
Starting a Medical Practice in Australia: The Complete Compliance Checklist for 2026

ClinicComply Team

Key Takeaways

  • Compliance for a new Australian medical practice runs across five parallel streams: business and tax registrations, Medicare and provider numbers, Privacy Act and NDB readiness, clinical governance foundations, and Fair Work employment obligations. Miss any one, and you are non-compliant the day you open.
  • Apply for Medicare provider numbers and your practice Minor ID at least six to eight weeks before opening. Provider numbers are location-specific. A number issued for one address cannot be used to bill from another.
  • Enrol with an accreditation agency (QPA, AGPAL, or GPA) in the first three months, but plan your first RACGP on-site assessment for months 12 to 18. Assessors need to see 12 months of live evidence, which cannot be manufactured retrospectively.
  • From 1 July 2026, every Australian employer must pay superannuation on the same cycle as wages. Build payday super into your payroll system from day one rather than migrating under pressure.
  • Privacy Act 1988, the Notifiable Data Breaches scheme, and state health records legislation (Victoria Health Records Act, NSW HRIP Act) apply from the moment you collect your first piece of health information. Your privacy policy, consent forms, and NDB breach plan need to exist before your first patient walks in.

Opening a medical practice in Australia is one of the most heavily regulated small-business undertakings in the country. Between the Royal Australian College of General Practitioners, the Medical Board and AHPRA, Services Australia, the Office of the Australian Information Commissioner, Fair Work Australia, and state public health regulators, a new practice owner has to satisfy more than a hundred distinct compliance obligations before the first patient walks through the door. It is a lot to track, and almost nobody hands you a single checklist.

This guide is that checklist. It walks through every compliance stream a new Australian medical practice needs to tackle, in the order you need to tackle it, with 2026-specific updates (payday super, continuing Fair Work changes, and the evolving accreditation landscape). By the end you will know exactly what needs to be done, when, and what evidence to keep.

If you want the whole compliance picture in one platform from day one, ClinicComply's new-practice compliance playbook maps every obligation below to a live checklist inside the platform. Free 30-day trial, no credit card required.

The Five Compliance Streams Every New Practice Must Get Right

Before we go deep on specifics, it helps to see the full picture. New medical practices in Australia have to satisfy five parallel compliance streams, each with its own regulators, timelines, and documentary requirements.

Business and tax registrations. ABN, GST, TFN, PAYG withholding, superannuation, workers compensation, professional indemnity and public liability insurance, and the entity setup (sole trader, company, partnership, or trust). These establish the legal shell inside which everything else runs.

Medicare and provider numbers. Each treating practitioner needs an AHPRA registration and a Medicare provider number linked to the specific practice location where they bill. Your practice also needs a Minor ID for electronic claiming.

Privacy Act and data protection. From the moment you collect health information, the Privacy Act 1988 and its 13 Australian Privacy Principles apply. The Notifiable Data Breaches scheme is enforced by the OAIC, and state health records legislation adds further obligations in Victoria and NSW.

Clinical governance and accreditation. The RACGP Standards (currently 6th edition) set the floor for general practice accreditation. Infection control, emergency management, incident reporting, clinical audit, and risk management all sit under this umbrella.

Fair Work and employment. Modern award coverage, written contracts, payroll, superannuation (including payday super from 1 July 2026), workplace health and safety, and the raft of Fair Work Act changes that have accumulated since 2022.

Almost every compliance failure in a new practice traces back to one of these five streams being treated as an afterthought. The rest of this guide walks through each in the order new owners need to tackle them.

Stream 1: Business and Tax Registrations

Get the legal and financial foundations right before you spend money on fit-out or clinical equipment. The decisions you make here (particularly entity structure) lock in tax, liability, and succession consequences that are expensive to unwind later.

Choose your legal structure. Sole trader operations are simple but expose personal assets. Pty Ltd companies provide limited liability and are the default for multi-practitioner practices. Partnerships are common among GP groups but require a well-drafted partnership agreement. Service trusts, where a company provides administrative services to individual practitioners who contract-in, remain the dominant structure for established group practices, but the tax implications have tightened since the ATO's 2023 guidance on professional firm profit allocation. Get advice from a healthcare-specific accountant before you finalise the structure.

Australian Business Number and GST. Register for an ABN before you do anything else. Most medical services are GST-free under the GST Act (for services provided by a medical practitioner that are generally accepted in the medical profession as being necessary for the treatment of the recipient), but supplies outside that scope (cosmetic services, medico-legal reports, some occupational health work) attract GST. If your GST-subject turnover will exceed $75,000 annually, you must register for GST.

Payroll and superannuation setup. Register for PAYG withholding before you engage your first employee. Choose a payroll provider that supports Single Touch Payroll Phase 2 reporting and (critically) can handle payday super from 1 July 2026. Superannuation defaults to 12% of ordinary time earnings from 1 July 2025 and stays there from 2026 onwards.

Insurance. Professional indemnity cover is mandatory for registered practitioners under AHPRA rules. Public liability cover is effectively required by any landlord. Workers compensation is compulsory for every employer under state legislation. Cyber insurance is not legally required but increasingly priced into the risk register for any practice holding electronic health records. Budget for all four before signing the lease.

Banking and records. Separate practice banking from day one. Practice accounting and bookkeeping should be cloud-based, with read-only access provided to your accountant and payroll advisor. Keep records for at least seven years under tax law, and longer for clinical records under state health records legislation (typically seven years for adults, or until a minor turns 25).

Stream 2: Medicare and Provider Numbers

This is where new practice timelines most often slip. Services Australia applications take longer than owners expect, and the provider number issued to a practitioner at one practice cannot be reused at another address.

Register the location. Your practice location must be registered with Services Australia to bill Medicare electronically. The registration produces a Minor ID, which is the unique electronic identifier used to transmit claims. Without a Minor ID, you cannot bulk bill or claim through MBS Online.

Location-specific provider numbers. Every AHPRA-registered practitioner who will bill Medicare at the practice needs a provider number issued for that specific location. If a GP currently bills from another practice and is joining you, they need a new number for your address. Allow four to six weeks for applications, and longer if supporting documents (AHPRA certificate, practice details, proof of employment) need to be re-submitted.

Assignment of benefit and bulk billing. If your practice will bulk bill, understand the assignment of benefit rules under the Health Insurance Act. Patients must sign (physically or electronically) a valid assignment for each bulk-billed service. Electronic assignment through tap-and-go hardware or clinical software is the modern norm, but the legal obligation is the same: no valid assignment, no valid claim.

MyMedicare and the Practice Incentive Program. If you will offer chronic disease management, aged care, or mental health services, register for MyMedicare. MyMedicare registration now underpins a growing list of MBS items and is the eligibility gate for the Bulk Billing Practice Incentive Program and the Workforce Incentive Program. Factor registration into your opening timeline.

Compliance under the 80/20 rule. Once operating, watch your per-practitioner service volumes. Medicare's 80/20 rule prohibits a GP from providing 80 or more professional services on each of 20 or more days in a 12-month period except in exceptional circumstances. Breaches trigger Practitioner Review Program action. Set volume dashboards in your practice software from day one.

Stream 3: Privacy Act, NDB, and Health Records

Privacy obligations start the moment you collect your first piece of health information, which for most practices is when you set up your clinical software and import any data from practitioners' previous practices.

Write your privacy policy before opening day. The Privacy Act 1988 (Cth) and its Australian Privacy Principles apply to every Australian business handling health information, regardless of turnover. Your privacy policy must be publicly available (website and waiting room) and describe what information you collect, how you use and disclose it, how patients can access and correct their records, and how complaints are handled. Generic templates do not cut it: your policy must reflect your actual clinical software, cloud providers, and referral pathways.

Notifiable Data Breaches scheme. If a data breach is likely to result in serious harm, you must notify both the affected individuals and the OAIC "as soon as practicable" after becoming aware of it. Most practices interpret "as soon as practicable" as a matter of days. Build an NDB breach response plan (ClinicComply's 8-step NDB wizard produces one in under 30 minutes) and make sure at least two people at the practice know how to execute it. Read our plain-English guide to healthcare data breach obligations for the decision points every practice manager should understand.

Privacy tort exposure. From 10 June 2025, a statutory tort for serious invasion of privacy allows individuals to sue directly for privacy breaches, without having to show financial loss. Healthcare is squarely in scope, and the tort is uncapped. This single change has shifted the risk calculus for medical practices. A robust privacy program is no longer just a regulatory matter; it is a direct liability matter.

State legislation. Victoria's Health Records Act 2001 and NSW's Health Records and Information Privacy Act 2002 impose additional obligations on top of the federal Privacy Act. Queensland, Western Australia, South Australia, Tasmania, the ACT, and the Northern Territory rely primarily on federal rules for private practices, but their public health legislation imposes mandatory reporting and coroner notification obligations that cross over. Check your state's requirements before writing your policies.

My Health Record. If your practice will use My Health Record (the vast majority will), register through the MyHR operator portal and comply with the My Health Records Act 2012. Understand the changes from the "sharing by default" policy that came into effect in 2026: practitioners must now actively decide to not upload eligible documents, which has implications for consent workflows and clinical software configuration.

Stream 4: Clinical Governance, Accreditation, and Infection Control

This is the stream that takes the longest to stand up properly, which is why new practices need to start early and spread the work across the first 18 months.

Enrol with an accreditation agency in the first quarter. The three agencies recognised by the Commonwealth for RACGP accreditation are QPA (Quality Practice Accreditation), AGPAL (Australian General Practice Accreditation Limited), and GPA Accreditation Plus. Enrolling does not mean booking your on-site assessment. It means getting access to the Standards, the agency's pre-audit tools, and their gap analysis resources. Do this in the first three months so you know which criteria you are building evidence against from day one.

Target your first on-site assessment at 12 to 18 months. The RACGP Standards require evidence of sustained operation. A brand-new practice cannot demonstrate a full 12-month clinical audit cycle, a patient feedback loop, a year of staff meeting minutes, or a mature incident register. Trying to accredit at month six is setting yourself up for a non-conformity list. Plan to book your first on-site assessment at month 12 at the absolute earliest, with month 15 to 18 being more realistic. For the full 12 to 18 month path, read getting started with RACGP accreditation.

Build the five evidence pillars. Every RACGP criterion ultimately reduces to one of five evidence pillars: (1) written policies and procedures, (2) meeting minutes and documented decisions, (3) audit cycles and quality improvement, (4) incident and complaints registers, and (5) training and CPD records. Set up systems for each on day one. The most common reason new practices fail their first assessment is that they have the first pillar (policies) in place but have not started the other four.

Infection prevention and control. The RACGP Infection Prevention and Control Standards require a written IPC program covering hand hygiene, cleaning and disinfection, instrument reprocessing, cold chain management, sharps and clinical waste, staff immunisation, and transmission-based precautions. Autoclave validation is not optional: every practice that reprocesses instruments must have validated sterilisation processes with documented evidence.

Emergency management and resuscitation. Every practice must have a written emergency management plan covering medical emergencies, fire, evacuation, and business continuity. Resuscitation equipment (including a defibrillator) must be accessible, maintained, and checked on a documented schedule. Staff must complete CPR and anaphylaxis training at RACGP-specified intervals.

Information security. The RACGP Standards now incorporate information security expectations that mirror the RACGP Computer and Information Security Standards. See our cybersecurity compliance checklist for Australian GP practices for the full set of controls, from multi-factor authentication on clinical software through to the 72-hour ransomware reporting rules that came into force for healthcare in 2026.

Stream 5: Fair Work, Awards, and Payday Super

Employment compliance in healthcare has shifted dramatically in the last three years, and new practices opening in 2026 face a materially different landscape from those that opened in 2022.

Classify every employee correctly. Most medical practice roles are covered by the Health Professionals and Support Services Award 2020. Employed medical practitioners fall under the Medical Practitioners Award 2020. Practice managers, nurses, receptionists, and allied health assistants almost all fall under the HPSS Award. Classification errors are the single biggest source of underpayment claims, and since the Fair Work Commission's gender undervaluation review repriced significant HPSS roles, practices that have not refreshed classifications may be underpaying staff.

Wage theft is a criminal offence. Since 1 January 2025, intentional underpayment of wages or superannuation has been a criminal offence under the Fair Work Act. Individuals face up to 10 years imprisonment and fines of $1.56 million. Corporate penalties scale up to $7.825 million or three times the underpayment. This is not a theoretical risk. The Fair Work Ombudsman has explicitly prioritised healthcare as an enforcement sector.

Payday super from 1 July 2026. The single biggest operational change for payroll teams in 2026. Employers must pay superannuation on the same cycle as wages, with payment to the super fund required within seven days of payday. For new practices launching in 2026, build payday super into your payroll system from day one rather than migrating under pressure. The ATO's enforcement position is that non-compliance after 1 July 2026 will attract Superannuation Guarantee Charge and, for intentional breaches, criminal exposure.

Right to disconnect. All Australian employers are now subject to the right-to-disconnect provisions in the Fair Work Act. Healthcare's informal culture of texting staff about shift changes, calling about patient queries, and expecting after-hours email responses carries compliance risk if employees exercise their right to refuse. Update your employment contracts and position descriptions to make on-call expectations explicit, and include after-hours contact in any on-call loading.

Written contracts and onboarding records. Every employee (permanent, casual, part-time, or fixed-term) must have a written contract that specifies classification, hours, pay, leave entitlements, and termination notice. Keep signed contracts, position descriptions, induction records, training records, and performance reviews for at least seven years. Our deep-dive on healthcare practice manager employment law for 2026 covers the operational detail.

AI and technology policies. With generative AI tools now routine in clinical workflows, a written AI use policy is increasingly a Fair Work, privacy, and clinical governance requirement all at once. See our AI privacy compliance guide for healthcare practices for the framework.

Your First 18 Months: A Timeline

Here is how the five streams fit together across the first year and a half of operation.

Before opening day. Entity registrations, insurance, Medicare Minor ID and provider number applications, clinical software selection, privacy policy and NDB response plan drafted, HR contracts and classifications confirmed, infection control manual written, emergency management plan in place.

Weeks 1 to 4. Confirm Medicare registrations are live, publish privacy policy on the website and in the waiting room, run first infection control audit and cold chain check, document first staff meeting minutes, enrol with an accreditation agency.

Months 2 to 3. Start incident and complaints registers (log every near-miss, no exceptions), run first quarterly clinical governance meeting, confirm payday super migration plan is on track for 1 July 2026, complete Fair Work classification review for every role.

Months 3 to 6. First completed clinical audit cycle (ideally a chronic disease management audit), patient feedback survey running, staff CPD records being built, vendor documentation portal stood up for MSP and clinical software providers.

Months 6 to 9. Refresh all policies on their first review cycle, run a mock clinical governance meeting that simulates an assessor interview, complete mid-year financial compliance check, begin compiling your evidence pack against the RACGP Standards.

Months 9 to 12. Pre-audit self-assessment. Identify gaps. Close them. If a gap cannot be closed (for example, you genuinely have not had any incidents to log), document why and show the system that would capture them if they occurred.

Months 12 to 18. Book and complete your first RACGP on-site assessment. Address any findings with a documented corrective action plan. Move to business-as-usual compliance cadence.

How ClinicComply Helps New Practices

ClinicComply was built for this exact journey. Every framework a new Australian practice has to satisfy (RACGP Standards, Privacy Act, NDB, My Health Record, RACGP CompSec, Fair Work templates, NDIS Practice Standards if you do disability work, AGPAL and HDAA for accreditation bodies) ships pre-mapped to actionable checklist items. The 12 core policy templates are in the library the day you sign up. The NDB breach response wizard generates an OAIC-aligned plan in under 30 minutes. The IT vendor portal pulls security documentation from your MSP, cloud providers, and clinical software vendors without email back-and-forth.

The Solo plan at $79 a month replaces the 80% of new-practice compliance work that is template-driven, evidence-tracking, and deadline-management. Most new practices use ClinicComply alongside a compliance consultant for strategic advice (which is genuinely valuable) rather than for paperwork (which is not). Compared with the $15,000 to $30,000 one-off consultant-and-template engagements many new practices sign in their first year, the cost difference is significant.

Every customer gets a 30-day free trial with no credit card required. Start your free trial and have your full new-practice checklist mapped by the end of the weekend, or explore the new practice compliance landing page for the full feature walk-through.

Frequently Asked Questions

What compliance is required to open a medical practice in Australia?

Every new Australian medical practice must satisfy five parallel compliance streams before opening day: business and tax registrations (ABN, GST, TFN, PAYG, workers compensation, insurance), Medicare registration including a practice Minor ID and location-specific provider numbers, Privacy Act and Notifiable Data Breaches readiness (privacy policy, consent forms, breach response plan), clinical governance foundations (infection control, emergency management, incident reporting), and Fair Work employment compliance (award classifications, written contracts, payday super from 1 July 2026).

How long does it take to open a new medical practice in Australia?

From signing the lease to seeing the first patient, most new practices need three to six months. The timeline is driven by fit-out and equipment (two to four months), Medicare provider number processing (four to six weeks), clinical software set-up and data migration (three to six weeks), staff recruitment and onboarding (four to eight weeks), and policy development (two to four weeks if using templates, significantly longer if written from scratch). Accreditation readiness takes a further 12 to 18 months beyond opening day.

When should a new practice apply for RACGP accreditation?

Enrol with an accreditation agency (QPA, AGPAL, or GPA) in the first three months of operation so you have access to the Standards and pre-audit resources. Plan to book your first on-site assessment for months 12 to 18. Assessors require evidence of 12 months of sustained operation, including a full clinical audit cycle, staff meeting minutes, an incident register, and a patient feedback loop, which cannot be manufactured retrospectively.

Do I need a Medicare provider number to open a medical practice?

If your practice will bill Medicare (bulk bill, mixed billing, or any MBS item), yes. Each treating practitioner needs a Medicare provider number issued for the specific practice location where they bill. Provider numbers are not transferable between addresses. Your practice also needs a Minor ID issued by Services Australia to enable electronic claiming. Both applications take four to six weeks, so submit at least two months before your opening date.

What privacy obligations apply to a new medical practice?

From the moment you collect health information, the Privacy Act 1988 and its 13 Australian Privacy Principles apply. Before opening you need a documented privacy policy published publicly, valid consent forms, a Notifiable Data Breach response plan, a nominated privacy officer, and staff who understand how to handle access and correction requests. Victoria and NSW add state-level obligations through the Health Records Act 2001 and the Health Records and Information Privacy Act 2002 respectively.

How much does it cost to open a medical practice in Australia in 2026?

Budgets vary widely with location and fit-out, but for a two- to four-room GP practice in a metropolitan area, typical first-year costs include fit-out and equipment ($150,000 to $400,000), clinical software and IT ($8,000 to $20,000 set-up plus $500 to $2,000 per month), insurances ($8,000 to $25,000 annually), staff wages (six to nine months of runway depending on patient growth), legal and accounting ($15,000 to $40,000), and compliance set-up. A traditional compliance-consultant-led policy and accreditation-readiness engagement runs $15,000 to $30,000. Platform-based alternatives like ClinicComply replace most of that for under $1,000 per year.

What awards cover medical practice employees?

Employed medical practitioners are covered by the Medical Practitioners Award 2020. Practice managers, practice nurses, receptionists, allied health assistants, and health information managers are covered by the Health Professionals and Support Services Award 2020. Misclassification is the single largest source of underpayment claims in healthcare. Since the Fair Work Commission's gender undervaluation review repriced significant HPSS roles, practices that have not refreshed classifications since 2022 should review every role.

What is payday super and when does it start?

Payday super is the requirement for Australian employers to pay superannuation contributions on the same cycle as wages, with payment to the super fund required within seven days of payday. It takes effect on 1 July 2026, replacing the current quarterly payment cycle. New practices opening in 2026 should build payday super into their payroll system from day one rather than migrating later. Non-compliance after 1 July 2026 attracts Superannuation Guarantee Charge and, for intentional breaches, potential criminal exposure under the wage theft provisions of the Fair Work Act.

Do I need infection control accreditation for a new medical practice?

The RACGP Infection Prevention and Control Standards apply to every accredited general practice. A written IPC program is required covering hand hygiene, cleaning and disinfection, instrument reprocessing and sterilisation validation, cold chain management for vaccines, sharps and clinical waste disposal, staff immunisation records, and transmission-based precautions. The program must be in place before you see the first patient, and evidence of ongoing audits against the program is essential for accreditation.

Can ClinicComply help a solo GP open a new practice?

Yes. ClinicComply's Solo plan is built for single-practitioner and small-practice start-ups. It includes the full RACGP Standards framework, Privacy Act and NDB tracking, the 8-step NDB breach response wizard, the IT vendor document portal, all 12 core policy templates, and automated deadline reminders. Most solo practices complete platform set-up in a weekend. Every plan includes a 30-day free trial with no credit card required. Upgrade to Group or MSP plans later if you add sites or practitioners.

Opening a medical practice in Australia is a serious undertaking, but the compliance side does not have to feel overwhelming. The five streams described above (business registrations, Medicare, privacy, clinical governance, and Fair Work) cover every obligation you will encounter, and with the right system in place, none of them need to consume more than a few hours a week. Start your free 30-day ClinicComply trial and walk into your first accreditation visit as the kind of practice your assessor has been hoping to see all month. For the full set of new-practice resources, visit our new practice compliance playbook or explore our blog archive for deeper guides on every compliance stream covered above.
