2026 Compliance Readiness Assessment

    Is your practice ready for the 2026 compliance landscape?

    A 20-question diagnostic for Australian dental practices - solo principals, group practices, and DSO-managed sites. See how you measure up against the Privacy Act reforms, AHPRA registration and AI-use obligations, clinical record-keeping standards, AS 5369:2023 sterilisation, ARPANSA radiation safety, and the cyber threats actively targeting Australian healthcare. Each weak answer returns a concrete next step for your practice manager or IT provider.

    What's changing (and already changed) for Australian dental practices
    • 10 DEC 2026 - Automated Decision-Making (AI) disclosure rules take effect under the Privacy Act
    • CURRENT - OAIC privacy compliance sweep underway, with healthcare named as a priority sector
    • CURRENT - AS 5369:2023 is the required sterilisation standard (replaces AS/NZS 4815)
    • ONGOING - AHPRA AI Guidance applies now - practitioners accountable for all AI output

    Australian healthcare is under sustained ransomware attack - MediSecure, Medibank, Genea, St Vincent's, and multiple regional providers have been hit in the past 18 months.

    Your privacy. Your individual answers stay on your device - we don't store them. When you finish, we save an anonymous record of your scores (industry, overall and per-category percentages, state, business type) so we can show how you compare to others in your industry. We also log anonymous counts for when a quiz is started, when a report is downloaded, and (if you later request it) when one is emailed - no identifying information is attached to any of these. We never capture your name, email, IP address, or any business identity.

    20 questions, 10 risk areas

    Full quiz content - Dental Compliance Quiz 2026 - Privacy Act, AHPRA, IPC, Radiation | Nifty Computing

    This index lists every question, every answer option with its score, every tier band, every recommendation, and every regulatory source used by the dental compliance readiness quiz.

    Tier scoring

    • Compliance Ready - score ≥ 85/100, review every 12 months. Your practice demonstrates strong compliance maturity across the Privacy Act, AHPRA obligations, and clinical safety frameworks. Maintain annual reviews and keep pace with emerging reforms. Recommended next review: 12 months.
    • Good - Minor Gaps - score ≥ 70/100, review every 12 months. Solid foundations with targeted gaps to address before the December 2026 ADM deadline and current regulatory focus on healthcare. Work through the priority findings below. Recommended next review: 12 months.
    • Moderate Risk - Action Needed - score ≥ 50/100, review every 6 months. Several material gaps in your compliance practices. Given the active OAIC focus on healthcare and sustained ransomware pressure, prioritise the findings below over the next 1–3 months. Recommended next review: 6 months.
    • High Risk - Urgent Action - score ≥ 30/100, review every month. Significant exposure across multiple obligations. An OAIC or AHPRA finding, or a cyber incident, is a material risk at this readiness level. Engage professional advice. Recommended next review: 1 month.
    • Critical - Immediate Intervention - score ≥ 0/100, review every month. Your practice has substantial non-compliance with Australian regulatory obligations. Engage qualified compliance and cyber advisers as soon as practicable. Recommended next review: 1 month.

    Categories assessed

    • POL - Privacy Policy
    • REC - Clinical Records Management
    • ADM - Automated Decisions & AI
    • COL - Patient Collection & Forms
    • SEC - Security & Breaches
    • VEN - Third-Party Vendors
    • MKT - Marketing & Advertising
    • TRN - Staff & Governance
    • IPC - Infection Prevention & Control
    • RAD - Radiation Safety

    Questions

    1. Q1 (POL, weight 3): Does your practice have a written privacy policy published on your website?

      • Yes, and it's reviewed at least annually (score 5)
      • Yes, but we haven't reviewed it in over two years (score 2)
      • Yes, but I'm not sure what's in it (score 1)
      • No, or I don't know (score 0)

      If a weak option is selected: Publish an up-to-date privacy policy. APP 1.3 requires it to be clearly expressed and kept current. All dental practices are APP entities regardless of size - the small business exemption does not apply to health service providers.

    2. Q2 (POL, weight 3): Does your privacy policy specifically mention your use of AI or automated decision-making tools (e.g. AI scribing, image analysis, recall automation)?

      • Yes, with clear detail on each tool (score 5)
      • Briefly mentioned (score 2)
      • No mention (score 0)
      • Don't know (score 0)

      If a weak option is selected: From 10 December 2026, APP 1.7 requires transparency about automated decision-making. Name each AI tool you use, what it does, what data it uses, and how patients can request human review.

    3. Q3 (POL, weight 2): Does your privacy policy address state-specific health privacy obligations where applicable (Vic Health Records Act 2001, NSW HRIPA 2002, ACT HR(P&A)A 1997)?

      • Yes, with state-specific provisions where relevant (score 5)
      • Generic policy relying only on the federal Privacy Act (score 2)
      • No state-specific provisions (score 1)
      • Don't know (score 0)

      If a weak option is selected: Practices in Victoria, NSW, and ACT have dual federal and state privacy obligations. The state regimes have 11 Health Privacy Principles (HPPs) - similar to APPs but with specific health-sector provisions.

    4. Q4 (POL, weight 2): Does your privacy policy explain how patients can access or correct their dental records?

      • Yes, with documented 30-day response target (score 5)
      • General statement only (score 2)
      • No (score 0)

      If a weak option is selected: APP 12 and APP 13 require clear processes for access and correction. The operating standard is a 30-day response; in Victoria/NSW/ACT the state health records regimes also apply.

    5. Q5 (POL, weight 2): Is your privacy policy accessible at the practice, not only online?

      • Yes - printed copies and displayed in the waiting area (score 5)
      • Available on request (score 3)
      • Online only (score 1)
      • Don't know (score 0)

      If a weak option is selected: Have a printed privacy policy or short-form collection notice available at reception. The OAIC's current compliance sweep targets in-person collection practices across healthcare.

    6. Q6 (POL, weight 2): Does your privacy policy describe how to make a complaint, including referrals to the OAIC and your state health complaints commissioner?

      • Yes - full referral pathways to both federal and state regulators (score 5)
      • OAIC only (score 3)
      • Internal process only (score 2)
      • No (score 0)

      If a weak option is selected: Your policy must describe the complaints pathway. For healthcare in Victoria, NSW, and ACT, patients can also complain to the Health Complaints Commissioner/Privacy Commissioner - these state regulators handle health-specific matters and are often the first port of call.

    7. Q7 (POL, weight 2): Does your privacy policy itemise the types of health information you collect (medical history, Medicare/fund details, imaging, clinical notes)?

      • Yes, clearly itemised (score 5)
      • General description (score 2)
      • No (score 0)

      If a weak option is selected: Itemise what you collect. 'Health information' is a specific category under the Privacy Act - it includes not just medical history but also treatment notes, images, and billing information with clinical context.

    8. Q8 (REC, weight 3): How long do you retain adult patient clinical records after their last visit?

      • Indefinitely (risk management best practice for healthcare) (score 5)
      • At least 7 years (meets Vic/NSW/ACT minimum) (score 5)
      • Less than 7 years (score 1)
      • Don't know our retention period (score 0)

      If a weak option is selected: For dental records, the legal minimum is 7 years from last service in Victoria, NSW, and ACT. Industry best practice is indefinite retention for risk management - dental records can be relevant to malpractice claims many years later.

    9. Q9 (REC, weight 3): For minor patients, do you retain records until they reach age 25?

      • Yes - meets Vic/NSW/ACT statutory requirement (score 5)
      • We retain until age 18 or patient-specific (score 1)
      • No specific policy for minors (score 0)
      • Don't know (score 0)

      If a weak option is selected: In Victoria, NSW, and ACT, records for patients treated when under 18 must be retained until the patient reaches age 25 (or 7 years after last service, whichever is later). Build this into your practice management software's retention rules.

    10. Q10 (REC, weight 3): Are clinical records made contemporaneously - at the time of the clinical encounter or as soon as possible afterwards?

      • Yes, always - before the next patient (score 5)
      • Usually - sometimes at end of session (score 3)
      • Often batched at end of day (score 1)
      • Often days later (score 0)

      If a weak option is selected: The DBA Code of Conduct explicitly requires contemporaneous records. Delayed records are harder to defend in complaints and malpractice cases, and AHPRA views systemic delays as a practice issue.

    11. Q11 (REC, weight 2): Do your clinical records include what the DBA Code of Conduct expects - clinical history, findings, investigations, information given to patient, medication, and management plan?

      • Yes, documented against a standard template (score 5)
      • Mostly - varies by clinician (score 3)
      • Inconsistent (score 1)
      • No standard (score 0)

      If a weak option is selected: Standardise your records template against the DBA Code of Conduct requirements. Inconsistent record content between clinicians is a governance risk and a continuity-of-care risk.

    12. Q12 (REC, weight 3): When patients request access to their dental records, can you provide them within 30 calendar days?

      • Yes, documented process (score 5)
      • Yes, but ad hoc (score 3)
      • Takes longer than 30 days (score 1)
      • Not sure how to handle these requests (score 0)

      If a weak option is selected: Access requests under APP 12 and state Acts expect timely response. 30 days is the operating standard. Have a written procedure covering identity verification, what to provide, and any permitted redactions (e.g. third-party confidential information).

    13. Q13 (REC, weight 2): If your practice is ever sold, transferred, or closed, do you have a plan for notifying patients and handling records?

      • Yes - documented, with notice templates and a custodian plan (score 5)
      • Informal plan (score 2)
      • No plan in place (score 0)

      If a weak option is selected: Under Vic Health Records Act HPP 10 (and similar provisions in other states), practice sale/transfer/closure triggers patient notification requirements - newspaper notice, letters to current clients, and practice signage. Plan before you need it.

    14. Q14 (REC, weight 2): Do you have a process for correcting records when a patient disputes accuracy (by annotation rather than deletion)?

      • Yes - annotation-based correction process (score 5)
      • Informal (score 2)
      • We'd just delete and re-enter (score 0)
      • No process (score 0)

      If a weak option is selected: Corrections must preserve the original record - you annotate, not delete. APP 13 requires this, and the Vic HR Act specifically prohibits erasing clinical records. Deletion destroys the audit trail and creates liability.

    15. Q15 (ADM, weight 3): Have you identified which tools in your practice use AI or automated decision-making (scribing, image analysis, recall automation, chatbots, predictive scheduling)?

      • Yes - documented inventory (score 5)
      • Partially identified (score 2)
      • No inventory (score 0)
      • Not aware we need to (score 0)

      If a weak option is selected: Build an AI inventory before December 2026. AI scribing (Heidi, Lyrebird), diagnostic image analysis (Pearl, Overjet), recall automation, and chatbots all qualify. Many modern practice management systems also include AI-driven predictive features.

    16. Q16 (ADM, weight 3): From 10 December 2026, practices must disclose use of AI in their privacy policy under APP 1.7. Are you prepared?

      • Yes - policy already updated (score 5)
      • In progress (score 3)
      • Not started (score 1)
      • Wasn't aware of this requirement (score 0)

      If a weak option is selected: Start drafting ADM disclosures now. The December 2026 deadline is hard - non-compliant privacy policies can attract $66,000 penalties, and the OAIC has signalled AI transparency as an enforcement priority.

    17. Q17 (ADM, weight 3): Under AHPRA's AI guidance, practitioners remain fully accountable for AI output. Do you document human review of AI-influenced clinical decisions?

      • Yes - documented oversight for all AI use (score 5)
      • Usually documented (score 3)
      • Informal (score 1)
      • No documentation (score 0)
      • We don't use AI in clinical decisions (score 5)

      If a weak option is selected: AHPRA's position is that practitioners are accountable for AI output regardless of the tool's sophistication or TGA approval. Document your review of AI-generated notes, image interpretations, and recommendations. Your PI insurer may require evidence of this oversight in a claim.

    18. Q18 (ADM, weight 3): If you use AI scribing tools, do you obtain informed patient consent before recording consultations?

      • Yes - documented consent on record (score 5)
      • Verbal consent only (score 3)
      • No specific consent obtained (score 0)
      • We don't use AI scribing (score 5)

      If a weak option is selected: AHPRA's guidance specifically calls out AI scribing - patients must be informed, and informed consent documented. This is also a Privacy Act issue because you're creating an additional record (the transcript) that didn't previously exist.

    19. Q19 (ADM, weight 2): Have you checked whether the AI tools you use should be registered with the TGA (i.e. whether they meet the medical device definition)?

      • Yes - checked all tools against ARTG (score 5)
      • Checked some (score 2)
      • No (score 0)
      • Don't know which tools would qualify (score 0)

      If a weak option is selected: AI tools with therapeutic purpose (diagnosis, treatment) are medical devices and must be TGA-registered. General-purpose tools like ChatGPT are not TGA-regulated. Check each tool via the Australian Register of Therapeutic Goods.

    20. Q20 (ADM, weight 2): Have staff been trained on safe and compliant use of AI in clinical practice?

      • Yes - within the last 12 months, documented (score 5)
      • General awareness only (score 2)
      • No formal training (score 0)

      If a weak option is selected: Staff training should cover: AHPRA's AI guidance, informed consent for AI scribing, when human review is mandatory, and confidentiality risks of pasting patient info into general-purpose AI tools. Annual refresh is appropriate given how fast this space moves.

    21. Q21 (COL, weight 3): What personal information do you collect from new patients?

      • Only what's reasonably necessary, with clear purpose (score 5)
      • Standard form used but not recently reviewed (score 3)
      • Extensive form - collecting more than we strictly need (score 1)
      • Not sure what's on our form (score 0)

      If a weak option is selected: Review your intake form against APP 3. Health history, emergency contact, Medicare/fund details are necessary. Lifestyle questions, marketing preferences, and background information beyond clinical need should be optional and justified separately.

    22. Q22 (COL, weight 2): Do you provide patients with a Privacy Collection Notice at or before first collection (APP 5 requirement)?

      • Yes, verbal and written (score 5)
      • Verbal only (score 3)
      • Sometimes (score 1)
      • No (score 0)

      If a weak option is selected: APP 5 requires notification of what you collect, why, who you share with, and how to access or complain. A short-form notice on the intake form or displayed at reception satisfies this - template versions are available from the ADA.

    23. Q23 (COL, weight 2): Can patients decline to provide optional information and still receive treatment?

      • Yes, and this is clearly communicated (score 5)
      • Yes but not communicated (score 3)
      • Required fields aren't marked as optional (score 1)
      • Don't know (score 0)

      If a weak option is selected: APP 2 expects the option of anonymity or pseudonymity where practicable. For a dental practice, certain fields are necessary (identity, emergency contact, medical history), but marketing preferences, occupation, referral source etc. are typically not.

    24. Q24 (COL, weight 3): How are paper intake forms handled after digitisation?

      • Securely destroyed after digital capture confirmed (score 5)
      • Stored in a locked filing area (score 4)
      • Stored in open filing cabinets or on desks (score 1)
      • Don't know (score 0)

      If a weak option is selected: APP 11.2 requires destruction or de-identification of paper records once the digital version is confirmed. Paper intake forms sitting in unlocked filing are a documented breach pathway.

    25. Q25 (COL, weight 2): Do you have a documented cadence for reviewing patient forms against current APP and health records requirements?

      • Yes - annual review (score 5)
      • Ad hoc review only (score 2)
      • Never formally reviewed (score 0)

      If a weak option is selected: Review patient forms annually. The APPs and state health records rules change, and legacy forms accumulate unnecessary fields over time. The review should cover both legal compliance and whether each field is actually used.

    26. Q26 (COL, weight 1): Approximately how many fields does your new patient intake form contain?

      • Fewer than 30 (score 5)
      • 30–60 (score 3)
      • More than 60 (score 1)
      • Don't know (score 0)

      If a weak option is selected: Long intake forms often accumulate fields that aren't clinically used. Audit against 'what do we actually use this for?' - cut anything you can't tie to a specific operational or clinical purpose.

    27. Q27 (SEC, weight 3): Is multi-factor authentication enforced on every staff account across practice management, imaging, document storage, and email?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: MFA is the single highest-impact security control. Australian healthcare is under sustained ransomware attack - MediSecure, Medibank, Genea and St Vincent's have all been hit. If your IT provider manages accounts, ask for a quarterly MFA-coverage report naming any staff or service accounts still without MFA.
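      The quarterly MFA-coverage report asked for above is easy to produce from an account export. The following is an added example, not the quiz's or any vendor's code: it assumes a CSV export with the constructed columns account, system, account_type, mfa_enrolled and last_login (real systems export differently), lists every account without MFA with service and shared accounts first, flags stale unprotected accounts, and gives per-system coverage percentages so the gap is visible rather than assumed.

```python
"""MFA coverage report from an account export.

Added example (not the quiz's code). The column names and every sample row
below are constructed for illustration; adapt the reader to your own export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export spanning several practice systems.
SAMPLE_EXPORT = """account,system,account_type,mfa_enrolled,last_login
dr.lee@example-dental.au,email,staff,true,2026-03-02
reception@example-dental.au,email,shared,false,2026-03-03
j.smith@example-dental.au,pms,staff,true,2026-02-28
locum-02,pms,staff,false,2026-01-19
svc-backup,backup,service,false,2026-03-03
imaging-admin,imaging,staff,false,2025-07-11
"""


@dataclass(frozen=True)
class Gap:
    account: str
    system: str
    account_type: str
    days_since_login: int


def _parse_bool(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1", "y"}


def mfa_gaps(export_text: str, today_iso: str) -> list[Gap]:
    """Every account without MFA, service and shared accounts first, then by system."""
    today = date.fromisoformat(today_iso)
    gaps = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if _parse_bool(row["mfa_enrolled"]):
            continue
        last = date.fromisoformat(row["last_login"])
        gaps.append(Gap(row["account"], row["system"], row["account_type"],
                        (today - last).days))
    priority = {"service": 0, "shared": 1, "staff": 2}
    return sorted(gaps, key=lambda g: (priority.get(g.account_type, 3), g.system, g.account))


def stale_gaps(gaps: list[Gap], max_idle_days: int = 90) -> list[Gap]:
    """Unprotected accounts nobody has used recently: disable them rather than enrol them."""
    return [g for g in gaps if g.days_since_login > max_idle_days]


def coverage_by_system(export_text: str) -> dict[str, float]:
    """Percentage of accounts with MFA per system, rounded to one decimal place."""
    counts: dict[str, list[int]] = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        c = counts.setdefault(row["system"], [0, 0])  # [enrolled, total]
        c[1] += 1
        if _parse_bool(row["mfa_enrolled"]):
            c[0] += 1
    return {system: round(100 * c[0] / c[1], 1) for system, c in counts.items()}


if __name__ == "__main__":
    gaps = mfa_gaps(SAMPLE_EXPORT, "2026-03-04")  # constructed report date
    for system, pct in coverage_by_system(SAMPLE_EXPORT).items():
        print(f"{system}: {pct}% of accounts have MFA")
    for g in gaps:
        print(f"NO MFA  {g.account:<30} {g.system:<8} {g.account_type:<8} idle {g.days_since_login}d")
    for g in stale_gaps(gaps):
        print(f"STALE   {g.account} - unused for {g.days_since_login} days, consider disabling")
```

      Service and shared accounts are listed first because they are the ones most often left out of an MFA rollout; the stale list separates "enrol this person" from "this account should not exist".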

    28. Q28 (SEC, weight 3): Do you have a documented data breach response plan that covers the 30-day OAIC notification timeframe?

      • Yes, tested in the last 12 months (score 5)
      • Yes, but never tested (score 3)
      • Informal - it's in the principal's head (score 1)
      • No (score 0)

      If a weak option is selected: The Notifiable Data Breaches scheme requires notification within 30 days of becoming aware. Have a tested plan: who declares the incident, who decides on notification, external advisers to call (insurer, lawyer, IT forensics), comms approach to affected patients.

    29. Q29 (SEC, weight 3): Have you implemented layered ransomware protections - EDR (not just basic AV), email security filtering, and offsite immutable backups?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: Healthcare is a priority ransomware target. Minimum controls: EDR (not just AV), offsite immutable backups tested quarterly, email security gateway, network segmentation between clinical and admin systems, MFA everywhere. If your IT provider handles this, ask for monthly EDR detection summaries and the last restore-test report - 'we have EDR' without evidence is the same as 'we hope we do'.

    30. Q30 (SEC, weight 2): Do you know the OAIC notification timeframe if a serious data breach occurs?

      • Yes - as soon as practicable, no later than 30 days from awareness (score 5)
      • Vague awareness (score 2)
      • No (score 0)

      If a weak option is selected: Know the NDB timeframe. Health information is almost always 'likely to result in serious harm' if exposed, so healthcare breaches are generally notifiable. Over-notifying internally is always safe; under-notifying creates additional Privacy Act exposure.

    31. Q31 (SEC, weight 2): How do you dispose of paper documents containing patient information (health forms, imaging, referral letters)?

      • Secure shredding service (score 5)
      • Cross-cut shredder in the office (score 4)
      • Regular rubbish or recycling bins (score 0)
      • Don't know (score 0)

      If a weak option is selected: APP 11.2 requires destruction or de-identification. Paper in recycling bins is a documented breach pathway - and for health information, also a potential contravention of state health records legislation.

    32. Q32 (SEC, weight 2): When staff leave (including temps and locums), how quickly are their system access credentials revoked?

      • Same day, with a documented offboarding checklist (score 5)
      • Within a week (score 3)
      • When we get around to it (score 1)
      • Never formally revoked (score 0)

      If a weak option is selected: Same-day credential revocation is the standard. In dental practices, locum and temp accounts are especially prone to accumulating - you need a checklist covering practice software, email, imaging, building access, and physical keys.

    33. Q33 (SEC, weight 2): Are your backups tested against actual restoration on a regular schedule (at least annually - quarterly is safer given the ransomware threat)?

      • Yes - handled in-house, restore-tested, and evidence retained (score 20)
      • Yes - outsourced to our IT provider, restore-tested and verified by provider report (score 20)
      • Yes - in-house backups exist, but restore testing/evidence is informal (score 15)
      • Yes - outsourced to our IT provider, but we assume rather than verify (score 15)
      • Partial, incomplete, or not covering all critical systems (score 8)
      • No reliable backup and restore process, or don't know (score 0)

      If a weak option is selected: Backups you haven't restored from aren't backups. Include practice management software, imaging, and document storage in the test. If your IT provider runs backups, ask for the dated restoration-test report covering all three systems - a provider that can't produce one is charging you for hope.

    34. Q34 (VEN, weight 2): Where does your practice management software (Dentrix, OASiS, D4W, EXACT, Principle, etc.) store patient data?

      • Australia (score 5)
      • Australia with offshore failover (documented) (score 4)
      • Offshore with documented APP 8 arrangements (score 2)
      • Don't know (score 0)

      If a weak option is selected: Know your data residency. APP 8 makes you accountable if overseas providers mishandle data. Cloud-based dental PMS vendors increasingly store in Australia - worth asking explicitly and getting confirmation in writing.

    35. Q35 (VEN, weight 3): Have you documented which vendors hold or process your patient data (PMS, imaging, cloud backup, recall/SMS, AI scribing, accounting)?

      • Yes - comprehensive inventory (score 5)
      • Most vendors documented (score 3)
      • Some vendors (score 1)
      • No inventory (score 0)

      If a weak option is selected: Build a vendor inventory. Columns: vendor name, what data, data residency, jurisdiction, contract end date, last review. Modern practices typically have 15–25 vendors touching patient data. You can't manage what you haven't mapped.

    36. Q36 (VEN, weight 2): Have you reviewed vendor contracts for breach-notification SLAs and data handling terms?

      • All reviewed in the last 12 months (score 5)
      • Some reviewed (score 3)
      • No (score 0)

      If a weak option is selected: Push for 24–48 hour breach notification SLAs in writing. Without it, a vendor's slow notification eats into your 30-day OAIC clock. For critical vendors (PMS, imaging), raise this at renewal - some vendors will negotiate.

    37. Q37 (VEN, weight 2): Do any AI or cloud tools you use process patient data outside Australia?

      • No - all local (score 5)
      • Yes, with documented APP 8 compliance (score 4)
      • Yes, with no specific review (score 1)
      • Don't know (score 0)

      If a weak option is selected: Most general-purpose AI tools (ChatGPT, Claude, Gemini) route data through US infrastructure. Not automatically a breach, but it requires APP 8 consideration - either 'reasonable steps' documentation or specific patient consent.

    38. Q38 (VEN, weight 2): If you use My Health Record, do you have a current Security and Access Policy as required by Rule 42 of the My Health Records Rules?

      • Yes - policy in place, reviewed annually (score 5)
      • Yes, but not recently reviewed (score 3)
      • Not sure what this refers to (score 1)
      • No policy (score 0)
      • Not registered for My Health Record (score 5)

      If a weak option is selected: Practices registered with My Health Record must maintain a Security and Access Policy covering staff training, user account management, and appropriate use. The Australian Digital Health Agency can revoke registration for non-compliance.

    39. Q39 (VEN, weight 1): When you switch vendors, do you request certificates of destruction confirming your patient data has been deleted from the outgoing vendor's systems?

      • Yes - written confirmation kept for 7+ years (score 5)
      • Informal assurance only (score 2)
      • No (score 0)

      If a weak option is selected: Get a certificate of destruction in writing when you change vendors. 'They said they'd delete it' isn't evidence of APP 11.2 compliance, and the stakes are much higher with health information.

    40. Q40 (MKT, weight 3): Do all your marketing emails and SMS messages include a functional unsubscribe mechanism?

      • Yes, always (score 5)
      • Usually (score 2)
      • Sometimes (score 1)
      • No, or not sure (score 0)

      If a weak option is selected: The Spam Act requires functional unsubscribe on every commercial message, including recall reminders if they include any commercial content. Broken or missing unsubscribe links are the most common Spam Act breach.

    41. Q41 (MKT, weight 3): Do you obtain explicit consent before adding patients to marketing lists (newsletters, promotional campaigns)?

      • Yes - explicit opt-in (score 5)
      • Implied consent from existing patients only (score 3)
      • Patients added automatically from intake forms (score 1)
      • Don't know (score 0)

      If a weak option is selected: Auto-enrolment from intake forms is the most common consent breach. Recall reminders for existing patients have implied consent under the Spam Act - general newsletters and promotional offers do not. Use explicit opt-in at collection.

    42. Q42 (MKT, weight 3): Does your advertising comply with the AHPRA advertising guidelines and section 133 of the Health Practitioner Regulation National Law?

      • Yes - reviewed annually against the guidelines (score 5)
      • Generally compliant, not formally reviewed (score 3)
      • Not reviewed specifically (score 1)
      • Not aware of these rules (score 0)

      If a weak option is selected: AHPRA's advertising guidelines and s133 of the National Law regulate all advertising of regulated health services. Breach risks include false/misleading content, creating unreasonable expectations, encouraging unnecessary treatment, and prohibited testimonials. Fines apply.

    43. Q43 (MKT, weight 3): Do you use patient testimonials in your advertising (website, social media, print, directory listings)?

      • No - testimonials for regulated health services are prohibited under s133 (score 5)
      • Only reviews on third-party platforms (Google, Facebook) which we don't republish (score 4)
      • Yes, we include testimonials on our own materials (score 0)
      • Don't know (score 0)

      If a weak option is selected: Section 133 of the Health Practitioner Regulation National Law prohibits testimonials in advertising of regulated health services. This includes your own website, social media and brochures. Third-party reviews (Google, HealthEngine) aren't in your 'advertising' as long as you don't republish them. AHPRA enforces this.

    44. Q44 (MKT, weight 2): Are recall reminders (SMS/email) Spam Act compliant, with consent at enrolment and unsubscribe on every message?

      • Yes - full compliance (score 5)
      • Partially compliant (score 3)
      • Not sure (score 1)

      If a weak option is selected: Clinical recalls for existing patients generally fall under implied consent, but the unsubscribe requirement still applies. Ensure every recall SMS includes STOP or a link, and that the suppression is honoured across channels.

    45. Q45 (MKT, weight 2): How quickly are unsubscribe requests honoured across your marketing systems?

      • Within 5 business days (Spam Act requirement) (score 5)
      • Within 30 days (score 3)
      • Eventually (score 1)
      • Not formally tracked (score 0)

      If a weak option is selected: The Spam Act mandates unsubscribe within 5 business days. Tracking needs to be automated - a patient who unsubscribes from your newsletter shouldn't get re-added via a CSV import from your PMS three months later.
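      The cross-channel suppression described in Q44 and the re-import failure mode in Q45 both come down to one data structure: a suppression list that is consulted every time contacts are loaded for marketing. The following is an added example, not the quiz's or any PMS vendor's code. It assumes a constructed PMS export with columns patient_id, email, mobile and marketing_opt_in, normalises Australian mobile numbers so "0498 765 432" and "+61 498 765 432" match, suppresses a patient on every channel once they unsubscribe on any one, skips anyone without explicit opt-in, and computes the five-business-day deadline (weekends only; public holidays are not modelled, which is an assumption).

```python
"""Marketing suppression honoured across channels and PMS imports.

Added example (not the quiz's or any vendor's code). Column names, phone
formats and every patient row are constructed; public holidays are not
modelled in the business-day calculation.
"""
import csv
import io
import re
from datetime import date, timedelta


def normalise_email(address: str) -> str:
    return address.strip().lower()


def normalise_au_mobile(number: str) -> str:
    """Reduce common Australian mobile spellings to +61XXXXXXXXX."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("61"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = digits[1:]
    return "+61" + digits


class SuppressionList:
    """Unsubscribe requests keyed by patient id, email and mobile, so one request
    blocks marketing on every channel and survives later re-imports."""

    def __init__(self) -> None:
        self._keys: dict[tuple[str, str], str] = {}  # key -> requested_on (ISO date)

    def unsubscribe(self, requested_on: str, *, patient_id: str = "",
                    email: str = "", mobile: str = "") -> None:
        if patient_id:
            self._keys[("patient", patient_id)] = requested_on
        if email:
            self._keys[("email", normalise_email(email))] = requested_on
        if mobile:
            self._keys[("mobile", normalise_au_mobile(mobile))] = requested_on

    def is_suppressed(self, patient_id: str, email: str, mobile: str) -> bool:
        return any(k in self._keys for k in (
            ("patient", patient_id),
            ("email", normalise_email(email)),
            ("mobile", normalise_au_mobile(mobile)),
        ))


def honour_deadline(requested_on: str) -> str:
    """Last day to action an unsubscribe: five business days (Mon-Fri) after the request."""
    d = date.fromisoformat(requested_on)
    remaining = 5
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d.isoformat()


def import_pms_export(csv_text: str, suppression: SuppressionList):
    """Split a PMS contact export into marketing-eligible patient ids and skipped rows with reasons."""
    eligible, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["marketing_opt_in"].strip().lower() != "yes":
            skipped.append((row["patient_id"], "no explicit opt-in"))
        elif suppression.is_suppressed(row["patient_id"], row["email"], row["mobile"]):
            skipped.append((row["patient_id"], "unsubscribed"))
        else:
            eligible.append(row["patient_id"])
    return eligible, skipped


# Constructed sample export; note the mixed email case and mobile formats.
SAMPLE_PMS_EXPORT = """patient_id,email,mobile,marketing_opt_in
P001,Alice@Example.com,0412 345 678,yes
P002,bob@example.com,+61 498 765 432,yes
P003,carol@example.com,0411 000 111,no
P004,dave@example.com,0400 222 333,yes
P005,erin@example.com,0433 444 555,yes
"""


def demo():
    s = SuppressionList()
    s.unsubscribe("2026-02-10", email="alice@example.com")  # newsletter unsubscribe link
    s.unsubscribe("2026-02-12", mobile="0498 765 432")      # SMS reply STOP
    return import_pms_export(SAMPLE_PMS_EXPORT, s)


if __name__ == "__main__":
    eligible, skipped = demo()
    print("eligible:", eligible)
    print("skipped:", skipped)
    print("deadline for a Tuesday request:", honour_deadline("2026-02-10"))
```

      The import never reads the suppression list as an afterthought: the check runs on every load, so a patient who unsubscribed months ago stays out of the next campaign regardless of how the PMS export was produced. Alice's email unsubscribe also blocks her SMS marketing, which is the cross-channel behaviour Q44 asks for.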

    46. Q46 (TRN, weight 2): When did staff last receive formal privacy and data-handling training?

      • Within the last 12 months (score 5)
      • 1–2 years ago (score 3)
      • More than 2 years ago (score 1)
      • Never, or don't know (score 0)

      If a weak option is selected: Annual privacy training is the industry standard for healthcare. Cover: the APPs, state health records obligations, breach response, access/correction requests, and AI use. 45–60 minutes per year is enough - document attendance.

    47. Q47 (TRN, weight 2): Does your practice have a designated Privacy Officer?

      • Yes - named, formally trained, accountable (score 5)
      • Yes, but informal (score 3)
      • No (score 0)

      If a weak option is selected: Appoint a named Privacy Officer. In a small practice this is typically the principal dentist or practice manager. They don't need to be a specialist - they need to be the accountable point of contact for privacy questions and incidents.

    48. Q48 (TRN, weight 2): Do new staff (including locums) receive privacy and records-handling training as part of onboarding?

      • Yes - documented, day-one training (score 5)
      • Informal coverage during onboarding (score 2)
      • No (score 0)

      If a weak option is selected: Day-one privacy training prevents the 'I didn't know' incidents. Include locums and temps - they often have broad access to records during short engagements. A short recorded module plus an acknowledgement form scales well.

    49. Q49 (TRN, weight 2): Do you verify AHPRA registration status of clinical staff at onboarding and annually thereafter?

      • Yes - documented at onboarding and annual verification (score 5)
      • At onboarding only (score 3)
      • Ad hoc verification (score 1)
      • Never formally verified (score 0)

      If a weak option is selected: Verify AHPRA registration status (which is free and public via the AHPRA website) at onboarding and at least annually. Conditions can be placed on a practitioner's registration, or it can lapse, and you're responsible for ensuring only registered practitioners provide treatment.

    50. Q50 (TRN, weight 1): Do you maintain a register of privacy complaints, incidents, and near-misses (even minor ones)?

      • Yes - actively maintained (score 5)
      • Informal log (score 3)
      • No register (score 0)

      If a weak option is selected: A simple incident register (date, description, action, lessons) captures patterns and demonstrates governance. Include near-misses (misdirected emails, phishing clicks caught, paperwork left visible) - these are your early warning system.

    51. Q51 (TRN, weight 2): Is your leadership team aware of the 10 December 2026 ADM disclosure deadline and current OAIC focus on healthcare?

      • Yes - actively preparing (score 5)
      • Aware, but no action yet (score 2)
      • Not aware (score 0)

      If a weak option is selected: Leadership awareness is the starting point. Without it, compliance projects get deprioritised until something goes wrong. 30 minutes at a practice meeting to walk through the 2026 landscape is the minimum.

    52. Q52 (TRN, weight 2): Do you have a documented process for responding to access and correction requests from patients?

      • Yes - documented with timeframes and templates (score 5)
      • Informal process (score 2)
      • We've never received one (score 1)
      • No process (score 0)

      If a weak option is selected: APP 12/13 requests will increase as patient awareness grows. Have a named contact, identity verification steps, a template response, and a 30-day target. The Vic/NSW/ACT health records Acts set specific fee caps for access - know yours.

    53. Q53 (IPC, weight 3): Does your practice have a current IPC Manual aligned with the ADA 5th Edition IPC Guidelines and NHMRC Australian Guidelines for the Prevention and Control of Infection in Healthcare (2019)?

      • Yes - reviewed and updated annually (score 5)
      • Yes, but based on older guidelines (score 2)
      • No formal manual (score 0)
      • Not sure what this refers to (score 0)

      If a weak option is selected: A practice-specific IPC Manual is an expectation, not optional. The DBA expects compliance with the NHMRC 2019 Guidelines and the ADA 5th Edition IPC Guidelines. ADA members can access a template manual. Review annually.

    54. Q54 (IPC, weight 3): Are your autoclaves currently validated to AS 5369:2023 (the current standard, which replaced AS/NZS 4815)?

      • Yes - certified under AS 5369:2023 (score 5)
      • Certified under the old AS/NZS 4815 standard only (score 1)
      • Not sure which standard applies to our certificate (score 0)
      • Not formally validated (score 0)

      If a weak option is selected: AS 5369:2023 replaced AS/NZS 4815 as the national standard for reprocessing of reusable medical devices. All new validations and calibrations must be to the new standard. Certificates referencing only AS/NZS 4815 are out of date - request re-certification from your provider.

    55. Q55 (IPC, weight 3): For sterilisers with chamber capacity over 60L, do you perform and document daily air removal and steam penetration tests?

      • Yes - daily documented tests (score 5)
      • Sometimes documented (score 2)
      • No (score 0)
      • All sterilisers under 60L (score 5)

      If a weak option is selected: Under AS 5369:2023, sterilisers over 60L require a daily Bowie-Dick type test conforming to ISO 11140-3, 11140-4, or 11140-5. Document the result every day - auditors look for this.

    56. Q56 (IPC, weight 2): Do staff performing exposure-prone procedures comply with CDNA guidelines on blood-borne virus status, and make the required annual declaration at registration renewal?

      • Yes - all compliant, documented (score 5)
      • General awareness, not formally tracked (score 2)
      • Not aware of this requirement (score 0)

      If a weak option is selected: The CDNA National Guidelines for healthcare workers living with blood-borne viruses apply to dentists performing exposure-prone procedures. AHPRA requires an annual declaration of compliance at registration renewal - track this in your staff compliance register.

    57. Q57 (IPC, weight 2): Are your IPC staff training records current for all clinical and clinical-support staff?

      • Yes - annual documented training (score 5)
      • Training happens but not well documented (score 2)
      • Not documented (score 0)

      If a weak option is selected: Annual IPC training is expected for all clinical and clinical-support staff. Document attendance, content, and assessment. The DBA self-reflective tool includes IPC training as a specific expectation.

    58. Q58 (IPC, weight 2): Do you comply with any state-specific IPC requirements (e.g. Queensland's requirement for an Infection Control Management Plan)?

      • Yes - compliant with state-specific requirements (score 5)
      • Aware, partial compliance (score 2)
      • Not aware of state-specific requirements (score 0)
      • No state-specific requirements in our jurisdiction (score 5)

      If a weak option is selected: Some states have additional IPC requirements beyond national guidelines. Queensland, for example, requires an Infection Control Management Plan. Check your state health department's requirements - your ADA branch can confirm.

    59. Q59 (RAD, weight 3): Is all your dental X-ray equipment (intraoral, OPG, CBCT) registered with your state or territory radiation regulator?

      • Yes - all units registered, registrations current (score 5)
      • Some registered, some unsure (score 2)
      • Not sure which units are registered (score 0)
      • Not registered (score 0)

      If a weak option is selected: Radiation equipment registration is a state responsibility and a legal requirement. Confirm registrations are current and on file. Unregistered equipment is a prosecution risk and typically invalidates PI cover for any related claim.

    60. Q60 (RAD, weight 3): Does your practice operate in line with ARPANSA's Code for Radiation Protection in Dental Exposure (RPS C-7)?

      • Yes - documented alignment, SOPs reflect the Code (score 5)
      • Aware of the Code but not formally documented (score 2)
      • Not aware of RPS C-7 (score 0)

      If a weak option is selected: ARPANSA RPS C-7 is the national code for radiation protection in dental exposure. State radiation regulators reference it. Your practice SOPs for X-ray use should align with the Code - ARPANSA's resources are free and detailed.

    61. Q61 (RAD, weight 2): Is your Radiation Safety Officer (where required in your jurisdiction) appointed, trained, and currently registered?

      • Yes - appointed, trained, registered as required (score 5)
      • Appointed but not recently trained (score 3)
      • Not sure (score 0)
      • No RSO (score 0)
      • Not required in our jurisdiction (score 5)

      If a weak option is selected: Some states require a Radiation Safety Officer for licensed practices. The RSO must have training appropriate to the role and often requires periodic re-training. Check your state's radiation safety legislation.

    62. Q62 (RAD, weight 2): Do staff who take or operate X-ray equipment have radiation safety training appropriate to their role, documented on file?

      • Yes - documented, role-appropriate training for all operators (score 5)
      • Informal training only (score 2)
      • Not documented (score 0)

      If a weak option is selected: Dentists, dental hygienists, dental assistants and anyone operating X-ray equipment need radiation safety training. The training must be documented - auditors and regulators look for this. ARPANSA provides free educational resources.

    63. Q63 (RAD, weight 2): Do you have a documented justification policy for CBCT use, ensuring it's used only for complex cases rather than as routine imaging?

      • Yes - documented policy, CBCT justified case-by-case (score 5)
      • Case-by-case clinical judgement, no written policy (score 3)
      • CBCT used routinely without specific justification (score 1)
      • No CBCT in practice (score 5)

      If a weak option is selected: ARPANSA has flagged routine CBCT use as a concern - it delivers more radiation than standard dental imaging. Document a justification policy: when CBCT is indicated (complex cases, implant planning), and when it's not (routine check-ups). This protects you and your patients.

    64. Q64 (RAD, weight 2): Do you have documented pregnancy protection protocols for both staff and patients when radiographs are taken?

      • Yes - documented protocol for staff and patients (score 5)
      • Informal practice (score 2)
      • No documented protocol (score 0)

      If a weak option is selected: Pregnant staff have protective dose limits (1 mSv to the unborn child, the same as the public limit). Pregnant patients need appropriate shielding and treatment deferral where clinically possible. Document your protocol.

    Guidance

    Privacy Policy

    Your privacy policy is the document the OAIC will read first if anything goes wrong, and it's the explicit focus of the current compliance sweep. Dental practices have no small-business exemption - all health service providers are APP entities regardless of turnover.

    • Audit your current policy against APP 1.4 (Within 30 days · Privacy Officer): Walk through APP 1.4 requirements: identity, kinds of information collected, purposes, how collected and held, access and correction process, complaints process and OAIC referral, overseas disclosure, and (from December 2026) automated decision-making.
    • Add automated decision-making disclosure (Before 10 Dec 2026 · Privacy Officer): Map every tool that uses AI, scoring, or automation to make or influence decisions about patients. Include AI scribing, image analysis, recall automation, chatbots. Name each tool, what it does, what data it uses, and how patients can request human review.
    • Add state health records provisions (Vic/NSW/ACT) (Within 60 days · Privacy Officer): If you're in Victoria, NSW, or ACT, your policy needs to address the state regime as well as the federal Privacy Act. The state HPPs have specific provisions on record transfer, practice closure notices, and access that federal APPs don't cover.
    • Make the policy accessible at reception (Within 30 days · Practice Manager): Print a short-form Privacy Collection Notice for the reception desk. Include a QR code linking to the full policy. The OAIC sweep is targeting in-person collection practices across healthcare.

    Clinical Records Management

    Dental records are legal documents. The DBA Code of Conduct, state health records legislation, and APP 12/13 all apply. Records retention in Victoria, NSW, and ACT is a minimum of 7 years from last service for adults, or to age 25 for minors - with indefinite retention being risk management best practice.

    • Set retention rules in your practice management software (Within 60 days · Practice Manager): Configure retention: indefinite or at least 7 years from last service for adults; to age 25 for minors (or 7 years from last service if later). Flag the difference between retention and active records - archived records still need to be retrievable.
    • Standardise your clinical record template (Within 90 days · Principal Dentist): Build a record template aligned with the DBA Code of Conduct: clinical history, findings, investigations, information given to patient, medication, management plan. Every clinician in the practice uses the same template. Review quarterly.
    • Document an access request process (Within 30 days · Privacy Officer): Write a one-page procedure: who handles access requests, identity verification, what to provide, what to redact, 30-day response target, fee structure (capped in Victoria under the Health Records Regulations). Have template response emails ready.
    • Prepare a practice sale/transfer/closure plan (Within 12 months · Principal): Even if you're not planning to sell, have a plan. State HPPs require specific patient notifications (newspaper notice, direct letters to current patients, practice signage) if the practice closes or is sold. Template everything now so it's there if you need it.

    Automated Decisions & AI

    Two regulatory layers apply: AHPRA's AI guidance (already in force) and the Privacy Act's automated decision-making disclosure rules (10 December 2026). Practitioners remain fully accountable for AI output - your PI insurer will expect documented oversight.

    • Build an AI inventory (Within 30 days · Privacy Officer + IT): List every tool that uses AI: scribing (Heidi, Lyrebird), diagnostic image analysis, recall automation, chatbots, predictive scheduling. For each: what it does, what data it uses, whether it is TGA-registered, and whether a human reviews the output.
    • Implement informed consent for AI scribing (Immediately · Principal Dentist): If you use AI scribing, patients must be informed and consent documented. Verbal plus written consent on first use is the standard. AHPRA's guidance is explicit about this - and privacy law requires it because the transcript is a new record.
    • Document human-in-the-loop oversight (Within 90 days · Practice Manager): For every AI tool influencing clinical decisions, document who reviews, what they check, and how. 'The dentist reviewed the AI note' only stands up if there's an audit trail. This is also what your PI insurer will ask for if a claim arises.
    • Draft the December 2026 ADM disclosure (Before 10 Dec 2026 · Privacy Officer): Plain-English section in your privacy policy naming each AI tool, what it does, what data it uses, and how patients can request human review. Draft by October 2026 to allow for legal review and rollout.

    Patient Collection & Forms

    Health information is sensitive personal information under the Privacy Act, which means heightened collection rules apply. The OAIC sweep targets overcollection and missing collection notices - both easy fixes, both common in dental practice intake forms.

    • Audit your intake form against APP 3 (Within 60 days · Practice Manager): For every field ask: what operational or clinical purpose does this serve? Cut anything you can't tie back. Typical cuts: occupation (unless clinically relevant), marital status, referral source details, extensive lifestyle questions. Aim for under 30 fields.
    • Display a Privacy Collection Notice at reception (Within 14 days · Practice Manager): Printed notice on the intake clipboard or at reception covering who you are, what you collect, why, who you share with, and where to find the full policy. Template versions available from the ADA. Satisfies APP 5.
    • Make optional fields visibly optional (Within 30 days · Practice Manager): Mark required fields (identity, emergency contact, medical history) clearly. Everything else optional. Train reception staff that patients can decline optional fields and still receive treatment. APP 2 expects this where practical.
    • Secure paper intake form handling (Within 60 days · Practice Manager): Once intake forms are digitised into your PMS, the paper should be securely destroyed within a documented timeframe. Paper forms sitting in open filing or on desks are APP 11.2 exposure and a common breach pathway.

    Security & Breaches

    Australian healthcare is a priority ransomware target - MediSecure, Medibank, Genea, St Vincent's, and multiple regional providers have been hit in the past 18 months. APP 11 requires reasonable steps to protect information; NDB requires 30-day notification when things go wrong.

    • Enable MFA on every business-critical account (Within 14 days · IT lead): Practice management software, imaging systems, email, cloud storage, banking. Use an authenticator app rather than SMS. This is the single highest-impact security control - missing MFA is the most common ransomware initial access vector.
    • Document and test a breach response plan (Within 60 days · Privacy Officer + IT): One page is enough. Who declares an incident, who decides on OAIC notification, the 30-day clock, insurer/lawyer/IT forensics contacts, comms approach. Run a tabletop exercise quarterly - pick a scenario, walk through it, find gaps.
    • Implement ransomware-specific protections (Within 90 days · IT lead): Minimum controls: EDR/next-gen AV (not just traditional antivirus), offsite immutable backups tested quarterly, email security gateway, network segmentation between clinical and admin systems. Budget $150–300 per staff member per month for managed security.
    • Same-day offboarding checklist (Within 30 days · Practice Manager): When staff (including locums) leave, revoke credentials the same day: practice software, email, imaging, cloud, building access, physical keys, mobile devices if practice-issued. Stale accounts of departed staff are a common breach vector.

    Third-Party Vendors

    APP 8 makes you accountable for how overseas vendors handle patient information. Dental practices typically have 15–25 vendors with access to patient data - PMS, imaging, cloud backup, recall SMS, AI scribing, accounting. You can't manage what you haven't mapped.

    • Build a vendor inventory (Within 60 days · Practice Manager + IT): One spreadsheet: vendor name, data accessed, data residency (country), jurisdiction (US/EU/AU), contract end date, last review date, breach notification SLA. Most practices discover they have more vendors with access than they realised.
    • Push for breach-notification SLAs in writing (At next renewal · Operations lead): 24–48 hour vendor notification is the standard you want in writing. Without it, a vendor's slow notification eats into your 30-day OAIC clock. For critical vendors (PMS, imaging), raise the issue before renewal.
    • Document APP 8 compliance for offshore tools (Within 90 days · Privacy Officer): For each vendor processing data overseas, document either reasonable steps (vendor's SOC 2, security commitments, data processing terms) or patient consent authorising the transfer. Generic AI tools (ChatGPT, Claude) typically route through the US - this requires consideration.
    • Get certificates of destruction at vendor change (Process ongoing · Practice Manager): When you switch a vendor, request written confirmation that all your data has been deleted from their systems. Keep for 7 years. 'They said they would' isn't evidence of APP 11.2 compliance.

    Marketing & Advertising

    Dental marketing is governed by three regimes simultaneously: the Spam Act (consent and unsubscribe), AHPRA advertising guidelines (no false or misleading claims), and section 133 of the Health Practitioner Regulation National Law (testimonial prohibition). Breach risk is real and enforcement active.

    • Audit every marketing list for consent (Within 60 days · Practice Manager): For each list: source of consent, when, how recorded. Patients added automatically from intake forms typically don't have valid marketing consent. Recall reminders for existing patients usually have implied consent; newsletters and promotional content don't.
    • Remove testimonials from your advertising (Within 14 days · Practice Manager): Section 133 prohibits testimonials in advertising of regulated health services. This includes your website, social media posts you publish, brochures, and print ads. Third-party platform reviews (Google, Facebook) that you don't republish are generally OK. AHPRA actively enforces this.
    • Review advertising against AHPRA guidelines (Within 90 days · Principal): Check every marketing asset: website, social, Google Ads, directory listings, brochures. Common breaches: unrealistic outcomes, before-and-after photos without context, superlative claims ('best', 'leading'), implied guarantees, promotion of specific price-driven treatment decisions.
    • Make unsubscribe automatic across channels (Within 90 days · Practice Manager + IT): Spam Act requires unsubscribe within 5 business days, across all channels. A patient who unsubscribes from email shouldn't be added back via a CSV import from your PMS. Automate the suppression list.
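    The cross-channel suppression list that Q45 and the bullet above call for, as an added example (not code from the quiz or from any practice management system). It assumes a constructed suppression register and a constructed PMS CSV export with 'email' and 'mobile' columns; public holidays are ignored when counting business days.

```python
"""Cross-channel unsubscribe suppression applied to a PMS CSV export.

Added example for the dental compliance quiz page; not the quiz's or any PMS
vendor's code. Sample data below is constructed. Two controls are shown:
a single suppression set honoured across SMS and email, and a check that
each unsubscribe was honoured within the Spam Act's 5-business-day window.
"""
import csv
import io
import re
from datetime import date, timedelta

# --- constructed sample data -------------------------------------------------
# (identifier as entered by the patient, channel, date requested, date honoured)
SUPPRESSION_REGISTER = [
    ("Jane.Smith@example.com", "email", date(2026, 3, 2), date(2026, 3, 4)),
    ("0412 345 678", "sms", date(2026, 3, 3), None),                 # still open
    ("+61 400 000 001", "sms", date(2026, 2, 20), date(2026, 3, 5)),  # honoured late
]

PMS_EXPORT_CSV = """patient_id,email,mobile
1001,jane.smith@example.com,0499 999 999
1002,bob@example.com,0412345678
1003,carol@example.com,+61400000001
1004,dave@example.com,0488 888 888
"""


def normalise_email(value: str) -> str:
    return value.strip().lower()


def normalise_phone(value: str) -> str:
    """Collapse AU mobile formats to E.164 so '0412 345 678' == '+61412345678'."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("61"):
        return "+" + digits
    if digits.startswith("0"):
        return "+61" + digits[1:]
    return "+" + digits


def build_suppression_set(register) -> set:
    """One set of normalised identifiers, regardless of the channel used to opt out."""
    keys = set()
    for identifier, _channel, _requested, _honoured in register:
        keys.add(normalise_email(identifier) if "@" in identifier
                 else normalise_phone(identifier))
    return keys


def filter_pms_export(csv_text: str, suppressed: set) -> list:
    """Rows that may still be marketed to. A row is dropped if EITHER its email
    or its mobile is suppressed, so an SMS opt-out also removes the patient from
    the email list (and vice versa); a CSV re-import cannot re-add them."""
    keep = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (normalise_email(row["email"]) in suppressed
                or normalise_phone(row["mobile"]) in suppressed):
            continue
        keep.append(row)
    return keep


def business_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end` (holidays ignored)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def overdue_unsubscribes(register, today_iso: str, limit_days: int = 5) -> list:
    """Identifiers whose unsubscribe took longer than `limit_days` business days,
    or is still open and already past that window as of `today_iso`."""
    today = date.fromisoformat(today_iso)
    return [identifier for identifier, _ch, requested, honoured in register
            if business_days_between(requested, honoured or today) > limit_days]


if __name__ == "__main__":
    suppressed = build_suppression_set(SUPPRESSION_REGISTER)
    print("marketable:", [r["patient_id"] for r in filter_pms_export(PMS_EXPORT_CSV, suppressed)])
    print("overdue as of 2026-03-12:", overdue_unsubscribes(SUPPRESSION_REGISTER, "2026-03-12"))
```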

    Staff & Governance

    Compliance in a dental practice is delivered by people, and governance evidence is what separates 'incident investigation' from 'no further action' outcomes. AHPRA, OAIC, and your PI insurer all look for named roles, documented training, and an incident register.

    • Appoint a named Privacy Officer (Within 30 days · Principal): In small practices, the principal or practice manager is the natural choice. Write a one-page role description: scope, time commitment, decision authority, escalation path. This is your named contact for OAIC and patient correspondence.
    • Run annual privacy training (Within 90 days, then annually · Privacy Officer): 60–90 minutes per year covering: the APPs, state health records obligations (if Vic/NSW/ACT), AI and informed consent, breach response, access and correction requests. Document attendance. ADA members can use branch-provided training material.
    • Verify AHPRA registration annually (Ongoing · Practice Manager): AHPRA registration is publicly searchable and free. Verify every clinical staff member at onboarding and annually. Any conditions on registration are yours to accommodate. Unregistered practice is a regulatory and PI insurance issue.
    • Maintain an incident register (Ongoing · Privacy Officer): Date, description, category (privacy/security/IPC/radiation/clinical), action taken, lessons. Include near-misses. This is your early warning system and your evidence if a regulator asks what you knew and when.

    Infection Prevention & Control

    Three frameworks apply simultaneously: NHMRC Australian Guidelines for Prevention and Control of Infection in Healthcare (2019), the ADA 5th Edition IPC Guidelines, and AS 5369:2023 for reprocessing. The DBA expects compliance with all three. Autoclave validation certificates referencing the old AS/NZS 4815 standard are out of date.

    • Review and update your IPC Manual (Within 60 days · Principal + IPC lead): Align with ADA 5th Edition and NHMRC 2019. ADA members can access a template manual. Cover standard precautions, transmission-based precautions, reprocessing, PPE, waste, sharps, BBV management. Review annually at minimum.
    • Re-validate autoclaves to AS 5369:2023 (Within 12 months · Practice Manager): AS 5369:2023 replaced AS/NZS 4815 as the national standard. Request re-certification from your validation provider. Certificates referencing only the old standard are no longer sufficient. New equipment must be validated to AS 5369:2023 from installation.
    • Implement daily air removal / steam penetration tests where required (Within 30 days · Clinical team): For sterilisers over 60L chamber capacity, AS 5369:2023 requires a daily Bowie-Dick type test conforming to ISO 11140-3/4/5. Document every day. Auditors and regulators specifically look for this.
    • Document IPC training annually for all clinical staff (Within 90 days, then annually · IPC lead): Include hand hygiene, sterilisation procedures, PPE use, exposure incident response, BBV compliance, waste handling. Document attendance, content, any competency assessment. The DBA self-reflective tool is a useful framework.

    Radiation Safety

    Radiation safety is dual-regulated: ARPANSA's national Code for Radiation Protection in Dental Exposure (RPS C-7) sets the technical standard, and each state and territory licenses and registers the equipment. Unregistered X-ray equipment is a legal exposure and a PI insurance issue.

    • Verify all X-ray equipment registrations are current (Within 30 days · Practice Manager): Check with your state radiation regulator that every unit (intraoral, OPG, CBCT) is registered and registrations are current. Most states require renewal every 1–3 years. Keep copies on file - auditors ask for these.
    • Align practice SOPs with ARPANSA RPS C-7 (Within 90 days · Principal + RSO): ARPANSA's Code for Radiation Protection in Dental Exposure is the national standard. Your SOPs for X-ray prescription, justification, optimisation, and operator protection should reference it. ARPANSA's resources are free and detailed.
    • Document a CBCT justification policy (Within 60 days · Principal): ARPANSA has flagged routine CBCT use as a concern. Document when CBCT is indicated (implant planning, complex endodontics, orthognathic cases) and when it's not (routine check-ups). Record the justification in the patient record at the time of prescription.
    • Document radiation safety training for all operators (Within 90 days · Practice Manager): Every staff member who takes or operates X-ray equipment needs role-appropriate radiation safety training, documented on file. Include dentists, hygienists, dental assistants. ARPANSA provides free educational materials; state regulators often specify training requirements.

    Disclaimer

    General disclaimer

    This assessment is an indicative self-diagnostic tool and does not constitute legal, regulatory, or clinical advice. It reflects the regulatory landscape as of April 2026, including the Privacy and Other Legislation Amendment Act 2024, AHPRA's AI in healthcare guidance, ARPANSA's Code for Radiation Protection in Dental Exposure (RPS C-7), and AS 5369:2023.

    Clinical and professional advice

    Clinical practice obligations are governed by the Dental Board of Australia Code of Conduct and AHPRA registration requirements. This tool is not a substitute for clinical judgement or advice from your professional indemnity provider, the ADA, or specialist compliance advisers.

    State variations

    Practices in Victoria, NSW, and the ACT have additional obligations under state health records legislation (Vic Health Records Act 2001, NSW Health Records and Information Privacy Act 2002, ACT Health Records (Privacy and Access) Act 1997). Radiation safety licensing is also state-regulated. For a definitive compliance review, consult your jurisdiction's regulator and a qualified adviser.