
Individual Health Identifiers: Privacy Obligations for Australian Healthcare

If your healthcare business collects or uses an individual health identifier, privacy compliance is not a small admin task. It sits right at the point where patient identity, sensitive information, software systems and day-to-day staff behaviour all meet. The common mistakes are usually practical ones: using an IHI for the wrong purpose, assuming your ordinary privacy policy covers everything, or giving too many staff members access because it feels easier operationally.

Those mistakes can create real risk. A mishandled identifier can lead to privacy complaints, contractual issues with service providers, internal confusion about access rules, and extra scrutiny if your practice, clinic, allied health business or digital health platform is audited or investigated.

This guide explains what an individual health identifier is, when Australian businesses are likely to deal with one, what privacy obligations usually follow, and what founders and practice owners should sort out before they sign software contracts, expand services, or spend money on setup.

Overview

An individual health identifier, often called an IHI, is a unique number used within Australia’s health system to accurately match healthcare information to the right person. If your business handles IHIs, the legal issue is not just collection. You also need to control access, limit use and disclosure, and make sure your systems and staff practices fit the rules that apply to health information and healthcare identifiers.

  • Confirm whether your business is actually collecting, verifying, storing or transmitting IHIs.
  • Identify the legal basis for using an IHI, and whether the use is tied to healthcare delivery or a related permitted purpose.
  • Check your privacy policy, collection notices, staff procedures and software settings for identifier-specific handling.
  • Limit access so staff only see or use IHIs where they need them for their role.
  • Review agreements with practice management platforms, telehealth providers, IT vendors and other service providers.
  • Have a process for data breaches, patient access requests and correction requests involving identifiers or linked health records.

What an Individual Health Identifier Means For Australian Businesses

An individual health identifier is not just another customer reference number. It is a regulated healthcare identifier used to support accurate identification in the Australian health system, and businesses that handle it need to treat it more carefully than ordinary admin data.

In Australia, healthcare identifiers are part of a system designed to reduce mismatching and support safe information sharing. For a healthcare business, that usually means an IHI may be used when confirming a patient’s identity, connecting records across providers, using certain digital health systems, or integrating software that relies on standardised healthcare identity data.

The reason this matters is simple. An IHI is tied closely to a person’s health information, and health information is already one of the most sensitive categories of personal information under Australian privacy law. When you add a regulated identifier into the mix, the business needs tighter control over how that identifier is collected, stored, used and disclosed.

This is where founders often get caught. They assume that because they are already handling medical histories, booking details or treatment notes, the IHI can just be folded into existing workflows without much thought. In practice, identifier use should be purpose driven and restricted.

Which businesses may be affected

You do not need to be a large hospital to have obligations in this area. A wide range of healthcare and health-adjacent businesses may come across IHIs, depending on their services and systems.

  • General practices and specialist clinics.
  • Allied health providers such as physiotherapy, psychology, speech pathology and occupational therapy businesses.
  • Telehealth providers and digital health startups.
  • Medical centres with integrated booking, billing and clinical record systems.
  • Pharmacies and medication management services in some workflows.
  • Aged care or disability service providers where health service coordination is involved.
  • Health technology businesses that build, host or support software used by healthcare providers.

If you are building a health business in Australia, this issue can sit alongside other startup legal tasks such as choosing a business structure, company registration, contracts with software providers, employment contracts, privacy documentation, and trade mark protection for your brand. The presence of an IHI does not replace those legal requirements. It adds another layer to them.

Privacy law and identifier rules usually work together

For many businesses, the relevant obligations come from more than one place. General privacy law may apply, especially where you handle personal information and health information. Separate rules about healthcare identifiers may also shape what you can do with the IHI itself.

That means a business should not ask only, “Are we covered by the Privacy Act?” The better question is broader: “What are all the rules that apply to this identifier in our actual workflow?” For example, your obligations may touch:

  • collection practices at onboarding or patient intake,
  • clinical software configuration,
  • staff access permissions,
  • record retention and destruction procedures,
  • outsourcing arrangements, and
  • responses to privacy incidents or patient complaints.

What businesses are usually allowed to do

The usual starting point is that an IHI should be used for a permitted healthcare-related purpose, not as a convenient all-purpose customer number. If your reception staff, clinicians, support teams or product developers are using the identifier in ways that go beyond the reason it was collected, the business may drift into risky territory.

For example, using an IHI to support identity matching within a patient care workflow may be legitimate. Reusing it for unrelated marketing segmentation, broad internal tracking, or unnecessary third party sharing is much harder to justify.

When This Issue Comes Up

This issue usually appears when a business changes systems, expands services or connects more deeply into the digital health ecosystem. It often becomes visible only after a founder signs a software contract or a clinic starts onboarding patients at scale.

When you adopt new health software

A common trigger is a move to a new practice management system, clinical records platform, telehealth tool or patient app. The sales process may focus on features and integrations, but before you sign a contract, you should check exactly how the platform handles IHIs and related health data.

Questions to ask include:

  • Does the system collect or verify IHIs automatically?
  • Where is the data stored and who can access it?
  • Can staff permissions be limited by role?
  • What logs exist for access and changes?
  • What subcontractors or cloud providers are involved?
  • What support is available if there is a data breach or system error?

A software agreement that says very little about privacy, security responsibilities or incident response can leave a healthcare business exposed.

When you launch telehealth or a digital health product

Digital health businesses often build workflows around identity verification and record matching. That can be useful, but it can also create legal risk if the product team treats the IHI like a standard account identifier.

Before you launch online, map the user journey from sign up through treatment or consultation. Look closely at where the identifier appears, who can see it, whether it is copied into support tools, and whether third party integrations receive more data than they need.

When you share information with other providers

Healthcare businesses often need to coordinate with specialists, pathology providers, pharmacies, hospitals or referrers. That coordination can involve an IHI, especially where systems are designed to match records accurately.

The legal question is not just whether sharing is helpful. The business needs to ask whether the disclosure is permitted, limited to what is necessary, and supported by proper process. Staff should not be improvising based on habit or convenience.

When your business grows quickly

A founder-led clinic with five team members can often rely on informal habits for a while. Once the business adds locations, contractors, outsourced admin support or offshore technical teams, those habits stop being safe.

This is a common moment for privacy gaps to appear, such as:

  • shared logins,
  • broad admin access across all patient records,
  • no written collection notice for online intake forms,
  • unclear procedures for correcting patient records, and
  • weak contractual protections with IT and software providers.

When a privacy complaint or breach occurs

A complaint from a patient about incorrect matching, unauthorised access or unexplained disclosure often forces a business to confront identifier handling practices. The same is true after a phishing attack, lost device incident or software sync error.

If your response plan only covers general cybersecurity steps, it may not be enough. A healthcare business should be ready to investigate what identifier data was involved, who had access, whether other linked health information was affected, and what notification steps may be required.

Practical Steps And Common Mistakes

The safest approach is to treat IHIs as a controlled part of your health information system, not as a convenient field that every team can use. Good compliance usually comes from a mix of targeted documents, staff training, system settings and carefully drafted contracts.

1. Work out your exact data flow

You cannot manage identifier risk if you do not know where the data goes. Map the full life cycle of the IHI in your business.

  • How is it collected or verified?
  • Which systems receive it?
  • Which staff roles can view or edit it?
  • Is it exported, synced or backed up elsewhere?
  • Do contractors, software vendors or support teams ever access it?
  • How long is it kept?

This exercise often reveals hidden duplication, such as an IHI appearing in appointment software, shared spreadsheets, customer support tools or reporting dashboards that do not need it.

2. Limit use to the purpose that actually fits

A common mistake is function creep. The business collects an identifier for a proper healthcare purpose, then gradually reuses it for admin shortcuts, analytics, or internal matching tasks that are not necessary.

Set a clear internal rule about when the IHI can be used and when it cannot. If a team cannot explain why use of the identifier is necessary, that is a warning sign.

3. Update privacy documents properly

Your privacy policy should reflect the fact that the business handles health information and, where applicable, healthcare identifiers. For many businesses, a broader set of privacy documents is also needed, not just a policy sitting on the website.

Depending on your operations, you may need:

  • a collection notice for patients or users,
  • internal privacy and data handling procedures,
  • a data breach response plan,
  • staff confidentiality terms, and
  • clear retention and destruction rules.

A generic privacy policy copied from a non-healthcare business is rarely enough.

4. Lock down access controls

Not every staff member needs access to every identifier field. Reception, clinical, billing, support and technical teams often need different levels of visibility.

Role-based access, audit logs and secure authentication matter here. If your software cannot support granular permissions, that is a procurement issue as well as a privacy issue.

This is especially important before you spend money on setup for a new platform. A system that cannot separate access cleanly may create ongoing compliance problems that are expensive to fix later.

5. Review supplier and contractor contracts

If third parties host, process, support or store data that includes IHIs, your contracts should deal with privacy and security clearly. Founders often focus on price, implementation timing and service levels, but data handling terms deserve equal attention.

Review agreements for issues such as:

  • confidentiality obligations,
  • permitted data use limits,
  • security standards and access controls,
  • subcontracting restrictions,
  • data breach notification timing,
  • assistance with investigations and regulatory requests, and
  • data return or deletion when the contract ends.

If you are a health tech startup selling software to clinics, these issues also affect your customer terms and product promises. You need to be careful about what you say your platform does, who is responsible for compliance settings, and how liability is allocated if the system is misused.

6. Train staff on real scenarios

Policies help, but staff behaviour is where most mistakes happen. Training should cover real moments your team faces, not just abstract privacy language.

Examples include:

  • a receptionist verifying patient details over the phone,
  • a clinician correcting a mismatched record,
  • an admin team member emailing information to another provider,
  • a contractor asking for broad database access to fix a technical issue, and
  • a support team member viewing production data during troubleshooting.

Short, practical training is often more effective than long manuals that nobody reads.

7. Prepare for access, correction and breach issues

Patients may ask to access or correct their information, and sometimes the issue involves identity matching or identifier records. Your team should know who handles these requests, what timeframe applies internally, and how to verify the request safely.

The same goes for data incidents. If there is an accidental disclosure or system breach, move quickly to contain the problem, investigate what information was affected, and assess whether notification obligations are triggered.

Common mistakes to avoid

Most businesses do not get into trouble because they deliberately misuse an IHI. Problems usually come from weak systems, vague responsibility and rushed implementation.

  • Treating the IHI as just another CRM field.
  • Allowing broad access because limiting permissions is inconvenient.
  • Relying on verbal staff instructions instead of written process.
  • Signing vendor contracts without checking privacy and security clauses.
  • Collecting more identifier-related data than the workflow needs.
  • Failing to review whether older systems or spreadsheets still contain copies.
  • Ignoring privacy compliance during expansion, acquisitions or new service launches.

FAQs

Does every healthcare business in Australia handle an individual health identifier?

No. Some businesses will never collect or use an IHI directly. The answer depends on your services, software, integrations and whether you operate in workflows connected to the healthcare identifier system.

Is an individual health identifier the same as a Medicare number?

No. They are different identifiers used for different purposes. Businesses should not assume the rules are interchangeable just because both relate to healthcare administration.

Can we use an IHI as our internal customer account number?

Usually, that is not a safe assumption. An IHI should be used only where the purpose fits the legal and operational reason for handling it. Replacing your ordinary account number with an IHI can create unnecessary privacy risk.

Do small clinics and allied health providers need privacy documents for this?

Often, yes. Even smaller healthcare businesses should consider whether their privacy policy, collection notices, staff procedures and supplier contracts properly reflect how health information and identifiers are handled.

What should we review before signing with a new health software provider?

Check how the provider collects, stores, secures and shares identifier-related data, what access controls exist, where data is hosted, what happens in a breach, and what assistance the provider must give if you need to investigate a privacy issue.

Key Takeaways

  • An individual health identifier is a regulated healthcare identifier, not just a convenient customer reference number.
  • Australian healthcare businesses should use IHIs only for permitted healthcare-related purposes and avoid broader reuse.
  • Your legal obligations may involve both general privacy law and specific rules around healthcare identifiers.
  • The biggest risks usually come from software setup, broad staff access, weak contracts and unclear internal processes.
  • Before you sign contracts or launch new services, review data flows, privacy documents, vendor terms and staff procedures carefully.
  • If your business is dealing with an individual health identifier and wants help with privacy policies, software and supplier contracts, data breach response planning, and healthcare compliance documents, you can reach us on 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
