Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a healthcare business, health tech startup or you simply handle sensitive customer data, you’ve likely heard of HIPAA. It’s a big deal in the United States - but what does it mean for Australian businesses?
In short, HIPAA is a US law and it generally doesn’t apply in Australia. However, there are situations where it can still affect you - especially if you have US clients or you process data for US healthcare providers.
Below, we’ll walk through what HIPAA actually covers, when it might touch your Australian operations, and - most importantly - which Australian privacy laws and documents you need to comply with day to day. By the end, you’ll know where to focus your effort and how to set up the right legal documents and policies.
What Is HIPAA And Who Does It Cover?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that governs the privacy and security of certain health information in the United States.
HIPAA applies to two main groups:
- Covered entities: US health plans, healthcare clearinghouses and most healthcare providers who transmit health information electronically in connection with certain transactions.
- Business associates: Service providers to covered entities (for example, software vendors, billing services, or cloud hosts) who access “Protected Health Information” (PHI).
US covered entities must ensure their business associates comply with HIPAA via a Business Associate Agreement (BAA). If you support US healthcare clients from Australia, you might see BAAs in your contracts even though you’re based here.
Does HIPAA Apply In Australia?
For Australian businesses serving Australian customers, the answer is generally no. HIPAA is a US law and does not automatically extend to businesses operating solely in Australia.
In Australia, privacy and the handling of health information are primarily regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Some states and territories also have specific health records laws that sit alongside the Privacy Act.
That said, HIPAA can still be relevant to you in a few scenarios. If you contract with a US covered entity (or a US business associate) and you handle US PHI, HIPAA obligations can be imposed on you via contract - most commonly through a BAA or equivalent clauses in a master services agreement.
What Privacy Laws Do Australian Businesses Need To Follow Instead?
Even if HIPAA doesn’t apply, Australian privacy law has its own robust requirements. Here are the key frameworks most small businesses should understand.
Privacy Act 1988 (Cth) and the APPs
The Privacy Act applies to Australian Government agencies and many private sector organisations known as “APP entities.” The Australian Privacy Principles set out how you must collect, use, disclose and store personal information, and how individuals can access and correct it.
Some small businesses under $3 million annual turnover may be exempt - but there are important exceptions. Health service providers (including many allied health practitioners and health tech platforms) are often covered regardless of turnover.
If the Privacy Act applies to you, you should have an up-to-date Privacy Policy that accurately explains what personal information you collect and how you handle it, and a public contact point for privacy queries and complaints.
Notifiable Data Breaches (NDB) Scheme
APP entities must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if they suffer an eligible data breach that’s likely to result in serious harm.
A practical way to prepare is to implement a clear Data Breach Response Plan so your team knows how to identify, assess and respond quickly to incidents.
State And Territory Health Records Laws
Some states and territories have additional health privacy laws (for example, in NSW and Victoria). If you operate a healthcare practice or process health information in those jurisdictions, you may need to comply with both the Privacy Act and local health records legislation.
Other Laws That Commonly Apply To Customer Data
- Spam and direct marketing: If you send marketing emails or SMS, make sure your practices meet Australia’s spam rules and email marketing laws.
- Data retention and security: Depending on your industry, you may have specific retention requirements. It’s good practice to set (and follow) a written schedule that aligns with data retention laws and the APPs’ data minimisation principles.
- Payment data: If you handle card details, ensure you meet PCI DSS standards and Australian obligations around storing credit card details securely (or avoid storing them at all by using a compliant payment gateway).
When Might An Australian Business Need To Consider HIPAA Anyway?
While HIPAA isn’t part of Australian law, it can still matter to you in cross-border situations. Here are the most common scenarios for small businesses.
You Provide Services To US Healthcare Clients
If you’re a health tech vendor, software developer, cloud provider or virtual admin service supporting a US clinic or health plan, you may be asked to sign a BAA. In that case, HIPAA obligations will apply to the services you provide to that client.
Key steps to consider include:
- Contract terms: Expect a BAA or HIPAA clauses. You may also need a parallel Data Processing Agreement to allocate privacy and security responsibilities more broadly.
- Security measures: HIPAA requires administrative, physical and technical safeguards. In practice, this often overlaps with good Australian privacy hygiene - things like access controls, encryption, audit logs and breach response readiness.
- Data location: Confirm where PHI will be stored and processed, how it’s transmitted, and how you’ll segregate US PHI from other data if only part of your product is in-scope.
You Offer A Global Product That Handles Health Information
If your platform has users in the US as well as Australia, you may decide to support HIPAA compliance for your US customer segment. You would typically publish product documentation setting out HIPAA features and offer a BAA for eligible plans, while continuing to meet your APP obligations for Australian users.
You Receive US Health Data Through A Supply Chain
Sometimes HIPAA obligations flow down through a chain of service providers. If you subcontract for another vendor who supports a US covered entity, review your upstream contract terms and confirm whether you’re deemed a business associate and what safeguards you must implement.
HIPAA vs Australian Privacy Act: What’s The Practical Difference?
From a practical standpoint, there’s plenty of overlap. Both frameworks require you to protect personal information with reasonable security measures, limit use and disclosure, and notify certain breaches.
However, there are key differences:
- Scope of data: HIPAA focuses on PHI in the US healthcare ecosystem. The Privacy Act covers personal information more broadly across many industries in Australia, with additional protections for sensitive information (including health information).
- Who is covered: HIPAA applies to covered entities and business associates. The Privacy Act applies to APP entities, which include many private sector organisations and most health service providers regardless of turnover.
- Documentation: HIPAA often requires a BAA. In Australia, you’ll generally rely on a Privacy Collection Notice, internal policies and appropriate contract clauses to meet APP requirements.
If you operate in both environments, map requirements side-by-side, then implement the stronger safeguard where they differ. That way, you avoid two siloed compliance tracks and keep your security practical and consistent.
What Legal Documents And Policies Should You Put In Place?
Whether or not HIPAA is in the picture, having the right documents in place will help you manage privacy risk and meet your obligations in Australia.
- Privacy Policy: Public-facing statement explaining what you collect, why, how you use and share it, storage/retention and rights of access/correction. Keep it accurate and tailored to your data flows. You can get a tailored Privacy Policy that aligns with the APPs.
- Privacy Collection Notice: A concise notice provided at the point you collect personal information, covering key points such as the purpose of collection and who the information may be disclosed to.
- Data Breach Response Plan: An internal playbook for assessing and responding to incidents and meeting NDB notification requirements. Consider a formal Data Breach Response Plan.
- Information Security Policy: Practical rules for your team around access control, encryption, logging, BYOD and vendor risk. An Information Security Policy helps embed safeguards and demonstrate compliance.
- Data Processing Agreement (DPA): If you process data for clients, a Data Processing Agreement allocates privacy/security responsibilities, sets breach notification windows and clarifies international transfers.
- Marketing Compliance: If you send newsletters or promos, align your consent, unsubscribe and record-keeping practices with Australia’s email marketing laws.
- Vendor and Platform Terms: Include privacy and security obligations in supplier contracts and platform Terms. If you run an app or platform, ensure your user-facing terms align with how your product actually handles data.
If you support US healthcare clients, expect to add a BAA on top of these. It will sit alongside your Australian privacy documents and security policies.
Building A Practical Compliance Program (Without The Overwhelm)
Legal compliance doesn’t have to be complicated. Focus on a few high-impact steps and build from there.
- Map your data: Identify what personal and health information you collect, where it’s stored, who has access and which systems are involved. This informs your policies and security controls.
- Prioritise security basics: Enforce MFA, least-privilege access, regular patching, secure backups and vendor due diligence. These measures address the most common breach risks in small businesses.
- Publish and train: Roll out your Privacy Policy and internal procedures, and train your team on how to handle requests and incidents.
- Plan for incidents: Use your Data Breach Response Plan to run a tabletop exercise so everyone understands their role.
- Review annually: Update documents as your product evolves, adjust your data retention schedule and verify vendors remain appropriate.
If you accept payments, add PCI DSS-aligned practices and avoid storing full card numbers - a good payment gateway can help you meet your obligations around storing credit card details without taking on added risk.
Do You Need A Lawyer To “Be HIPAA-Compliant” From Australia?
If you’re only serving Australian customers, you typically won’t need HIPAA compliance - focus on the Privacy Act and APPs. If you support US healthcare clients, legal support can help you understand the scope of PHI in your services, negotiate BAAs, and ensure your documentation and safeguards align with both HIPAA and the APPs.
Either way, a quick chat with a data privacy lawyer can save you time and reduce risk by aligning your contracts, policies and product practices.
Key Takeaways
- HIPAA is a US law and generally doesn’t apply in Australia unless you handle US Protected Health Information for a US healthcare client under contract.
- For Australian operations, focus on the Privacy Act 1988 (Cth), the Australian Privacy Principles and, where relevant, state health records laws.
- Have the right documents in place: a tailored Privacy Policy, a Privacy Collection Notice, an Information Security Policy and a Data Breach Response Plan.
- If you support US healthcare clients, expect to sign a BAA and align your technical and organisational measures to HIPAA’s safeguards alongside APP requirements.
- Embed practical privacy and security basics, set a realistic data retention schedule and ensure your marketing is compliant with Australia’s email marketing laws.
- Getting targeted advice early can help you design a simple, effective compliance approach that scales as you grow.
If you’d like a consultation on whether HIPAA affects your Australian business and how to set up your privacy compliance the right way, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.