The Privacy Act reforms are here: What every Australian practice needs to know

A guide to the 2025 Privacy Act reforms for Australian health practices. Understand new patient rights, vendor risk, and how to ensure you are compliant.

Key Takeaways

  • The small business exemption is ending: The biggest change from the Privacy Act reforms means that all private practices, regardless of size, will soon be required to comply with the full extent of Australian privacy law.
  • Patient control is the new standard: Expect to manage new patient rights, including the "right to erasure" (deleting patient data upon request, subject to other legal retention laws) and the right to object to certain data uses.
  • Your privacy policy is now a critical tool: It must be a clear, easy-to-understand document that explicitly details what data you collect, why you need it, who you share it with, and how patients can exercise their new rights.
  • Cybersecurity basics are non-negotiable: With health data being a prime target for criminals, implementing multi-factor authentication (MFA) across all systems and conducting regular staff training on security are essential baseline measures.
  • Trust is your most valuable asset: Beyond legal compliance, these changes are about meeting the heightened expectations of your patients. Demonstrating you take their privacy seriously is now a critical part of building and maintaining patient trust.
  • Your vendors' risk is your risk: You are legally responsible for patient data handled by third-party software, so it's critical that you vet their security and privacy processes as part of your own compliance.

Introduction: The new privacy landscape in Australian healthcare

In 2025, the conversation around patient privacy in Australia has fundamentally changed. The high-profile data breaches of recent years, such as the Medibank and Optus incidents, have eroded public trust and dramatically heightened patient awareness of how their sensitive information is handled. Compounded by the sweeping reforms to the Privacy Act 1988, which are now being legislated, Australian healthcare practices are facing a new era of accountability.

This isn't just about ticking a compliance box; it's about meeting the new, non-negotiable expectations of your patients. They are more informed, more concerned, and expect more control over their personal and health information than ever before. For practice managers and clinicians, navigating this new landscape is critical for maintaining trust and mitigating significant legal and reputational risks. This article provides a practical guide to the key changes you need to be aware of and the steps you can take to protect your patients and your practice.

Beyond compliance: Why patient trust is your new bottom line

For years, privacy was often treated as a background administrative task. Now, it's front and centre. The Office of the Australian Information Commissioner (OAIC) consistently reports that the health sector is one of the highest sources of notifiable data breaches. The first half of 2025 was no exception, with the OAIC's report highlighting that human error remains a leading cause of these breaches in healthcare.

This matters because trust is the foundation of the patient-practitioner relationship. When patients feel confident that their data is secure and handled respectfully, they are more likely to engage openly with their healthcare providers, leading to better health outcomes. Conversely, a breach of this trust can cause irreparable damage to your practice's reputation.

The biggest change: The end of the small business exemption

One of the most significant reforms to the Privacy Act is the planned removal of the small business exemption. Previously, businesses with an annual turnover of less than $3 million were exempt from complying with the Act (though most health services were still covered by state laws or professional standards).

Soon, this exemption will be gone. This means that every private practice in Australia, including smaller allied health clinics, specialists, and dental practices, will need to comply with the full scope of the Australian Privacy Principles (APPs). For many, this will require a significant uplift in how they manage everything from patient records to marketing communications.

A new era of patient control

The legislative reforms are designed to shift power back to the individual, giving your patients more control over their health information. You need to be prepared to manage these new rights operationally.

  • Clearer, more specific consent: Gone are the days of bundled consent in long, jargon-filled forms. Your practice will need to obtain clear, unambiguous, and informed consent for the specific purpose of collecting data. This means reviewing your patient intake forms to ensure they are easy to understand.
  • The right to erasure: You will soon be legally required to delete a patient's data upon their request, provided there is no other legal reason to retain it (such as mandatory record-keeping periods).
  • The right to object: Patients will have the right to object to their data being used for secondary purposes, like marketing or de-identified research, even if they initially gave consent.

Furthermore, your practice will need to ensure all data handling meets a new "fair and reasonable" test. This means you must be able to justify not only that your data collection is necessary, but also that it is appropriate and doesn't create a negative impact on the patient.

A realistic scenario: The "right to erasure" request

A patient who has moved to another city emails your practice manager requesting that all their records be deleted, citing their "right to be forgotten."

The 2025 response: Your practice manager can't simply refuse. They must follow a clear process:

  1. Verify the patient's identity to prevent fraudulent requests.
  2. Check the relevant state and federal health record laws to determine the minimum mandatory retention period for medical records (e.g., 7 years for an adult).
  3. Inform the patient clearly that while their data cannot be immediately deleted due to these legal obligations, it has been secured and will be permanently destroyed once the mandatory period expires.
  4. Document the request and the actions taken.

Securing your digital practice: From basics to best practice

With the rapid adoption of telehealth and cloud-based practice management software, your practice's digital security posture is more important than ever. The Australian Cyber Security Centre (ACSC) continues to identify the healthcare sector as a prime target for cybercriminals due to the high value of stolen health data.

Protecting this data doesn't require a massive budget, but it does demand a commitment to the fundamentals.

  • Multi-factor authentication (MFA): This should be non-negotiable. Ensure that MFA is enabled on all systems that access patient data, including your practice management software, email accounts, and any third-party telehealth platforms.
  • Regular staff training: As the OAIC data shows, human error is your biggest vulnerability. Conduct regular, practical training with your team on how to spot phishing emails, use strong passwords, and handle patient data securely, especially when working remotely.
  • Vet your third-party software: When you use a third-party provider for services like online bookings or patient communication, you are still responsible for the security of that data. Ensure any provider you use has clear, robust security and privacy policies and that your data is stored securely in Australia.

Managing your third-party software risk

In a modern digital practice, one of your biggest privacy risks lies outside your own four walls. You rely on a network of third-party software providers for everything from online bookings to secure messaging, and it's critical to understand that under the Privacy Act, you are ultimately responsible for what happens to your patient data, even when it's in their hands. A data breach at your software vendor is a data breach for your practice.

Before signing any new contract, and as part of a regular review of your existing software, you must perform due diligence to ensure your partners take privacy as seriously as you do.

Key questions to ask your software vendors

  • Data Location & Security: Where is our patient data physically stored, and is it encrypted both in transit and at rest?
  • Security Certification: Have you completed any independent security audits or certifications, such as ISO 27001?
  • Breach Notification: What is your policy and timeline for notifying us in the event of a data breach on your platform?
  • Patient Rights: What is your process for helping us comply with a "right to erasure" request from one of our patients?

Conclusion

The shift in patient privacy expectations represents more than just a new set of rules; it marks a new standard for the patient-provider relationship in Australia. Moving beyond a mindset of passive compliance to one of active and transparent data stewardship is no longer optional. By embracing these changes, you not only protect your practice from significant legal and financial risks but also strengthen the most important asset you have: the trust of your patients.