HIPAA Explained: US Health Data Laws and What Australia Can Learn

Health data privacy is a hot topic in Australia as digital health records and telehealth services continue to expand. While Australia has its own privacy laws, many Australians have heard of the US Health Insurance Portability and Accountability Act (HIPAA)—but what exactly is HIPAA, and why does it matter down under? Let’s dive into what HIPAA is, how it works in the United States, and the lessons Australia can take as we build our own digital health future.

What Is HIPAA and Why Was It Created?

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a landmark US law that sets strict standards for the privacy and security of health information. Its two main objectives are to:

  • Protect individuals’ health information from unauthorised access and misuse
  • Ensure health data can be shared safely to improve healthcare delivery

HIPAA introduced a set of privacy rules, security protocols, and penalties for breaches. These rules apply to healthcare providers, insurers, and any business handling protected health information (PHI). For example, a hospital in California must ensure patient records are encrypted, staff are trained in privacy, and data breaches are reported promptly. Major breaches can attract fines running into millions of US dollars.

HIPAA in 2025: What’s New and Why Does It Matter?

The world of health data is changing fast. In 2025, the US government is pushing for stricter HIPAA enforcement and new updates in response to rising cyber threats and the explosion of telehealth. The Biden administration and US Department of Health and Human Services (HHS) have proposed:

  • Mandatory breach notifications within 24 hours for high-risk incidents
  • Expanded patient rights to access their health data digitally
  • Stronger penalties for health apps and wearables that mishandle data
  • Greater transparency requirements for data sharing with third parties

Real-world example: In early 2025, a major US telehealth provider faced a $5 million penalty after hackers accessed thousands of patient records. The incident triggered a wave of reforms, including tighter security assessments for all digital health platforms.

These updates reflect a global trend—health data is now a prime target for cybercriminals, and patients want more control over their information. Australia’s My Health Record and e-health systems face similar risks and opportunities.

What Can Australia Learn from HIPAA?

Australia’s Privacy Act 1988 and the My Health Records Act 2012 already provide a framework for protecting personal health information. However, recent reviews—like the 2024 Privacy Act Reforms—suggest our laws may need further strengthening as digital health grows.

Key HIPAA-inspired best practices for Australia include:

  • Explicit breach notification timelines: Fast, transparent communication when data is compromised
  • Data minimisation and encryption: Only collect necessary data, and ensure it’s securely encrypted
  • Comprehensive staff training: Ongoing education for healthcare workers on privacy obligations
  • Patient empowerment: Easy digital access to health records and options to control who sees them
  • Third-party accountability: Clear rules for health apps, cloud providers, and partners handling sensitive data

With the Australian government’s 2025 Digital Health Strategy focusing on interoperability and consumer-centric care, aligning with global best practices is more important than ever. The rise of AI diagnostics, remote patient monitoring, and data sharing between providers means the risks—and the rewards—are growing.

The Bottom Line: Health Data Privacy Is Everyone’s Business

HIPAA may be an American law, but its principles resonate worldwide. As Australian health data becomes more digital and interconnected, we can learn from the US experience—especially as breaches and cyberattacks become more frequent. Staying informed about privacy rights and demanding best-practice protections is the best way to ensure our personal health information remains safe, secure, and under our control.