How Australian privacy law protects your health data, what telehealth services are required to do, and what to check before sharing your health information online.

Medical information only. This article is for general information and does not constitute medical advice. Treatment decisions are made by an AHPRA-registered doctor after reviewing your circumstances.
Review: InstantMed Clinical Team (clinical governance review for guide content). Updated: 10 May 2026.
General information only, not personal medical advice.
When you use a telehealth service, you share some of your most sensitive personal information: symptoms, medical history, medications, mental health status. Understanding how that information is legally protected - and what questions to ask before you share it - helps you make informed decisions about which services to use.
Australia has a comprehensive legal framework protecting health information. For telehealth services, the primary legislation is the Privacy Act 1988 (Cth), supplemented by state and territory health records legislation and professional obligations under AHPRA registration.
Under the Privacy Act 1988 (Cth), "health information" is classified as a subset of "sensitive information" - the highest-protection category. Health information includes:
Sensitive information attracts stronger protections than general personal information. Under Australian Privacy Principle 3 (APP 3), an organisation generally cannot collect sensitive information without your express (rather than merely implied) consent, and only when the collection is reasonably necessary for the organisation's functions.
For a telehealth service, this means: they can collect the health information you provide in order to deliver a medical consultation and any associated documents. They cannot collect additional sensitive information beyond what is needed, and they cannot repurpose that information without separate consent.
The 13 Australian Privacy Principles (APPs) are the core rules in the Privacy Act 1988. For telehealth specifically:
APP 1 - Open and transparent management: The organisation must have a clearly expressed, up-to-date privacy policy that covers what information is collected, how it is used, how it is stored, and how you can access or correct it. The privacy policy must be freely available on the website.
APP 3 - Collection of personal information: Health information can only be collected with your consent and when reasonably necessary for the purpose. Collecting more than needed is not permitted.
APP 6 - Use or disclosure for secondary purposes: Information collected for a telehealth consultation can only be used for that consultation and directly related purposes. Using your health data for marketing, selling it to third parties, or sharing it with unrelated entities requires your separate consent or must fall within one of the narrow legal exceptions.
APP 11 - Security of personal information: The service must take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure. For health information, this includes:
APP 12 - Access to personal information: You have the right to access personal information held about you. The organisation must respond within a reasonable time (typically 30 days) and may only refuse in limited circumstances defined in the Act.
APP 13 - Correction of personal information: If information held about you is inaccurate, out of date, incomplete, or misleading, you have the right to request correction.
If a telehealth service does not have a privacy policy, or the privacy policy does not address health information, that is a significant red flag. The Office of the Australian Information Commissioner (OAIC) provides model privacy policies, and any legitimate healthcare organisation will have a compliant policy accessible on their website.
Since 2018, the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 has required organisations to notify both the OAIC and affected individuals of eligible data breaches.
An eligible data breach occurs when there is unauthorised access to, or disclosure of, personal information, and the breach is likely to result in serious harm to any individual whose information was involved.
Health information breaches are more likely than most categories to meet the "serious harm" threshold, given the sensitivity of the data and the potential consequences (identity theft, insurance discrimination, employment consequences, personal distress).
Under the NDB scheme, telehealth services must:
If you are notified of a data breach by a telehealth service, you can make a complaint to the OAIC at oaic.gov.au.
Beyond legal requirements, reputable telehealth services implement technical security measures consistent with healthcare data standards:
Encryption: Health information should be encrypted both in transit (using TLS 1.2 or higher for all web communications) and at rest (AES-256 or equivalent for stored data). This means that even if data is intercepted in transit or if storage media is physically accessed, the information is unreadable without the encryption keys.
Access controls: The principle of minimum necessary access means only the practitioners and staff directly involved in your care can access your records. Administrative staff, billing teams, and technical staff should have access to different data layers appropriate to their function.
Authentication: Secure telehealth platforms require strong authentication for practitioner access - typically multi-factor authentication - to prevent unauthorised account access.
Audit logging: Legitimate services maintain logs of who accessed health records and when. This creates accountability and allows the service to investigate any suspected unauthorised access.
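As an added illustration of the access-control and audit-logging measures just described (this is example code written for this guide, not a telehealth platform's own implementation), the following models "minimum necessary access" per staff function and logs every access attempt, refusals included, so a service can later review who tried to read what. Role names, record fields and the sample record are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which parts of a patient record each staff function may read
# ("minimum necessary access"). Roles and fields are constructed.
ROLE_FIELDS = {
    "practitioner": {"symptoms", "history", "medications", "invoice_total"},
    "billing": {"invoice_total"},
    "technical": set(),  # operates the platform, reads no clinical data
}

@dataclass
class AuditLog:
    # Who accessed which record, which fields, when, and whether it was allowed.
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "fields": sorted(fields), "allowed": allowed,
        })

def read_record(records, log, user, role, patient_id, fields):
    """Return only the requested fields the role is permitted to see.
    Every attempt is logged, refusals included, so suspected unauthorised
    access can be investigated afterwards."""
    permitted = ROLE_FIELDS.get(role, set())   # unknown role: no access
    requested = set(fields)
    allowed = requested <= permitted
    log.record(user, role, patient_id, requested, allowed)
    if not allowed:
        raise PermissionError(f"{role} may not read {sorted(requested - permitted)}")
    return {f: records[patient_id][f] for f in requested}

def denied_attempts(log):
    """Audit review: entries where access was refused."""
    return [e for e in log.entries if not e["allowed"]]

# Constructed sample record (not real patient data).
RECORDS = {"P001": {"symptoms": "cough", "history": "asthma",
                    "medications": "salbutamol", "invoice_total": 49.0}}

if __name__ == "__main__":
    log = AuditLog()
    print(read_record(RECORDS, log, "dr.lee", "practitioner", "P001", ["symptoms"]))
    try:
        read_record(RECORDS, log, "bill.ops", "billing", "P001", ["symptoms"])
    except PermissionError as err:
        print("refused:", err)
    print(len(denied_attempts(log)), "denied attempt(s) recorded")
```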
In addition to the federal Privacy Act, state and territory health records legislation adds further protections in some jurisdictions:
These state laws provide additional rights specific to health information and complement the federal Privacy Act framework. In states without specific health records legislation, the Privacy Act provides the primary framework.
The My Health Record system (established under the My Health Records Act 2012) is Australia's national shared digital health record. If you have a My Health Record, certain healthcare encounters may result in records being shared to it, subject to the specific settings you have configured.
Telehealth consultations can generate records that are uploaded to My Health Record. You control access to your My Health Record through the digital government portal (myhealth.gov.au), including which healthcare providers can access it, which records are visible, and whether documents can be uploaded.
Risk check
Shared devices, public Wi-Fi, visible screens, wrong email, and unnecessary data sharing can create risk.
You can:
Telehealth services that upload consultation records to My Health Record should explain this to you and it should be covered in their privacy policy.
Before using a telehealth service for the first time, verify the following:
AHPRA-registered practitioners: The service should confirm its doctors are AHPRA-registered and their registration should be verifiable at ahpra.gov.au. An unregistered practitioner holding your health data has no professional accountability for its use.
Privacy policy: Read it. Specifically look for: what data is collected, how it is stored, who it may be shared with, how long it is retained, and how to exercise your access and correction rights.
LegitScript certification: LegitScript is an independent certification body for online healthcare services. LegitScript-certified services have been verified as operating within applicable regulatory frameworks.
Data residency: For health data, Australian data storage is preferable (and may be required by some state legislation). Check whether the service stores data in Australia or offshore.
Breach notification procedure: Does the privacy policy describe what happens in the event of a data breach? A service that has not thought about this is less likely to have adequate security practices.
Your health data has significant sensitivity and long-term value. Take 3 minutes to read the privacy policy of any new telehealth service before your first consultation. The policy should be readable and specific, not a wall of generic legal text. If it does not specifically address health information, encrypted storage, and your rights to access and correction, the service may not have the governance standards appropriate for a healthcare provider.
If you believe a telehealth service has breached its privacy obligations, you have several options:
Raise it directly with the service: Most issues can be resolved at this stage. The service should have a formal complaints process described in its privacy policy.
Complain to the OAIC: If the issue is not resolved to your satisfaction, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au. The OAIC can investigate, mediate, and take enforcement action including requiring the organisation to change its practices.
State health complaints bodies: Depending on the nature of the complaint, the Health Care Complaints Commission (NSW), Health Complaints Commissioner (VIC), or equivalent bodies in other states may also have jurisdiction.
AHPRA complaint: If the privacy concern relates to the conduct of a specific registered practitioner (rather than the platform), an AHPRA notification is the appropriate mechanism.
Legitimate Australian telehealth services are legally bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, which impose binding obligations on how health information is collected, stored, used, and disclosed. Health information receives the highest level of protection as 'sensitive information' under the Act. However, the strength of protection depends on the legitimacy and security practices of the specific service.
Medical records must generally be retained for a minimum of seven years from the date of last service for adult patients, and until the patient turns 25 (whichever is longer) for patients who were minors when treated. This is set by state and territory health records legislation. After the retention period, records should be securely destroyed.
Under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC), if a breach is likely to result in serious harm, the service must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. The OAIC can investigate and take enforcement action.
Yes. Under the Australian Privacy Principles (APP 12 and 13), you have the right to request access to personal information held about you, and to request correction of information that is inaccurate, out of date, or misleading. The organisation must respond within a reasonable time and may only refuse access in limited circumstances specified in the Act.
InstantMed Medical Team