In Short
Medical businesses that handle health information are usually APP entities under Australian privacy law. If so, you must have a clear, up-to-date privacy policy explaining how you collect, use, store and share personal and health information. You must also provide collection notices and implement privacy procedures to meet your obligations.
Tips for Businesses
Confirm whether your medical business is an APP entity and map what personal and health information you collect. Publish a clear privacy policy on your website and include collection notices in patient forms. Train staff on handling sensitive data, review documents annually, and maintain data retention and breach response procedures.
Summary
This article explains privacy policy requirements for Australian medical businesses handling personal and health information. It is a practical guide by LegalVision’s business lawyers, a commercial law firm that specialises in advising clients on privacy and data protection compliance.
As a medical business, you will handle sensitive information about your patients and other individuals. Australia's federal privacy law, the Privacy Act 1988 (Cth), contains the Australian Privacy Principles (APPs), which dictate how you collect, handle and protect both personal and sensitive information.
Your medical business must comply with the APPs by maintaining good privacy practices when handling sensitive information. Good practice also matters commercially, because patients value trust and transparency. This article explains your privacy requirements and how a privacy policy will help you meet your APP obligations.
Is My Business an APP Entity?
If your medical business provides health services and holds health information, it is an APP entity and must follow Australia’s privacy rules.
Even if it does not provide health services, your business may also be an APP entity if you:
- have an annual turnover of $3M or more;
- buy or sell personal information;
- provide services under a Commonwealth contract; or
- are a credit reporting body.
Does my Business Require a Privacy Policy?
Yes. If your business is an APP entity, it must have a clearly expressed and up-to-date privacy policy.
Your privacy policy should specify how you collect, use, hold and disclose personal information, including health information. Health information is sensitive information that requires greater protection.
Your privacy policy must outline the types of information you collect. For example, you may collect:
- contact information, such as name, email and address;
- payment and service information, such as previous transactions and service preferences;
- marketing information, such as feedback and survey responses;
- digital information, like searching behaviour and interaction with your website; and
- health information such as medical history and current conditions.
This extends beyond the information you collect from your patients. You may collect photographic ID from employees or phone numbers from the staff members of your business partners. Your privacy policy should explain how you handle the personal information of all individuals you interact with.
The privacy policy must detail the different third parties to which you disclose information. This includes your employees and contractors, other service providers (such as your IT service providers), regulatory bodies and advisors.
What Healthcare Data Protection Laws Do I Comply With?
In addition to Australia’s general privacy law, other health-specific laws may apply to your business. For example, the My Health Records Act regulates how organisations store and handle information in the My Health Record system and restricts where data can be stored in
State and territory laws apply together with the federal privacy law and may require you to take additional steps when collecting, holding and using health information. For example, under the Health Records and Information Privacy Act 2002 (NSW), health service providers must collect health information directly from the individual unless it is unreasonable or impracticable to do so.
How Do I Implement a Privacy Policy?
There are three key steps for implementing a privacy policy:
- making the privacy policy easily available;
- providing a collection notice; and
- implementing a privacy manual.
First, make your privacy policy freely and easily available, for example by publishing it on your website. Second, you must provide a Privacy Collection Notice at or before the time you collect personal information. This notice should explain:
- why you are collecting the information; and
- how you will handle it. For example, your new patient form collects personal information, so it must include (or clearly link to) a Privacy Collection Notice.
You may also implement an internal privacy manual to guide your staff and operations. Since you are handling sensitive information, it is essential that staff follow best privacy practices.
Compliance Monitoring Best Practices
Compliance monitoring helps you comply with privacy laws and protect health information. As best practice, you should review your privacy policy and related privacy documents annually or whenever you change how you handle personal information.
You should also implement:
- a document and data retention policy, setting out how long you can keep different types of data and information; and
- a data breach response plan, to help you act quickly if there is any unauthorised access to, or disclosure of, personal information. Under the Privacy Act's Notifiable Data Breaches scheme, a breach that is likely to result in serious harm to affected individuals must be notified to the Office of the Australian Information Commissioner and to those individuals, so your plan should set out who assesses a suspected breach and who makes that notification.
These will help ensure that your data-handling practices meet your privacy obligations.
Key Takeaways
If you are a medical business, you must protect personal and health information. It is crucial for both building patient trust and complying with your legal obligations. As an APP entity, you must have a privacy policy that explains how you will handle personal information.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
What is the difference between a privacy policy and a Privacy Collection Notice?
A privacy policy is a broad document that explains how you collect, manage, and use personal information from your patients, employees, and staff members of the businesses you interact with. It is publicly available and typically displayed on your website. A Privacy Collection Notice is a shorter, more specific statement you give to an individual when you collect personal information. It explains the specific purpose for that collection and should direct them to your privacy policy for more details.
What happens if I do not have a privacy policy?
If you are an APP entity, you must have a privacy policy. If you do not, you breach the rules and may face penalties of up to $66,000. The same penalty applies if you collect personal information without providing a Privacy Collection Notice.