
Privacy Impact Assessment Template — Healthcare

Structured PIA template aligned to the OAIC's Guide to undertaking privacy impact assessments. Includes APP-by-APP analysis, information flow mapping, risk register, health-specific considerations (My Health Record, state HRIPA/HRA/HRPPA) and decision sign-off. Used before any new system, vendor or AI tool that handles patient data.

Privacy Act 1988 · Australian Privacy Principles · OAIC PIA Guide · 6 pages, Word format

This template is available on a paid plan

Subscribe to ClinicComply to download the Privacy Impact Assessment Template and access all policy templates.

What's in this template?

This Privacy Impact Assessment (PIA) template gives Australian healthcare practices a structured way to assess privacy risk before introducing a new system, vendor or process. It is built directly from the structure of the OAIC's Guide to undertaking privacy impact assessments and the consolidated APP Guidelines, then tailored for medical and allied health settings.

The template covers 11 sections plus a sign-off block:

  1. When to use this PIA — triggers (new clinical software, AI scribe, MSP, telehealth, research, secondary use)
  2. Project description — drivers, scope, stakeholders
  3. Personal information involved — categories, sources, sensitivity, volume
  4. Information flows — collection, storage, internal use, disclosure, cross-border, retention, destruction
  5. APP-by-APP analysis — every one of the 13 APPs assessed against the project
  6. Privacy risk register — likelihood, consequence, mitigation, owner, target date
  7. Health-specific considerations — My Health Record, children's records, state HRIPA/HRA/HRPPA
  8. Consultation — Privacy Officer, IT, clinical lead, legal, patients
  9. Recommendations — required changes before go-live
  10. Decision and sign-off — proceed, proceed with conditions, do not proceed
  11. Post-implementation review — 6-month follow-up

Editable placeholder fields

  • {{project_name}}, {{practice_name}}, {{project_owner}}, {{privacy_officer}}
  • {{date_commenced}}, {{go_live_date}}
  • Per-APP and per-risk fields throughout the document

When should you complete a PIA?

The OAIC says a PIA should be carried out before any project that involves a new way of handling personal information. For healthcare practices, that translates into specific triggers:

  • New clinical software or change to the patient management system
  • New patient portal or telehealth platform
  • New third-party processor — cloud vendor, billing service, MSP, transcription service
  • AI tools that ingest patient data (AI scribes, automated triage, clinical decision support)
  • New data-sharing arrangements (research, MyMedicare data feeds, secondary use)
  • Changes to retention or destruction practices
  • Significant changes to consent, identity verification or notification practices

A short PIA early in the project is far cheaper than retrofitting privacy controls — or notifying a breach — later.

APP 1.2 at a glance

Australian Privacy Principle 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems to comply with the APPs. The OAIC's Privacy Management Framework treats PIAs as a key reasonable step for any project that introduces material privacy risk. Many regulators (including the OAIC itself) require a PIA as a precondition for any new project involving personal information.

Why this matters

Privacy Act penalties for serious or repeated interferences with privacy can reach $50 million after the 2022 amendments. AI-related breaches are now over-represented in OAIC enforcement activity, and projects without a PIA are more likely to result in a notifiable data breach. A documented PIA is also evidence for:

  • RACGP accreditation Criterion C6.3 (Confidentiality and privacy)
  • NDIS Practice Standards Information Management
  • ISO 27001 / IRAP risk assessment requirements
  • The OAIC's expectations for "reasonable steps" under APP 1.2

How to customise this template

  1. Download the Word document and complete the project description first — be specific about scope
  2. Map the information flow in section 4 — a flow diagram is often the most useful artefact
  3. Work through every APP in section 5 — even where the answer is "not applicable", document why
  4. Engage the Privacy Officer before drafting — the PIA should inform the project, not be retrofitted
  5. Build the risk register with realistic likelihood/consequence ratings
  6. List required changes in section 9 with owners and target dates
  7. Sign off before go-live and schedule the 6-month post-implementation review

Related templates and tools

The PIA is the upstream document for any new system or arrangement. It typically generates updates to:

  • Privacy Management Plan — register the project in the privacy register
  • Patient Data Collection Notice — update if collection methods change
  • Privacy Policy — update if disclosures or overseas storage change
  • Data Retention and Destruction Policy — add new categories where needed
  • Third-Party Data Sharing Agreement — for new processors

For breach-related projects, also consult the Data Breach Response Plan and Computer and Information Security Policy.

Frequently asked questions

Is a Privacy Impact Assessment mandatory in Australia?

PIAs are not a standalone legal requirement under the Privacy Act, but the OAIC and most accreditors treat them as a key reasonable step under APP 1.2. Where a project introduces material privacy risk and a PIA was not done, the OAIC will frequently treat that as a failure of "reasonable steps" in the event of a breach.

When should we use this PIA template?

Use it before any project that materially changes how personal information is handled. Common triggers in general practice and allied health include: a new clinical software system, a new third-party processor (MSP, AI scribe, billing service), a new patient portal, telehealth changes, and any new disclosure of patient data (research, secondary use, AI training).

Do we need a PIA for AI tools like AI scribes?

Yes, and the OAIC has been explicit about this. AI tools that ingest patient data trigger a PIA because they introduce new processors, often new cross-border disclosures (cloud regions in the US or EU), and risks of model training on practice data. A documented PIA is now the OAIC's expected baseline for AI deployments in healthcare.

Who should sign off the PIA?

The Privacy Officer and the project owner sign off the PIA. Where the project is significant or involves substantial cross-border disclosure, the practice owner also signs. The signed PIA is filed in the privacy register and revisited at the 6-month post-implementation review.

How long does a PIA take?

A focused PIA for a typical practice software change can be completed in 1 to 2 working days of the Privacy Officer's time, plus consultation. A larger project (a new patient portal across multiple sites) may take 1 to 2 weeks. The cost of doing a PIA is consistently lower than the cost of remediating a breach.

How does a PIA differ from a security risk assessment?

A security risk assessment focuses on technical risks (threats, vulnerabilities, controls). A PIA focuses on privacy risks (how the project affects compliance with the APPs and individual privacy rights). The two are complementary — most large projects need both.

What if the PIA recommends not proceeding?

The decision rests with the practice owner. The PIA documents the privacy risks; the owner balances them against the clinical and business benefits. Where the decision is to proceed despite material residual risk, the rationale is recorded in section 10 and the risk is added to the practice risk register for ongoing monitoring.
