The healthcare sector reported more data breaches than any other industry in Australia during the second half of 2023. According to the OAIC's Notifiable Data Breaches Report, health service providers accounted for 104 notifications in that period alone. That is not a blip. Healthcare has topped the breach statistics consistently since the scheme started in 2018.
If you run a clinic, GP practice, allied health service, or specialist rooms, you are sitting on one of the most sensitive data sets in the country. Patient records contain health information, Medicare numbers, contact details, and sometimes financial data. A single breach can trigger regulatory action, destroy patient trust, and cost you tens of thousands in remediation.
This guide breaks down exactly what healthcare privacy compliance in Australia requires of you. The legislation, the principles, the practical steps, and the penalties if you get it wrong.
What does the Privacy Act 1988 require of healthcare providers?
The Privacy Act 1988 is the foundational piece of federal privacy legislation in Australia. It applies to most private sector healthcare providers, including GPs, specialists, dentists, allied health professionals, pharmacists, and private hospitals.
The Act covers organisations with an annual turnover of more than $3 million. But here is the critical detail most people miss: health service providers are covered regardless of turnover. A sole-practitioner physiotherapist earning $180,000 a year is subject to the same privacy obligations as a large hospital group. The small business exemption does not apply to you.
The Privacy Act 1988 establishes the Australian Privacy Principles (APPs), confers privacy functions on the Australian Information Commissioner (whose office, the OAIC, is the regulator), and sets out the Notifiable Data Breaches scheme in Part IIIC. It also defines "health information" as a category of sensitive information, which attracts stronger protections than ordinary personal information.
Health information under the Act includes information about a person's health or disability, expressed wishes about future health services, and health services provided to an individual. This definition is broad. Clinical notes, pathology results, referral letters, mental health records, allied health assessments, and even appointment histories all qualify.
The OAIC's Guide to Health Privacy provides detailed guidance on how the Act applies specifically to health service providers. It is worth bookmarking.
Which Australian Privacy Principles matter most for healthcare?
There are 13 Australian Privacy Principles in total. All of them apply to you. But six are particularly high-stakes for healthcare providers. Understanding these is the foundation of your healthcare privacy compliance in Australia.
APP 1: Open and transparent management of personal information
You need a clearly expressed, up-to-date privacy policy. It must explain the kinds of health information you collect, how you collect it, why you hold it, and how patients can access or correct it. A generic template downloaded in 2015 will not cut it. Your policy needs to reflect your actual practices, including any use of cloud-based practice management software, telehealth platforms, or third-party billing services.
AHCRA offers privacy policy templates designed specifically for Australian healthcare providers, updated to reflect current legislative requirements.
APP 3: Collection of solicited personal information
You can only collect personal information that is reasonably necessary for your functions or activities, and you must collect it by lawful and fair means, from the individual where that is reasonable and practicable. Because health information is sensitive information, APP 3.3 adds a further condition: the individual must consent to the collection, or the collection must fall within a recognised exception (for example, it is required or authorised by law, or it is necessary to lessen or prevent a serious threat to life, health or safety). Collecting "just in case" data that you do not need for the service you provide is a breach of this principle.
APP 6: Use or disclosure of personal information
This is where most clinics trip up. You can only use or disclose health information for the primary purpose it was collected, or for a directly related secondary purpose the patient would reasonably expect. Sharing a patient's mental health diagnosis with their employer because the employer asked? That is a breach. Discussing a patient's condition with a family member without the patient's consent? Also a breach, unless a specific exception applies.
APP 11: Security of personal information
You must take reasonable steps to protect health information from misuse, interference, loss, and unauthorised access, modification, or disclosure. "Reasonable" is doing a lot of heavy lifting in that sentence. What counts as reasonable depends on the sensitivity of the information (health data is highly sensitive), the consequences of a breach, and the practical measures available to you. Leaving paper files unlocked, using shared passwords for practice management software, or failing to encrypt patient data in transit are all failures under APP 11. APP 11.2 also requires you to destroy or de-identify personal information once you no longer need it for any permitted purpose, subject to record retention requirements, so poor disposal practices are an APP 11 failure too.
APP 12: Access to personal information
Patients have a right to access their health records. You must provide access on request unless a specific exception applies (for example, if providing access would pose a serious threat to someone's life, health or safety). You must respond within a reasonable period; the OAIC's guidance treats 30 days as the benchmark. You may not charge for making the request, and any charge for giving access must not be excessive. If you refuse access, you must give written reasons and tell the patient how to complain.
APP 13: Correction of personal information
If a patient's health information is inaccurate, out of date, incomplete, irrelevant, or misleading, and you are asked to correct it, you must take reasonable steps to do so.
The OAIC provides the full text and guidance notes for all Australian Privacy Principles. Read them. They are surprisingly accessible for legislation.
How does the My Health Records Act 2012 affect your clinic?
The My Health Records Act 2012 governs the My Health Record system managed by the Australian Digital Health Agency (ADHA). If your clinic uploads information to or accesses the My Health Record system, you have additional obligations on top of the Privacy Act.
Key requirements under the My Health Records Act compliance framework include:
| Obligation | What it means for your clinic |
|---|---|
| Authorised access only | Only registered healthcare provider organisations and their authorised staff can access a patient's My Health Record, and only for the purpose of providing healthcare to that patient. You must have appropriate access controls in place. |
| Upload accuracy | Clinical documents uploaded to My Health Record must be accurate and up to date. |
| Patient controls | Patients can set access controls on their record, including restricting specific providers and documents. You must respect these controls. |
| Notification of breaches | Data breaches involving My Health Record information must be notified under the Act's own data breach provisions (section 75) to the System Operator (ADHA) and the OAIC. This obligation sits alongside, and is separate from, the Privacy Act NDB scheme. |
| Penalties | Unauthorised collection, use or disclosure of My Health Record information is an offence under section 59. The 2018 Strengthening Privacy amendments raised the maximum to 5 years imprisonment or 300 penalty units (or both), with a separate civil penalty provision of up to 1,500 penalty units. Penalty unit values are indexed, so check the current dollar amount. |
The penalties under the My Health Records Act are separate from and additional to those under the Privacy Act. Unauthorised access by a staff member is not just a disciplinary matter. It is potentially a criminal offence.
What are the state and territory health records laws?
Federal privacy law covers most healthcare providers, but two states and one territory have their own health records legislation that applies to private providers alongside the Privacy Act and may impose additional or different requirements. If you operate in NSW, Victoria, or the ACT, you need to understand the interaction between federal and state law. In the other jurisdictions, state privacy laws generally bind only the public sector, so a private clinic there is governed by the Privacy Act alone.
NSW: Health Records and Information Privacy Act 2002
The HRIP Act applies to NSW public sector health organisations and to private sector organisations that provide health services in NSW. It contains 15 Health Privacy Principles (HPPs) that overlap with, but are not identical to, the APPs.
Key differences: the HRIP Act has specific provisions around health information held by public hospitals, community health centres, and other NSW Health entities, and its HPPs are in some areas more prescriptive than the APPs (for example, on retention and on identifiers). Complaints about private providers can be made to the NSW Privacy Commissioner as well as the OAIC.
Victoria: Health Records Act 2001
The Health Records Act 2001 applies to both public and private sector organisations in Victoria that handle health information. It contains 11 Health Privacy Principles. Its definition of "health information" expressly includes genetic information that could be predictive of the health of the individual or their relatives, and the Act is administered by the Health Complaints Commissioner.
ACT: Health Records (Privacy and Access) Act 1997
The ACT's legislation was one of the first health-specific privacy laws in Australia. It applies to health service providers in the ACT and establishes privacy principles for the handling of health records.
Comparing federal and state health privacy frameworks
| Jurisdiction | Legislation | Number of principles | Covers private sector? | Covers public sector? |
|---|---|---|---|---|
| Federal | Privacy Act 1988 (APPs) | 13 | Yes | Yes (Commonwealth agencies) |
| NSW | HRIP Act 2002 (HPPs) | 15 | Yes | Yes |
| Victoria | Health Records Act 2001 (HPPs) | 11 | Yes | Yes |
| ACT | Health Records (Privacy and Access) Act 1997 | 14 | Yes | Yes |
| Other states/territories | Privacy Act 1988 only (private sector) | 13 | Yes | Varies (state privacy laws cover public sector) |
The practical takeaway: if you operate across state borders, including via telehealth, you may be subject to multiple privacy regimes simultaneously. Federal law provides the baseline, but state law can add extra layers. Get advice specific to your jurisdiction.
What triggers a Notifiable Data Breach under Part IIIC?
Part IIIC of the Privacy Act 1988 established the Notifiable Data Breaches (NDB) scheme in February 2018. If you experience an eligible data breach, you must notify both the affected individuals and the OAIC.
An eligible data breach occurs when:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by you.
- A reasonable person would conclude the breach is likely to result in serious harm to any of the affected individuals.
- You have not been able to prevent the likely risk of serious harm through remedial action.
For healthcare providers, the threshold for "serious harm" is almost always met. Health information is classified as sensitive information. The OAIC has consistently taken the position that breaches involving health information carry a high risk of serious harm by their nature.
Common breach scenarios in healthcare include:
- Misdirected communications: Sending a referral letter, pathology result, or discharge summary to the wrong recipient. This is the single most common breach type in healthcare.
- Ransomware attacks: Practice management systems encrypted by malicious actors, with patient data potentially exfiltrated.
- Unauthorised access by staff: Employees accessing patient records without a legitimate clinical need, often involving records of colleagues, family members, or public figures.
- Lost or stolen devices: Laptops, USB drives, or mobile phones containing unencrypted patient data.
- Improper disposal: Paper records placed in general waste, or hard drives disposed of without secure wiping.
If you only suspect an eligible breach, you must carry out a reasonable and expeditious assessment and complete it within 30 days of becoming aware of the grounds for suspicion. Once you have reasonable grounds to believe an eligible breach has occurred, you must prepare a statement for the OAIC and notify affected individuals as soon as practicable. The statement must include your identity and contact details, a description of the breach, the kinds of information involved, and recommended steps individuals should take in response.
The OAIC's Notifiable Data Breaches publications provide detailed statistics and case studies. Reading the latest report is a good reality check on where breaches actually happen.
What does a practical compliance checklist look like?
Theory is one thing. Implementation is another. Here is a practical compliance checklist for patient data protection at your Australian clinic.
Governance and documentation:
- Current, clinic-specific privacy policy published and accessible to patients
- Privacy collection notice provided at first point of contact
- Documented procedures for handling access and correction requests
- Data breach response plan tested at least annually
- Register of third parties who access patient information (pathology, billing, cloud providers)
Technical safeguards:
- Unique user logins for practice management software (no shared accounts)
- Role-based access controls limiting staff to records they need
- Encryption of patient data at rest and in transit
- Regular software updates and security patching
- Secure backup systems with tested recovery procedures
- Automatic screen locks on all clinic workstations
Staff training and culture:
- Privacy training at induction for all staff, including reception and administration
- Annual refresher training covering real-world breach scenarios
- Clear policy on accessing records of family, friends, colleagues, and public figures
- Signed confidentiality agreements for all staff and contractors
For ongoing compliance management, tracking these obligations in a spreadsheet gets messy fast. A dedicated compliance platform keeps everything in one place and alerts you when action is due.
Physical security:
- Locked filing cabinets for paper records
- Restricted access to server rooms or network equipment
- Secure disposal procedures for paper records (cross-cut shredding)
- Visitor sign-in procedures for areas where patient information is accessible
What are the most common privacy pitfalls in healthcare?
After years of OAIC enforcement actions and breach reports, clear patterns emerge. These are the mistakes clinics make repeatedly.
Sharing patient information without valid consent. The most frequent issue. A specialist sends a detailed report to a referring GP, which is fine. But then the GP's reception staff forwards it to a workers' compensation insurer without checking the patient consented to that specific disclosure. Or a clinic shares patient details with a family member who calls claiming to be the patient's carer. Good intentions do not override the law.
Inadequate data security for digital systems. Many clinics run practice management software with default passwords, share login credentials between staff, or fail to apply security updates. Some still use unencrypted email to send patient information between providers. The OAIC does not accept "we are a small practice" as a defence. The sensitivity of the data determines the standard of protection required.
Staff accessing records without clinical need. Curiosity-driven access is a genuine problem. A receptionist looks up a neighbour's records. A nurse checks the file of a local celebrity admitted to the ward. These are breaches under both the Privacy Act and, if the My Health Record is involved, potentially criminal offences under the My Health Records Act.
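Role-based access controls (the checklist above) stop reception staff opening clinical notes, but they cannot stop a clinician with legitimate system rights opening the record of a neighbour or a colleague. Catching that requires reviewing the audit trail. The script below is an added example, not code from this page or from any practice management vendor: it reads a constructed audit export, cross-checks each access against an appointment register and staff directory, and flags accesses with no treating relationship, access to the staff member's own record, same-surname (possible family) lookups, and access to records the practice has marked as restricted. The log format, field names, thresholds and all sample data are hypothetical assumptions; adapt the parser to whatever export your software produces.

```python
"""Audit-log review for curiosity-driven record access (constructed example).

Not code from the article or from any PMS vendor. The log format, staff
directory, patient register and appointment register below are all
hypothetical sample data built for this example.
"""
from dataclasses import dataclass
from datetime import datetime, date

# Staff directory (assumed): login -> (role, surname, id of the staff member's
# own patient record at this practice, or None if they are not a patient here)
STAFF = {
    "ahall":   ("gp",        "Hall",   "P0007"),
    "bnguyen": ("nurse",     "Nguyen", None),
    "cwhite":  ("reception", "White",  None),
}

# Patient register (assumed): patient id -> (surname, restricted flag).
# "Restricted" marks records the practice has chosen to watch closely,
# e.g. staff members, their families, or public figures.
PATIENTS = {
    "P0007": ("Hall",   False),
    "P1042": ("Okafor", False),
    "P1107": ("Nguyen", False),
    "P1200": ("Rivera", True),
}

# Appointment register (assumed): (patient id, treating clinician login, date)
APPOINTMENTS = [
    ("P1042", "ahall", date(2026, 3, 2)),
    ("P1200", "ahall", date(2026, 1, 5)),
]

# Constructed audit export: ISO timestamp, login, patient id, action, reason
AUDIT_LOG = """\
2026-03-02T09:05:11,ahall,P1042,view_clinical,
2026-03-02T09:20:44,cwhite,P1042,view_demographics,
2026-03-02T11:32:09,cwhite,P1042,view_clinical,
2026-03-03T13:02:51,bnguyen,P1107,view_clinical,
2026-03-03T17:45:00,ahall,P0007,view_clinical,
2026-03-04T08:10:22,ahall,P1200,view_clinical,
2026-03-04T08:12:40,bnguyen,P1200,view_clinical,emergency presentation 04/03
"""

# Actions a reception login may perform without a treating relationship
RECEPTION_ACTIONS = {"view_demographics", "book_appointment", "update_contact"}
CLINICAL_ROLES = {"gp", "nurse"}


@dataclass(frozen=True)
class Finding:
    when: datetime
    login: str
    patient: str
    action: str
    reasons: tuple  # one or more flag names explaining why this needs review


def parse_log(text):
    """Parse the assumed CSV-style export; the reason field may contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, patient, action, reason = line.split(",", 4)
        events.append((datetime.fromisoformat(ts), login, patient, action, reason.strip()))
    return events


def has_treating_relationship(login, patient, when, appointments, window_days):
    """True if this clinician had an appointment with this patient within the window."""
    return any(
        pid == patient and clinician == login
        and abs((when.date() - day).days) <= window_days
        for pid, clinician, day in appointments
    )


def review(log_text, staff=STAFF, patients=PATIENTS,
           appointments=APPOINTMENTS, window_days=30):
    """Return the accesses a privacy officer should look at, in log order."""
    findings = []
    for when, login, patient, action, reason in parse_log(log_text):
        role, staff_surname, own_record = staff.get(login, ("unknown", "", None))
        pat_surname, restricted = patients.get(patient, ("", False))
        reasons = []
        if role == "unknown":
            reasons.append("unknown_login")          # login not in the directory
        if role == "reception" and action not in RECEPTION_ACTIONS:
            reasons.append("role_not_permitted")     # RBAC should have blocked this
        if patient == own_record:
            reasons.append("own_record")             # staff viewing their own file
        elif not has_treating_relationship(login, patient, when, appointments, window_days):
            if reason:
                reasons.append("break_glass_review")  # access justified in-line; verify it
            else:
                if role in CLINICAL_ROLES:
                    reasons.append("no_treating_relationship")
                if staff_surname and staff_surname == pat_surname:
                    reasons.append("possible_family")
                if restricted:
                    reasons.append("restricted_record")
        if reasons:
            findings.append(Finding(when, login, patient, action, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.login:8} {f.patient} {f.action:17} {', '.join(f.reasons)}")
```

Run against the sample export, the script flags five of the seven accesses: reception opening clinical notes, a nurse opening a same-surname record with no appointment, a GP opening their own record, a GP opening a restricted record 58 days after the last appointment, and one break-glass access that carries a reason and needs only confirmation. The two routine accesses produce no finding. The window, the reception action set and the "restricted" list are policy decisions for the practice, not values the article prescribes.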
Failing to respond to access requests properly. Patients have a right to access their records. Some clinics delay, charge excessive fees, or refuse access without citing a valid exception. The OAIC takes complaints about access refusals seriously.
Poor data disposal practices. Old patient files in general waste bins. Decommissioned computers donated to charity with hard drives intact. USB drives left in drawers. If patient data protection obligations mean anything to your practice, secure disposal must be built into your processes.
If your clinic needs structured staff compliance training covering these scenarios, AHCRA provides courses designed for Australian healthcare teams.
What enforcement powers does the OAIC have?
The OAIC is not a toothless regulator. Its enforcement powers have been strengthened significantly in recent years.
The OAIC can:
- Investigate complaints: Any individual can lodge a privacy complaint with the OAIC. The Commissioner can also initiate own-motion investigations.
- Make determinations: After investigation, the OAIC can make a determination that includes declarations, orders for compensation, and orders requiring specific actions.
- Accept enforceable undertakings: Organisations can agree to binding commitments to address privacy failings.
- Seek civil penalty orders: For serious or repeated interferences with privacy, the OAIC can apply to the Federal Court for civil penalties of up to $50 million for body corporates (under amendments effective from December 2022).
- Issue infringement notices: For certain administrative breaches, including specific failures under the NDB scheme, a power added by the Privacy and Other Legislation Amendment Act 2024.
The $50 million penalty cap (or three times the value of any benefit obtained, or 30% of adjusted turnover, whichever is greater) was introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. This brought Australian privacy penalties closer to the GDPR regime in Europe. The days of privacy being a low-risk compliance area are over.
Recent OAIC enforcement actions in healthcare have addressed inadequate security measures, failure to notify breaches, and unauthorised disclosures. The Privacy and Other Legislation Amendment Act 2024 delivered a first tranche of broader reform, adding a mid-tier civil penalty for less serious interferences, infringement notices for administrative breaches, and a statutory tort for serious invasions of privacy, with further tranches flagged by the government.
How can your clinic stay ahead of health information privacy obligations?
Healthcare privacy compliance in Australia is not a set-and-forget exercise. Legislation evolves. Technology changes. Staff turn over. The clinics that manage privacy well treat it as an ongoing operational function, not an annual checkbox.
Three things make the biggest difference:
- Assign clear responsibility. Someone in your practice needs to own privacy compliance. Not as a side task bolted onto their reception duties, but as a defined responsibility with time allocated.
- Build privacy into workflows. Every new system, process, or third-party integration should be assessed for privacy impact before implementation. Not after a breach forces the question.
- Use purpose-built tools. Generic project management software was not designed for healthcare compliance tracking. The AHCRA compliance platform gives you privacy policy templates, obligation tracking, breach response workflows, and audit-ready documentation in one place.
If you are unsure where your clinic stands, get in touch with AHCRA. A quick conversation can identify your biggest gaps and the fastest path to closing them.
Frequently asked questions
Does the Privacy Act apply to sole practitioners and small clinics?
Yes. Health service providers are covered by the Privacy Act 1988 regardless of their annual turnover. The small business exemption (for organisations under $3 million turnover) does not apply to any organisation that provides a health service. This includes sole-practitioner GPs, physiotherapists, psychologists, dentists, and all other registered and unregistered health practitioners.
How long must healthcare providers retain patient records?
Retention periods vary by jurisdiction and record type. As a general rule, adult patient records should be retained for at least seven years from the date of last entry. For patients who were children at the time of treatment, records should be kept until the patient turns 25, or for seven years from the last entry, whichever is later. Some state legislation and professional standards impose longer periods. Check with your professional body and state health department for specific requirements.
What should you do if a staff member accesses patient records without authorisation?
Treat it as a potential data breach. Preserve the audit trail first, then assess whether the unauthorised access is likely to result in serious harm to the patient. If it meets the threshold for an eligible data breach under the NDB scheme, notify the OAIC and the affected individual. Internally, take disciplinary action in accordance with your employment policies, retrain the staff member, and review both your access controls and your audit log review process to prevent recurrence. If the access involved My Health Record information, it may constitute a criminal offence under the My Health Records Act and must be notified under that Act as well.
Can you use patient information for marketing purposes?
Generally, no. APP 7 restricts the use of personal information for direct marketing, and for sensitive information (including health information) it requires the individual's consent. Health information collected to provide a health service therefore cannot be used for direct marketing without explicit consent, and the sensitivity of the data makes this a particularly risky area. Appointment reminders and clinical recalls are part of delivering the health service, not direct marketing; newsletters, promotions and offers for additional services are. For those, obtain clear, specific consent and provide an easy opt-out mechanism in every message.
What is the difference between a privacy complaint and a notifiable data breach?
A privacy complaint is made by an individual who believes their privacy has been interfered with. It is lodged with the OAIC or directly with your organisation. A notifiable data breach is an event where personal information is accessed, disclosed, or lost without authorisation, and a reasonable person would consider it likely to cause serious harm. The NDB scheme requires you to proactively notify the OAIC and affected individuals. Both can result in regulatory action, but the NDB scheme imposes specific timeframes and obligations on the organisation that experienced the breach.
Sources
- OAIC, "Australian Privacy Principles", accessed March 2026, https://www.oaic.gov.au/privacy/australian-privacy-principles
- OAIC, "Guide to Health Privacy", accessed March 2026, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers
- OAIC, "Notifiable Data Breaches Report", accessed March 2026, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications
- OAIC, "Health and Medical Research", accessed March 2026, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-and-medical-research
- Federal Register of Legislation, "Privacy Act 1988", https://www.legislation.gov.au/Series/C2004A03712
- Federal Register of Legislation, "My Health Records Act 2012", https://www.legislation.gov.au/Series/C2012A00063
- Australian Digital Health Agency, "My Health Record", https://www.myhealthrecord.gov.au/
- NSW Government, "Health Records and Information Privacy Act 2002", https://legislation.nsw.gov.au/view/html/inforce/current/act-2002-071
- Victoria State Government, "Health Records Act 2001", https://www.legislation.vic.gov.au/in-force/acts/health-records-act-2001
Founder & Healthcare Compliance Specialist
Justine Coupland is the founder of AHCRA (Australian Healthcare Compliance Regulatory Agency), helping Australian healthcare clinics navigate AHPRA, TGA, and privacy compliance.
