AHPRA Cosmetic Clinic Crackdown 2026: What's Actually Changed and What to Fix on Your Website This Week

By AHPRA: NMW0002113429 | 1 May 2026 | 10 min read

If you run a cosmetic clinic in Australia, you are operating in the strictest regulatory climate the industry has ever seen. AHPRA has stepped up its enforcement activity throughout 2025 and 2026, and a court ruling in Western Australia in early 2026 marked the first successful prosecution under the National Law for non-compliance with an AHPRA investigation. The case did not centre on a practitioner directly; it centred on a business supporting clinical practice. That detail matters. Practice managers and clinic owners are now in the regulatory crosshairs alongside the practitioners themselves.

This article covers what's changed, what's being prosecuted, and the audit you should be running on your own website this week — before AHPRA does it for you.

What's actually changed in AHPRA's 2026 enforcement?

The regulatory pressure on cosmetic clinics has shifted in three ways:

  1. Enforcement is more frequent and more targeted. Complaints are rising, audits are more frequent, and online conduct now attracts the same level of scrutiny as in-clinic behaviour. AHPRA is no longer waiting for patient complaints — they are running keyword scans across clinic websites and social media, and sharing data with Medicare, employers, and police.
  2. The first prosecution under National Law has set a precedent. AHPRA CEO Justin Untersteiner stated that the case "serves as a clear reminder to practitioners and businesses of the importance of cooperating fully with Ahpra investigations, and that Ahpra will take enforcement action, including prosecution, where necessary." Failing to comply with an investigation is now a criminal offence with a real conviction record.
  3. Detection methods have multiplied. AHPRA's published list of detection methods now includes patient and staff notifications, advertising audits and keyword scans, monitoring of clinic websites and social media, data sharing with other agencies, and anonymous reports. As one industry publication put it, "If you actively market your services, your digital footprint is visible."

The implication for cosmetic clinics is uncomfortable but specific: the things you have been doing for years — the ones every other clinic in your suburb is also doing — may now actively trigger an investigation.

The seven things AHPRA is currently targeting on cosmetic clinic websites

Based on the current AHPRA cosmetic procedure advertising guidelines and the published website audit checklist, seven categories account for the majority of breaches.

1. Patient testimonials — including embedded reviews

This is the one most clinics get wrong. AHPRA has stated explicitly that "all patient testimonials about clinical services are banned, even if anonymised or neutral in tone." The published audit checklist requires clinics to:

  • Delete patient quotes, case studies, and "real patient stories"
  • Remove embedded Google or Facebook reviews — even when published by patients themselves
  • Avoid reposting influencer or patient content that contains praise or treatment outcomes
  • Stop using language like "tell us how we did" if it relates to clinical services

If your homepage has a Google reviews widget showing five-star treatment praise, that is a breach. If your Instagram reposts patient selfies after injectables, that is a breach. The platform doesn't matter. The fact that the patient consented doesn't matter. Testimonials about clinical services are out.

2. Schedule 4 product brand names

Schedule 4 prescription-only medicines — including botulinum toxin and dermal fillers — cannot be advertised to the public, either directly or indirectly. The trap most clinics fall into is the indirect reference. Treatment category descriptors like "anti-wrinkle injections", "dermal fillers", or "lip flip" are commonly used to indirectly refer to specific Schedule 4 products. Even hashtags and image captions count. The TGA's Therapeutic Goods Advertising Code is the authority here, and a breach of the Schedule 4 prohibition is one of the easier breaches for AHPRA to identify because it can often be triggered by a single keyword.

3. Promotional language and "miracle" claims

Phrases that imply guaranteed or exaggerated results are a regular target. The audit checklist names specific examples to eliminate: "perfect skin", "no pain", "instant results", "miracle procedure". Adjacent issues include language that pathologises normal features ("fix your flaws"), promotional language targeting under-18s, and casual treatment framing like "lunchtime makeover".

The tone test is simple: clinical, not commercial. If your website wording would feel at home in a fashion magazine ad, it does not belong on a healthcare website.

4. Before-and-after image issues

Before-and-after photography is permitted, but the requirements are strict:

  • Use only actual patient images, not stock photos
  • Document patient consent for every image
  • Use consistent lighting, angles, and expressions across the pair
  • Don't use only the "after" image
  • Remove airbrushed or edited photos
  • Avoid sexualised, glamourised, or sensational content (no bikini-clad models, no unrealistic depictions)
  • Never use images of minors in a cosmetic context
  • Include a prominent disclaimer that individual results vary

If your before-and-afters were uploaded before the new disclaimer requirements came in, they are likely non-compliant. The fix is a quarterly website review — the published guidance specifically recommends scheduling one to "catch non-compliant copy that may creep in over time, especially after updates or changes in staff."

5. Free consultations as a sales tactic

Free consultations can still be advertised, but only if "clearly positioned as general information sessions, and not used as a sales tactic or implied endorsement of a treatment." If your free-consultation banner sits next to a treatment menu and a "book now" button, the framing is sales, not information. Restructure or remove.

6. Discounts, package deals, and inducements

The new advertising guidelines for high-risk non-surgical cosmetic procedures explicitly prohibit financial incentives that may encourage patients to undergo treatments. That includes discounts, giveaways, competitions, "limited-time offer" framing, "$50 off your first treatment", and "bring a friend and save". Payment plans are still allowed, but only described "factually and neutrally — not marketed as special or exclusive offers".

7. Social media that doesn't follow the same rules

This is where most clinics inadvertently breach. AHPRA has confirmed that the same advertising rules apply on social media as on your website. Inappropriate use can result in harm to patients and the profession, and information posted on social media is "often impossible to remove or change". The breach lives forever, even if you later delete the post.

Your Instagram, Facebook, TikTok, and any influencer collaborations need to meet the same standards as your website — testimonials, Schedule 4 references, before-and-afters, promotional inducements, all of it.

What clinic owners and practice managers should actually do

Three concrete steps, in order of urgency.

Step 1: Run a real audit on your website this week

Don't rely on memory. Open every page on your website, every Instagram post in the last six months, every TikTok video, and every embedded review widget. For each, ask:

  • Is there a patient testimonial? (Including reviews, quotes, and "stories.")
  • Does it name a Schedule 4 product brand or imply a specific Schedule 4 product?
  • Does it use exaggerated or "miracle" language?
  • Are the before-and-afters consistent, consented, and disclaimed?
  • Does it advertise a discount, package, or competition?
  • Is the social media version held to the same standard?

Document every issue. You'll need the list for the next step.

Step 2: Fix the high-risk items first

Testimonials and Schedule 4 references are the highest-risk items because they are the easiest for AHPRA's keyword scans to detect. Remove or replace those before anything else. Promotional language and inducements are next. Before-and-after disclaimers can be addressed in batches.

For multi-site groups: do one location end-to-end first, document the fixes, then roll the same playbook across the group. Trying to fix everything everywhere at once is how things get missed.

Step 3: Make compliance ongoing, not annual

The published advice is to schedule a quarterly website review. The reality is that staff changes, new product launches, and seasonal campaigns introduce non-compliance more often than that. Build the audit into your ongoing operations — not as an annual fire drill.

This is where dedicated tooling matters. Manual audits across a multi-site cosmetic group take days each quarter, and most clinics don't have the time. AHCRA's website compliance audit runs 51 checks against AHPRA, TGA, ACCC, and Privacy Act requirements with specific fix recommendations for every flagged issue. Run it on your own website — and on the websites of any clinics you've acquired or partnered with — to surface the breaches before AHPRA does.

What this means if you've already received an AHPRA notice

If a notification has landed on your desk in 2026, do not start by searching for cheap ways out. Cooperate with the investigation, get your evidence in order, and engage proper legal advice. The WA prosecution case showed exactly what happens when a business decides to ignore an AHPRA request — a criminal conviction, a fine, and a public record. The cost of cooperation is always lower than the cost of obstruction.

Document everything you've fixed since you received the notice. Document every compliance review you've ever conducted. If you've used a compliance platform like AHCRA, the audit history is automatically preserved — that pattern of ongoing review is exactly the evidence AHPRA wants to see.

Frequently asked questions

Is AHPRA actively monitoring our website right now?

Possibly, yes. AHPRA has confirmed it runs advertising audits, keyword scans, and ongoing monitoring of clinic websites and social media. They do not rely solely on patient complaints. If you actively market cosmetic services online, your content has been indexed by their detection systems.

What's the difference between a patient testimonial and a case study?

Both are banned for clinical services. AHPRA's guidance covers patient quotes, case studies, "real patient stories", and embedded reviews — even anonymised or neutral in tone. The distinction is not based on format. It is based on whether the content relates to clinical services.

Can we still use Google reviews on our cosmetic clinic website?

Not when they relate to clinical services. The published audit checklist explicitly says to "remove embedded Google or Facebook reviews, even if published by patients themselves". Reviews about non-clinical aspects (parking, reception experience, billing clarity) may be permissible, but reviews praising treatment outcomes are not.

Is "anti-wrinkle injections" actually banned?

The phrase itself isn't banned — but using it to indirectly refer to specific Schedule 4 products is. If "anti-wrinkle injections" appears on a treatment menu next to pricing, with imagery and outcomes that imply botulinum toxin, the indirect reference rule is likely triggered. The safer phrasing avoids both the brand name and any descriptor that points to a specific Schedule 4 product.

How often should we audit our website for compliance?

The published industry guidance recommends quarterly. In practice, anytime you make a website change, run staff onboarding, or update treatment offerings, a re-audit is appropriate. Build it into your operations.

What's the actual penalty for advertising breaches?

Penalties vary. Outcomes can include education, fines, conditions on registration, suspension, deregistration, and — as the WA case showed — criminal prosecution for non-compliance with the investigation itself. Reputational damage from a publicised AHPRA finding often exceeds the financial penalty.


If you'd like AHCRA to run a website audit on your clinic — covering AHPRA, TGA, ACCC, and Privacy Act requirements with line-by-line fix recommendations — get in touch or run the audit yourself via the compliance platform.

Justine Coupland

Registered Nurse & Healthcare Compliance Professional

Justine Coupland is a registered nurse and healthcare compliance professional at AHCRA, with a background in practice management, healthcare IT, and regulatory compliance across Australia.
