What Are the Privacy and Data Collection Requirements for Healthcare Businesses in Australia?

If your Australian healthcare business collects personal or health information through your website, you must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs).

This applies to most healthcare providers—GPs, allied health practitioners, psychologists, and therapists—regardless of business size or turnover.

Website Compliance Checklist for Australian Healthcare Providers

1. Publish a Privacy Policy

Your privacy policy must be easy to find and written in plain English. It should explain:

  • What personal or health information you collect
  • Why and how you collect it
  • How the information is stored and secured
  • Whether any data is stored overseas (e.g. in the US or EU)
  • How patients can access or correct their information

2. Get Informed Consent

Before collecting health-related information via forms, you must get clear consent.
Use a checkbox or consent statement like:
“By submitting this form, you agree to our collection and use of your information as outlined in our privacy policy.”

3. Use HTTPS for Security

Your website must use HTTPS (not HTTP) to encrypt information sent between users and your site. This is a basic requirement for protecting sensitive data and building trust.

How to Collect and Store Website Data Safely

Use a Secure Hosting Provider

Choose a host with built-in encryption and secure infrastructure. We recommend Cloudways (DigitalOcean), which includes:

  • SSL certificates
  • Encrypted backups
  • Data encryption at the server level

Use Secure Form Plugins

For WordPress websites, we use Formidable Forms and JetFormBuilder. These tools provide:

  • SSL encryption in transit
  • CAPTCHA and anti-spam features
  • Field visibility control for staff

Important: WordPress stores form data in plain text by default. For general contact info (name, phone, appointment requests), this is usually fine. But do not collect diagnoses, Medicare numbers, or other highly sensitive medical details through standard forms. Use a secure, medical-grade platform instead.

Avoid Sending Sensitive Info by Email

Email is not encrypted by default. To protect privacy:

  • Avoid including sensitive details in notification emails
  • Use messages like: “New submission received. Please log in to view.”
  • Store submissions securely in your website or CRM

Delete Data You No Longer Need

If your website stores form submissions, schedule regular clean-ups. Many tools allow you to auto-delete entries after 30, 60, or 90 days.

Frequently Asked Questions

Do I need to store patient data in Australia?
No, but if you use offshore tools (like US-based CRMs or email platforms), you must disclose this in your privacy policy and get informed consent.

Do Australian healthcare businesses need to follow HIPAA?
No. HIPAA is a US law. Australian healthcare providers must comply with the Privacy Act 1988 and APPs.

Is storing contact form data in WordPress legal?
Yes—if you take reasonable security steps and avoid storing sensitive health data without proper encryption.

What if I need to collect more detailed medical information?
Use a specialised, secure platform like Cognito Forms (Enterprise), JotForm (HIPAA) or Formstack. These are built for healthcare compliance.

Example of a Compliant Website Data Flow

  1. User visits site using HTTPS
  2. User completes a secure form with consent checkbox
  3. Data is encrypted and submitted
  4. Data is stored in WordPress (general contact info only), or sent securely to a CRM
  5. Email notification is sent (no sensitive data included)
  6. Submissions are deleted after a set time (e.g. 30 days)
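The data flow above, together with the earlier rules on notification emails and deleting old entries, can be expressed as a small server-side handler. The following Python code is an added example written for this article; it is not code from Ignitely, WordPress, Formidable Forms or JetFormBuilder. It assumes a basic appointment-request form with the field names shown, uses an in-memory list in place of the site's entry table or CRM, and flags Medicare-looking numbers in free text with a constructed heuristic pattern rather than an official validator.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed field set for a basic contact/appointment form (general contact info only).
ALLOWED_FIELDS = {"name", "phone", "email", "appointment_request", "consent"}
# Free-text fields that are scanned for health identifiers a patient might type in.
FREE_TEXT_FIELDS = {"appointment_request"}
# Field names that indicate sensitive health data, which must not be collected
# through a standard website form (use a medical-grade platform instead).
SENSITIVE_FIELDS = {"diagnosis", "medicare_number", "medications", "symptoms"}
# Heuristic (constructed for this example): a 10-digit Medicare card number,
# optionally grouped 4-5-1 with spaces and followed by a reference digit.
MEDICARE_RE = re.compile(r"(?<!\d)\d{4}\s?\d{5}\s?\d(?:\s?\d)?(?!\d)")

RETENTION_DAYS = 30  # auto-delete window from the data-flow example


def validate_submission(fields: dict, over_https: bool) -> list:
    """Return the reasons a submission must be rejected (empty list = accept)."""
    problems = []
    if not over_https:
        problems.append("submission was not sent over HTTPS")
    if not fields.get("consent"):
        problems.append("consent checkbox was not ticked")
    unexpected = set(fields) - ALLOWED_FIELDS
    sensitive = sorted(unexpected & SENSITIVE_FIELDS)
    if sensitive:
        problems.append(f"sensitive fields not permitted on a basic form: {sensitive}")
    other = sorted(unexpected - SENSITIVE_FIELDS)
    if other:
        problems.append(f"unknown fields rejected: {other}")
    for name in FREE_TEXT_FIELDS & set(fields):
        if isinstance(fields[name], str) and MEDICARE_RE.search(fields[name]):
            problems.append(f"field '{name}' appears to contain a Medicare number")
    return problems


@dataclass
class Submission:
    entry_id: int
    received_at: datetime
    fields: dict


@dataclass
class SubmissionStore:
    """Stand-in for the site's form-entry table or CRM (constructed for the example)."""
    entries: list = field(default_factory=list)
    next_id: int = 1

    def add(self, fields: dict, now: datetime) -> Submission:
        sub = Submission(self.next_id, now, dict(fields))
        self.next_id += 1
        self.entries.append(sub)
        return sub

    def purge_expired(self, now: datetime, retention_days: int = RETENTION_DAYS) -> int:
        """Delete entries older than the retention window; return how many were removed."""
        cutoff = now - timedelta(days=retention_days)
        before = len(self.entries)
        self.entries = [s for s in self.entries if s.received_at > cutoff]
        return before - len(self.entries)


def notification_email(sub: Submission, login_url: str) -> str:
    """Staff notification carrying only the entry id and a login link, never the
    submitted values, because email is not encrypted end to end."""
    return (f"New submission received (entry #{sub.entry_id}). "
            f"Please log in to view: {login_url}")


def handle_form_post(store: SubmissionStore, fields: dict, over_https: bool,
                     now: datetime, login_url: str):
    """Steps 2-5 of the data flow: validate, store, build the notification."""
    problems = validate_submission(fields, over_https)
    if problems:
        return None, problems
    sub = store.add(fields, now)
    return notification_email(sub, login_url), []


if __name__ == "__main__":
    store = SubmissionStore()
    now = datetime.now(timezone.utc)
    # Constructed sample submission; login_url is a placeholder, not a real site.
    sample = {"name": "Sample Patient", "phone": "0400 000 000",
              "appointment_request": "Tuesday afternoon", "consent": True}
    mail, problems = handle_form_post(store, sample, True, now,
                                      "https://example.invalid/wp-admin")
    print(mail if not problems else problems)
    # Step 6: a scheduled clean-up run 31 days later removes the entry.
    print("purged:", store.purge_expired(now + timedelta(days=31)))
```

The Medicare pattern is a coarse flag for staff review, not a legal check: it is there so that a patient who types a card number into a free-text box does not end up with that number sitting in a plain-text WordPress table. The `purge_expired` call is what a daily cron job or the form plugin's auto-delete setting would perform.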

Summary

To meet privacy and data collection requirements for healthcare websites in Australia, you must:

  • Have a clear, accessible privacy policy
  • Get informed consent before collecting personal or health data
  • Use secure, encrypted connections (HTTPS)
  • Store and manage data responsibly
  • Avoid collecting unnecessary sensitive information through basic website forms

At Ignitely, we design healthcare websites with these protections built in, so your practice stays compliant and your patients stay protected.

Need help reviewing your privacy practices or upgrading your website forms? Let’s talk.