Compliance

    AHPRA, Privacy Act 1988 and AI voice: a 2026 compliance checklist

    Cadence
    May 25, 2026
    3 min read
    AHPRA, Privacy Act 1988 and AI voice: a 2026 compliance checklist

    The compliance bar AI voice vendors must clear before they touch an Australian clinic — written for practice managers, not lawyers.

    AHPRA, Privacy Act 1988 and AI voice: a 2026 compliance checklist

    In 2026 the OAIC is actively investigating AI voice deployments in healthcare. AHPRA's social media and AI guidance has tightened. Most vendors haven't updated their compliance posture since 2024. This is the checklist we run before any vendor goes near an AU clinic.

    If a vendor can't answer "yes" to every item below, in writing, they don't deploy.

    Data residency and hosting

    • AU-region hosting for voice, transcripts and PMS write-back data.
    • Documented data flow diagram covering ASR, LLM, TTS and storage.
    • Explicit statement of which sub-processors touch the data and where they are located.
    • No US-region transit for the voice path — even ephemeral.

    Consent flow

    • AHPRA-aligned consent prompt at call open, in the patient's preferred language.
    • Opt-out path that does not penalise the patient (route to human immediately).
    • Retention windows configurable per clinic, defaulting to no longer than clinically necessary.
    • Auditable consent log per call.

    Clinical safety

    • Hard-coded escalation on a configurable urgent-symptom keyword list.
    • The agent does not give clinical advice — full stop. Tested adversarially.
    • Handoff to nurse line or 000 with no friction.
    • Quarterly clinical review of escalation triggers.

    Privacy Act 1988 / APP alignment

    • APP 1 (open and transparent) — published privacy notice covers AI voice.
    • APP 6 (use / disclosure) — secondary use of recordings explicitly bounded.
    • APP 8 (cross-border) — no cross-border disclosure without explicit consent.
    • APP 11 (security) — encryption at rest and in transit, key management documented.
    • Notifiable Data Breach response plan — vendor and clinic roles defined.

    AHPRA-specific

    • The agent identifies itself as an AI in the opening line.
    • It does not impersonate a registered health practitioner.
    • It does not provide diagnoses, prescriptions or treatment recommendations.
    • Marketing claims about the agent comply with AHPRA's advertising guidelines.

    Governance

    • Quarterly compliance attestation from the vendor.
    • Monthly call sampling and red-team review.
    • Documented incident response with <15 min target.
    • Vendor cyber insurance disclosed (minimum $5M for networks of size).

    NZ networks

    Replace APP / Privacy Act 1988 with Privacy Act 2020 + HISO 10029. Same rigour, different framework. Te reo support is a clinical-safety expectation, not optional polish.

    What we do with this checklist

    It is the gate before any vendor reaches a pilot. ~70% of the AI voice vendors who pitch into ANZ healthcare in 2026 fail on at least three items. That's the filter.

    If you're running a procurement and want this checklist applied to a vendor RFP, the shortlist tool embeds the compliance gate as a hard cut.

    Want This for Your Network?

    See how Cadence can get your clinics live with AI voice in weeks — not months.

    Book Discovery Call More Articles