Medical Practice Compliance Checklist: Complete Guide for Australia

Justine Coupland·25 March 2026·14 min read

Most practice owners discover compliance requirements the hard way. A missed renewal, a failed audit, or a letter from a regulator that ruins your Tuesday morning.

Running a medical practice in Australia means answering to at least 12 regulatory bodies. AHPRA, the OAIC, Safe Work Australia, state health departments, Medicare, the TGA, the ACCC, infection control standards bodies, your medical defence organisation, your accreditation body, workers compensation authorities, and your professional college. That's before you factor in local council requirements.

This checklist breaks it all down into categories you can actually work through. Print it, share it with your practice manager, and use it as the basis for your annual compliance review.

What registration and licensing do you need?

This is the foundation. You can't open the doors without these sorted first.

Practitioner registration

  • [ ] Current AHPRA registration for all practitioners (doctors, nurses, allied health)
  • [ ] Specialist registration where applicable
  • [ ] Check registration conditions and any notifications
  • [ ] Set calendar reminders for annual renewal dates (they vary by profession)
  • [ ] Verify registration status of all locums and contractors before they start

Business registration

  • [ ] Australian Business Number (ABN)
  • [ ] GST registration (mandatory if turnover exceeds $75,000)
  • [ ] Business name registration with ASIC (if trading under a name other than your own)
  • [ ] State or territory business licence (requirements vary by jurisdiction)
  • [ ] Local council permits and approvals

Medicare and provider numbers

  • [ ] Medicare provider number for each practitioner at each practice location
  • [ ] PBS prescriber number
  • [ ] My Health Record registration (Healthcare Provider Identifier, Organisation and Individual)
  • [ ] PRODA account setup for online Medicare claiming
  • [ ] Bulk billing or mixed billing arrangements documented

| Registration | Authority | Renewal |
|---|---|---|
| AHPRA practitioner registration | AHPRA | Annual (varies by profession) |
| ABN | ATO | Ongoing (review annually) |
| Medicare provider number | Services Australia | Per location, ongoing |
| PBS prescriber number | Services Australia | Ongoing |
| HPI-O and HPI-I | Australian Digital Health Agency | Ongoing |

What are the premises and equipment requirements?

Your building needs to meet specific standards, and some equipment carries its own compliance obligations.

  • [ ] State or territory health department registration of premises (required in most jurisdictions)
  • [ ] Private health facility licence if performing procedures under sedation or anaesthesia
  • [ ] Radiation licence and radiation safety officer appointment (if using X-ray, CT, or other ionising radiation equipment)
  • [ ] Biomedical equipment testing and tagging schedule
  • [ ] Emergency equipment checked and maintained (resuscitation trolley, defibrillator, oxygen)
  • [ ] Cold chain management for vaccines (National Vaccine Storage Guidelines compliance)
  • [ ] Sterilisation equipment validation and routine testing (if processing reusable instruments)
  • [ ] Fire safety compliance and annual fire equipment servicing
  • [ ] Disability access compliance (Disability Discrimination Act 1992)
  • [ ] Adequate consultation room size and layout per accreditation standards

If you're setting up a new practice, get your state health department requirements sorted early. The approval process can take months, and operating without registration carries serious penalties.

What staff compliance obligations apply?

Your team members each carry their own compliance requirements. Tracking these across multiple staff is where things get messy fast.

Pre-employment checks

  • [ ] National Police Check (renewed every three years as best practice)
  • [ ] Working With Children Check for any staff who may interact with minors
  • [ ] AHPRA registration verification for all registered health practitioners
  • [ ] Qualification verification (original documents sighted and copied)
  • [ ] Right to work in Australia check
  • [ ] Referee checks documented

Ongoing staff compliance

  • [ ] CPD tracking for all registered practitioners (requirements vary by profession)
  • [ ] Annual performance reviews documented
  • [ ] Credentialing and scope of clinical practice reviews for visiting practitioners
  • [ ] Immunisation records current (Hepatitis B, influenza, COVID-19 per state requirements)
  • [ ] Mandatory training completed and documented:
    • CPR and basic life support (annual)
    • Fire safety and evacuation
    • Manual handling
    • Infection control
    • Cultural safety
    • Privacy and confidentiality
    • Workplace bullying and harassment

Tracking CPD and training across a team of 10 or more gets unwieldy in spreadsheets. If you're still using Excel, consider switching to a purpose-built staff compliance tracking system before your next accreditation assessment.

Employment documentation

  • [ ] Employment contracts or contractor agreements for all staff
  • [ ] Position descriptions current and signed
  • [ ] Fair Work compliance (awards, NES, pay rates)
  • [ ] Superannuation obligations met
  • [ ] Payroll tax registration (if applicable in your state)

What are the privacy and records management requirements?

Healthcare practices handle some of the most sensitive personal information there is. The obligations here are non-negotiable.

Privacy Act compliance

  • [ ] Privacy policy published and accessible to patients
  • [ ] Collection notices displayed or provided at point of collection
  • [ ] Compliance with all 13 Australian Privacy Principles (APPs)
  • [ ] Privacy impact assessment completed for new systems or processes
  • [ ] Data breach response plan documented and tested
  • [ ] Notifiable Data Breaches scheme obligations understood (report eligible breaches to the OAIC within 30 days)
  • [ ] Staff trained on privacy obligations annually

For a deeper look at privacy obligations specific to healthcare, read our privacy compliance guide.

Health records management

  • [ ] Clinical records meet professional standards (legible, contemporaneous, accurate)
  • [ ] Electronic health record system meets relevant standards
  • [ ] My Health Record obligations understood and documented
  • [ ] Record retention periods understood and enforced:

| Record Type | Minimum Retention Period |
|---|---|
| Adult patient records | 7 years from last entry |
| Paediatric patient records | Until patient turns 25 |
| Records relating to mental health | 7 years from last entry (longer in some states) |
| Diagnostic imaging | 7 years (adults), until patient turns 25 (children) |
| Financial and Medicare records | 5 years |

  • [ ] Secure destruction process for records past retention period
  • [ ] Backup and disaster recovery plan for electronic records
  • [ ] Patient access request process documented (respond within 30 days)

Consent

  • [ ] Informed consent processes documented for all procedures
  • [ ] Consent forms reviewed by a legal professional
  • [ ] Telehealth consent processes in place
  • [ ] Consent for collection, use, and disclosure of personal information

What insurance do you need?

Gaps in insurance coverage can end a practice. Don't rely on assumptions here.

  • [ ] Professional indemnity insurance for all practitioners (mandatory for AHPRA registration)
  • [ ] Public liability insurance
  • [ ] Workers compensation insurance (mandatory in all states and territories)
  • [ ] Building and contents insurance
  • [ ] Business interruption insurance
  • [ ] Cyber liability insurance (increasingly important given data breach obligations)
  • [ ] Management liability or directors and officers insurance (if operating as a company)
  • [ ] Motor vehicle insurance for any practice-owned vehicles
  • [ ] Annual review of all insurance policies for adequate coverage

| Insurance Type | Mandatory? | Notes |
|---|---|---|
| Professional indemnity | Yes | Required for AHPRA registration |
| Workers compensation | Yes | State-based schemes |
| Public liability | Highly recommended | Often required by landlords |
| Cyber liability | Recommended | Covers data breach costs |
| Business interruption | Recommended | Covers lost income from unexpected closures |

What are your WHS obligations?

Work health and safety is governed by state and territory legislation, most of which mirrors the model WHS laws from Safe Work Australia.

  • [ ] WHS policy documented and communicated to all workers
  • [ ] Risk assessments completed for all workplace hazards
  • [ ] Risk register maintained and reviewed quarterly
  • [ ] Incident and hazard reporting system in place
  • [ ] Workers compensation claims process documented
  • [ ] Health and safety representative elected (if 5+ workers request one)
  • [ ] WHS committee established (if 20+ workers, or as required)
  • [ ] Hazardous chemicals register and Safety Data Sheets maintained
  • [ ] Manual handling risk assessments completed
  • [ ] Psychosocial hazard risk assessments completed (now a specific requirement in most jurisdictions)
  • [ ] Emergency evacuation plan documented and practised (at least annually)
  • [ ] First aid kits stocked and accessible
  • [ ] Sharps injury prevention and management protocol

WHS is one area where obligations are expanding. Psychosocial hazards, including workload, bullying, and occupational violence, are now explicitly covered in most state WHS regulations. If your risk assessments don't address these, they're out of date.

What infection control standards apply?

Infection prevention and control (IPC) is a core compliance area, particularly for practices that perform procedures or process reusable instruments.

  • [ ] Infection control policy aligned with current NHMRC guidelines
  • [ ] Hand hygiene program in place (5 Moments for Hand Hygiene)
  • [ ] Personal protective equipment (PPE) available and staff trained in correct use
  • [ ] Reprocessing of reusable medical devices compliant with AS/NZS 4187:2014
  • [ ] Sterilisation records maintained
  • [ ] Single-use items used once and disposed of correctly
  • [ ] Clinical waste management plan (compliant with state regulations)
  • [ ] Sharps disposal containers correctly located and maintained
  • [ ] Environmental cleaning schedule documented
  • [ ] Outbreak management plan in place
  • [ ] Staff immunisation program
  • [ ] Antimicrobial stewardship awareness (relevant for prescribers)

Sterilisation compliance (if processing reusable instruments)

  • [ ] Designated clean and dirty zones
  • [ ] Staff trained and competency assessed
  • [ ] Washer-disinfector and steriliser validated annually
  • [ ] Routine monitoring (chemical indicators, biological indicators)
  • [ ] Instrument tracking system in place
  • [ ] Water quality testing for sterilisation equipment

What are the advertising and marketing rules?

This catches a lot of practices off guard. AHPRA takes advertising complaints seriously, and the rules are stricter than general consumer law.

  • [ ] All advertising complies with AHPRA advertising guidelines (Section 133 of the National Law)
  • [ ] No testimonials used in advertising of regulated health services
  • [ ] No misleading or deceptive claims (ACCC, Australian Consumer Law)
  • [ ] Before and after photos used appropriately (if at all) and with documented consent
  • [ ] TGA compliance for any advertising of therapeutic goods
  • [ ] Social media content reviewed for compliance before posting
  • [ ] Website content reviewed annually for accuracy
  • [ ] Google Business Profile and directory listings accurate and compliant
  • [ ] No use of protected titles by unregistered staff
  • [ ] Informed financial consent clear in all advertising about costs

Key things that trip practices up:

  • Patient testimonials on Google Reviews can trigger an AHPRA complaint, even if the patient posted it voluntarily. You're expected to take reasonable steps to remove them from your own advertising.
  • Claims about being "the best" or "number one" without evidence breach the Australian Consumer Law.
  • Discounted pricing or time-limited offers can be problematic for regulated health services.

How do you stay compliant with Medicare and billing?

Medicare billing compliance is a serious area. Incorrect billing can result in audits, repayment demands, and Professional Services Review referrals.

  • [ ] Practitioners understand MBS item descriptor requirements for items they bill
  • [ ] Informed financial consent provided for all services (verbal for bulk billed, written for privately billed)
  • [ ] No inappropriate initiation of services (compliance with Professional Services Review thresholds)
  • [ ] Bulk billing and private billing practices documented
  • [ ] Medicare claiming software current and correctly configured
  • [ ] Regular internal audits of billing patterns
  • [ ] Practice Incentives Program (PIP) requirements met (if participating)
  • [ ] Chronic disease management plans (GPMPs, TCAs) meet MBS requirements
  • [ ] Telehealth items billed correctly per current MBS rules
  • [ ] Health assessments billed at correct frequency

If your practice bills significantly above the peer average for any MBS item, expect scrutiny. Regular internal billing audits are the best defence against an unexpected letter from Medicare.

What accreditation do you need?

Accreditation is technically voluntary for most general practices. In reality, you need it for PIP payments, GP registrar placements, and patient confidence.

General practice accreditation

  • [ ] Accreditation against RACGP Standards for General Practices (5th Edition) or equivalent
  • [ ] Accreditation body selected (AGPAL or QIP are the main two)
  • [ ] Self-assessment completed
  • [ ] Policies and procedures aligned with accreditation standards
  • [ ] Mock assessment conducted before the real thing
  • [ ] Staff awareness of accreditation standards and their role

Specialty-specific accreditation

  • [ ] Day procedure centre accreditation (NSQHS Standards) if applicable
  • [ ] Diagnostic imaging accreditation (DIAS) if applicable
  • [ ] Pathology laboratory accreditation (NATA) if applicable
  • [ ] Specialist college requirements met for training posts

For a detailed walkthrough of the RACGP accreditation process, see our RACGP accreditation guide.

| Accreditation Body | Applies To | Cycle |
|---|---|---|
| AGPAL | General practices | 3 years |
| QIP | General practices | 3 years |
| NSQHS (via accrediting agency) | Day hospitals, procedure centres | 3 years |
| NATA | Pathology labs | Varies |

How do you keep compliance on track long term?

Getting compliant is one thing. Staying compliant is the real challenge. Requirements change, staff turn over, and things slip through the cracks.

Annual compliance review checklist

  • [ ] All practitioner registrations current
  • [ ] Insurance policies reviewed and renewed
  • [ ] Privacy policy reviewed and updated
  • [ ] WHS risk assessments reviewed
  • [ ] Infection control policies reviewed
  • [ ] Emergency equipment checked and serviced
  • [ ] Staff training records reviewed for gaps
  • [ ] Medicare billing audit completed
  • [ ] Advertising and website content reviewed
  • [ ] Accreditation action plan progress reviewed
  • [ ] Business continuity and disaster recovery plans tested
  • [ ] Regulatory changes identified and policies updated

Quarterly tasks

  • [ ] Risk register review
  • [ ] Incident log review and trend analysis
  • [ ] Staff CPD progress check
  • [ ] Equipment maintenance schedule check
  • [ ] Cold chain audit (if storing vaccines)

Ongoing monitoring

  • [ ] Subscribe to AHPRA regulatory updates
  • [ ] Monitor MBS changes (published quarterly)
  • [ ] Track state-specific regulatory changes
  • [ ] Document all compliance activities in a central register

Managing all of this manually is possible for a small solo practice. For anything larger, the volume of tracking, reminders, and documentation becomes a full-time job in itself. The AHCRA compliance platform automates tracking across all these categories, with 1,000+ ready-to-use policy templates and automated staff compliance monitoring.

Frequently asked questions

How many regulatory bodies does a medical practice report to?

Most Australian medical practices answer to 12 or more regulatory bodies, including AHPRA, the OAIC, Services Australia (Medicare), Safe Work Australia (via state regulators), state health departments, the TGA, the ACCC, and their relevant professional college. The exact number depends on the services you provide and your state or territory.

Is accreditation mandatory for general practices in Australia?

Accreditation is technically voluntary. However, practices need it to receive Practice Incentives Program (PIP) payments, host GP registrars, and meet the expectations of most patients and insurers. In practice, it's essential for any viable general practice.

How long do you need to keep patient medical records in Australia?

For adult patients, the minimum retention period is 7 years from the date of the last entry. For children, records must be kept until the patient turns 25. Some states have longer requirements, and certain record types (such as those relating to controlled drugs) may have specific retention rules.

What happens if you fail a Medicare billing audit?

Outcomes range from a request to repay incorrectly claimed amounts, through to referral to the Professional Services Review (PSR). The PSR can impose reprimand, repayment, partial disqualification from Medicare, or full disqualification in serious cases. Regular internal audits are the best prevention.

Do you need cyber insurance for a medical practice?

Cyber insurance isn't legally mandatory, but it is strongly recommended. Under the Notifiable Data Breaches scheme, practices must report eligible data breaches to the OAIC. A breach involving patient health records can result in significant costs for notification, investigation, remediation, and potential legal action. Cyber insurance helps cover these costs.

Sources

  1. AHPRA, "Registration Requirements", https://www.ahpra.gov.au/Registration.aspx
  2. RACGP, "Standards for General Practices 5th Edition", https://www.racgp.org.au/running-a-practice/practice-standards/standards-5th-edition
  3. Safe Work Australia, "Model WHS Laws", https://www.safeworkaustralia.gov.au/law-and-regulation/model-whs-laws
  4. OAIC, "Australian Privacy Principles", https://www.oaic.gov.au/privacy/australian-privacy-principles
  5. Avant, "Practice start-up essentials checklist", https://avant.org.au/resources/checklist-setting-up-practice
Justine Coupland

Founder & Healthcare Compliance Specialist

Justine Coupland is the founder of AHCRA (Australian Healthcare Compliance Regulatory Agency), helping Australian healthcare clinics navigate AHPRA, TGA, and privacy compliance.
