All Systems Operational
Back to Resources | Compliance — Australia

Australian Privacy Principles & My Health Records: Your Website Obligations

What Australian healthcare providers must do to comply with the Privacy Act 1988, the APPs, and the My Health Records Act when operating online.

May 27, 2026 6 min read
Australian healthcare — Sydney Opera House and harbour representing Australian health compliance

Australian healthcare websites are not just digital brochures. If your practice collects patient details, handles health information, or connects to My Health Record-related workflows, your website and its supporting systems must follow Australia's privacy and health-record rules.

The practical answer is simple: treat your website as part of your health information handling environment, not just as a marketing asset. That means your forms, storage, vendors, policies, and security controls all matter under the Privacy Act 1988 and the APPs.

What Applies Online

The Privacy Act requires health service providers to establish and maintain privacy processes that protect personal information, including health information. The OAIC notes that health information is one of the most sensitive forms of personal information, and it carries extra protections.

If your website collects names, symptoms, appointment requests, referral notes, or any other patient details, the APPs become relevant to how that data is collected, used, disclosed, secured, and retained. This includes your website forms, booking systems, email routing, embedded tools, and any third-party services that process patient data.

My Health Record Online

My Health Record has its own legal framework under the My Health Records Act 2012. Registered healthcare provider organisations may access and use information in My Health Record for providing care, but those actions must follow the system's access controls and authorised-use rules.

A key point is that once information is downloaded from My Health Record into local systems, the usual My Health Record protections no longer govern that copy in the same way — the Privacy Act and other health privacy laws then apply. That means your website-connected systems, internal platforms, and storage methods must still be secure and privacy-compliant after data leaves the My Health Record environment.

Website Risk Points

The biggest website risks are forms, file uploads, booking tools, chat widgets, analytics, and third-party plugins. If any of these tools collect or process health information, they must be handled carefully and matched to your privacy obligations.

The OAIC also expects health service providers to take reasonable steps to protect information from misuse, interference, loss, and unauthorised access, modification, or disclosure. In practice, that means HTTPS, access control, least-privilege admin access, secure backups, and vendor review are not optional extras.

What to Do First

Start with a privacy management plan and clearly assign responsibility for privacy in the practice. Then document what personal information your website collects, where it goes, who can access it, and how long it is kept.

Next, make sure your privacy policy is available on the website in a clear and accessible format. Finally, create a breach response plan so you can quickly assess, contain, and respond if data is exposed.

Quick Checklist

Privacy management plan documented  ·  Website privacy policy published  ·  All data collection points mapped  ·  HTTPS and access controls in place  ·  Vendors reviewed for APP compliance  ·  Breach response plan ready

Frequently Asked Questions

Do the APPs apply to my healthcare website?
Yes, if you are a health service provider handling health information, the Privacy Act and APPs apply to how your website collects and handles that data. This includes online forms, booking tools, portals, and any third-party services that process patient information on your behalf.
Does My Health Record change my website obligations?
Yes. If your organisation is registered to use My Health Record, information collected from it is governed by the My Health Records Act while it remains in that system. Once that data is downloaded to local systems, the Privacy Act and other applicable laws govern how it must be handled and protected.
Do I need a privacy policy on my website?
Yes. The OAIC says your privacy policy should be available free of charge and in an appropriate format, which can include posting it on your website. It should explain what information is collected, why, how it is used, and how patients can access or correct their information.
What is the biggest compliance mistake?
The biggest mistake is assuming the website is separate from clinical privacy obligations. In reality, online forms, vendors, and storage systems are often where privacy risk starts. Treating your website as regulated health infrastructure — not just a marketing asset — is the right mindset.

The Bottom Line

Australia's privacy framework for healthcare is comprehensive and applies fully to online environments. The Privacy Act 1988, the Australian Privacy Principles, and the My Health Records Act collectively set a high standard for how patient information must be handled — including through your website.

Healthcare providers who build privacy and security into their digital infrastructure from the start are far better positioned to meet their obligations, maintain patient trust, and respond effectively if something goes wrong.

Back to Resources Get a Compliance Review
Book yourAppointment