Abinaja is the legal operations lead at Sprintlaw. After completing a law degree and gaining experience in the technology industry, she has developed an interest in working at the intersection of law and tech.
If you collect or store health information in Australia - even something as simple as a patient’s name alongside their appointment reason - privacy law applies to you in a big way.
Health information is classed as “sensitive information” under the Privacy Act, which means the rules are stricter, the penalties are higher and the expectations from clients and regulators are stronger.
That’s exactly why a clear, compliant Privacy Policy isn’t just a nice-to-have. It’s essential. It helps you meet your legal obligations, sets expectations with clients and shows you take confidentiality seriously.
In this guide, we’ll explain what counts as health information, when you legally need a Privacy Policy, what it should include and how it fits into your broader compliance plan - whether you run a clinic, allied health practice, telehealth service, wellness app or NDIS business.
What Counts As Health Information In Australia?
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), health information is “sensitive information.” That means it’s subject to tighter rules than ordinary personal information.
Health information includes more than clinical notes. It generally covers any personal information about a person’s physical or mental health, disability, health services provided (or to be provided) to them, and related payments or claims. It can also include genetic information, prescriptions, pathology results, Medicare details and appointment records if they reveal health-related facts.
In practice, if you can link a specific person to information about their health status, healthcare interactions or care plans, you’re likely dealing with health information.
Typical examples include:
- Patient intake forms and medical histories
- Telehealth recordings, notes and transcripts
- Allied health progress notes (e.g. physiotherapy, psychology)
- NDIS support plans and case files
- Wellness or fitness app data (e.g. symptoms tracking, sleep, medication reminders)
- Invoices or claims that reveal the type of health service
Because this information is sensitive, the APPs impose higher standards for collection, use, disclosure and security. Your Privacy Policy is the front door to demonstrating how you meet those standards.
Do You Legally Need A Privacy Policy If You Collect Health Information?
In many cases, yes.
If you are a health service provider (broadly defined, and including private sector providers of health services), the Privacy Act typically applies regardless of your annual turnover. Many small practices are captured because they provide a health service and hold health information, even if they make under $3 million a year.
APP 1 requires you to have a clearly expressed and up-to-date Privacy Policy about how you manage personal information. When that personal information includes health data, the risk profile is higher, so regulators expect your policy and practices to be robust.
Beyond the letter of the law, there are strong practical reasons to publish and follow a comprehensive Privacy Policy:
- Trust and transparency - Patients and clients want to know how their information is handled, stored and protected.
- Risk management - Clear rules for your team reduce mistakes and help you respond quickly to issues.
- Breach readiness - If something goes wrong, having documented practices and notifications in place can reduce harm and liability.
If you need a policy tailored to a clinical context, consider a dedicated Privacy Policy (Health Service Provider) that reflects consent, collection and retention requirements unique to health settings.
What Should A Health-Focused Privacy Policy Include?
Your Privacy Policy should be specific enough that a patient or user could read it and clearly understand what you collect and why - without turning it into a legal textbook. Aim for plain English and practical clarity.
At a minimum, cover the following areas in line with the APPs, with additional detail for health data:
1) What You Collect (And From Whom)
List the categories of personal and health information you collect, such as contact details, Medicare numbers, referral letters, clinical notes, test results, appointment histories and payment information. Be clear about whether you collect information directly from the individual, from third parties (e.g. referrers, pathology providers), or via integrations (such as practice management software or wearable devices).
2) Your Legal Basis And Purpose
Explain why you collect health information (e.g. to provide healthcare, manage bookings, process claims, meet legal obligations, improve services). For sensitive information, consent is often required unless a recognised exception applies. Clearly outline how consent is obtained and recorded.
3) Use And Disclosure
Describe how you use data for treatment, billing, recalls and clinical audits, and when you disclose it to third parties such as specialists, laboratories, insurers or government agencies. If you use overseas cloud services or offsite backup providers, say so and identify those locations where possible.
4) Security And Retention
Set out the steps you take to protect health information (physical, technical and administrative safeguards) and how long you retain records to comply with health record retention laws and professional standards. Point readers to your retention approach and, where relevant, align it with the guidance covered in data retention laws.
5) Access And Correction
Explain how individuals can request access to their records, ask for corrections, and what proof of identity you require. Outline expected timeframes and any reasonable fees.
6) Complaints Handling
Tell people how to raise a privacy complaint, the steps you’ll take to investigate, and how they can escalate to the Office of the Australian Information Commissioner (OAIC) if needed.
7) Direct Marketing And Communications
If you send reminders, recalls, newsletters or promotional content, explain how you obtain consent and how people can opt out. Make sure your approach also aligns with the Spam Act and industry expectations.
8) Contact Details And Updates
Provide a privacy contact and state how you’ll notify individuals when your policy changes. If you operate multiple locations or brands, make sure it’s clear which entity is responsible for privacy compliance.
Remember, a Privacy Policy tells clients what you do - it doesn’t, by itself, make you compliant. You also need the right processes and supporting documents behind the scenes.
How Does A Privacy Policy Fit With The Rest Of Your Privacy Compliance?
Think of your Privacy Policy as the “external” story. It should be backed by internal processes, contracts and response plans. Here are the common pieces that sit alongside your policy when you handle health information:
Privacy Collection Notice
Give individuals notice at (or before) the time you collect their information. A short form notice can be embedded in your intake form, booking flow or app onboarding, and link to your full policy. Many health providers use a dedicated Privacy Collection Notice to make this simple and consistent across channels.
Data Breach Response Plan
Under the Notifiable Data Breaches scheme, serious breaches must be assessed and, if eligible, notified to the OAIC and affected individuals. A practical, tested Data Breach Response Plan helps your team act quickly, contain the issue and communicate lawfully in a stressful situation. You can complement this with workflows for data breach notifications when they’re required.
Privacy Impact Assessment (PIA)
Launching a new telehealth feature, integrating a wearable data feed or moving to a new practice management platform? A lightweight PIA can help you identify risks and mitigate them before go-live. A structured Privacy Impact Assessment Plan is especially useful for products and apps handling sensitive health data or children’s information.
Data Processing And Cloud Providers
If you use practice software, cloud storage, CRM, billing tools or AI transcription services, document how your suppliers handle personal information. A Data Processing Agreement (DPA) or equivalent clauses in your vendor contracts set requirements for security, sub-processors, breach notices and data location. This is crucial if any data leaves Australia.
Specialist Policies For Your Sector
Some services need privacy documents tailored to specific frameworks. For example, NDIS providers often adopt an NDIS Privacy Policy to reflect sector standards and participant rights. Health service providers may also need informed consent processes and signed releases when sharing records with third parties.
Consent Forms And Clinical Workflows
Your day-to-day forms need to match your policy. If you’re disclosing information to a third party or using recordings for training, ensure your consent flows are tight and documented - for example, a clinical consent or a targeted release when appropriate. Where you’re sharing specific records, some providers use a Medical Release Consent Form to make the request and consent clear.
Pairing a strong Privacy Policy with these operational tools creates a privacy program that stands up to scrutiny and actually works in a busy practice or product environment.
Common Scenarios: Clinics, Allied Health, Apps And NDIS Providers
How you apply these principles will vary slightly depending on your setting. Here are some typical scenarios and what to watch:
Private Clinics And Telehealth Practices
- Ensure your Privacy Policy explains telehealth-specific collection (e.g. call recordings, transcripts) and storage locations.
- Confirm your video platform and practice software meet your security standards and are covered by a DPA if they process personal data on your behalf.
- Document retention and back-ups for clinical records, and align with your sector’s minimum retention periods.
Allied Health (Physio, Psych, OT, Dietetics)
- Be explicit about what you collect from referrers and how you share updates back to referrers or GPs.
- Set clear parameters for family involvement and consent, especially when working with minors.
- Manage SMS and email reminders within your consent and communications settings to avoid unwanted direct marketing issues.
Health And Wellness Apps
- Disclose SDKs/analytics tools that access device data and whether data leaves Australia.
- Use layered notices and in-context prompts to collect meaningful consent for sensitive features (e.g. menstrual tracking, mental health check-ins).
- Embed a PIA in your development cycle so privacy and security are designed in, not bolted on.
NDIS Providers
- Map how information flows among participants, plan managers and support coordinators.
- Tailor your policy and collection notices to NDIS contexts, using an NDIS-specific policy where appropriate.
- Train staff on privacy, consent and incident response to reflect your real-world support environment.
Marketing And Patient Communications
- Stick to consented channels and respect opt-outs immediately.
- Only use patient contact details for marketing when you have appropriate consent - and ensure your practices align with email marketing laws.
- If you publish testimonials or case studies, obtain explicit consent and de-identify wherever possible.
How To Get Your Privacy Policy Working Day-To-Day
A policy is only as good as its implementation. Here’s a practical checklist to bring it to life:
- Map your data: What health information do you collect, where does it go, who sees it and how long do you keep it?
- Write (or refresh) your Privacy Policy so it matches your actual practices - not the other way around.
- Embed a Privacy Collection Notice at key touchpoints: intake forms, online bookings, app onboarding.
- Update supplier contracts and put a Data Processing Agreement in place with any third party processing personal information for you.
- Train your team: who can access what, how to verify identity, how to respond to requests and complaints.
- Prepare for incidents with a tested Data Breach Response Plan - run a tabletop exercise so everyone knows their role.
- Schedule reviews: revisit your policy and processes at least annually, or whenever you launch a new service, app feature or vendor integration. If it’s a big change, run a Privacy Impact Assessment.
- Align retention and deletion: confirm your schedules reflect your clinical and legal obligations as well as the approach to data retention laws.
It’s normal to feel unsure about the first draft. Start simple, cover the APPs and your real processes, and refine from there. The goal is clarity and consistency, not legalese.
Key Takeaways
- Health information is “sensitive information” under the Privacy Act, so the rules and expectations are higher.
- A clear, APP-compliant Privacy Policy is essential when you collect health information - it’s legally required for most health service providers and builds trust.
- Your policy should cover what you collect, why, how you use and disclose it, security, retention, access/correction and complaints.
- Back your policy with practical tools: a Privacy Collection Notice, Data Breach Response Plan, Data Processing Agreement with vendors and, for bigger changes, a Privacy Impact Assessment.
- Tailor documents for your setting - for example a dedicated Privacy Policy (Health Service Provider) or an NDIS Privacy Policy - and match them to your day-to-day forms and workflows.
- Make privacy operational: train staff, embed notices at collection points, and review regularly as your services or technology evolve.
If you’d like help drafting or reviewing a Privacy Policy for health information, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.