Privacy | 5 October 2025 | 7 min read

Privacy Act Obligations for Small Healthcare Providers

Tags: privacy act, healthcare, data breach, privacy

Small healthcare practices — GP clinics, allied health providers, dental practices, psychology and counselling practices, physios, and more — sit at the intersection of two of Australia's most demanding regulatory frameworks: the healthcare compliance system and the privacy regime.

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), small healthcare providers handle some of the most sensitive personal information in existence. Getting it wrong doesn't just create regulatory liability — it can destroy the trust that is foundational to a healthcare relationship.

The Privacy Act applies to you from day one. There is no revenue threshold exemption for healthcare providers — unlike many other small businesses, which are exempt from the Privacy Act if their annual turnover is below $3 million.

What Information Is Covered?

The APPs apply to personal information — information that identifies or could reasonably identify an individual. In healthcare, this includes:

  • Patient names, addresses, dates of birth, and contact details
  • Medicare numbers, private health insurance details
  • Medical histories, diagnoses, and treatment plans
  • Mental health records
  • Prescription information
  • Clinical notes and progress notes
  • Referral letters and specialist reports
  • Pathology and radiology results

This type of information is also sensitive information under the Privacy Act — a category that receives stronger protections because of the particular harm that could result from its misuse.

The Australian Privacy Principles — What You Must Do

The 13 APPs govern how personal information must be handled. The most relevant for small healthcare providers are:

APP 1 — Open and Transparent Management

You must have a Privacy Policy that describes:

  • What information you collect and how you collect it
  • How you use and disclose information
  • Whether you disclose information overseas
  • How individuals can access and correct their information
  • How to make a privacy complaint

Your Privacy Policy must be available free of charge, typically on your website and at your reception.

APP 3 — Collection of Solicited Information

You may only collect personal information that is reasonably necessary for your functions. For healthcare providers, this means collecting information necessary to provide healthcare services to the patient.

You must collect information directly from the individual where reasonable, and you must take reasonable steps to ensure the patient is aware of why you're collecting their information and how you'll use it.

APP 5 — Notification of Collection

At or before collection, patients must be told:

  • Your identity and contact details
  • The purpose of collection
  • Any third parties to whom information may be disclosed
  • Whether collection is required by law
  • Their right to access their information and correct errors
  • Your Privacy Policy

This is typically handled through a patient consent form or information brochure at registration.

APP 6 — Use and Disclosure

Health information can generally only be used or disclosed:

  • For the primary purpose for which it was collected (i.e., providing healthcare to the patient)
  • For secondary purposes where the patient has consented, where it's directly related to the primary purpose, or where an exception applies (legal obligation, serious threat to health/safety, etc.)

The primary purpose rule is important for referrals. When you refer a patient to a specialist, you're disclosing their health information. Patients generally expect this and it falls within the primary purpose of healthcare delivery. But disclosing information to an employer, a family member, or a marketing company is a different matter and generally requires explicit consent.

APP 7 — Direct Marketing

You cannot use patient health information for direct marketing without consent, unless the patient would reasonably expect it and there's an opt-out mechanism. Cold-calling patients to promote services, or using health data to target advertising, would be a breach.

APP 11 — Security of Personal Information

You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

In practical terms, this means:

  • Secure physical storage for paper records
  • Password-protected electronic systems
  • Access controls limiting who can view what records
  • Secure disposal of old records (shredding paper, secure digital deletion)
  • Network security (firewalls, encrypted data transmission)
  • Staff training on data security

APP 12 — Access to Personal Information

Patients have a right to access their health records. You must provide access:

  • Within a reasonable time
  • At no excessive cost (small reasonable fees may apply in some circumstances — check the guidance)
  • In the manner requested (e.g., paper copy, electronic record)

Access can be refused only in limited circumstances — e.g., where providing access would create a serious threat to the patient's health or safety, or where it would reveal information about another person who hasn't consented.

APP 13 — Correction of Personal Information

If a patient believes their health record contains an error, they can request a correction. You must take reasonable steps to correct the information, or note the patient's request on the record if you disagree with the correction.

The Notifiable Data Breaches Scheme

Under the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act), healthcare providers must notify:

  • The Office of the Australian Information Commissioner (OAIC)
  • Affected individuals

...when a data breach is likely to result in serious harm to individuals.

A data breach includes:

  • Unauthorised access to or disclosure of personal information
  • Loss of personal information (e.g., a lost laptop, misdirected email)
  • Ransomware attacks that encrypt but also potentially expose patient data

The notification obligation is not triggered unless the breach is likely to cause serious harm — a test that considers the sensitivity of the information (health information is highly sensitive, so the bar for serious harm is low), the number of people affected, and whether the breach has been contained.

Notification must happen as soon as practicable after the practice becomes aware of the breach — there is no formal 72-hour deadline in the Act, but the OAIC recommends prompt action.

Important: "As soon as practicable" has been interpreted in context. For healthcare providers with highly sensitive patient data, delay in notification without genuine justification is likely to increase regulatory risk, not reduce it.

Record-Keeping Obligations

Healthcare providers must retain patient records for significant periods. The minimum retention periods vary by state and by the type of record:

  • Adult patient records: Generally 7 years from the date of last entry
  • Records relating to minors: Generally until the patient turns 25, or 7 years from last entry, whichever is later
  • Mental health records: May have specific retention requirements under state mental health legislation

These periods are minimums. Many practices retain records longer as a matter of professional practice.

Privacy and Telehealth

Telehealth has expanded significantly since 2020 and brings specific privacy considerations:

  • The video or phone platform used must meet data security requirements — not all commercial video conferencing platforms have adequate privacy controls for healthcare use
  • Recordings of consultations (where taken) must be managed as patient health information
  • Clinical records of telehealth consultations must be maintained to the same standard as in-person consultations

Staff Training and Governance

Your privacy obligations are not just about systems — they're about people. Most data breaches in healthcare are caused by human error: misdirected faxes, emails sent to the wrong address, staff accessing records of patients they're not treating.

All staff who access patient records should:

  • Understand the APPs and their specific obligations
  • Know the practice's Privacy Policy
  • Know how to respond to a suspected data breach (who to notify, what not to do)
  • Never access patient records outside the scope of their clinical role
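As an added example (not code from the original post), the following Python script reviews a constructed record-access audit log and flags staff who viewed clinical records of patients they are not listed as treating: the kind of access-control check APP 11 calls for and the misuse the training section warns about. The user names, patient IDs, log format and the list of administrative actions are constructed assumptions.

```python
"""Audit-log review: flag staff access to clinical records outside a treating relationship."""
import csv
from io import StringIO

# Constructed sample data: which staff members currently have a clinical
# relationship with which patient IDs (e.g. exported from the practice system).
TREATING_RELATIONSHIPS = {
    "dr.lee":    {"P001", "P002"},
    "nurse.kim": {"P001", "P003"},
    "reception": set(),   # administrative role: no clinical record access expected
}

# Constructed record-access audit log (timestamp, user, patient_id, action).
SAMPLE_AUDIT_LOG = """\
timestamp,user,patient_id,action
2025-10-01T09:02:11,dr.lee,P001,view_clinical_notes
2025-10-01T09:15:40,nurse.kim,P003,view_results
2025-10-01T09:20:05,nurse.kim,P002,view_clinical_notes
2025-10-01T10:01:30,reception,P004,view_clinical_notes
2025-10-01T10:05:12,reception,P004,update_contact_details
2025-10-01T11:11:11,dr.lee,P009,view_mental_health_record
"""

# Assumed actions that touch demographics only and are legitimate for admin staff.
ADMIN_ACTIONS = {"update_contact_details", "book_appointment"}


def find_out_of_scope_access(log_text, relationships, admin_actions=ADMIN_ACTIONS):
    """Return audit rows where a user accessed a clinical record of a patient
    they are not listed as treating. Demographic-only actions are exempt."""
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] in admin_actions:
            continue  # not a clinical record access
        allowed = relationships.get(row["user"], set())
        if row["patient_id"] not in allowed:
            flagged.append(row)
    return flagged


def summarise(flagged):
    """Count flagged accesses per user for the privacy officer's review."""
    counts = {}
    for row in flagged:
        counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_out_of_scope_access(SAMPLE_AUDIT_LOG, TREATING_RELATIONSHIPS)
    for h in hits:
        print(f"{h['timestamp']} {h['user']} accessed {h['patient_id']} ({h['action']}) without a treating relationship")
    print(summarise(hits))
```

Each flagged row is a candidate for follow-up under the practice's breach-response procedure, not a finding on its own; a locum covering a colleague's patient will show up here until the relationship list is updated.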

How Reguladar Helps

Privacy Act compliance is one of many regulatory obligations for small healthcare providers — alongside AHPRA registration, Medicare compliance, WHS, and employment law. Reguladar gives healthcare business owners a single compliance dashboard tracking all their obligations in one place.
