Dental AI Blueprint printable guide

The NSW Privacy Law Dental Practices Forget (HRIP Act)

Most AI privacy guidance only talks about the Commonwealth Privacy Act. If you practise in NSW, a second health-privacy law also applies to you — today.


Most AI privacy guidance talks about the Commonwealth Privacy Act. If you practise in NSW, there is a second rulebook that also applies — and many practices have never heard of it.

This is general educational material for dental practice owners and managers, not legal advice. The specifics of the HRIP Act should be confirmed with a qualified adviser for your situation.

Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.

The short version

There are two privacy laws over your practice, at the same time:

  • Federal: the Privacy Act 1988 and its Australian Privacy Principles (APPs), overseen by the OAIC.
  • NSW: the Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs), overseen by the Information and Privacy Commission NSW.

If your AI and privacy thinking only covers the APPs, it covers about half of what applies to a Sydney practice.

What the HRIP Act is

The HRIP Act is NSW legislation governing how health information is collected, held, used and disclosed by organisations that provide health services in NSW — which includes dental practices. It sets out a set of Health Privacy Principles (HPPs), and NSW has its own privacy regulator and complaint pathway, separate from the federal system.

The practical point: a patient who feels their health information was mishandled has more than one avenue, and your practice has obligations under more than one law.

"We're too small for privacy law" — not for health information

Some small businesses are exempt from parts of the Commonwealth Privacy Act on the basis of turnover. A dental practice should not assume that exemption applies to it, for two reasons that are worth confirming with an adviser:

  • The way the Privacy Act treats organisations that handle health information tends to bring health-service providers in regardless of size.
  • The NSW HRIP Act applies in addition, on its own terms, to health information held in NSW.

In short: handling patient health records is exactly the activity these laws are built around. Practise on the assumption that both apply.

The HPPs cover familiar themes — and map onto the AI risks

The HPPs cover similar ground to the APPs — collection, use and disclosure, data quality, security, openness, access and correction, identifiers, anonymity, transborder (overseas) disclosure, and linkage. They are a separate set of obligations, not a copy of the APPs.

For AI, the useful thing is that every risk in the other guides is also an HRIP question, not just an APP one:

| AI risk | Federal | NSW (HRIP) |
|---|---|---|
| Sending patient data to an overseas AI/cloud tool | APP 8 | the HPP covering disclosure outside NSW/Australia |
| Securing health information | APP 11 | the HPP covering security |
| A hallucinated or wrong clinical note | APP 10 | the HPP covering data quality/accuracy |
| Using data for a new purpose (e.g. looking up a reviewer) | APP 6 | the HPP covering use and disclosure |

(The exact HPP numbering and wording should be confirmed against the current Act — this guide gives the shape, not the citation.)

What to actually do

You do not need to become an expert in two statutes. You need to:

  1. Assume both laws apply to every patient-data decision in the practice.
  2. Apply the same core rule as the rest of this library: keep patient information inside the protected system; the moment a workflow needs to take it out is the moment to stop and check. That rule serves both the APPs and the HPPs.
  3. When you get advice, make sure it covers both the Commonwealth Privacy Act and the NSW HRIP Act — not just one.

See the foundational guide, Where Patient Data Is Protected — and Where It Escapes, for the underlying principle.


This guide is educational material only. It is not legal advice. The HRIP Act's scope, the HPPs, and how they interact with the Commonwealth Privacy Act should be confirmed with a qualified adviser. Seek qualified advice for your specific circumstances.

No patient data required. This guide is educational practice workflow material, not patient-specific advice.
