Compliance playbook for Australian medical practitioners
AHPRA registration, mandatory notifications under s 140 of the National Law, Medicare provider obligations under ss 19AA + 19AB of the Health Insurance Act 1973, PBS prescriber requirements, federal Privacy Act + state health-privacy regimes, the My Health Records Act, AHPRA advertising guidelines + the Therapeutic Goods Advertising Code, professional indemnity, scope-of-practice + endorsements, CPD, mandatory child-abuse reporting by state, and telehealth MBS rules — every obligation a medical practitioner faces on one page.
Key deadlines — next 12 months
- 30 September annually: AHPRA medical registration renewal
- 10 December 2026: Privacy Act ADM transparency obligation
- Within 30 days: NDB assessment after a suspected breach
- Continuous: Mandatory notification on forming the threshold belief (s 140)
Does this apply to me?
Answer yes to any of the below and the obligations in this playbook are likely relevant.
1. Are you a medical practitioner registered with the Medical Board of Australia under the Health Practitioner Regulation National Law (the National Law)?
2. Do you bill or claim Medicare benefits — meaning ss 19AA and 19AB of the Health Insurance Act 1973 apply to you?
3. Do you prescribe PBS-listed medicines, requiring PBS prescriber number compliance?
4. Do you handle health information about identifiable individuals (federal Privacy Act 1988 + state health-records regimes apply)?
5. Do you advertise health services (subject to s 133 of the National Law + AHPRA advertising guidelines + the Therapeutic Goods Advertising Code)?
6. Do you deliver telehealth services (the COVID-era expansion was substantially narrowed by July 2022 — telehealth MBS now restricted to established-relationship patients for most items)?
Plain English summary
Medical practitioners in Australia work under a layered compliance regime: a professional-registration layer (AHPRA + the Medical Board under the National Law); a Medicare-billing layer (Health Insurance Act 1973 and the MBS); a prescribing layer (PBS and state controlled-substances law); a privacy layer (federal Privacy Act + state health-records regimes); an advertising layer (AHPRA guidelines + the Therapeutic Goods Advertising Code); and a state-by-state mandatory-reporting layer for child abuse and family violence.
The National Law (Health Practitioner Regulation National Law) is the master statute — adopted by each state and territory through its own application Act. AHPRA administers it on behalf of the 15 National Boards (the Medical Board for medical practitioners). The s 140 mandatory-notification regime requires practitioners to report where the 'notifiable conduct' threshold is met — impaired performance posing risk of substantial harm, sexual misconduct, intoxication while practising, or significant departure from accepted professional standards.
Medicare obligations are separate and material. Section 19AA restricts general Medicare provider status to those holding Fellowship of an Australian medical college (or working under an approved 3GA training program). Section 19AB targets overseas-trained doctors and former overseas medical students through 10-year moratoriums on Medicare provider status. Both sections drive professional placement decisions for new fellows and IMGs.
This playbook walks through every obligation a registered medical practitioner faces, the section of the Act it sits under, who is accountable, the cadence, the maximum penalty, and a regulator-direct source. Tailor down for non-Medicare-billing private specialists or for trainees still working under supervision.
Obligation checklist
Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.
1. Health Practitioner Regulation National Law, s 109 (registration)
   Maintain general or specialist registration with the Medical Board of Australia via AHPRA. Annual renewal by the practitioner's birth-month renewal deadline (1 October standing deadline for most medical practitioners).
   - Who's responsible: Every medical practitioner
   - Frequency: Annual (renewal by 30 September; late period to 30 November)
   - Penalty: Unregistered practice, up to $60,000 (individual) under ss 113 and 116 of the National Law.
   - Source: Regulator-direct link
2. Health Practitioner Regulation National Law, s 140 (mandatory notifications)
   Notify AHPRA where you reasonably believe a registered health practitioner has engaged in notifiable conduct: practising while intoxicated, sexual misconduct, impairment posing risk of substantial harm, or significant departure from accepted professional standards.
   - Who's responsible: Every registered medical practitioner and their employer
   - Frequency: Event-driven
   - Penalty: Failure to notify by a treating practitioner: disciplinary action including loss of registration.
   - Source: Regulator-direct link
3. Health Practitioner Regulation National Law, s 128 (CPD)
   Complete the Medical Board's CPD requirements: 50 hours of CPD annually under the strengthened 2023 CPD framework (a CPD home through an accredited provider; reviewing performance; measuring outcomes; educational activities). Declare at registration renewal.
   - Who's responsible: Every medical practitioner
   - Frequency: Annual
   - Penalty: Conditions on registration; risk of refusal to renew.
   - Source: Regulator-direct link
4. Health Practitioner Regulation National Law, s 133 + AHPRA advertising guidelines
   Do not advertise a regulated health service in a way that is false, misleading or deceptive, offers a gift, discount or inducement, uses testimonials, creates an unreasonable expectation of beneficial outcomes, or directly or indirectly encourages unnecessary use of a regulated health service. Comply with the AHPRA Guidelines for advertising a regulated health service.
   - Who's responsible: Practice principal + every advertising practitioner
   - Frequency: Continuous (per advertisement)
   - Penalty: Up to $60,000 (individual) / $120,000 (body corporate) under s 133.
   - Source: Regulator-direct link
5. Therapeutic Goods Act 1989, Pt 5-1 + Therapeutic Goods Advertising Code 2021
   Do not advertise prescription medicines to the public. For other therapeutic goods, comply with the Code: no testimonials by health professionals, no misleading comparisons, mandatory statements where applicable, and compliance with the prohibited/restricted representations list.
   - Who's responsible: Practice principal + the practitioner posting content
   - Frequency: Continuous
   - Penalty: Civil penalties up to ~$315,000 (individual) under the TG Act; criminal penalties up to 5 years' imprisonment.
   - Source: Regulator-direct link
6. Health Insurance Act 1973 (Cth), s 19AA
   To bill Medicare, hold Fellowship of an Australian medical college (RACGP / RACS / RACP / etc.) or work under an approved 3GA program. New medical graduates from 1996 onwards are subject to s 19AA.
   - Who's responsible: Every Medicare-billing medical practitioner
   - Frequency: Continuous
   - Penalty: Loss of Medicare provider status; repayment of incorrectly claimed benefits.
   - Source: Regulator-direct link
7. Health Insurance Act 1973 (Cth), s 19AB
   Overseas-trained doctors and former overseas medical students are subject to a 10-year moratorium on Medicare billing in non-DPA / non-DWS locations (outside a Distribution Priority Area or District of Workforce Shortage). Section 19AB exemptions are administered by the Department of Health.
   - Who's responsible: Overseas-trained doctors (OTDs) and former overseas medical students (FOMSs)
   - Frequency: Continuous (until the 10-year moratorium ends or the DPA condition is lifted)
   - Penalty: Loss of Medicare provider status in restricted locations.
   - Source: Regulator-direct link
8. Medicare Benefits Schedule (MBS) — telehealth items + MBS Online
   Comply with item-specific MBS rules. Most telehealth items require an existing clinical relationship (the established-relationship rule): the patient must have been seen face-to-face by the GP, or by another GP at the same practice, in the previous 12 months. Exemptions apply for COVID-19, after-hours, blood-borne viruses, eating disorders, and certain specialist items.
   - Who's responsible: Every billing practitioner
   - Frequency: Per consultation
   - Penalty: Medicare compliance audit; repayment + administrative penalty; PSR referral for serious cases.
   - Source: Regulator-direct link
9. Health Insurance Act 1973 (Cth), Part VAA — Professional Services Review (PSR)
   Practitioners with patterns suggesting inappropriate practice (high-volume billing, unusual consultation mix, vertically integrated co-claims) may be referred to the PSR. Cooperate with the PSR review. The PSR may impose repayments, disqualification from MBS billing, or counselling.
   - Who's responsible: Practice principal + practitioner
   - Frequency: Event-driven
   - Penalty: Repayment of benefits; partial or full disqualification from Medicare; reputational.
   - Source: Regulator-direct link
10. National Health Act 1953 (Cth) — PBS prescribing
    Obtain a PBS prescriber number to write PBS prescriptions. Comply with PBS restrictions, authority rules (telephone or written authority for restricted items), and online prescribing rules. Comply with continuing-medication regimes and authority renewals.
    - Who's responsible: Every prescribing medical practitioner
    - Frequency: Continuous
    - Penalty: Loss of PBS prescriber number; investigation by the Department of Health.
    - Source: Regulator-direct link
11. Privacy Act 1988 (Cth) — health-service-provider APP entity
    Every health-service provider is an APP entity regardless of turnover (s 6D(4)(b)). Comply with all 13 APPs: Privacy Policy (APP 1), collection notices (APP 5), use/disclosure rules (APP 6), security (APP 11), access/correction (APPs 12-13).
    - Who's responsible: Privacy Officer + practice principal
    - Frequency: Continuous
    - Penalty: Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.
    - Source: Regulator-direct link
12. Privacy Act 1988 (Cth), Pt IIIC — Notifiable Data Breach scheme
    Notify the OAIC and affected individuals of eligible data breaches involving health information as soon as practicable. Complete the assessment within 30 days. Health-information breaches are presumed serious, so the bar for notification is low.
    - Who's responsible: Privacy Officer / Practice manager
    - Frequency: Event-driven
    - Penalty: Up to $50M / 3× benefit / 30% turnover.
    - Source: Regulator-direct link
13. Health Records and Information Privacy Act 2002 (NSW) / Health Records Act 2001 (Vic)
    NSW and Victoria operate state Health Privacy Principles in addition to the federal APPs. Comply with retention rules (NSW HRIPA: 7 years; minors: until age 25 minimum). Both regimes have parallel access-and-correction rights with state-specific complaint regulators.
    - Who's responsible: Privacy Officer
    - Frequency: Continuous
    - Penalty: State-specific penalties + complaint outcomes (NSW Information and Privacy Commission; Victorian Health Complaints Commissioner).
    - Source: Regulator-direct link
14. My Health Records Act 2012 (Cth)
    Where registered with the My Health Record system: upload records consistent with practitioner participation rules; restrict access to authorised users; honour patient access controls and emergency access protocols.
    - Who's responsible: Practice principal + every practitioner with MHR access
    - Frequency: Continuous
    - Penalty: Civil penalty up to ~$315,000 and criminal penalty up to 2 years' imprisonment for unauthorised access.
    - Source: Regulator-direct link
15. Health Practitioner Regulation National Law — scope of practice + endorsements
    Practise within the scope of your registration and endorsements (e.g. acupuncture endorsement, anaesthesia procedural endorsement). Notify AHPRA of changes to practice arrangements.
    - Who's responsible: Every practitioner
    - Frequency: Continuous
    - Penalty: Disciplinary action including conditions on registration.
    - Source: Regulator-direct link
16. Health Practitioner Regulation National Law, s 129 + AHPRA — professional indemnity
    Hold professional indemnity insurance arrangements appropriate to your practice. Declare at renewal. Most medical practitioners hold cover through MIPS, Avant or MDA National.
    - Who's responsible: Every practising practitioner
    - Frequency: Continuous; declare at annual renewal
    - Penalty: Refusal of registration renewal.
    - Source: Regulator-direct link
17. State mandatory child-abuse reporting laws (NSW Children and Young Persons (Care and Protection) Act 1998 s 27 + state equivalents)
    Notify the state child-protection authority where you reasonably suspect a child is at risk of significant harm. Each state has its own mandated-reporter list; medical practitioners are mandated reporters in all states and territories.
    - Who's responsible: Every medical practitioner
    - Frequency: Event-driven
    - Penalty: Failure to report attracts state-specific criminal penalties (e.g. NSW up to $22,000).
    - Source: Regulator-direct link
18. State controlled-substances law (e.g. Drugs, Poisons and Controlled Substances Act 1981 (Vic); Poisons and Therapeutic Goods Act 1966 (NSW))
    Comply with state controlled-substances law for Schedule 8 prescribing: Real Time Prescription Monitoring (SafeScript Vic / RTPM jurisdictions), authority-to-prescribe limits, and dosing rules. Keep records as required by state regulations.
    - Who's responsible: Every prescribing practitioner
    - Frequency: Per prescription
    - Penalty: State criminal penalties + disciplinary action by AHPRA.
    - Source: Regulator-direct link
19. Australian Consumer Law — services to consumers
    Services to private patients are subject to the ACL: services must be rendered with due care and skill, be fit for purpose, and be supplied within a reasonable time. Misleading-conduct provisions apply to claims about outcomes.
    - Who's responsible: Practice principal
    - Frequency: Continuous
    - Penalty: Civil penalties under the ACL (up to $50M for a body corporate); ACCC enforcement.
    - Source: Regulator-direct link
Forms and regulator portals
Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.
- AHPRA registration renewal portal
  Annual renewal of medical registration. Renewal by 30 September (medical); late period to 30 November.
  Open portal →
- AHPRA mandatory notification form
  Lodge a mandatory notification under s 140 of the National Law where you reasonably believe a practitioner has engaged in notifiable conduct.
  Open portal →
- Services Australia HPOS (Health Professional Online Services)
  Medicare provider portal — provider number requests, MBS lookups, claiming.
  Open portal →
- TGA Online — Therapeutic Goods complaints
  Report a breach of the Therapeutic Goods Advertising Code.
  Open portal →
- OAIC Notifiable Data Breach notification
  Lodge an NDB notification for an eligible breach involving health information.
  Open portal →
- Professional Services Review portal
  PSR matters and information about inappropriate-practice review.
  Open portal →
What changes 2025–2026
2023 — Strengthened CPD framework
The Medical Board's strengthened CPD framework commenced — every medical practitioner must engage a CPD home, complete 50 hours/year, including reviewing performance and measuring outcomes.
2024-2025 — AHPRA cosmetic-procedures advertising guidelines tightened
The Medical Board introduced enhanced cosmetic-procedure advertising guidelines covering testimonials, before-and-after images and influencer arrangements. Enforcement is active.
10 December 2026 — Privacy Act ADM transparency obligation
Medical practices using automated decision-making (triage algorithms, AI-assisted diagnostic decisions affecting access to services) must update their APP 1 Privacy Policy.
10 December 2026 — Children's Online Privacy Code
Where the practice operates online services likely to be used by children (paediatric clinics, telehealth platforms with paediatric service lines), the Code applies.
Ongoing — Telehealth MBS rules
The COVID-era expansion was substantially wound back from 1 July 2022. Telehealth MBS items are now restricted to established-relationship patients for most general consultations; specialist items have separate rules. Monitor MBS Online for ongoing changes.
Ongoing — Real Time Prescription Monitoring (RTPM)
Mandatory across NSW (SafeScript NSW), Victoria (SafeScript Vic), Queensland (QScript), SA, WA, Tas and ACT. Mandatory check before prescribing certain Schedule 8 medicines.
In-depth reading
22 Rules Mate articles tagged to this playbook.
AHPRA Mandatory Notifications: Health Practitioner Reporting Obligations Under National Law
Mandatory notifications to AHPRA under the Health Practitioner Regulation National Law 2009: when practitioners, employers and education providers must report notifiable conduct.
AHPRA and the Health Practitioner Regulation National Law
The Australian Health Practitioner Regulation Agency (AHPRA) administers a single national framework for registered health professions. Here's the structure, the 15 National Boards, and the mandatory notification regime.
Medicare Benefits Schedule (MBS) Provider Obligations Under the Health Insurance Act 1973
Medicare provider compliance: provider numbers, bulk billing, MBS item compliance, fraud and benefit recovery under the Health Insurance Act 1973.
Therapeutic goods advertising in Australia: the Code and the no-go zones
Advertising of therapeutic goods is governed by the Therapeutic Goods Act 1989 and the Therapeutic Goods Advertising Code. Here are the rules, the categories you can't advertise to consumers, and the penalties.
NSW HRIPA: Health Records and Information Privacy Act 2002 and 15 HPPs
The 15 Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (NSW) applying to NSW public and private health service providers.
Victorian Health Records Act 2001: 11 HPPs for Public and Private Health Providers
Victorian Health Records Act 2001: 11 Health Privacy Principles (HPPs) for public and private health service providers, administered by OVIC.
The My Health Records Act 2012: access, controls and offences
The My Health Records Act 2012 establishes Australia's My Health Record system. Strict access rules, audit logging, and significant criminal penalties apply for unauthorised access.
TGA Medical Device Classification: Risk Classes, IVDs and Conformity Assessment
TGA classification of medical devices under Therapeutic Goods (Medical Devices) Regulations 2002: Class I, IIa, IIb, III, AIMD, IVD Class 1-4, ARTG inclusion.
APP 11 — reasonable steps to secure personal information
How the OAIC interprets the APP 11 obligation to take reasonable steps to protect personal information, and the indicative controls expected of regulated entities.
Notifiable Data Breach: a step-by-step walkthrough for the first 30 days
What to do hour-by-hour when you discover a suspected data breach. The 30-day assessment, the notification triggers, OAIC and affected individuals.
Privacy Act 2026: 8 questions every Australian SMB should answer
Removing the small business exemption is proposed for a future reform tranche — not yet law — but if enacted ~2 million SMBs would become APP entities. Answer these 8 questions to know where you stand.
Privacy Act 2026: what Australian SMBs need to do before 10 December
On 10 December 2026, ADM transparency and the Children's Online Privacy Code commence. The proposed small business exemption removal — which would bring ~2 million SMBs into APP scope — is not yet law. Here's what you need in place.
The new Aged Care Act 2024 in plain English: what providers must do from 1 November 2025
A practical guide to the strengthened obligations under the new Aged Care Act for residential and home-care providers — quality standards, SIRS, RN 24/7 and accountability.
Australian compliance calendar 2026–2027: every deadline you need
A month-by-month list of every major Australian compliance deadline for 2026 and 2027 — tax, super, AML, privacy, climate, WHS, modern slavery. Free .ics download.
Privacy Act vs GDPR: what Australian businesses actually need to know
How Australia's Privacy Act and Australian Privacy Principles compare to the EU's GDPR — thresholds, consent, breach notification, penalties, and what changes for AU businesses in December 2026.
The Notifiable Data Breach 30-day rule explained
Under the Privacy Act's NDB scheme you have up to 30 days to assess a suspected breach, then must notify the OAIC and affected individuals. Here's how both clocks work.
Consumer Data Right (CDR) in Australia: open banking, open energy and what's coming
The Consumer Data Right lets consumers share their banking, energy and (progressively) other data with accredited third parties. Here's the framework, the participants and the Privacy Safeguards.
The Privacy Act statutory tort for serious invasions of privacy
Schedule 2 to the Privacy and Other Legislation Amendment Act 2024 created a new statutory cause of action for serious invasions of privacy. It commenced 10 June 2025. Here's the framework.
Workplace surveillance Acts in Australia: NSW, ACT and the patchwork
Some states have specific workplace surveillance Acts; others rely on the Privacy Act and state surveillance-devices Acts. Here's the framework — particularly for NSW + ACT employers.
The Privacy Act employee records exemption (section 7B): what it covers and what it doesn't
Section 7B(3) of the Privacy Act 1988 exempts acts and practices of organisations relating to employee records from the Australian Privacy Principles. The carve-out is narrower than many employers think.
APP 8 overseas disclosure: when AU businesses are accountable for what an overseas recipient does
Australian Privacy Principle 8 makes an APP entity accountable for what an overseas recipient does with personal information it discloses. Here's the rule, the exceptions, and how to discharge the obligation.
TIA Act data retention: the 2-year metadata regime explained
Telecommunications service providers must retain prescribed metadata for 2 years under the Telecommunications (Interception and Access) Act 1979. Here's the framework and the access rules.
Frequently asked
When does the s 140 mandatory notification obligation actually trigger?
When you form a reasonable belief that a registered health practitioner has engaged in notifiable conduct: practising while intoxicated by alcohol or drugs; sexual misconduct in the practice of the profession; impairment posing risk of substantial harm; significant departure from accepted professional standards. The threshold is 'reasonable belief', not 'reasonable suspicion'. Treating-practitioner exemptions were narrowed under the 2020 reforms (in WA the exemption is broader than in other states).
Are we an APP entity for the Privacy Act even though our turnover is under $3M?
Yes. Every health-service provider is an APP entity regardless of turnover under s 6D(4)(b) of the Privacy Act 1988. The small-business exemption does not apply to health services.
What's a 'health-service provider' for the s 6D(4)(b) carve-in?
Section 6FB defines a health service as any service provided to assess, record, maintain or improve a person's health, diagnose illness or injury, treat illness or injury, dispense medication, or provide aged care. Sole practitioners, group practices, allied health, dentistry, optometry and pharmacy are all health-service providers.
How long must we retain medical records?
AHPRA registration standards require 7 years from the last entry for adult patients, and until age 25 for minors. State law adds requirements: NSW HRIPA HPP 5 requires the same minimums; Victoria Health Records Act follows the same period. Records of high-risk procedures, controlled substances and child patients should be retained longer.
Does the NDB scheme apply if our breach is only between one patient and another?
Yes. The Notifiable Data Breach scheme assesses likely serious harm to one or more individuals. Health information has a lower threshold for serious harm. Assess within 30 days, notify OAIC and affected individuals as soon as practicable if eligible.
What about telehealth — does the established-relationship rule have exceptions?
Yes — COVID-19 services, after-hours, blood-borne viruses, eating disorders, urgent care arrangements in DPA locations, and certain specialist items have separate rules. MBS Online publishes item-by-item rules. Practitioners billing outside the established-relationship rule risk PSR review.
Can we advertise patient testimonials?
No. Section 133 of the National Law and AHPRA's advertising guidelines prohibit testimonials about clinical aspects of a regulated health service. Reviews relating to administrative aspects (booking, wait time, parking) may be permissible; clinical-outcome testimonials are not.