Compliance · Health and aged care

Compliance pressure on health and aged-care providers.

Health information attracts the heaviest privacy obligations under Australian law, and the Notifiable Data Breaches scheme treats a medical record the same way it treats a bank detail. The practices we onboard usually have the clinical side under control and the IT side running on trust.

Live right now · health and aged care

What's hitting health and aged care right now.

Active regulatory pressures we're already working through with clients in your sector. Each card links to the detailed guide.

Aged Care Act 2024

In force since 1 November 2025

In force since 1 November 2025 for registered aged-care providers. Information Management is an explicit standard with audit-grade expectations on records, access, and cyber resilience. Captures aged-care providers, not broader medical or allied-health practices.

Read the full guide

What's being asked of you · health and aged care

The compliance landscape for health and aged care in 2026.

Health information attracts the heaviest privacy obligations under Australian law, and 2026 has tightened the operational expectations significantly. The Aged Care Act 2024 with its Strengthened Quality Standards is now in force, with the Information Management standard reaching directly into IT: records retention, access control, audit-grade evidence, cyber resilience. The Notifiable Data Breaches scheme treats a medical record breach the same way it treats a bank-detail breach; the difference is the breach in healthcare almost always involves sensitive information under the Privacy Act.

My Health Record participants face ADHA conformance expectations on top. The Share by Default 2026 changes mean more health data flows through more systems with more access points. For practices using clinical software (Best Practice, Medical Director, Genie, Pracsoft and others), the security expectations attach to the environment around the software as much as to the software itself.

The threat landscape has not been kind. Aged care has been the most-targeted sub-sector of Australian healthcare for several years running, and the threat does not care that the provider is a not-for-profit running on a thin margin. The Aged Care Quality and Safety Commission has signalled that cyber resilience is now an active part of provider assessment, not a deferred item.

What we do · compliance practice

What CCP does for health and aged care on compliance.

What we do for a health or aged-care provider starts with privacy. The Australian Privacy Principles treat health information as a sensitive category, and the Notifiable Data Breaches scheme means a breach is not a private matter. We build the access, logging, and breach-response infrastructure that turns a notifiable event into a survivable one rather than an existential one.

For practices using My Health Record and the ADHA ecosystem, we implement the technical conformance the ADHA expects. For aged-care providers operating under the Aged Care Act 2024 and the Strengthened Quality Standards, the Information Management standard reaches directly into IT (record retention, access control, audit-grade evidence, cyber resilience). We map the obligation to the control and build the control into the stack.

Aged care has been the most-targeted sub-sector of Australian healthcare for several years running, and the threat does not care that the provider is a not-for-profit running on a thin operating margin. We build the cyber-resilience baseline (Essential Eight controls plus the identity and backup discipline that turn a ransomware event into an incident rather than a closure) before the Commission asks for it, so when the audit comes the answer is operational, not aspirational.

Across the engagement, the cycle is continuous: gap analysis against the Privacy Act, ADHA conformance and the Aged Care Quality Standards in scope for the provider; monitoring across the clinical and administrative stacks; remediation when the monitoring surfaces a drift; and evidence pipelines that produce the report the Commission, the ADHA or the OAIC expects without a fire drill.

The tools and the role · what we bring

The five capabilities most health and aged-care providers need at the same time, and almost never have running together internally.

Compliance frameworks have converged on roughly the same set of operational expectations. These are the five we run as a service so the framework cycle is a continuing operation rather than an annual scramble.

  • SIEM and continuous monitoring

    Log aggregation across your devices, identity, network and cloud services with the alerting that surfaces something unusual while it is still recoverable. The answer to 'are we under attack right now' rather than 'were we under attack last quarter'.

  • Application control

    Allowlisting that prevents unauthorised executables from running on managed devices. One of the highest-impact Essential Eight controls and one of the hardest for in-house IT to operate without breaking the business. We run it as a service, including the day-to-day exception handling.

  • Vulnerability scanning AND remediation

    Most providers run a scanner and email you a list. We run the scanner and do the labour-intensive remediation work that actually closes the vulnerabilities inside the thirty-day window most frameworks expect. Scanning without remediation is a list of known problems with no closure.

  • Cybersecurity awareness training

    Annual training your staff actually complete, phishing simulations that escalate rather than scold, and the completion reporting your compliance officer can show to an auditor or insurer. The training is a compliance artefact and a real behaviour-change tool, not a tick-box.

  • vCIO function

    Strategic IT advice, framework gap analysis, board-level reporting, risk register maintenance, vendor management oversight. The compliance-aligned strategic role most providers of your size cannot resource internally. See /services/vcio/ for the standalone offering.

    More on the vCIO offering

The risk that matters · for health and aged care

The compliance risk that actually breaks things.

The risk we have watched catch health and aged-care providers hardest is a control answered yes on a funder questionnaire or an ADHA conformance review because the policy document said yes, while the operational control was patchy or out of date. When the breach happens, the OAIC investigation and the funder review both ask for the evidence: who had access on the relevant dates, what the patch status was, when backups were last tested. If the evidence does not exist, the consequences cascade beyond the breach itself into funder relationships and licence conditions.

Where it fits · managed IT engagement

Where this sits inside a managed-IT engagement.

The Client Security Baseline covers the core of what the Privacy Act and the Aged Care Quality Standards expect from IT. Specialist overlays (clinical-system integration, ADHA conformance, aged-care-specific incident reporting, NDIS provider obligations where relevant) layer on per engagement.

Compliance is an overlay against the baseline, not a plan tier in isolation. The Managed IT + Compliance plan exists for providers with continuing regulator and funder obligations and an active evidence calendar. Smaller practices with simpler obligation surfaces can run the baseline plan and add the overlays where the regulator or insurer requires them.

What we do not do: clinical governance, the patient-care or resident-care decisions, the clinical-software training, or the policy-level conversations with the Aged Care Quality and Safety Commission. We provide the IT and compliance machinery the clinical governance function relies on to be defensible, alongside the clinical leadership that owns the care substance.

Common questions · health and aged care

The framework questions health and aged-care providers ask us first.

  • Can you help us meet My Health Record and ADHA conformance?

    Yes. We configure the systems with the access, logging, and conformance requirements the ADHA expects, including the technical conformance items, the audit-trail expectations, and the Share by Default 2026 implications for practices participating in the scheme.

  • What about the Aged Care Quality Standards Information Management standard?

    The Strengthened Quality Standards' Information Management standard expects records retention, access control, audit-grade evidence, and demonstrable cyber resilience. We map each expectation to a technical control, build the evidence pipeline so the Commission can see it in operation, and keep the controls running so the next assessment is not a fire drill.

  • Do you handle Privacy Act obligations on sensitive health information?

    Yes. Health information is sensitive information under the Privacy Act, which means stricter consent, access, disclosure and security requirements. We configure the systems holding the data accordingly, with the access controls, audit trails, and breach-notification readiness the APPs expect for sensitive categories.

  • Can you help us prepare for a Notifiable Data Breaches scheme event?

    Yes, ideally before one happens. We build the logging, access controls, and incident-response runbook that turn a notifiable event into a survivable one. The OAIC notification clock starts when the provider becomes aware; the shape of the response during the first 24 hours determines most of the regulatory and operational outcome.

  • What about NDIS provider obligations on data handling?

    NDIS providers carry obligations under the NDIS Quality and Safeguards Commission framework, including participant data handling, worker-screening data, and incident reporting. We map those obligations against the same control environment used for the rest of the practice and add NDIS-specific overlays where the framework asks for more.

  • Can you support clinical-system integration security?

    Yes. Clinical software integrates with practice-management, billing, accounting, pathology, imaging, and other systems. Each integration is a potential surface for data exposure. We configure the integrations with the security controls the data sensitivity warrants and document them so a Privacy Impact Assessment or vendor-risk review has the evidence on hand.

  • What about ISO 27001 if a hospital partner requires it?

    Hospital partners and large health insurers increasingly require ISO 27001 or equivalent assurance from suppliers handling patient data. We help practices work through certification preparation, including gap analysis, control implementation, documentation, and the surveillance-audit cycle.

Next step · start with the evidence

Find out where you actually sit.

The Essential Eight self-assessment takes about ten minutes and gives you a branded PDF report you can hand to your compliance officer, your insurer, or your board the same day. If you want to confirm we're the right shop for the work, the fit check comes next.

See if we're a fit