Digital Healthcare 2021

Last Updated June 30, 2021


Law and Practice


Clayton Utz is recognised as a leading life sciences law firm. With 17 partners and over 25 qualified lawyers across its Sydney, Melbourne, Brisbane and Perth offices, the firm continues to build a reputation for innovative and incisive advice. The team has a unique combination of scientific, regulatory and legal expertise in prescription pharmaceuticals, OTC and complementary medicines and medical devices, and is consistently the legal firm of choice for many Australian and global pharmaceutical and medical device companies. The firm advises on all aspects of the product life cycle, including the protection of IP, clinical trials, marketing approval, product labelling, reimbursement, approval and registration processes, promotion and distribution, product risk, product liability and product recall. Clayton Utz counts both established global pharmaceutical companies and agile start-ups among its clients. It has advised Medicines Australia (the prescription pharmaceutical industry body) about significant policy initiatives in the pharmaceutical space.

Innovative technologies can address many long-standing problems in the healthcare industry, including those faced by healthcare providers, patients and regulators.

From a healthcare provider's perspective, advances in digital healthcare may assist in responding to changes in the operating environment (eg, the restrictions created by the COVID-19 pandemic), as well as in improving efficiency and practice management. This includes the adoption of online booking systems for medical practices, telehealth capabilities and electronic record-keeping systems.

From a technical perspective, there has been an increase in the prevalence of "do-it-yourself" devices that work with mobile phone apps to allow people to easily monitor their own vital signs, such as blood oxygenation or electrocardiography. These give practitioners easier access to more comprehensive patient data. At the far end of the spectrum, practitioners may also have increasingly advanced digital medicine options available to deploy, prescribe or administer, such as medical devices that are controlled by software (for example, insulin pumps controlled by mobile phone applications). These technologies are enabled by advances in mobile computing power and internet infrastructure.

From a regulatory perspective, much will turn on the extent to which such products are therapeutic goods regulated under the Therapeutic Goods Act 1989 (Cth) (TG Act). Medical devices are regulated under Chapter 4 of the TG Act, which is administered by the Therapeutic Goods Administration (TGA). The regulation of medical devices is discussed further in 5. Software as a Medical Device.

The terms "digital health" and "digital medicine" are not defined in any Australian regulatory framework. There are, however, active organisations in this space that provide definitions for each of these terms.

Digital Health

The term "digital health" is defined by the Australian Institute of Health and Welfare (AIHW), an Australian government agency, as: "An umbrella term referring to a range of technologies that can be used to treat patients and collect and share a person’s health information, including mobile health and applications, electronic health records, telehealth and telemedicine, wearable devices, robotics and artificial intelligence."

An example of digital health in Australia is the My Health Record initiative, a federal government-operated database that stores an individual's health information in one place. The system is operated by the Australian Digital Health Agency (ADHA).

Digital Medicine

It is more difficult to find a government agency which defines "digital medicine". However, ANDHealth, an organisation established to support the commercialisation of digital medicine in Australia, defines digital medicine as: "Evidence based software and/or hardware products that measure and/or intervene in human health. They all require clinical evidence and are likely to require regulatory approval."

Digital medicine which meets the definition of a medical device will be subject to regulation by the TGA. On the other hand, many products, including healthcare-enabling technologies, are now excluded from the regulatory regime. 

The key technologies enabling new capabilities in digital healthcare and digital medicine include telemedicine, electronic health records secured by cryptographic means (whether blockchain-based or otherwise; My Health Record, for example, relies on public key infrastructure) and artificial intelligence-enabled medical devices.

Digital Healthcare

Since the beginning of the COVID-19 pandemic in early 2020, digital healthcare and its enabling technologies have increased in popularity as the healthcare industry came to rely on technologies to enable consultations with medical practitioners to take place remotely. 

This shift, based on necessity, has provided opportunities to improve accessibility and appeal to healthcare for patients who might have had obstacles in attending a consultation previously, including those who live remotely, those who have work or carer commitments, and those with compromised immunity who prefer not to attend a clinic. 

At the same time, the federal government's My Health Record has created the potential for medical records to be accessed across medical practices, meaning patients who have not opted out of the programme can be treated by any doctor without needing to have their files transferred manually. If implemented effectively, this has the potential to improve the standard of healthcare provided, as the medical practitioner has all previous tests, results and medical history available to them on the database. However, the use of electronic health records in Australia is in its infancy. Use of the My Health Record system is not yet widespread enough to deliver on its potential benefits. Take-up has been limited by concerns about data security.

Digital Medicine

The most critical development in digital medicine is the increasing prevalence of software which, whether operating alone or in conjunction with hardware, operates as a medical device: for example, technologies that diagnose, or at least identify the possible presence of, health conditions by applying an algorithm to personal health data provided directly by the patient.

Such software is an instance of "Software as a Medical Device" and will be regulated by the TGA as a standalone medical device.

Important emerging legal issues in digital health include cybersecurity and data privacy, and the boundaries of medical device regulation. The increased use of digital healthcare and rapid innovation in digital medicine have meant that legislation has lagged behind in addressing the new risks associated with these technologies.


Cybersecurity concerns are a key emerging legal issue arising from digital health. The increased availability of digital healthcare means that personal health information will increasingly be stored electronically in networked systems, exposing it to unauthorised access and theft.

Cybersecurity breaches of medical devices that use network functions could result not only in a loss of privacy over personal health data, but also in unauthorised changes to device functionality, placing lives at risk.

Healthcare providers using Australia's My Health Record electronic medical record are required by the My Health Records Rule 2016 (Cth) to have a written policy addressing their security arrangements in respect of access to the system, known as a "My Health Record system security policy".

The TGA requires that, where relevant, medical devices be appropriately cybersecure in order to comply with the essential principles for safety and performance under the Therapeutic Goods (Medical Devices) Regulations 2002 ("Medical Device Regulations").

More generally, where personal information is accessed or disclosed without authorisation (or is lost) and a reasonable person would conclude that the breach is likely to result in serious harm to the individuals concerned, the Privacy Act 1988 (Cth) (Privacy Act) requires the organisation to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals under the Notifiable Data Breaches scheme.

Medical Device Regulation

The regulation of software-based medical devices by the TGA poses another emerging issue, given that digital forms of healthcare have necessarily entailed the proliferation of such devices. It is important to strike the right balance between appropriate regulation of the technology and not limiting the development of new technologies that may not fit neatly into existing categories.

On 25 February 2021, changes were made to the Medical Device Regulations, clarifying existing requirements, introducing new requirements for software-based medical devices, and expressly exempting or excluding certain types of software from the requirement for registration.

COVID-19 has accelerated the uptake of digital healthcare technologies which facilitate the remote delivery of health services.

The benefits of telehealth, as discussed in 1.3 New Technologies, have been crucial during the pandemic. Australia's Medicare system subsidises doctors' provision of most medical services to Australian citizens and permanent residents. Subsidised services are listed on the Medicare Benefits Schedule (MBS). During 2020, the federal government both increased the number of subsidised telehealth services and removed many of the pre-conditions for the provision of existing listed telehealth services.

A number of those changes were temporary and were originally put in place until 31 March 2021. They have since been extended to the end of 2021. The government is working on permanent changes to the subsidisation of telehealth services.

Similarly, Australia's Pharmaceutical Benefits Scheme (PBS) subsidises the dispensing of prescription medicines. Some high-cost medicines require medical testing before a prescription is authorised. Many of these requirements were temporarily suspended from 1 May 2020 and these arrangements also remain in place until the end of 2021. The federal government also introduced changes to permit the dispensing of most PBS medicines on the basis of a digital image of a prescription. This measure remains in place until 30 September 2021. States and territories which did not permit image-based dispensing have corresponding arrangements in place. 

Effects of Climate Change

Climate change poses significant public health dangers, both directly and indirectly. There are physiological effects arising from exposure to higher temperatures, increasing incidences of non-communicable diseases, and injuries and death due to extreme weather events such as heatwaves, drought and flood. Furthermore, ecological change can result in food and water insecurity and the spread of climate-sensitive infectious diseases, while societal reactions to climate change can result in population displacement and reduced access to health services. (See the WHO COP24 Special Report, Health and Climate Change, p 20.)

Role of Digital Healthcare

Digital healthcare can play a substantial role in addressing these dangers. Firstly, digital healthcare affords a significant level of accessibility to patients, which is especially important in disaster-stricken locations with limited resources. Distance-spanning technologies, such as virtual consultations, remote diagnostics and tele-homecare, as well as electronic documentation systems, such as health records and prescription systems, all assist individuals who would otherwise not be able to access healthcare. In addition, the speed and efficiency with which medical knowledge can be shared through these technologies encourages a global collaborative effort in tackling health issues associated with climate change.

Moreover, digital healthcare systems can utilise climate data and predictive technology to ensure that there is adequate resourcing in the event of climate change-related disasters. For example, the WHO has observed that data relating to the relationship between rainfall, temperature and malaria transmission has been used to create early warning systems that can give up to four months' advance notice of a potential outbreak, so that preventative and curative measures can be prepared. (See the WHO COP24 Special Report, Health and Climate Change, p 41.)

The key regulatory agencies in Australia that oversee technologies, devices and treatment include the following.

Therapeutic Goods Administration (TGA)

The TGA is the Australian government's regulator of medicines and other therapeutic goods, operating under the TG Act. It is responsible for regulating the supply, import, export, manufacturing and advertising of therapeutic goods, and it carries out a range of assessment and monitoring activities to ensure that therapeutic goods available in Australia are of an acceptable standard.

Generally, any product for which therapeutic claims are made must, unless there is an applicable exemption, be approved by the TGA for entry on the Australian Register of Therapeutic Goods (ARTG) before it can be legally supplied in Australia.

Australian Digital Health Agency (ADHA)

The ADHA is a statutory authority in charge of implementing Australia's National Digital Health Strategy, which seeks to improve the quality and delivery of healthcare and the Australian health system by digital means. 

This organisation manages the Australian My Health Record electronic health record program. The agency also promotes other forms of digital healthcare, including telehealth and electronic prescription systems, and has an advisory role to the government health minister regarding the implementation and delivery of national digital health initiatives.

Australian Health Practitioner Regulation Agency (AHPRA)

AHPRA is the national regulatory agency for registered health practitioners in Australia. It operates under the Health Practitioner Regulation National Law as enacted in each state and territory. The scope of its work includes managing registrations for qualified health practitioners, managing complaints and conducting audits to ensure compliance with national board requirements. AHPRA publishes guidelines for health practitioners in relation to telehealth.

Regulation of Software-Based Medical Devices

There has been a steady increase in the number of digital medical products available on the market, eg, symptom checkers and diagnostic apps, diabetes management software, and melanoma and skin analysis software. These devices may not fit easily into established pathways for review of the safety and efficacy of health technology. Furthermore, some have been created by developers with limited experience in relation to the requirements for establishing the safety and efficacy of medical devices.

On 25 February 2021, changes were made to the TG Act and the Medical Device Regulations to introduce new classification rules and better define the boundary between software which is regulated as a medical device and software which is not. The new regulatory regime is discussed further in 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology.

At the same time, the TGA has introduced changes to the regulation of custom-made medical devices. Custom-made medical devices are and will continue to be exempt from the requirement for registration on the ARTG. However, the changes not only introduce new reporting requirements for manufacturers of custom-made medical devices, but also introduce new categories of medical devices: patient-matched medical devices and medical devices manufactured using a Medical Device Production System.

Patient-matched medical devices and Medical Device Production Systems will need to be included on the ARTG. This is a significant regulatory development to accommodate devices, the production of which is enabled by digital technology (eg, devices which are 3D-printed from a pre-specified design envelope with adaptations to meet the needs of individual patients).

Regulation of Digital Healthcare

In recent years, especially in light of the COVID-19 pandemic, health practitioners have increasingly turned to digital forms of healthcare delivery to overcome barriers to individual access. This includes not only telehealth, which uses technology as an alternative to face-to-face consultations, but also digital information systems such as My Health Record (a federal government program initiated in 2015 which provides an online summary of key health information), electronic prescribing systems, and systems for the home delivery of medication.

The ADHA promotes the use of these technologies and provides regulatory oversight, supporting healthcare integration and delivering improvements to the quality and efficiency of healthcare. For example, the ADHA not only promoted an increase in the use of the My Health Record system, but also expanded the system to include more Australian Immunisation Register information, assisting with the COVID-19 vaccine roll-out. Through significant education and promotion campaigns, the ADHA also raises individual awareness of new forms of healthcare, supporting individuals at a time when more traditional forms of healthcare service delivery have been unavailable or inaccessible.


The TGA has not identified any specific areas for regulatory enforcement that relate to digital healthcare or digital medicine. More generally, the TGA has a risk-based compliance framework, meaning that its response to low-risk breaches of its regulatory framework will be to educate the infringing party (particularly if that party is not a repeat offender). Its regulatory options escalate from warning letters, through the suspension or cancellation of products on the ARTG and enforceable undertakings, to the exercise of compulsory powers and ultimately court action.

The changes to the regulatory regimes for software as a medical device and the patient-matched medical devices outlined in 3.2 Recent Regulatory Developments will result in changed requirements for ARTG listing of existing products. There is a transitional period for sponsors of those products to update their ARTG registrations which runs through to November 2024. It is reasonable to expect that the TGA will be focused over coming years on ensuring that sponsors update their registrations before the expiry of the transition period.


The ADHA focuses on providing transparent digital health standards, as well as ensuring sustainable governance of these standards. It provides annual reports on the performance of digital health systems, in order to ensure accountability within the sector. 

Given the amount of private information that exists within digital healthcare databases, privacy is a key concern of the ADHA. The agency works closely with the Office of the Australian Information Commissioner (OAIC) to maintain privacy and safety across the healthcare system. A Memorandum of Understanding between the ADHA and the OAIC governs the way in which the OAIC provides advice, assistance and independent regulatory services in relation to the personal data in the My Health Record system.


AHPRA provides recourse where there are serious concerns regarding the safe and professional practice of a health practitioner. Where a concern is received by AHPRA, it performs a risk assessment of the practitioner in the context of the concern raised.

After assessing concerns, AHPRA may take regulatory action by issuing a caution, imposing conditions on the practitioner with a focus on improvement, referring the matter (or aspects of it) for further investigation by, for example, a tribunal or the police, or referring the health practitioner for a health or performance assessment.

The Australian Competition and Consumer Commission (ACCC)

The ACCC is Australia's competition and consumer protection regulator. It has an important role to play in policing online conduct directed at consumers, including conduct by providers of online health services. Its role includes: 

  • ensuring that software-based health products are not in breach of competition and consumer laws;
  • protecting consumers from misleading and deceptive conduct in relation to online health services; and
  • undertaking enforcement action in relation to the misuse of consumer data.

The ACCC has a specialist Digital Platforms Branch and in 2019 published the final report of its Digital Platforms Inquiry. The ACCC is currently conducting a further inquiry in relation to digital platform services (eg, search engines, messaging services, online marketplaces, etc).

In 2018, the ACCC commenced proceedings against HealthEngine, the operator of Australia's largest online health marketplace, for alleged misleading conduct in relation to its failure to disclose to users of the platform that it was sharing user information with insurance brokers, and its failure to publish negative reviews. In August 2020, the Federal Court ordered that HealthEngine pay AUD2.9 million in penalties in respect of this conduct.

The Office of the Australian Information Commissioner (OAIC)

The OAIC, discussed in 3.3 Regulatory Enforcement, is the national regulator for privacy and freedom of information. With respect to healthcare, the OAIC has a range of responsibilities regarding data management, such as: 

  • handling complaints associated with the collection, use and disclosure of personal health information;
  • conducting privacy assessments to ensure that personal information, such as health information, is handled in accordance with legislative requirements; and
  • reporting on data breaches where personal information, such as health information, is accessed or disclosed without authorisation, or lost.

The Privacy Act recognises information about an individual's health as "sensitive information", meaning that it is subject to additional protections above and beyond those which apply to personal information generally.

The OAIC also has a statutory role under the Privacy Act in approving guidelines for the use of personal information in medical research, which are discussed in 9.1 The Legal Relationship between Digital Healthcare and Personal Health Information.

While there are no specific examples of OAIC enforcement action involving the health industry, it has had a role to play in education in relation to the privacy issues arising from the government's My Health Record program as well as its COVIDSafe app (in respect of both of which the OAIC has been given additional enforcement powers).

While neither agency has enforcement policies at present which specifically target healthcare, both have a particular focus on digital services. As the HealthEngine enforcement action shows, health service providers can be affected by that focus.

Software will be a medical device if it falls within the definition of a medical device under Section 41BD of the TG Act, unless it is the subject of a specific exclusion. 

That definition provides that a medical device includes anything (including software) which is intended to be used for human beings for one or more of the following purposes:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease; or
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability,

provided it does not achieve its principal intended action by pharmacological, immunological or metabolic means.

There are different categories of software that could fall within the scope of the regulatory regime, including: 

  • Software as a Medical Device (SaMD) – software that, on a standalone basis, meets the definition of a medical device;
  • Software in a Medical Device (SiMD) – software that is part of a device when it is integral to the functioning of that device and is usually supplied with the hardware device; and
  • software that controls a medical device – software that can control or adjust a medical device through a connection, either physical or utilising wireless technology such as Bluetooth or Wi-Fi.

The TGA uses a risk-based approach to regulating medical device technologies by examining the evidence of product risk and comparing it to evidence associated with product benefit. The higher the potential risks of a medical device, the more they need to be examined and monitored. 

There are five classifications depending on the level of risk a product poses: Class I, IIa, IIb, III and IV.

As described in 3.2 Recent Regulatory Developments, from 25 February 2021, new classification rules were introduced into the Medical Device Regulations for software-based medical devices, providing specific guidance on the classification levels of various types of software-based medical devices, depending on their purpose.

The effect of those changes is, in summary:

  • to exclude the following from the category of medical devices –
    1. consumer health products which do not provide specific treatment or treatment suggestions; 
    2. enabling technologies (eg, systems which enable telehealth consultations or the transmission of health information);
    3. digitised patient records; 
    4. population-based data analytics; and
    5. laboratory information management systems; and
  • to introduce classification rules for –
    1. diagnostic or screening software;
    2. monitoring software;
    3. software which recommends a treatment or intervention; and
    4. software which provides treatment in the form of information,

with the classification rules based, in each case, on the potential consequences of the disease in question and the degree of involvement of a healthcare professional in the process.

The current regulatory regime does not specifically address the use of AI as part of the technology, nor does it deal with the status of software updates. However, a software update is capable of being a recall action in respect of a medical device if it is undertaken for a safety-related reason. Indeed, a 2020 review conducted by the TGA found that in the five years to April 2020, over 20% of medical device recalls were due to software faults.

Telehealth has had significant growth and impact on healthcare and this can be seen in the recent data available. The University of Queensland Centre for Online Health published statistics in April 2021 which show that: 

  • over 55 million Medicare-reimbursed telehealth consultations have taken place with over 13 million patients in Australia since the COVID-19 pandemic began; and
  • in April 2021 alone, telehealth was utilised across the following consultation areas: mental health (20%), general practitioner (19%), specialist (12%), nurses (14%), and allied health professionals, eg, dentists and physiotherapists (2%). 

These statistics also suggest that telehealth has grown across all areas of healthcare, but that its greatest impact is perhaps in the area of mental health.


As discussed in 1.5 Impact of COVID-19, attending consultations remotely, either via video conference or phone call, has several benefits. From a public health perspective, telehealth facilitates the general reduction in community contact that is required to control the spread of COVID-19. At the individual level, it provides a safe way for people who are vulnerable or not confident about exposing themselves to the possible risks of a clinic to get to appointments. The convenience of telehealth appointments also benefits people living in remote areas and people with substantial work or carer commitments. It also facilitates more flexible work arrangements for practitioners themselves.

Virtual Hospitals

Virtual hospitals refer to an extended suite of remote-care options available for patients requiring ongoing monitoring and consultation. Through virtual hospitals, healthcare professionals can have patient health data, such as oxygen levels, fed to their systems wirelessly. While monitoring this information remotely, practitioners can then contact patients as required, with patients also being able to contact doctors or nurses on demand. The Royal Prince Alfred Hospital in Sydney launched a virtual hospital in February 2020, intended for cystic fibrosis and palliative care patients. However, when the pandemic escalated, the model was adapted to cater for COVID-19 patients. 

The regional centre of Armidale has also established the New England Joint Virtual Care Centre, which was fast-tracked in early 2020 to cater for COVID-19 patients.

In terms of remote practice, Australian medical practitioners must all be registered with AHPRA, which publishes guidelines in relation to the use of telehealth. In addition to AHPRA, practitioners may also be subject to the requirements of further regulatory bodies in their areas of specialism, the specific requirements of which may control remote work more stringently. However, there are no specific qualification requirements to provide telehealth services.

Healthcare practitioners who are not registered with AHPRA may not claim to be authorised or qualified to practise in a health profession in Australia, and a patient would not be able to claim a Medicare benefit in respect of the provision of services by such a person.

Many regulatory changes were made in response to the COVID-19 pandemic, with the focus on facilitating digital healthcare so that practitioners could respond to isolation requirements while continuing to offer consultations and treat patients.

Electronic Prescriptions

The National Health (Pharmaceutical Benefits) Regulations 2017 (Cth) were relaxed to permit electronic prescriptions or "e-prescriptions" under the Pharmaceutical Benefits Scheme (PBS). As explained in 1.5 Impact of COVID-19, this allowed digital copies of prescriptions to be sent directly to pharmacies. The process still allows the patient to nominate their preferred pharmacy, as long as it has the facilities required to receive the e-prescription. These arrangements are currently intended to remain in place until the end of September 2021. Each state and territory also has a regime relating to the issuing of prescriptions and dispensing of medication. Although the practice is currently permitted in all states under corresponding special arrangements, the exact rules surrounding electronic prescriptions may vary across the different jurisdictions.

However, there are still weaknesses in the delivery of electronic prescriptions. For example, e-prescriptions can only be sent to pharmacies, and not directly to the patient. Hard-copy prescriptions on the other hand are given directly to patients, and can also be posted to their addresses. At the same time, removing this obstacle in the e-prescribing process would likely have implications under the therapeutic goods regime, given that certain classes of medicines must only be provided once the patient's identity has been confirmed, which is more difficult to achieve remotely.

Videoconferencing Platforms

Videoconferencing platforms such as Zoom and Microsoft Teams have not been subjected to any regulation specifically aimed at telehealth. In fact, Allied Health Professionals Australia recommends Zoom and Skype as having useful features for telehealth. It does, however, also recommend the platforms designed specifically for telehealth, Coviu and Cliniko. Nonetheless, all telehealth consultations remain subject to the Privacy Act. While the Privacy Act does not specifically govern telehealth, practitioners must remain aware of their statutory obligations under it, including the obligation under Australian Privacy Principle 11 to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure, which bears on the choice and configuration of the platform used. Any relevant state and territory regimes also continue to apply.

As discussed in 6.1 Role of Telehealth in Healthcare, most medical practitioners' services are subsidised by the federal government through Medicare. From 13 March 2020 to 30 June 2021, temporary MBS items were introduced allowing many reimbursed services to be provided by telehealth. The federal government also increased certain incentives for medical practitioners, to encourage an increased uptake of telehealth appointments for suitable issues.

The current arrangements are temporary, remaining in place until the end of 2021, but the federal government is actively considering permanent changes to the MBS to continue a wider range of telehealth services than were available before the pandemic.

In addition, as discussed in 1.5 Impact of COVID-19, there have been temporary changes to the PBS system to reduce the need for patients to submit to in-person tests before being approved for PBS-subsidised prescriptions for high-cost drugs.

Connected devices relating to healthcare have become one of the fastest growing categories of the internet of medical things (IoMT) revolution. Many technological developments have contributed to the advent of the IoMT, however, three of the most distinct enablers of the internet of things (IoT) in the medical sector have been improvements in connectivity, advancements in device-embeddable technologies, and greater sophistication in the applications which connect to, control and receive data from those devices. In relation to each of these factors:

  • improvements in the quality and affordability of connectivity have become the backbone of the IoT, enabling connections across networks between remote devices and front-end applications (see 11.1 IT Upgrades for Digital Healthcare for further discussion in relation to trends in telecommunications connectivity in Australia);
  • miniaturisation of sensors has vastly expanded the range of devices which can be connected and enabled; and
  • innovations in applications functionality are rapidly expanding the range of commercially useful IoMT developments that can be pursued.

Commercial Adoption of IoMT

To date, the most prevalent commercial adoption of IoMT is in monitoring applications and data collection. Sensors embedded in devices can be used to collect and transmit information in relation to heart rate, blood pressure, glucose levels and even information from which a patient’s mental state can be determined. Other innovative applications in the development stages include ingestible sensors which can collect information in relation to stomach pH levels and digestive health, smart asthma inhalers and even smart contact lenses. Remarkably, in addition to monitoring functionality to bolster diagnostic capabilities, IoMT applications are also being conceived and developed for robotic surgery applications, making complex interventional decisions in real time during procedures.

Associated Risks

The opportunities presented by the IoMT naturally come with associated technology and legal risks which, to some degree, correspond to the level of connectivity and functionality exhibited by the relevant solution. These range from device malfunction and loss of data to unauthorised access, information theft and even manipulation of the relevant device (for example, alteration of the readings a monitoring device reports, or of the commands a connected device accepts). Established security controls, such as authenticated and encrypted communications between devices and their applications, segmentation of device networks from general clinical and administrative networks, and regular vulnerability assessment and patching, can be adopted to identify network vulnerabilities and moderate the risk of attack. Their availability in practice, however, depends on what the device manufacturer supports over the operational life of the device, which is a matter to be examined before procurement rather than after deployment.

Legal risks can also arise, especially with respect to traditional legal liability.

  • The extent of liability of an IoMT supplier to a healthcare institution, for example, for applications or devices that do not fulfil their stated purposes or that do not operate in the manner intended. This kind of liability may arise from misrepresentation, in negligence, under consumer law (eg, under an implied statutory warranty) or under contract (such as under an express contractual product warranty in the supply contract’s terms and conditions). This is further discussed in 13.2 Commercial.
  • The liability to patients of medical or healthcare professionals who rely on the functionality and resilience of IoMT applications or devices, whether for diagnostic or interventional purposes. These issues are discussed in 13.1 Patient Care.

Regulatory issues may also arise when IoMT applications reach a sufficient level of sophistication to be classified as medical devices. This is explored further in 5.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technology.

The key distinguishing feature of 5G networks as compared to their predecessors, most relevantly 4G networks, is the ability to transfer greater volumes of data at significantly higher speeds, across lower latency connections. For example, 5G networks can reach speeds up to 100 times those of 4G networks and can reduce the delay between sending and receiving data from 200 milliseconds to 1 millisecond.

These advances mean that more data can be transmitted between the healthcare provider and the patient, and also that the provider can see such data in close to real time. At a basic level, provided that the hardware exists to measure a patient's physiology, this opens the possibility to remote consultations moving closer to what is currently possible in a face-to-face consultation, including in terms of a healthcare provider's ability to test the patient's symptoms and diagnose the patient by way of a virtual experience that more closely resembles a traditional physical consultation. Once these technologies exist, it is possible to imagine many applications for them.

For example, it is possible to imagine first responders to medical emergencies being equipped with portable patient monitoring systems. Data from those systems could be relayed to appropriate specialists who could advise about critical treatment needs and assist to triage the patients.

Of course, the more dependent a healthcare service becomes on a particular technology, the more difficult it is to cope with a failure of that technology. If 5G technologies come to be relied upon to facilitate the delivery of critical health services, those who are providing those services will have high expectations of the reliability, reach and security of those services, as well as critical service-level expectations in the event of a service failure. Equally, however, tensions may arise between the service-quality expectations of those administering the services and the risk appetite of upstream suppliers of standard products and services. These are matters which will need to be considered in entering into any contract for the provision of 5G services to support critical health infrastructure. 

The Privacy Act

The collection, storage and use of health information is regulated by the Privacy Act, as well as by health information-specific legislation in some of the Australian states and territories (NSW, Victoria and the ACT). State and territory legislation generally agrees with the Privacy Act, at least with respect to the manner in which consent to the collection and use of personal information is obtained.

The Privacy Act contains some specific provisions which deal with the use of health information for medical research. While it is preferable that the collection of health information for research purposes is the subject of specific consent, Section 16B of the Privacy Act provides for an exemption for private industry from the usual requirements of consent if a "permitted health situation" exists. A "permitted health situation" of this kind exists where all of the following apply:

  • the collection, use or disclosure of data is necessary for research or the compilation or analysis of statistics relevant to public health or public safety;
  • in the case of collection, the purpose cannot be served by the collection of de-identified information;
  • it is impracticable to obtain individuals' consent to the collection, use or disclosure of their data; and
  • the collection, use or disclosure of data is undertaken in accordance with the relevant guidelines published under the Privacy Act.

The guidelines in question are the guidelines approved under Section 95A of the Privacy Act published by the National Health and Medical Research Council (NHMRC) and approved by the Office of the Australian Information Commissioner (OAIC). The guidelines provide, among other things, that any proposal to use personal information in medical research must be approved by a Human Research Ethics Committee.

There are also separate guidelines published by the NHMRC and approved by the OAIC pursuant to Section 95 of the Privacy Act which relate to the use of personal information in medical research by public agencies.

De-identified Information

The Privacy Act does not apply to the use of de-identified information. However, the NHMRC also publishes the National Statement on Ethical Conduct in Human Research which deals with the appropriate conduct of medical research in Australia (and is the standard against which Human Research Ethics Committees approve the conduct of such research).

Clause 2.2.7 of the National Statement provides that, "Whether or not participants will be identified, research should be designed so that each participant’s voluntary decision to participate will be clearly established." While this provision should not be read as a blanket prohibition on the use of de-identified data for research purposes, it does mean that it is preferable that patients are aware of how their health data will be used.

There are no specific rules or guidelines as to how consent to the collection or use of personal information must be obtained in a digital context. The collection of sensitive information, including health information, is subject to stricter requirements for obtaining consent than is the case for other forms of information. However, there is no need under Australian law for a specific collection statement. Rather, what is required is that in all circumstances it can be shown that the individual has provided unambiguous and specific consent to the collection of their health information for a specific purpose.

The Privacy Act also includes a notifiable data breach regime, administered by the OAIC. It requires organisations to notify the OAIC and the affected individuals of unauthorised access to, unauthorised disclosure of, or loss of personal information where that is likely to result in serious harm to any of the individuals to whom the information relates. The Privacy Act also permits individuals to complain to the OAIC in respect of interference with their privacy. The OAIC has the power, following investigation of a complaint, to declare that a breach has occurred and that a person or entity must perform certain acts or pay compensation by way of redress.

Finally, as the HealthEngine case discussed in 4.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies makes clear, undisclosed use of personal information may give rise to breaches of general consumer law prohibitions on false, misleading or deceptive conduct.

AI's Present Role

According to some, true artificial intelligence (AI) is demonstrated when a machine becomes capable of emulating and applying true cognitive decision-making, self-learning from its own prior decisions and adaptively adjusting its own future decisions based on historical experience. In the IoMT context, many of the applications and devices initially deployed (such as the remote monitoring and assistive technologies referred to in 7.1 Developments and Regulatory and Technology Issues Pertaining to the Internet of Medical Things) are, at least for now, better described as assisting and augmenting human decision-making as opposed to completely replacing it. In this respect, the primary role of these types of technologies is to provide a richer basis for the exercise of human judgement.

The Next Era of AI

Equally, however, there is also emerging recognition that significant potential exists for the next era of AI to expeditiously problem-solve, rigorously reason and apply judgement within appropriate decision parameters. Furthermore, significant resources are being furiously applied to developing independent machine learning capability – ie, machines which can improve and define their own decision processes without the need for specific human enhancement. If this can be achieved, then the implications for IoMT are significant. New IoMT applications could lead to continuously improving diagnostic capabilities, reduction in error rates, improved procedural success rates and better patient outcomes. Another key hope for digital healthcare is that IoMT will come to provide robotic assistance to interventional clinicians during medical procedures and even generate model data sets for training purposes.

The processing and interpretation of data is closely linked to the future of AI in modern healthcare. A significant advantage of computer-assisted technology over human clinicians is the capacity to analyse, process and determine patterns in vast data sets with a speed and consistency of approach that would not otherwise be possible. This would enable a new era of deductive or predictive medicine, in which systems can review data and identify patterns and characteristics which would be unrecognisable by a clinician. For instance, in Mount Sinai Hospital, New York in 2016, a computer program was trained using the electronic health records of 700,000 patients and then used to predict disease in a select sample of 76,214 patients in the "Deep Patient" initiative. Researchers noted that the results significantly outperformed those obtained from alternative learning strategies applied to original raw health records.

Risks Associated with AI in IoMT

Commentators have highlighted various risks associated with the overly rapid adoption and implementation of AI-based technologies, including the influence of machine and algorithmic bias, a failure to appreciate non-quantitative nuance and the possibility that future over-reliance on technologies may lead to a lower level of skills in future generations of medical professionals. These risks will need to be cautiously approached and managed as technologies are tested and deployed.

The enhanced digital healthcare solutions of the future will require the coalescence of a range of enabling factors, including accessibility to robust and resilient telecommunications connections, modern software solutions, data transfer and storage solutions, and ongoing advancements in nano-technologies to enable further miniaturisation of "smart devices". In Australia, various steps are being taken to enable these developments.

  • The Australian government is currently undertaking a landmark national broadband network (nbn) roll-out, which involves the deployment of a multi-technology mix of telecommunications infrastructure across the country. This is a major transformative initiative in the Australian telecommunications industry. Relevantly, significant commentary in relation to the business proposition for the nbn project focused on the potential benefits of improved access to telehealth solutions, particularly for regional Australians, and the richness of new health-related applications that could be supported by high-bandwidth connectivity. At the customer’s end, the IT infrastructure of healthcare institutions, medical centres and other organisations will need to evolve to be capable of receiving and benefiting from this improved connectivity.
  • The Australian healthcare sector is experiencing a steady proliferation of new software and applications which are designed to support or facilitate diagnostic activities. Based on industry commentary, there appear to be mixed views among Australian medical professionals in relation to the utility of machine or software-based diagnostic tools. One view is that advancements in AI and software-based tools represent a vital tool in improving diagnostic reliability, by offering an invaluable initial assessment for further human interrogation or by way of a useful cross-check against human-based primary assessments. The contrary view is that, for seasoned medical professionals, the need to have regard to machine-based assessments and navigate false-positive machine-generated diagnoses simply adds to case review time without necessarily improving substantive diagnostic or patient care outcomes. As machine learning and medical software solutions evolve in functionality and sophistication, it is likely that confidence in AI-based tools will continue to improve, encouraging their adoption.
  • Data storage solutions are becoming an increasingly essential part of modern healthcare applications, including those applications which rely on the hosting, management and retrieval of large data sets. The uptake of these kinds of applications has been accelerated by the move to cloud-based solutions and the growing mobility of medical professionals, as distinct from the traditional approach of hospitals, medical centres and other institutions maintaining local storage solutions for their healthcare and patient information.

Focus on Safeguarding and Protecting Healthcare Information

The corollary of greater levels of patient and healthcare information being held in and communicated through third-party data services is a higher level of sensitivity in relation to the safeguarding and protection of that information from unauthorised use and disclosure. To the extent that such services are relied on to maintain the sole repository of an organisation's healthcare information, this also places a greater focus on ensuring that mechanisms exist to enable the recovery or restoration of that data in the event of loss or corruption, and that those mechanisms are periodically tested rather than merely described. For these reasons, many contracts in the healthcare space have come to include comprehensive provisions relating to privacy, security, data protection and recovery, which bolster the statutory obligations applying to health information (being a sensitive category of personal information) under the Privacy Act.

Australia is experiencing a pronounced cross-sector trend towards decentralised computing (as opposed to local server-based processing) and a corresponding uptake in cloud-based applications. In the medical and healthcare sector, adoption of cloud solutions has been driven by:

  • the promise of less software and solution support and lower maintenance costs;
  • a desire to move away from the ongoing patching and updating of ageing, bespoke legacy on-premises systems;
  • the growing availability of applications for medical devices;
  • the way in which cloud-based technologies can better support the mobility needs of modern medical professionals and services; and
  • greater affordability in relation to data centre offerings. 

This has resulted in the initiation of many IT transformation programs across the healthcare sector, which are aimed at replacing existing legacy software with new cloud-based solutions featuring more flexibility, greater capacity for front-end configuration and rich user functionality.

Generally, competitive tender processes conducted by large hospitals, medical centres and other customers will ensure that those information technology vendors selected to supply their proprietary solutions and/or perform integration services in respect of their (or other parties’) solutions have a proven capability and track record in similar implementations in the healthcare industry. Sometimes, more complex integrations will require the contributions of a range of IT licensors and vendors to be assembled and harmonised as an integrated solution. In such circumstances, best practice is for a single systems integrator to assume responsibility for delivering a "whole of solution" outcome, including drawing together and co-ordinating the relevant inputs (which may be services, software and other products) of various subcontractors and assuming prime accountability for delivery of the overall integrated solution. In projects of this kind, it is important for effective governance mechanisms to be implemented so that there is an appropriate operational forum for managing the hand-over points between various suppliers and ensuring appropriate levels of co-operation between them in the course of program delivery.

Patent Law

Patent law will protect an invention in digital health that meets the standard requirements for the granting of a patent under the Patents Act 1990 (Cth). An invention must be a manner of manufacture that is new, useful and involves an inventive step. This means business methods will not be patentable unless they involve the direct application of a physical form or device, in a technically innovative way, to bring about a useful result. Mere schemes implemented using generic software will not constitute patentable subject matter (see, eg, Encompass Corporation Pty Ltd v InfoTrack Pty Ltd (2019) 145 IPR 1).

Copyright Law

Copyright law will protect an original literary work (such as computer code) that is the product of an identifiable human author or authors. This means the original literary work must be the product of independent human intellectual effort directed to the creation of the material form of that work (see, eg, Telstra Corp Ltd v Phone Directories Co Pty Ltd (2010) 90 IPR 1). 

There is no database right under Australian law. Australian law also offers no protection for databases that are created without direct human authorship. Works of authorship created by AI technologies are not protected or owned by anyone, even if the computer code behind an AI was authored by a human and is itself protected.

Trade Secrets

Trade secrets can be protected as confidential information by way of contract or equity. By ensuring anyone with access to trade secrets is bound by appropriate obligations of confidence, such as in the terms of an employment contract, the confidentiality claimant can enforce any breach of those obligations.

The allocation of IP rights between a university or healthcare institution and physicians or inventors is generally dealt with in contracts of employment. The default Australian position is that, unless a contract of employment expressly provides otherwise, it is an implied term of employment that a patentable invention developed by an employee in the ordinary course of employment (ie, the employee doing what the employee is engaged and instructed to do, during working hours and using the employer's materials) will be the property of the employer (see, eg, University of Western Australia v Gray (2009) 82 IPR 206).

If a private sector technology company wishes to be involved in developing a device or medical innovation, the terms of its involvement will be recorded in the contract recording its engagement. The contractual terms will depend on elements such as the source and share of funding and could include a complete assignment of rights or a licence to the private sector company.

Inventions and works of authorship that are the product of joint inventors or authors may not be exploited without the consent of each inventor or author. Under Australian law, joint authors of copyright works are tenants in common and, in the absence of an agreement otherwise, in equal shares (see, eg, Prior v Lansdowne Press Pty Ltd (1975) 12 ALR 685). A single co-owner of copyright therefore cannot exercise the exclusive rights afforded by that copyright without a licence from the other co-owners.

Functional Approach to Regulation of Technology

Fundamentally, the traditional approach of the Australian legislature has been to avoid technology-prescriptive regulation and instead impose functional requirements in a technology-agnostic way. This has been a consistent theme across a range of sectors. This philosophical approach often stands in contra-distinction to European-based directives or statutory requirements in other countries, which can be more technology-specific in nature (eg, in relation to mandating particular technology standards relating to data transfer, encryption levels and electronic attestation). Generally, Australian laws which are predicated on or which relate to a base assumption of human decision-making have not evolved to mandate the adoption of particular technology standards as a substitute for that human decision-making process, nor to automatically alleviate responsibility for a human decision based merely on reliance on a prescribed technology process.

Liability for Decisions Based on AI Solutions

In Australia, liability for medical decisions with an impact on patient outcomes will often be determined according to the common law tort of negligence. Establishing negligence relies on demonstrating the existence of a duty of care, defining the appropriate standard of that duty, proving that such standard has been breached and showing that a certain measure of damages has flowed from the breach. The determination of these various elements will always depend on the specific facts and circumstances of a particular case. However, no general rule or principle exists to the effect that a medical professional who exclusively relied on an AI-based solution in substitution for their own judgement will be exempted from liability. Relevant factors will include the extent to which it was reasonable to rely on a machine-based assessment, the extent to which the medical professional was reliant (eg, whether in relation to the interrogation of specific data points or in relation to an overall AI-based recommendation) and potentially, to some degree, the level of sophistication of the solution provided by the AI and the proven integrity of its outputs.

It is also likely that the developers of such systems could be liable to patients for their consequences both under theories of negligence and under statutory liability regimes which impose liability on manufacturers of goods.

Where a third-party vendor supplies products or services to support the operations of hospitals, medical centres or other healthcare institutions, the liability for the non-performance or non-conformity of those products or services with their intended requirements will typically be regulated by the applicable contract of supply. The terms and conditions of that supply contract will usually, assuming it is consistent with best practice:

  • contain various warranties, performance and delivery commitments in relation to the applicable products and services;
  • outline security (including cybersecurity), data protection, disaster recovery and business continuity obligations owed by the vendor;
  • include indemnities in relation to particular kinds of risks that could create exposure for the customer, including in relation to the third-party vendor’s breaches of law or regulatory requirements and other types of third-party claims brought against the healthcare institution as a result of the vendor’s activities; and 
  • set out a contractual allocation of risk in relation to legal claims arising in relation to the contract or its subject matter.

The extent of the vendor’s liability and how risks are contractually allocated will largely depend on the parties’ commercial understanding with respect to the relevant scope of the products and services. For instance, it may not be appropriate for a third-party vendor to indemnify the customer against all cybersecurity attacks if it is only responsible for providing a discrete solution for the customer’s deployment and is not otherwise assuming responsibility for the security and integrity of the customer’s network environment in which that solution will be deployed and implemented. In such circumstances, the vendor’s liability may be more appropriately confined to security vulnerabilities in the solution itself. Conversely, if security management and network integrity fall within the scope of the professional services the vendor is supplying, then a greater level of contractual protection against such events would be justified.

The contract of supply will usually also outline how any limitations on the vendor’s liability interact with any common law claims arising from its activities (eg, arising in negligence) and, to the extent that it can be legally altered by the contract, any statutory liability.

The hot topics relevant to Australia have been covered throughout this chapter. The critical issues are:

  • the extent to which the recent reforms to medical device regulation strike the appropriate balance between innovation and regulation;
  • cybersecurity in respect of the increasing amount of health information stored online, and the growing number of devices which are dependent on the transmission of health information to operate; and
  • how to manage the regulatory implications of the rapid move to telehealth driven by the COVID-19 pandemic (to date, the Australian government has moved quickly to deal with the reimbursement of telehealth, but there have yet to be significant developments in the standard relating to the appropriate delivery of health services remotely).

Clayton Utz

Level 15
1 Bligh Street
NSW 2000

+612 9353 4000

+612 8220 6700