IronSights
All insights

compliance

Your medical practice is not covered by the small business privacy exemption

Most practice owners assume the $3 million small business exemption covers them. If you hold health information, it never did. Here is what actually applies, and why it matters now.

By IronSights Editorial, Practitioner team16 July 20265 min read
ByIronSights Editorial16 July 20265 min read

Ask most practice owners whether the Privacy Act applies to them and you tend to get the same answer: we are too small for that. Australia exempts many businesses turning over $3 million a year or less, and a single doctor surgery or a small allied health clinic sits well under that line. The reasoning is sound. The conclusion is wrong.

The exemption is not available to a business that provides a health service and holds health information. That is written into the Act. A solo GP, a two room physiotherapy practice and a part time psychologist carry the same Australian Privacy Principles as a public hospital. Turnover does not come into it. If you keep clinical records, you are covered, and you have been the whole time.

Why this is worth reading now

Health service providers were the most breached sector in Australia in 2025, at around 19 percent of all breaches notified to the , ahead of finance and government. That was against a record year: 1,205 breaches reported nationally, the highest since the scheme began in 2018, most of them criminal attacks rather than staff mistakes.

The pattern showed up again in July 2026, when a national network of medical clinics was breached. Clinics across Sydney, Melbourne, Canberra and Queensland were caught, and the stolen data ran to consultation notes, diagnoses, referrals and pathology results alongside Medicare and insurance numbers. Patients were told more than three weeks after the intrusion. That delay is the part worth sitting with. Establishing what an intruder actually reached is slow work, and it is slower still if nobody has thought about the question before the morning it matters. The duty to assess a breach does not wait for a practice to be ready.

Who counts as a health service provider

The definition is broader than most people expect, and it is not only doctors. General practice, specialists, dentists, physiotherapists, psychologists, chiropractors, podiatrists, optometrists and a long list of allied health and aged care providers are all captured. The test is plain. If you assess, maintain or improve someone's health and you keep a record of it, you are holding health information under the Act.

Plenty of small allied health practices are covered without ever having been told. Nobody sends a letter. The obligation simply exists from the first patient.

What the Act actually asks of you

The Australian Privacy Principles run to thirteen, but two do most of the work for a practice.

The first is the requirement to take reasonable steps to protect from misuse, loss and unauthorised access. Reasonable is judged against what you hold, and clinical records sit at the sensitive end of the scale. The bar for a practice full of patient histories is higher than for a business holding a mailing list.

The second is the , which comes attached to being covered. If a breach is likely to cause serious harm, you have to assess it promptly, and within 30 days at the outside, then notify both the OAIC and the affected patients. With clinical data the serious harm test is usually met, because the damage from a diagnosis being exposed is obvious and cannot be undone.

If your practice connects to My Health Record, there is a second obligation on top. The My Health Records Act 2012 has its own breach rules, and they are stricter. Unauthorised access to My Health Record information triggers a mandatory notification that does not wait on a serious harm judgement. Many practices do not realise they carry two duties rather than one.

The software vendor does not cover you

A common assumption is that the practice management vendor takes care of security. They take care of their part of it. The vendor secures the product. You are responsible for who has an account, whether staff share a login, whether is switched on, what happens on a lost laptop, and what a receptionist can see on a screen that faces the waiting room.

Almost every breach we are called to involves an account or a device, not a flaw in the clinical software. The weak point is rarely the system. It is who can get into it.

What is actually worth doing

None of the controls that matter are expensive, and none of them need a security team. The list is unremarkable, which is exactly why it gets left undone.

Give every staff member their own login and switch off shared accounts. Turn on multi-factor authentication everywhere. It is free with a licence you probably already hold, and it defeats the overwhelming majority of account takeovers on its own. Keep devices managed, so a lost laptop is not a lost patient list. Hold backups you have actually restored from at least once, because a backup nobody has tested is a hope, not a plan. And write down what happens in the first hour of a breach: who assesses whether it is notifiable, who calls the insurer, who speaks to patients. A practice that has decided this in advance moves in days. One that works it out on the spot takes weeks, and the clock is running the whole time.

The honest summary is that the exemption most practices lean on was never theirs to use. The obligations apply from the first patient, and they always have. The better news is that meeting them is mostly a matter of switching on protection you are already paying for, and deciding a few things before the day you are forced to.

If you want to know where your practice actually stands, a security review is the sensible first step. We look at how your staff log in, how patient data is stored and backed up, and whether your breach plan would satisfy the Act. You come away with an ordered list of what to fix first, and no obligation to go further.

General guidance, not legal advice. Obligations turn on your own circumstances, and it is worth confirming yours rather than assuming either way.

Keep reading

More from the IronSights team.