Technology Update
Privacy and Cybersecurity Rules for Health Professionals in Australia
Harvey Norman Technology for Business
Privacy Laws That Apply
Privacy Act 1988 (Cth)
This is the main law governing how health information must be collected, stored, used, and disclosed. It applies to:
- All private health service providers (whether or not you’re registered with AHPRA).
- Most businesses with a turnover of more than $3 million, but all health service providers are covered regardless of size.
Australian Privacy Principles (APPs):
These set out rules about how to manage personal and health information. They include requirements for:
- Collecting only what you need.
- Storing records securely.
- Giving patients access to their records.
- Not using or sharing information without consent (except in specific situations, like emergencies or law enforcement).
AHPRA vs Non-Registered Health Professionals
AHPRA-registered health professionals (doctors, nurses, psychologists, physiotherapists, etc.) have extra professional obligations including:
- Each national board has a code of conduct which requires compliance with privacy and confidentiality standards.
- Breaches of patient privacy can lead to professional misconduct investigations and disciplinary action in addition to legal consequences.
Non-registered health professionals (e.g. counsellors, massage therapists, some allied health workers not under AHPRA):
- They are still fully bound by the Privacy Act if they provide a health service.
- They do not face AHPRA disciplinary processes but can still face legal action and enforcement from the Office of the Australian Information Commissioner (OAIC) if they mishandle health records.
While legal privacy rules apply equally to all health professionals, AHPRA members may also face professional consequences through their registration boards.
Cybersecurity Expectations
Healthcare has become the number one target for ransomware and data breaches in Australia, and even small clinics have found themselves compromised. Privacy breaches not only invite investigation from the Office of the Australian Information Commissioner (OAIC), they can shatter trust between clients and professionals. Cybersecurity and privacy protection are no longer “IT issues”, they are core clinical risks. Understanding and meeting legal obligations protects your patients, your practice and the healthcare system.
The Essential Eight
Strategy
What It Means
Why It Matters
Application Control
Only allow approved apps and programs to run on your systems.
Stops malware from running in the first place.
Patch Applications
Regularly update software (e.g., browsers, Microsoft Office, PDF readers).
Fixes security holes that hackers can exploit.
Configure Microsoft Office Macro Settings
Block risky macros from running in documents.
Macros are a common way for viruses to get in.
User Application Hardening
Disable unnecessary features in apps (like Flash, ads, Java).
Reduces the number of ways hackers can get it.
Restrict Admin Privilege
Only IT/admin staff should have full access to systems. Regular users get only what they need.
Limits the damage if someone's account is hacked.
Patch Operating Systems
Keeps Windows, MacOS, or other operating systems updated
Prevents known security flaws from being used against you.
Multi-Factor Authentication (MFA)
Require users to enter a second code (e.g., from an app or SMS) when logging in.
Makes it much harder for hackers to br
Regular Backups
Automatically back up your data, and test restoring it.
Essential if you're hit by ransomware or system failure.
Reasonable Steps for a Small Practice
Even a small clinic or solo practitioner should be doing the basics, such as:
- Using a secure practice management system (ideally cloud-based with Australian data storage).
- Ensuring all staff use strong passwords and multi-factor authentication.
- Setting up automatic updates for all software and devices.
- Having antivirus software installed and updated.
- Backing up data at least daily, with offsite or cloud copies.
- Training staff regularly in phishing awareness and what to do if something looks suspicious.
- Incident response plan so you know what to do if there's a data breach.
Encryption – What You Need to Know
Encryption is one of the most important protections for health records.
What is it?
Encryption scrambles data so that even if someone steals it, they can’t read it without the correct key or password.
When to use it:
- Data at Rest: Health records stored on computers, servers, portable devices (like laptops or USBs) should be encrypted.
- Data in Transit: Emails, messages, or transfers of health records should be encrypted so the information isn’t exposed while being sent.
- Emailing Records: Normal email is not secure. If you must send records by email, use an encrypted messaging service or a secure file transfer system.
- Cloud Storage: If using cloud systems (e.g. for practice management), ensure the provider uses strong encryption standards (AES-256 is a common benchmark) and that data is stored in Australia or in compliance with Australian privacy law.
The OAIC and ACSC have both made it clear that encryption is not optional—it is now considered a baseline requirement for protecting health information.
What Happens If You Don't Comply
- Legal penalties: Breaches of the Privacy Act can lead to investigations, compensation claims, and significant fines.
- Reputation damage: Patients lose trust if their records are leaked or mishandled.
- Professional action (AHPRA members): Disciplinary proceedings, suspension, or even deregistration.
Key Takeaways
- All health professionals, AHPRA registered or not, must comply with the Privacy Act.
- AHPRA members face extra professional accountability.
- Encryption is now a must-have for both storage and communication of health records.
- Taking reasonable security steps protects your patients, your reputation, and your livelihood.