Is your practice ready? AI, privacy and the compliance risks hitting healthcare providers in December 2026


Aston Chee, Avant Law - Special Counsel, Commercial & Corporate

Charlotte Boston, Avant Law - Associate, Commercial & Corporate


The gap

Most Australian healthcare practices now use AI tools, whether AI scribes, automated triage systems, recall platforms or clinical decision-support tools.

The problem is that many practices have adopted these technologies without updating their privacy documentation, patient consent processes, governance frameworks or practitioner agreements.

The regulatory environment has now caught up.

Healthcare is an OAIC enforcement priority and, from 10 December 2026, new Privacy Act requirements will apply to many AI-enabled healthcare workflows.

The gap between what your practice is doing and what it has documented is increasingly becoming a compliance risk.

Key takeaways

Before 10 December 2026, healthcare providers should:

  • Review and update your privacy policy before 10 December 2026
  • Update patient consent forms to specifically address AI tools
  • Review practitioner agreements and AI governance obligations
  • Review AI vendor contracts and offshore data arrangements
  • Confirm professional indemnity coverage extends to AI-assisted care
  • Check whether any AI tools used by the practice require ARTG registration

What has changed

The Privacy Act now covers automated decision-making

From 10 December 2026, practices that use automated decision-making (ADM) which significantly affects patients will be required to disclose that use in their privacy policy.

This obligation is not limited to large hospital groups. It may apply to GP practices, specialist clinics and allied health providers using:

  • AI scribes for generating structured clinical notes
  • Triage and appointment tools that prioritise or sort patients by urgency
  • Recall and follow-up systems that determine which patients are contacted and when
  • Billing systems that auto-select MBS item numbers
  • Diagnostic support tools used in imaging, pathology, or risk prediction

Patients can now bring privacy claims

Privacy risk is no longer solely a regulatory issue.

Since June 2025, individuals have had a direct right to bring claims for serious invasions of privacy. Healthcare providers now face potential exposure from both regulators and patients.

Given the sensitivity of health information, AI systems that collect, process or store patient data warrant careful review.

AHPRA has made AI obligations explicit

Existing professional obligations under your National Board's code of conduct now expressly apply to AI. You are responsible for every AI-generated output that influences patient care, regardless of whether the tool is TGA-approved or vendor-recommended.

You must inform patients when AI is involved in their care and obtain informed consent before any AI tool processes their personal information. AHPRA has flagged criminal implications where consent is not obtained before recording a consultation.

AHPRA has clarified practitioner responsibilities

AHPRA has made it clear that existing professional obligations apply equally to AI-assisted care.

Practitioners remain responsible for any AI-generated output that influences clinical decision-making, regardless of whether the tool is marketed, recommended or approved by a third party.

Practices should also ensure patients are appropriately informed where AI tools are used and that consent processes adequately address the collection and use of information through those systems.

Increased scrutiny of AI tools

Clinical responsibility remains with the practitioner. Since January 2026, the position on whether AI tools are medical devices is as follows:

  • AI tools that merely transcribe conversations are generally not medical devices
  • AI tools that analyse, interpret or generate clinical recommendations may be medical devices and may require inclusion on the Australian Register of Therapeutic Goods (ARTG)

Many practices have implemented AI tools without assessing where they sit on this spectrum.

Increased OAIC enforcement activity

The OAIC has identified healthcare as a high-risk enforcement area.

The regulator's recent focus on AI and health information suggests that privacy compliance in healthcare will remain under close scrutiny throughout 2026 and beyond.

Compliance checklist: what your practice should review before 10 December 2026

1. Privacy policy and website terms of use

Your privacy policy must be updated before 10 December 2026. If your website collects patient information, uses automated chat or booking tools, or directs patients to third-party platforms, your website privacy policy and terms of use must also accurately describe those data flows.

Your documentation needs to:

  • Identify each AI tool used, or clearly describe the categories of tools
  • Set out what personal information each tool collects and processes
  • Explain how that information is collected, stored, and for how long
  • Explain when, why and with whom personal information is disclosed
  • Set out whether individuals can deal with the practice anonymously or using a pseudonym
  • Provide information on how a privacy-related complaint can be made and how it will be handled
  • Disclose any third-party recipients, including offshore vendors
  • State whether automated processes make or assist in decisions about patients
  • Provide a clear contact point for privacy concerns

A privacy policy that does not address AI will be non-compliant. This is a statutory requirement. Most practice websites are currently silent on AI.

2. Patient consent and disclaimer documentation

Patients must be informed that AI is used in your practice before it processes their information. Consent must be documented. Your consent forms and intake documentation should specify:

  • Which AI tools are used
  • What those tools do
  • How patient information is handled
  • Where the information is stored, including offshore storage

A general disclaimer that technology is used is not sufficient.

3. Practitioner and contractor arrangements

Every practitioner and contractor is individually accountable under AHPRA guidance. Clinical responsibility cannot be delegated to an algorithm.

Existing confidentiality clauses are not sufficient. Agreements should:

  • Require compliance with the practice’s AI governance framework
  • Prohibit the use of unapproved AI tools with patient data
  • Set expectations for reviewing AI-generated outputs
  • Reinforce individual clinical accountability
  • Address appropriate insurance requirements

4. Vendor contracts and data handling agreements

Default vendor terms are designed to protect the vendor, not your practice.

Agreements should address:

  • Where patient data is stored, including offshore locations
  • Whether data is used to train vendor models
  • Applicable security standards
  • Data handling on termination
  • Liability for breaches or unauthorised disclosures

Privacy Act obligations remain with your practice. Your contracts must reflect that.

5. Professional indemnity insurance

AHPRA requires your policy to cover AI-assisted care.

Confirm with your insurer whether the following are covered:

  • AI-generated clinical notes
  • AI-assisted diagnoses
  • Automated treatment recommendations

You should also ensure that practitioners who provide services outside of the practice independently maintain appropriate professional indemnity insurance that covers AI-assisted care.

If coverage is unclear, assume it is not in place and address it proactively.

6. TGA registration

Any tool that does more than transcribe, including analysing clinical content or generating recommendations, may be a medical device and must be listed on the ARTG.

Using an unregistered medical device is a separate regulatory breach, with its own consequences.

The deadline is real

The 10 December 2026 deadline is a statutory obligation with active enforcement behind it. The OAIC now has expanded compliance and enforcement powers, including issuing compliance notices and financial penalties.

Healthcare practices are firmly in scope.

Practices that act now will spend limited time getting documentation in order. Those that delay are more likely to face significantly greater time, cost, and regulatory risk.

How We Can Help

Our team advises healthcare practices of all sizes on privacy law, AI governance, and regulatory compliance.

We assist with:

  • Privacy policies that reflect actual operations
  • Consent documentation aligned with AHPRA requirements
  • Vendor and contractor agreements that properly allocate risk
  • Website terms that accurately describe patient data handling

If your practice is not ready for 10 December 2026, now is the time to address it. Contact us to arrange a consultation.

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or contact us to organise a confidential discussion at a time that suits you.

About the authors

Aston Chee

Aston is a corporate and commercial lawyer specialising in mergers and acquisitions, based in Sydney. She works with businesses at all stages, from founders and growing SMEs through to established operators, helping them set up their business, navigate acquisitions and equity schemes, structure deals, and manage risk in a commercially practical way.

Aston has broad general commercial experience and advises across the full lifecycle of a transaction, including due diligence, negotiations, equity investments, shareholder arrangements, and corporate structuring. In addition to transactional work, she regularly provides in-house general counsel support, working closely with founders, boards, and management teams on day-to-day commercial, contractual and strategic matters. Her generalist practice allows her to consider all aspects of a deal and provide clear, holistic advice.

Aston works extensively with clients in the medical and allied health sectors, as well as real estate, fitness, and retail (including food and apparel). She also advises on restructures, distressed transactions and PPSR matters, and is experienced in supporting clients operating under financial or operational pressure.

Aston is known for being down-to-earth, solutions-focused, and commercially minded.

Charlotte Boston

Charlotte Boston is an Associate in Avant Law's Commercial and Corporate Law practice, based in the Sydney office.

Charlotte has built a strong legal foundation from her broad experience in advising clients in both the private and public sectors across all stages of the business lifecycle. She has experience in business structuring, corporate governance, shareholder arrangements, commercial contracting, mergers and acquisitions and capital raisings across a range of industries in Perth and Sydney. Her practical, solutions-driven approach and commercial acumen make her a trusted advisor in supporting clients in navigating legal issues to deliver solutions which drive business growth and success.

Avant Law Pty Limited is an incorporated legal practice and not a partnership. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.

The information in this publication does not constitute legal, financial, medical or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement and seek appropriate professional advice relevant to their own particular circumstances. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and its related entities are not responsible to any person for any loss suffered in connection with the use of this information. Information is only current at the date initially published.