Introduction
Health information carries stricter privacy obligations than almost any other category of information an Australian business holds, and the small-business exemption many owners rely on does not apply to health practices. For a medical clinic, allied health practice, dental surgery or specialist rooms, that means the consent rules are tighter, the stakes of getting a breach wrong are higher, and a patient now has a personal right to sue where their information is seriously misused.
That combination raises the stakes for any practice that has not looked closely at its privacy and breach-response position. This article sets out the obligations, what has changed recently, and the practical steps a practice can take.
Health information is sensitive information
Under the Privacy Act 1988, health information is “sensitive information”, the category that attracts the highest level of protection under the Australian Privacy Principles. Sensitive information generally cannot be collected unless the individual consents and the collection is reasonably necessary for the practice’s functions or activities, subject to limited exceptions (APP 3). The consent requirement is more demanding than the rules for ordinary personal information, and it applies from the very first point of contact with a patient.
That higher standard runs through the whole information lifecycle. It affects how the information is collected, how it is stored and secured, who it can be disclosed to, and how long it is kept. A practice that treats patient records the same way it treats general business contact details is working to the wrong standard.
You are probably not covered by the small-business exemption
Many businesses with an annual turnover of $3 million or less are currently exempt from the Privacy Act. That exemption is under review and is expected to narrow. More importantly for health practices, it already does not apply to health service providers.
A practice cannot rely on its size to sit outside the Privacy Act. If it provides a health service and holds health information, it is an APP entity and the full set of obligations applies, regardless of turnover. This is one of the most common misunderstandings we see among smaller practices, and it is worth correcting early, because the obligations it triggers, including notifiable data breach reporting, are significant.
Patient data breach: the notifiable data breach obligations
The Notifiable Data Breaches scheme, in Part IIIC of the Privacy Act, applies to health practices in full. An eligible data breach is unauthorised access to or disclosure of personal information, or loss of personal information, that is likely to result in serious harm to an affected individual.
If a breach is an eligible data breach, the practice must notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable after it becomes aware of the breach. Where there are reasonable grounds to suspect an eligible breach but the practice is not yet certain, it must carry out a reasonable and expeditious assessment, generally within 30 days, to decide whether the threshold is met.
Health is consistently among the top sectors for notifications under the scheme, which reflects the volume and sensitivity of the information the sector holds. The serious-harm assessment is a judgement, and it is a legal one: it turns on the kind of information involved, who accessed it, and whether any remedial action has reduced the risk. Because health information is so sensitive, that threshold can be reached more readily than it is for less sensitive data, which is one reason a clinic benefits from having legal input on the assessment rather than treating a breach as a purely technical event.
My Health Record carries its own rules
Practices connected to the My Health Record system have obligations that sit alongside the Privacy Act. The My Health Records Act 2012 governs how records in that system are accessed, used and disclosed, and unauthorised access to the system can attract civil and criminal penalties. A practice that uses My Health Record needs internal controls over who can view records and a clear understanding that access is limited to the purpose of providing healthcare to the patient.
The practical point is that My Health Record access should be governed by the same access-control discipline as the rest of the practice’s systems: named users, appropriate permissions, and a record of who accessed what. Casual or shared access is a risk under both that framework and the broader privacy regime.
The new statutory tort raises personal exposure
Since 10 June 2025, Australia has had a statutory tort for serious invasions of privacy. An individual can now personally sue for a serious invasion of privacy, whether by intrusion upon seclusion or by misuse of information. This is a relatively new right, about a year old as at June 2026, and it changes the picture for health practices in a concrete way.
A patient whose health information is seriously misused now has a direct avenue to bring a claim, separate from any regulator action by the OAIC. For a practice, that means a privacy failure can generate two distinct lines of exposure: a regulatory one and a private one. It sharpens the case for getting collection, storage, access and breach response right, and for being able to show that the practice took reasonable steps.
If you would rather have someone test your practice’s position with you, the starting point is a no-obligation 30-minute scoping call. You can book one by calling (07) 4802 0080 or emailing info@grmlaw.com.au.
Retention and secure destruction
Holding patient records is necessary, but holding them indefinitely and without security is a liability. Health practices are subject to professional and jurisdictional retention requirements that set how long clinical records must be kept. Minimum periods differ by state and territory and can depend on the patient’s age, and they have to be reconciled with the privacy principle that personal information should not be kept once it is no longer needed for a lawful purpose.
The discipline is twofold: retain records for as long as the law requires, then destroy or de-identify them securely once that period has passed. A clear retention schedule, applied consistently, reduces both the volume of information at risk in any breach and the chance of a complaint that information was kept too long.
Practical steps for a practice
A health practice does not need a large compliance function to put itself in a defensible position. A focused set of measures covers most of the exposure:
- Confirm the practice accepts it is covered by the Privacy Act and is not relying on the small-business exemption.
- Keep an up-to-date privacy policy and collection notices that reflect how the practice actually handles health information, and obtain proper consent to collect it at the point of collection.
- Map where patient information lives, who can access it, and where it flows, including to third-party software, cloud providers and outsourced services.
- Apply access controls so staff see only the records they need, and keep an access record for sensitive systems, including My Health Record.
- Have a documented process for responding to patient access and correction requests under APP 12 within a reasonable period, including the limited grounds on which access can be refused.
- Put a written breach-response plan in place, with the serious-harm assessment and the OAIC and individual notification steps built in, and identify in advance who will act as legal lead if a breach occurs.
- Set a retention schedule and destroy or de-identify information securely when it is no longer required.
- Review contracts with software vendors and service providers for data-handling and breach-notification terms.
These steps do not guarantee that a breach will never happen. What they do is reduce the likelihood, contain the impact, and put the practice in a position to show it took reasonable steps, which matters under both the regulatory regime and the new statutory tort.
How GRM LAW helps health practices
GRM LAW advises medical and allied health practices on their privacy, data and cyber obligations. Through our Healthcare Vertical Cyber Program, a year-long sector program, we run a structured gap assessment against the obligations that apply to health providers, build the policies the practice needs, conduct quarterly reviews, and produce an annual report that evidences the practice’s position. For practices that want breach-response cover specifically, our Breach + Drill Subscription holds a breach-coach retainer, keeps a plain-English incident-response plan current, and tests it with two facilitated drills a year, so the serious-harm assessment and notification steps are rehearsed before they are needed. Where an incident is run under a properly scoped breach-coach retainer, legal professional privilege can attach to forensic work-product that we direct for the dominant purpose of legal advice, though that is never automatic and depends on how the engagement is set up.
The practice is supervised by founding partner Gavin McInnes, an Accredited Specialist in Business Law. We advise on controls we actually run: our own environment is aligned to APRA CPS 234, self-mapped to ISO 27001 controls, and targeting Essential Eight Maturity Level 2.
Most engagements begin with a no-obligation 30-minute scoping call. If you run a medical or allied health practice and want to be confident your privacy and breach-response position is sound, contact the cyber and privacy lawyers at GRM LAW.
Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.