What is healthcare data compliance?
Healthcare data compliance means building your app to meet the legal and regulatory requirements for handling health information in Australia. This primarily covers the Privacy Act 1988, the Australian Privacy Principles (APPs), and for health information specifically, additional obligations under the My Health Records Act 2012 if your app connects to My Health Record.
In practice, it means: encrypting health data at rest and in transit, implementing access controls so only authorised people see patient records, maintaining audit logs of who accessed what, providing patients the right to access and correct their data, and establishing data breach response procedures.
It's not a single checkbox — it's an approach to building that needs to be woven through the whole system from the start. Retrofitting compliance onto an insecure system is significantly more expensive than building it correctly from day one.
When does your app need it?
- You're building a patient portal, telehealth platform, practice management system, or clinical tool
- You handle personally identifiable health information about individuals
- You're integrating with My Health Record or Medicare
- Your users are healthcare providers who need to be confident their patient data is protected
- You need to meet obligations under state-based health records legislation (Victoria and NSW each have their own)
- You want to be taken seriously by hospital networks, GP clinics, or health funds as a vendor
How much does it cost?
Adding healthcare data compliance typically adds 11–21 hours of development — roughly $2,000–$5,000 AUD.
This covers the core technical requirements: encryption, access controls, audit logging, and data handling procedures. It doesn't include a formal security audit or pen test, which would be an additional line item.
Costs vary significantly based on:
- Whether you're connecting to My Health Record — integration via the FHIR API requires specific conformance testing and registration with the Australian Digital Health Agency (ADHA), which adds time and process overhead
- Sensitivity of data handled — a simple appointment booking app has lighter obligations than a platform that stores clinical notes or pathology results
- State-specific requirements — some states have additional health records legislation
How it's typically built
Technical implementation covers several areas:
Data encryption: Health data encrypted at rest (database-level encryption or field-level for particularly sensitive data) and in transit (TLS 1.2 or higher, always).
Access controls: Role-based permissions that enforce the "minimum necessary access" principle — clinical staff see patient records; reception sees appointment details; administrators see neither without reason.
Audit logging: Every access to a patient record is logged with timestamp, user identity, and action taken. This log is immutable and retained for the required period.
Data residency: Health data should be stored in Australia. AWS Sydney (ap-southeast-2), Azure Australia East, or Google Cloud Sydney all qualify.
Breach response: Processes for detecting and notifying the Office of the Australian Information Commissioner (OAIC) within the 72-hour window required by the Notifiable Data Breaches scheme.
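To make the access-control and audit-logging points above concrete, here is an added example (not code from the original page or from any vendor it describes) in Python. It shows a role-permission table that enforces minimum necessary access, and an append-only audit log in which every entry carries an HMAC over its own fields plus the hash of the previous entry, so that editing or deleting any earlier record is detectable on verification. The roles, permissions, user names, patient identifiers and the HMAC key are all constructed for the demonstration; in a real deployment the key would be held outside the application database (for example in a cloud KMS or HSM), which is an assumption the code states in a comment.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed, hypothetical role table: each role may only perform the actions
# it needs (clinical staff see records, reception sees appointments, and
# administrators get no clinical access by default).
ROLE_PERMISSIONS = {
    "clinician": {"read_record", "write_record", "read_appointment"},
    "reception": {"read_appointment", "write_appointment"},
    "administrator": set(),
}


class AccessDenied(Exception):
    """Raised when a role is not permitted to perform the requested action."""


class AuditLog:
    """Append-only audit log with a hash chain.

    Each entry is HMAC'd together with the hash of the entry before it, so a
    verifier holding the key can detect any entry that was modified, removed
    or reordered after it was written.
    """

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self, key: bytes):
        # Assumption: the HMAC key lives outside the app database (KMS/HSM),
        # otherwise an attacker who can edit the DB could also re-sign entries.
        self._key = key
        self.entries = []

    def _digest(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, user, role, action, patient_id, allowed) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "patient_id": patient_id,
            "allowed": allowed,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        where index is the first entry that fails verification."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False, i
            if not hmac.compare_digest(self._digest(body), e["entry_hash"]):
                return False, i
            prev = e["entry_hash"]
        return True, None


def access_patient_data(log: AuditLog, user, role, action, patient_id):
    """Every attempt, allowed or denied, is logged before the decision is enforced."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, action, patient_id, allowed)
    if not allowed:
        raise AccessDenied(f"{role} may not {action}")
    return f"{action} on {patient_id} by {user}"


def demo():
    """Constructed scenario: one permitted read, one denied read, then an
    after-the-fact edit of the denied entry that the verifier must catch."""
    log = AuditLog(key=b"constructed-demo-key-not-for-production")
    access_patient_data(log, "dr.lee", "clinician", "read_record", "P-001")
    try:
        access_patient_data(log, "frontdesk", "reception", "read_record", "P-001")
    except AccessDenied:
        pass
    ok_before, _ = log.verify()
    # Tampering: someone flips the denied attempt to "allowed" in the database.
    log.entries[1]["allowed"] = True
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The verification walks the chain from the genesis value, so deleting the first entry is caught at index 0 just as surely as editing a later one; pairing this with write-once storage (for example object storage with retention locks) covers the retention requirement the audit-logging paragraph mentions.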
Questions to ask your developer
- Where is health data stored geographically? It should be Australia-only.
- Is encryption applied at the field level for particularly sensitive data? (e.g. mental health records, HIV status, genetic information — these carry higher sensitivity under the Privacy Act)
- Is the audit log tamper-evident? Logs that can be modified after the fact aren't useful for compliance or incident response.
- What's your data breach response procedure? The developer should have a documented process, not just "we'll figure it out if it happens."
- Have you built for My Health Record before? ADHA conformance is a process, not just a coding task — experience matters here.
See also: GDPR / Privacy compliance · ID verification / KYC · Security audit & pen test · App cost calculator