accountability framework
Documented responsibility allocation when AI fails, vendor change-of-control protections, and incident reporting aligned with Te Whatu Ora quality frameworks.
Why off-the-shelf AI governance fails in NZ healthcare.
Research from Waitematā Healthcare, published in Nature Digital Medicine, found that international AI governance frameworks are inappropriate for clinical practice in Aotearoa without significant adaptation. We start from the NZ regulatory and clinical environment, not an overseas template.
- 01 Context
International models miss the NZ context.
Frameworks developed overseas do not account for New Zealand's regulatory environment, population health profile, or Te Whatu Ora's operational structure. Importing them wholesale creates governance gaps at the point of patient care. The Waitematā Healthcare research established that clinical AI governance must be context-specific, not translated from a US hospital system or a UK NHS trust.
Healthcare AI governance programme
- 02 Constitutional obligation
Cultural safety is not optional in Aotearoa.
AI tools trained on overseas datasets can produce outputs that are clinically unsafe for Māori and Pacific patients. Bias in risk prediction, diagnostic imaging, and treatment recommendations compounds existing health inequities. Kaitiakitanga demands governance that embeds cultural safety assessment from the outset, and Te Tiriti o Waitangi requires it.
Māori data governance for health
- 03 Accountability gap
Accountability gaps remain unresolved.
When a clinical AI tool fails, who is responsible? When the vendor is acquired, what happens to patient data? Who monitors ongoing performance under HIPC 2020? Who manages conflicts of interest with the vendor? These questions rarely have clear answers in current deployments. Governance frameworks need to answer them around the responsibilities Medsafe, the Office of the Privacy Commissioner, and Te Whatu Ora expect.
Vendor risk and accountability
- 04 In force
Consent under the Consumer Rights Code.
Right 6 (information) and Right 7 (informed consent) under the Code of Health and Disability Services Consumers' Rights mean patients have to be told when AI is involved in their care, what role it plays, and what the limitations are. Generic consent forms rarely meet this bar for AI scribes, decision-support tools, or diagnostic imaging.
Consent and explainability artefacts
The PolyGovern tracks that apply to healthcare.
Three practice tracks built from the NZ clinical and regulatory environment outward, with cultural safety and Te Tiriti obligations embedded.
Track A
Governance and strategy
Clinical AI governance committees, policy, and operating models that integrate with existing clinical governance and quality improvement, aligned to Te Whatu Ora system-level expectations.
Track B
Assessment and assurance
Clinical risk assessment covering safety, cultural safety, HIPC compliance, vendor risk, and accountability gaps, with bias testing across Māori and Pacific populations.
Track C
Compliance and advisory
HIPC 2020 and Privacy Act 2020 compliance, Māori data governance grounded in kaitiakitanga, Consumer Rights Code-ready consent artefacts, and ongoing clinical advisory support.
Clinical AI across the NZ health system.
AI is moving into clinical practice across every part of Aotearoa's health system. Each setting brings different governance pressure depending on scale, patient populations, and regulatory exposure.
Te Whatu Ora and public hospitals
System-level AI governance that integrates with existing clinical governance, quality improvement, and equity commitments across departments and specialties.
Primary care and general practice
AI scribes and clinical decision support are spreading through general practice. Practitioners need consent, verification, and HIPC-aligned policies that fit a busy clinic.
Healthtech and medical device makers
Startups and established businesses building AI-powered clinical tools, needing Medsafe-aware governance, HIPC compliance, and cultural safety evidence to win NZ procurement.
Private hospitals and aged care
Southern Cross Healthcare, aged residential care, and specialist clinics deploying AI for clinical and operational purposes under the Privacy Act 2020 and quality-of-care obligations.
Healthcare AI questions from NZ organisations.
How is the HIPC different from the Privacy Act 2020 for AI?
The Health Information Privacy Code 2020 modifies several Information Privacy Principles for health data. It imposes stricter rules on collection, use, disclosure, and overseas transfer. For AI, that means HIPC-specific consent, tighter restrictions on secondary use for model training, and additional obligations when health information is processed by offshore vendors.
What does the Waitematā governance model mean for our organisation?
Waitematā Healthcare's research, published in Nature Digital Medicine, established that AI governance frameworks developed internationally are not appropriate for clinical practice in New Zealand without significant adaptation. Governance has to be built around the NZ regulatory environment, population health needs, and health system structure, including Māori and Pacific health priorities.
How do we address Māori data governance in clinical AI tools?
Most clinical AI tools are trained on datasets that underrepresent Māori and Pacific populations. Cultural safety governance requires assessing training data representativeness, testing tool performance across ethnic groups, monitoring for differential outcomes, and including cultural expertise grounded in kaitiakitanga. Te Tiriti o Waitangi requires this level of care for Māori health data.
What are our obligations under the Consumer Rights Code when using AI?
The Code of Health and Disability Services Consumers' Rights gives patients the right to be fully informed about the services they receive. Right 6 (information) and Right 7 (informed consent) require you to tell patients when AI is involved in their care, what role it plays, and what its limitations are. Generic consent forms rarely meet that standard.
What happens to our patient data if the AI vendor is acquired?
If a vendor is sold, merged, or goes into receivership, contractual protections for patient data may not transfer automatically. Vendor risk provisions should address change of ownership: what happens to the data, whether new owners inherit HIPC obligations, and your rights to retrieve or destroy data. Compliance-vetted protections need to be in vendor agreements before deployment.
Clinical AI governance built for Aotearoa.
We develop governance that addresses HIPC 2020 compliance, cultural safety, Māori data governance, accountability, and the specific questions your organisation needs answered before deploying AI in patient care.