Privacy compliance designed for Australian medical practices

As a medical business, compliance with privacy laws is not optional. There is no $3 million annual revenue threshold before the obligations apply, as there is for many non-healthcare businesses: you are expected to have a 'privacy framework' right from $1. If you don't know where to start, or need assistance to develop your privacy framework, we can assist.

Why focus on privacy compliance?

Firstly, it's the law! Failing to have a 'privacy framework' is, in simple terms, a breach of the legislation. Should a practice come to the attention of the Privacy Commissioner, being unable to demonstrate that the practice takes patient privacy seriously greatly increases the risk of privacy fines (which at the time of writing are up to $2.1 million for entities and $420,000 for individuals).

Secondly, and equally important, doctors have ethical obligations to 'do no harm' and to inform patients about adverse events, including breaches of privacy and confidentiality. So even if a breach is not deemed to require mandatory reporting under the Notifiable Data Breaches (NDB) scheme, the patient may still need to be informed under the doctor's ethical obligations. Failing to take patient privacy seriously can create a PR disaster, on top of the potential fines and other costs.

Complying with privacy law just makes good business sense. A good privacy framework can help prevent things going wrong in the first place, and if things do go wrong, the practice is far better prepared to manage the breach.

Privacy compliance mistakes we commonly see

Privacy Act responsibilities

Failing to take the time to understand obligations under the Privacy Act (ignorance is no excuse). No appointed 'Privacy Officer', so nobody takes overall accountability, and privacy is not a regular topic at management meetings; management only gets involved when something goes wrong.

Basic Privacy Documentation

Not even the basic privacy documentation or processes are in place. Patient consent to collect their health information and an accessible 'Privacy Policy' which complies with the 'Australian Privacy Principles' are the starting point, and many fail even at this stage.

Zero staff training

Staff have received no induction or ongoing privacy training, either on privacy law obligations (e.g. what to do when a patient has a complaint or requests a copy of their medical record) or on IT security awareness, such as identifying phishing emails.

Privacy breach handling

No idea what to do when (not if) a privacy breach or suspected breach occurs. Having a 'Breach Response Plan' and understanding areas like mandatory reporting of privacy breaches under the NDB scheme is a fundamental requirement.

Poor (or no) IT agreements

Signing poor (or no) contracts with their IT suppliers. The contract contains no obligation for the IT contractor to comply with the Privacy Act, and no confidentiality requirements. Even worse, the IT contract often excludes any liability of the IT contractor, leaving the practice completely exposed (and potentially voiding any insurance the practice may have).

No IT security assessment

No IT security assessment, either by asking their IT providers to do one, or by having an independent company provide an assessment/audit report. They have no assurance that their backups work (or how long it would take to get back online), no view of the strength of their IT controls, and no evidence that they are taking reasonable steps to protect patient privacy.

Contact Us

For a confidential discussion contact us:

Privacy Risk Solutions

Chris Mariani

0419 017 011 or chris@privacyrisk.com.au