Key health privacy and confidentiality laws medical professionals must know

Patient data privacy is one of the crucial elements that we must protect in every practice. To help you learn more about confidentiality laws and health privacy, our Professional Education Manager, Cheryl, outlines the key requirements for each state.


A patient's privacy is an integral part of the healthcare system. It is of the utmost importance that medical professionals keep their patients' data private, and with more data stored every day in digital environments, there is a greater need to build privacy in and assure patients that their data is safe. Protecting patients' private information is not only an ethical issue but also a legal requirement for healthcare professionals.

Here are key privacy laws you need to know as a medical professional. 


The Privacy Act 1988

The Privacy Act 1988 outlines the privacy responsibilities that certain healthcare providers must follow when managing health and personal information.

This act applies to healthcare workers in the private sector, as those in the public system have state-based privacy laws to follow.

The Privacy Act sets out the Australian Privacy Principles (APPs): 13 principles-based rules and guidelines.

The APPs set out standards, rights and obligations around:

  • The collection, use and disclosure of personal information
  • An organisation or agency’s governance and accountability
  • Integrity and correction of personal information
  • The rights of individuals to access their personal information

Because the APPs are principles-based law, an organisation can tailor its personal information handling practices to its business model and the diverse needs of individuals, according to the OAIC.

They are also technology neutral, which allows them to adapt to changing technologies.

The OAIC notes a breach of an Australian Privacy Principle is an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties.

The Act can be read here


My Health Record legislation

This is for those healthcare organisations that are participating in the My Health Record system. There are four pieces of legislation that they must comply with. These are as follows:

There are a number of obligations a participating organisation must comply with. Some of these include:

  • Not discriminate against an individual because they do not have a digital health record or because of their My Health Record's access control settings;
  • Take reasonable steps to ensure that their employees exercise due care and skill so that any record uploaded to the My Health Record system is at the time it is uploaded, accurate, up-to-date, not misleading and not defamatory;
  • Not upload a clinical document to the My Health Record system where an individual has withdrawn consent to the uploading of that clinical document;
  • Only upload a clinical document to the My Health Record system that has been prepared by a person who is a registered healthcare provider (i.e. has an HPI-I) and whose registration is not conditional, suspended, cancelled or lapsed.

The whole list can be found here.


State Policies

New South Wales

NSW's health privacy legislation is the Health Records and Information Privacy Act 2002 No 71. It protects privacy rights in NSW by:

  • Making sure that your personal and health information is properly collected, stored, used or released, via the Health Privacy Principles (HPPs)
  • Giving you the right to see, and ask for changes to be made to, your personal or health information
  • Allowing you to make a complaint to the NSW Privacy Commissioner if you believe a NSW public sector agency, health organisation or health service provider has misused your personal or health information or breached one of the HPPs.


It applies to:

  • NSW public sector agencies, including local councils and universities
  • Public and private sector health organisations – e.g. a private or public hospital or medical centre
  • Health service providers – e.g. your GP, dentist, therapist, physiotherapist, chiropractor, optometrist
  • A larger-sized business with a turnover of over $3 million that holds health information – e.g. an insurance company.

Links to the NSW Health privacy legislation, privacy resources and manuals can be found here


Victoria

The Victorian state government has the Health Records Act 2001, a framework to protect the privacy of individuals' health information.

According to Vic Health, the Act:

  • Gives individuals a legally enforceable right of access to health information about them that is contained in records held in Victoria by the private sector; and
  • Establishes Health Privacy Principles (HPPs) that will apply to health information collected and handled in Victoria by the Victorian public sector and the private sector.

The access regime and the HPPs are designed to protect privacy and promote patient autonomy, whilst also ensuring safe and effective service delivery, and the continued improvement of health services. The HPPs generally apply to:

  • All personal information collected in providing a health, mental health, disability, aged care or palliative care service; and
  • All health information held by other organisations.

More information on Victoria's health regulation can be found here


Queensland

The Queensland Health department is subject to privacy and confidentiality legislation which sets out how it handles individuals' private health information.

Under Part 7 of the Health and Hospitals Board Act, a strict duty of confidentiality is imposed on Department of Health and HHS staff in relation to the protection of confidential information.

Queensland Health has a Health records and personal information page where it breaks down:

  • Information collected in health records
  • Protecting your information
  • Accessing your health records
  • Accessing prison health records
  • Amending information in your medical records
  • Sexual health records
  • More information

The privacy plan can be viewed here. 


South Australia 

South Australian residents are governed by the South Australian Public Health Act 2011. It guarantees a range of rights and responsibilities for citizens in regard to public health, one of which includes the protection of their privacy. 

The legislation can be viewed here


Tasmania

The Tasmanian Department of Health and Human Services (DHHS) holds personal information in accordance with the Personal Information Protection Act 2004 (the PIP Act).

Under this act, the DHHS is the custodian of personal information and the collection, use and disclosure of that information is governed by the Act.

The type of personal information it collects includes names, addresses and telephone numbers, together with any specific information about a person that may be required to enable the service. 

Read the legislation here.


Western Australia 

Healthcare professionals in WA are subject to privacy laws in the Health Services Act 2016. 

The Act states that health professionals have a duty to maintain the confidentiality of all information that is directly or indirectly acquired by, created by or disclosed to them in the course of providing treatment or care to patients.

The patient confidentiality policy can be read here


Australian Capital Territory

The ACT has the Health Records (Privacy and Access) Act 1997 that covers health privacy and confidentiality within the territory.

Health records held by ACT Government agencies (including public hospitals) are covered by the Health Records (Privacy and Access) Act 1997 (ACT). The ACT Human Rights Commission handles health record privacy complaints.


Northern Territory

In the Northern Territory, the collection of health information is authorised by legislation such as the Health Services Act (NT), the Information Act (NT) and the NT Information Privacy Principles (IPP).

According to the NT government, the information collected by the Department of Health is:

  • Maintained in the health data collections;
  • Stored in secure systems in secure locations;
  • Only accessed by authorised staff members;
  • Used for approved research by appropriately qualified researchers; and
  • Linked to other approved data sources.

For a more in-depth rundown of privacy legislation in Australia, federally and state-wide, click here.


For more information on Clinic to Cloud and how it can help transform your practice click here or contact us today.

Cheryl Ladikos
Cheryl is the Professional Education Manager at Clinic to Cloud and has over 20 years’ experience in the healthcare industry with 10 years’ experience as a Practice Manager for private specialist clinics. She has also worked in other areas ranging from hospitals, medical device sales, case management for Workers’ Compensation, and training roles. She has a passion for sharing knowledge, having an inclusive environment, solving problems, and ensuring that everyone adopts a growth mindset. As a Registered Nurse with a Master of Business Administration, she curates and delivers educational content which is both clinically and commercially driven.