Australian Privacy Principles & My Health Records: Your Website Obligations
What Australian healthcare providers must do to comply with the Privacy Act 1988, the APPs, and the My Health Records Act when operating online.
Australian healthcare websites are not just digital brochures. If your practice collects patient details, handles health information, or connects to My Health Record-related workflows, your website and its supporting systems must follow Australia's privacy and health-record rules.
The practical answer is simple: treat your website as part of your health information handling environment, not just as a marketing asset. That means your forms, storage, vendors, policies, and security controls all matter under the Privacy Act 1988 and the APPs.
What Applies Online
The Privacy Act requires health service providers to establish and maintain privacy processes that protect personal information, including health information. The OAIC notes that health information is one of the most sensitive forms of personal information, and it carries extra protections.
If your website collects names, symptoms, appointment requests, referral notes, or any other patient details, the APPs become relevant to how that data is collected, used, disclosed, secured, and retained. This includes your website forms, booking systems, email routing, embedded tools, and any third-party services that process patient data.
My Health Record Online
My Health Record has its own legal framework under the My Health Records Act 2012. Registered healthcare provider organisations may access and use information in My Health Record for providing care, but those actions must follow the system's access controls and authorised-use rules.
A key point is that once information is downloaded from My Health Record into local systems, the usual My Health Record protections no longer govern that copy in the same way — the Privacy Act and other health privacy laws then apply. That means your website-connected systems, internal platforms, and storage methods must still be secure and privacy-compliant after data leaves the My Health Record environment.
Website Risk Points
The biggest website risks are forms, file uploads, booking tools, chat widgets, analytics, and third-party plugins. If any of these tools collect or process health information, they must be handled carefully and matched to your privacy obligations.
The OAIC also expects health service providers to take reasonable steps to protect information from misuse, interference, loss, and unauthorised access, modification, or disclosure. In practice, that means HTTPS, access control, least-privilege admin access, secure backups, and vendor review are not optional extras.
What to Do First
Start with a privacy management plan and clearly assign responsibility for privacy in the practice. Then document what personal information your website collects, where it goes, who can access it, and how long it is kept.
Next, make sure your privacy policy is available on the website in a clear and accessible format. Finally, create a breach response plan so you can quickly assess, contain, and respond if data is exposed.
Quick Checklist
Privacy management plan documented · Website privacy policy published · All data collection points mapped · HTTPS and access controls in place · Vendors reviewed for APP compliance · Breach response plan ready
Frequently Asked Questions
Do the APPs apply to my healthcare website?
Does My Health Record change my website obligations?
Do I need a privacy policy on my website?
What is the biggest compliance mistake?
The Bottom Line
Australia's privacy framework for healthcare is comprehensive and applies fully to online environments. The Privacy Act 1988, the Australian Privacy Principles, and the My Health Records Act collectively set a high standard for how patient information must be handled — including through your website.
Healthcare providers who build privacy and security into their digital infrastructure from the start are far better positioned to meet their obligations, maintain patient trust, and respond effectively if something goes wrong.