What is HRIPA?
The Health Records and Information Privacy Act 2002 (NSW) — known as HRIPA — is New South Wales' primary legislation governing the privacy of health information held by health service providers operating in NSW.
HRIPA applies to any organisation that provides health services in NSW and holds health information about individuals. Unlike the federal Privacy Act's AUD $3 million turnover threshold for general businesses, HRIPA applies to all NSW health service providers regardless of size or revenue — including sole-practitioner GPs, specialist rooms, and small allied health practices.
Who Must Comply with HRIPA?
HRIPA applies to 'health service providers' — organisations that provide health services in NSW. This includes:
- General practice (GP) and specialist medical practices
- Medical centres and multi-practitioner clinics
- Allied health practitioners (physiotherapy, psychology, OT, speech pathology, podiatry, dietetics, chiropractic, optometry)
- Dental practices
- Pathology and radiology providers
- Telehealth services serving NSW patients
The Key Health Privacy Principles (HPPs) for Your Website
HPP 1: Collection
When you collect health information through your website (appointment forms, health questionnaires), you must tell the individual what information is being collected and why, whether collection is required by law or voluntary, what happens if they don't provide the information, and who else the information might be disclosed to. This must appear at the time of collection — on or near any form that collects health information.
HPP 2: Anonymity
Where lawful and practicable, individuals must be given the option to interact anonymously. Your general contact form should not require health information for a basic enquiry.
HPP 3: Collection of Sensitive Information
Health information requires explicit consent before collection. A pre-ticked 'I agree' box or implicit consent is not sufficient. Consent must be active, informed, and specific.
HPP 10: Security
Health information must be protected against loss, unauthorised access, modification, disclosure, or other misuse. For your website: all form submissions must use HTTPS encryption, form data must be transmitted to a secure destination, and any third-party services handling form submissions must have adequate data security.
What Your HRIPA-Compliant Website Needs
1. A Comprehensive Privacy Policy
Your Privacy Policy must be easily accessible from your website and must cover all 15 HPPs. At minimum, it must explain: what health and personal information you collect and why, how information is stored and protected, who information is disclosed to (booking software, pathology, specialists), how patients can access and correct their health information, how to make a complaint, and your practice's contact details for privacy matters.
2. Consent Mechanisms on Data Collection Forms
- A clear privacy notice explaining what information is being collected and why
- An active consent tick-box (not pre-ticked) for health information collection
- A link to your full Privacy Policy
3. HTTPS Throughout the Entire Site
All pages — especially any forms — must be served over HTTPS. An insecure HTTP page is an HPP 10 security risk and also a negative Google ranking signal.
4. Secure Form Submission
Form data must be transmitted securely and stored with appropriate access controls. Many WordPress contact form plugins store submissions in the WordPress database — which may be inadequately secured.
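The consent mechanism (item 2) and the HTTPS and secure-submission requirements (items 3 and 4) can be checked on the server rather than trusted to the browser. The following is an added example, written for this page and not Avaaze's code or any WordPress plugin's: a small set of framework-agnostic Node.js helpers that redirect plain-HTTP requests, send an HSTS header once on HTTPS, render a consent checkbox that is never pre-ticked, and refuse a submission unless the checkbox was actively ticked against the current privacy notice. The function names, the `X-Forwarded-Proto` reverse-proxy convention, the policy version value and the sample request and form body are all assumptions constructed for the example.

```javascript
// Added example (not Avaaze's code): server-side helpers a NSW practice site
// could use to enforce HTTPS and active consent on a health-information form.
// Framework-agnostic: the request and body shapes below are assumptions.
"use strict";

// Assumed: bump this whenever the privacy notice wording changes, so consent
// given against an older notice is not silently reused.
const PRIVACY_POLICY_VERSION = "2024-01";
const HSTS_HEADER = "max-age=31536000; includeSubDomains";

// Decide whether a request must be redirected to HTTPS. `req` is a plain
// object with `headers` and `url`; behind a reverse proxy the original
// scheme arrives in X-Forwarded-Proto, so both that header and `req.secure`
// are consulted. On HTTPS the HSTS header is returned for the caller to set.
function httpsPolicy(req) {
  const forwarded = String(req.headers["x-forwarded-proto"] || "").toLowerCase();
  const secure = req.secure === true || forwarded === "https";
  if (!secure) {
    return { redirect: `https://${req.headers.host}${req.url}`, headers: {} };
  }
  return { redirect: null, headers: { "Strict-Transport-Security": HSTS_HEADER } };
}

// Render the consent control. The checkbox carries no `checked` attribute,
// so consent can only be given by a deliberate action (HPP 3), and the
// privacy notice sits beside the field that collects the data (HPP 1).
function renderConsentField(policyUrl) {
  return [
    '<p class="privacy-notice">We collect the health information in this form to ',
    "arrange your appointment. Providing it is voluntary; without it we may not be ",
    "able to book you in. It may be disclosed to our booking software provider and ",
    "to treating clinicians. See our ",
    `<a href="${policyUrl}">Privacy Policy</a>.</p>`,
    '<label><input type="checkbox" name="health_consent" value="yes"> ',
    "I consent to the collection of my health information as described above.</label>",
    `<input type="hidden" name="policy_version" value="${PRIVACY_POLICY_VERSION}">`,
  ].join("\n");
}

// Validate a submitted form body. Browsers omit an unticked checkbox from the
// submission entirely, so anything other than the exact value "yes" (missing,
// "", "on", "true") is treated as no consent. A stale policy version also
// fails, since consent must be informed by the notice currently shown.
function validateConsent(body, now = new Date()) {
  if (body.health_consent !== "yes") {
    return { ok: false, error: "Active consent to health information collection is required." };
  }
  if (body.policy_version !== PRIVACY_POLICY_VERSION) {
    return { ok: false, error: "Privacy notice has changed; please review and consent again." };
  }
  // Consent record stored alongside the submission so the practice can show
  // when, and to which notice, the patient agreed.
  return {
    ok: true,
    record: {
      consentedAt: now.toISOString(),
      policyVersion: body.policy_version,
      method: "explicit-checkbox",
    },
  };
}

// Constructed sample inputs: a plain-HTTP request seen behind a proxy, and a
// submission where the consent box was left unticked (so the field is absent).
const sampleHttpReq = {
  headers: { host: "practice.example", "x-forwarded-proto": "http" },
  url: "/book",
};
const sampleBadBody = { patient_name: "A. Patient", policy_version: PRIVACY_POLICY_VERSION };

console.log(httpsPolicy(sampleHttpReq));      // redirect to https://practice.example/book
console.log(validateConsent(sampleBadBody));  // ok: false, consent required
console.log(renderConsentField("/privacy-policy"));
```

The consent record returned by `validateConsent` is the part worth persisting with the submission: a timestamp and policy version answer the HPP 3 question of what the patient actually agreed to, which a bare database row of form fields cannot. Where submissions are handed to a third-party form service, the same validation should run before the data leaves the site.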
HRIPA vs Australian Privacy Principles (APPs)
NSW medical practices are subject to both HRIPA and the federal Privacy Act 1988 / APPs simultaneously. A common misconception is that complying with the APPs means you've complied with HRIPA. This is not necessarily the case — HRIPA has some stricter requirements, particularly around anonymity and consent for sensitive information.
| | HRIPA (NSW) | Privacy Act / APPs (Federal) |
|---|---|---|
| Applies to | All NSW health service providers | All private health providers nationally |
| Size threshold | None — covers sole practitioners | None for health providers |
| Principles | 15 Health Privacy Principles (HPPs) | 13 Australian Privacy Principles (APPs) |
| Enforcement | NSW Privacy Commissioner | Australian Information Commissioner (OAIC) |
Compliance Note
Avaaze provides general information about HRIPA requirements. For formal legal advice about your specific obligations, consult a qualified health law solicitor or the NSW Privacy Commissioner.
Getting a Compliant Medical Website
Avaaze builds HRIPA/APP compliance into every medical website from the ground up — custom Privacy Policies, HTTPS enforced, secure form handling, consent mechanisms, and data handling documentation as part of the delivery package.
