AVAAZE HRIPA Compliance Medical Websites

HRIPA Compliance for NSW Medical Websites

The Health Records and Information Privacy Act 2002 (NSW) imposes strict requirements on how your practice website handles patient information. Avaaze builds HRIPA-compliant medical websites by design — not as an afterthought.

What HRIPA Requires of Your Website

  • Clear, accessible Privacy Policy (Health Privacy Principles)
  • Secure HTTPS transmission for all patient form data
  • Consent mechanisms for health information collection
  • Patient access and correction rights clearly stated
  • Data retention and destruction policy disclosure

What is HRIPA?

The Health Records and Information Privacy Act 2002 (NSW) — commonly known as HRIPA — is NSW's primary legislation governing health information privacy. It applies to all organisations that collect, hold, use or disclose health information about individuals in connection with the provision of a health service in NSW.

HRIPA applies to all NSW health service providers regardless of organisation size, including sole-practitioner GPs, specialist rooms, allied health sole traders and small medical clinics. There is no small business exemption under HRIPA. Note that the federal Privacy Act 1988 also does not exempt small businesses that provide a health service and hold health information, so a small NSW practice cannot rely on its size to escape either regime.

Your practice website falls under HRIPA whenever it collects health information via online forms — appointment requests, health history questionnaires, recall registrations, online bookings, or even a simple contact form where patients might disclose health conditions.

Compliance Note

Avaaze provides general information about HRIPA requirements. For formal legal advice about your specific obligations, consult a qualified health law solicitor or the NSW Privacy Commissioner.

HRIPA vs Australian Privacy Principles

Most Australian medical practices are subject to both HRIPA (NSW) and the federal Privacy Act 1988 / Australian Privacy Principles (APPs). Understanding the relationship between them is important for compliance:

HRIPA (NSW)

  • Applies to all NSW health service providers
  • No size threshold — covers sole practitioners
  • 15 Health Privacy Principles (HPPs)
  • Enforced by NSW Privacy Commissioner

Privacy Act 1988 / APPs (Federal)

  • Applies to all private health service providers nationally
  • No size threshold for health providers
  • 13 Australian Privacy Principles (APPs)
  • Enforced by Australian Information Commissioner (OAIC)

HRIPA Website Compliance Checklist

Is your current medical practice website compliant? Review these key requirements.

Accessible Privacy Policy

A Privacy Policy covering the HPPs must be clearly accessible from your website — typically linked in the footer and any data collection forms.

HTTPS Throughout

All pages of your website, and especially any page that carries a form, must be served over HTTPS, with plain HTTP requests redirected to the HTTPS version so that a patient who types your address without the scheme never submits a form in the clear. Check that the form's submission URL and any embedded booking widget also use HTTPS, not just the page itself. An expired or missing TLS (SSL) certificate is a compliance and trust risk: browsers block the page behind a warning, and patients who are taught to click past such warnings lose the protection HTTPS is supposed to give them.

Consent for Health Information

Any form that may collect health information requires clear consent language stating what is collected, why, and who it may be shared with. Pre-ticked boxes are not sufficient: consent must be an active step the patient takes, such as ticking an unchecked box, and the form should not submit until that box is ticked.

Third-Party Disclosure

If your booking software (Hotdoc, Healthengine, Nookal, etc.) receives health information, this must be disclosed in your Privacy Policy.

Patient Rights Statement

Patients must be told how to access, correct or complain about their health information. This must appear in your Privacy Policy.

Data Retention Policy

Your Privacy Policy must explain how long health information is retained and how it is securely destroyed when no longer needed.
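Two of the checklist items above, HTTPS submission and active (not pre-ticked) consent, can be verified mechanically from a page's HTML rather than by eye. The script below is an added example written for this page, not Avaaze's audit tooling: it parses a constructed sample page, resolves each form's submission URL against the page URL, and flags forms that submit over anything but HTTPS, forms that use GET (which puts field values into the URL and therefore into server, proxy and browser-history logs), and consent checkboxes that are missing or pre-ticked. The page URL and the rule that a consent checkbox has "consent" in its name attribute are assumptions made for the example.

```python
"""Static audit of HTML forms for two of the website checks above:
form data must travel over HTTPS, and consent must be active (not pre-ticked).

Added example for this page, not Avaaze's tooling. The sample HTML below is
constructed; the consent rule (a checkbox whose name contains "consent") is an
assumption made for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on the page together with the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # boolean attributes such as `checked` map to None
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return a list of (form_index, finding) tuples; an empty list means no issues found."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for idx, form in enumerate(collector.forms):
        attrs = form["attrs"]
        # A relative or missing action submits back to the page itself, so resolve it
        # against the page URL: an http:// page makes every relative form insecure too.
        action = urljoin(page_url, attrs.get("action") or "")
        scheme = urlparse(action).scheme
        if scheme != "https":
            findings.append((idx, f"submits over {scheme or 'unknown scheme'}: {action}"))
        # GET puts every field into the query string, which lands in server, proxy
        # and browser-history logs; health information should only ever be POSTed.
        if (attrs.get("method") or "get").lower() != "post":
            findings.append((idx, "uses GET, so patient data would appear in the URL"))
        consent_boxes = [
            inp for inp in form["inputs"]
            if (inp.get("type") or "text").lower() == "checkbox"
            and "consent" in (inp.get("name") or "").lower()
        ]
        if not consent_boxes:
            findings.append((idx, "no consent checkbox found"))
        for box in consent_boxes:
            if "checked" in box:  # the `checked` attribute makes the box pre-ticked
                findings.append((idx, f"consent checkbox '{box.get('name')}' is pre-ticked"))
    return findings


# Constructed sample page: one bad form, one half-bad form and one clean form.
PAGE_URL = "https://www.example-practice.com.au/contact"  # assumed URL for the example
SAMPLE_HTML = """
<form action="http://forms.example.net/appointment" method="post">
  <input type="text" name="symptoms">
  <input type="checkbox" name="consent" checked> I consent
</form>
<form action="/appointment" method="get">
  <input type="text" name="condition">
</form>
<form action="/appointment" method="post">
  <input type="text" name="symptoms">
  <input type="checkbox" name="consent"> I consent to the collection of my health information
</form>
"""

if __name__ == "__main__":
    for idx, finding in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(f"form {idx}: {finding}")
```

Run it against the HTML you save from each page that carries a form, passing the page's real URL so relative actions resolve correctly. A page that is itself served over plain HTTP turns every relative form into an insecure one, which is why the page URL matters as much as the form markup. This static check complements, rather than replaces, checking the certificate and the HTTP-to-HTTPS redirect in a browser.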

HRIPA FAQs for NSW Medical Practices

What is HRIPA?

HRIPA stands for the Health Records and Information Privacy Act 2002 (NSW). It's a New South Wales statute that governs the collection, use, storage, and disclosure of health information by health service providers operating in NSW. Health information includes medical records, test results, prescriptions, appointment history, billing records, and any other information about a person's physical or mental health. Any NSW-based health service provider — including GP practices, specialist clinics, hospitals, allied health providers, and telehealth services serving NSW patients — must comply with HRIPA.

How does HRIPA affect my medical practice website?

Your practice website is a data collection point — and that means HRIPA applies. Specifically, any web form that collects patient information (appointment requests, recall forms, health questionnaires, patient registration, online bookings) must comply with HRIPA's Health Privacy Principles (HPPs). Key requirements for your website include: (1) a clear, prominent Privacy Policy that explains how health information is collected, used, stored and disclosed; (2) consent mechanisms for any data collection forms; (3) secure transmission of form data (HTTPS); (4) clear information about your data retention and destruction policies; (5) contact information for patients to access or correct their health information.

What are the Health Privacy Principles (HPPs) under HRIPA?

There are 15 Health Privacy Principles in Schedule 1 of HRIPA. The ones most relevant to a practice website are: HPP 1 (Purposes of collection), which permits collection only for a lawful purpose directly related to your functions, and only where collection is reasonably necessary for that purpose; HPP 3 (Collection from the individual), which requires health information to be collected from the patient directly unless that is unreasonable or impracticable; HPP 4 (Individual to be made aware), which requires you to tell patients, at or before collection, who is collecting the information, why, who it will be disclosed to and how they can access it, which is the job of your Privacy Policy and collection notices; HPP 5 (Retention and security), which requires health information to be kept no longer than needed, disposed of securely, and protected against loss, unauthorised access, use, modification or disclosure; HPP 7 and HPP 8 (Access and Amendment), which give patients the right to see and correct their records; HPP 10 and HPP 11 (Limits on use and Limits on disclosure), under which information collected for one purpose cannot be used or disclosed for another without consent or another lawful basis; and HPP 13 (Anonymity), which requires you to give patients the option of not identifying themselves where that is lawful and practicable.

What should be in my practice's HRIPA-compliant Privacy Policy?

A HRIPA-compliant Privacy Policy for a NSW medical practice website should include: the name and contact details of the organisation; what types of health information are collected (and how); the purposes for collection; whether information is disclosed to third parties (and which ones — e.g. booking software, pathology providers, specialists); how patients can access, correct or make a complaint about their health information; data security measures; retention and destruction practices; and compliance with both HRIPA (NSW) and the Privacy Act 1988 (Cth) including the Australian Privacy Principles (APPs). Avaaze builds privacy policies into our medical website builds and can review existing policies.

Is HRIPA different from the Australian Privacy Act?

Yes — they overlap but are distinct. The Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs) apply to organisations with AUD $3M+ turnover and all private health service providers nationally, including small practices. HRIPA is a NSW-specific law that applies to all organisations that provide health services in NSW, regardless of size or turnover. For most NSW medical practices, both HRIPA and the Privacy Act/APPs apply simultaneously. The APPs and HRIPA's HPPs are broadly aligned but have some differences — your Privacy Policy must address both if you're an NSW-based health provider.

Can Avaaze make my existing medical website HRIPA compliant?

Yes. We offer a compliance review and remediation service for existing medical practice websites. We audit your website against the HRIPA HPPs and the Privacy Act APPs, identify non-compliance issues (a missing or inadequate Privacy Policy, forms that submit over plain HTTP, missing or pre-ticked consent mechanisms, undisclosed third-party booking integrations), and implement the required fixes. For practices building a new website with Avaaze, HRIPA compliance is built in from the start rather than added as an afterthought.

Is Your Medical Website HRIPA Compliant?

Free compliance review for NSW medical practices. We'll audit your website against the Health Privacy Principles and identify any gaps before they become problems.