What Are the Australian Privacy Principles (APPs)?
The Australian Privacy Principles (APPs) are 13 principles contained in Schedule 1 of the Privacy Act 1988 (Cth) — Australia's primary federal privacy legislation. The APPs govern how organisations collect, use, disclose, store, and provide access to personal information, including health information.
Unlike many countries where healthcare privacy is governed by a single national law (such as HIPAA in the United States), Australia has a layered framework: the APPs apply nationally to all private health providers, while state-specific laws (like NSW's HRIPA or Victoria's Health Records Act) add additional requirements on top.
APPs Apply in Every State
If your medical practice is in Queensland, Western Australia, South Australia, Tasmania, the ACT, or the Northern Territory — where there is no state health privacy act for private providers — the federal APPs are your primary compliance framework. There is no 'HIPAA equivalent' in Australia; the APPs are it.
Which Organisations Must Comply with the APPs?
All private health service providers in Australia must comply with the APPs, regardless of size or annual turnover. This includes:
- GP and specialist medical practices — all states
- Dental practices — all states
- Allied health practitioners (physiotherapy, psychology, OT, speech pathology, chiropractic, podiatry, dietetics) — all states
- Hospitals and day surgeries
- Telehealth service providers
- Complementary health providers in many cases
Note: The general Privacy Act AUD $3 million turnover threshold does NOT apply to health service providers — all private health providers are covered regardless of revenue.
The 13 APPs: What Matters for Your Website
APP 1: Open and Transparent Management of Personal Information
You must have a clearly available Privacy Policy that describes how you manage personal information. For your website, this means a Privacy Policy that is easy to find (typically footer-linked), up to date, and written in plain English. It must describe what information you collect, why, how you use and disclose it, and how individuals can access or correct their information.
APP 3: Collection of Solicited Personal Information
You may only collect personal information (including health information via web forms) if it is reasonably necessary for your practice's functions. You must collect health information directly from the individual wherever reasonably practicable. Collection must be accompanied by notification of: who is collecting it, why it's being collected, the consequences of not providing it, and whether you'll disclose it to others.
APP 5: Notification of the Collection of Personal Information
At or before the time of collection (i.e., on the web form itself), you must notify individuals of the collection and its purpose. A generic 'we value your privacy' statement is not sufficient — specific notification is required for each collection point.
APP 6: Use or Disclosure of Personal Information
Health information collected for one purpose (e.g., booking an appointment) cannot be used for another purpose (e.g., marketing) without consent or a relevant legal exception. Your website's form data must only be used for the purpose stated at collection.
APP 11: Security of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. For your website, this means: HTTPS for all pages, secure form submission handling, regular security audits, and appropriate access controls on stored data.
APPs vs HRIPA vs Health Records Act (VIC): What's the Difference?
| Law | Jurisdiction | Applies to | Key Principles |
|---|---|---|---|
| Privacy Act 1988 / APPs | Federal (all states) | All private health providers | 13 APPs |
| HRIPA 2002 | NSW only | All NSW health service providers | 15 HPPs (stricter in some areas) |
| Health Records Act 2001 | VIC only | All VIC health service providers | 11 HPPs |
| Information Privacy Act 2009 | QLD only | Public sector only (not private practices) | 11 IPPs |
NSW practices must comply with both the APPs and HRIPA. Victorian practices must comply with both the APPs and the Health Records Act. Practices in all other states and territories are governed by the APPs as their health privacy framework.
What APP Compliance Requires on Your Medical Practice Website
- Privacy Policy: Clearly accessible, covering all 13 APPs in plain English. Must be linked from the footer and any data collection form.
- Form notification: At or before the collection point on each web form, notify individuals of the collection, its purpose, and who it may be disclosed to.
- HTTPS: All pages, especially forms, must be served over HTTPS (APP 11 security requirement).
- Consent mechanisms: Active (not pre-ticked) consent for health information collection.
- No secondary use: Form data collected for appointment booking cannot be used for marketing without separate consent.
- Access and correction: Your Privacy Policy must explain how patients can access or correct their information held by your practice.
Common APP Compliance Gaps on Australian Medical Websites
- Missing or generic Privacy Policy: A template Privacy Policy that doesn't reference your specific collection and disclosure practices
- No notification on forms: Forms that collect health information without a privacy notice above the form
- HTTP pages: Any non-HTTPS page on the website — especially if it has a form
- Third-party disclosure gaps: Not disclosing in the Privacy Policy that booking software (HotDoc, Healthengine, Cliniko) receives patient data
- No access/correction pathway: Not explaining how patients can access or correct their health information
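Several of the requirements and gaps listed above can be checked statically in a page's HTML before anyone reads the Privacy Policy itself. The following Python script is an added example (not part of this article and not Avaaze's tooling) that audits one page for four of those gaps: a page or form action not served over HTTPS (APP 11), no Privacy Policy link on the page (APP 1), a form with no collection notice (APP 5), and a pre-ticked consent checkbox. The two sample pages and the `example-practice.invalid` URLs are constructed for the example; the detection heuristics (a notice is recognised by the word "collect", a consent checkbox by "consent" in its name or id) are assumptions made here, not rules from the Act.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic for an APP 5 collection notice inside a form: the notice must say what is
# collected and why, so we require the word "collect" (assumption made for this example).
NOTICE_RE = re.compile(r"\bcollect", re.IGNORECASE)


@dataclass
class FormInfo:
    action: str                        # absolute URL the form submits to
    text: str = ""                     # visible text inside the <form>
    prechecked_consent: list = field(default_factory=list)


class PageAuditor(HTMLParser):
    """Collects forms, consent checkboxes and Privacy Policy links from one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.privacy_links = []
        self._form = None
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page URL, so an http:// page
            # with action="/book" still submits over plain HTTP.
            self._form = FormInfo(action=urljoin(self.page_url, a.get("action") or ""))
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            ident = ((a.get("name") or "") + " " + (a.get("id") or "")).lower()
            # A consent checkbox is recognised by "consent" in its name or id (assumption).
            # A bare `checked` attribute parses as ("checked", None), so key membership suffices.
            if (a.get("type") or "").lower() == "checkbox" and "consent" in ident and "checked" in a:
                self._form.prechecked_consent.append(a.get("name") or a.get("id"))
        elif tag == "a":
            self._anchor = a.get("href") or ""
            if "privacy" in self._anchor.lower():
                self.privacy_links.append(self._anchor)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._anchor = None

    def handle_data(self, data):
        if self._form is not None:
            self._form.text += " " + data
        # Link text such as "Privacy Policy" also counts even when the href does not say so.
        if self._anchor is not None and "privacy" in data.lower() and self._anchor not in self.privacy_links:
            self.privacy_links.append(self._anchor)


def audit_page(page_url, html):
    """Return a list of (principle, finding) tuples; an empty list means no gap detected."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append(("APP 11", "page is not served over HTTPS"))
    if not parser.privacy_links:
        findings.append(("APP 1", "no Privacy Policy link found on the page"))
    for i, form in enumerate(parser.forms, 1):
        if urlparse(form.action).scheme != "https":
            findings.append(("APP 11", f"form {i} submits to non-HTTPS action {form.action}"))
        if not NOTICE_RE.search(form.text):
            findings.append(("APP 5", f"form {i} has no collection notice at the point of collection"))
        for name in form.prechecked_consent:
            findings.append(("Consent", f"form {i} consent checkbox '{name}' is pre-ticked"))
    return findings


# Constructed sample pages (not real sites): one with the common gaps, one without.
BAD_URL = "http://example-practice.invalid/contact"
BAD_PAGE = """<html><body><h1>Book an appointment</h1>
<form action="/book" method="post">
  <label>Name <input name="name"></label>
  <label>Reason for visit <textarea name="reason"></textarea></label>
  <label><input type="checkbox" name="consent" checked> I agree</label>
  <button>Send</button>
</form>
<footer>Example Practice</footer></body></html>"""

GOOD_URL = "https://example-practice.invalid/contact"
GOOD_PAGE = """<html><body><h1>Book an appointment</h1>
<form action="/book" method="post">
  <p>We collect your name, contact details and reason for visit to arrange your appointment.
     It is disclosed to our online booking provider and is not used for marketing.
     If you do not provide it we may be unable to book you.</p>
  <label>Name <input name="name"></label>
  <label>Reason for visit <textarea name="reason"></textarea></label>
  <label><input type="checkbox" name="consent"> I consent to the collection described above</label>
  <button>Send</button>
</form>
<footer><a href="/privacy-policy">Privacy Policy</a></footer></body></html>"""

if __name__ == "__main__":
    for url, page in ((BAD_URL, BAD_PAGE), (GOOD_URL, GOOD_PAGE)):
        print(url)
        for principle, finding in audit_page(url, page) or [("OK", "no gaps detected")]:
            print(f"  [{principle}] {finding}")
```

This is a first-pass check only: it can tell you a notice is absent, but not whether a present notice names the purpose, the recipients and the consequences of not providing the information, which still needs a human review against APP 3 and APP 5.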
APP Compliant Medical Website vs HIPAA Compliant Medical Website
Australian practices sometimes search for 'HIPAA compliant medical website' — HIPAA is the United States Health Insurance Portability and Accountability Act. HIPAA does not apply in Australia. The Australian equivalent for health privacy purposes is the combination of the Privacy Act 1988 APPs (national) plus any applicable state health records legislation (HRIPA for NSW, Health Records Act for VIC). An APP and HRIPA-compliant Australian medical website is the equivalent of a HIPAA-compliant US website in terms of health data protection requirements.
Getting an APP-Compliant Medical Website
Avaaze builds APP and HRIPA compliance into every medical website from day one. Every build includes a custom Privacy Policy addressing both the APPs and any applicable state legislation, HTTPS enforced across all pages, consent mechanisms on data collection forms, and clear third-party disclosure statements for all integrations.
