How Australian Medical Practices Can Use AI Without Breaking the Law

The Problem: Every Major AI Tool Sends Data Offshore

AI is transforming every industry. Medical practices see it every day — staff summarising notes faster, letters drafted in seconds, administrative backlogs cleared in minutes. The productivity gains are real and they are enormous. Every practice owner in NSW is asking the same question: when can we start using AI?

The answer, for most AI tools available today, is blunt: you cannot. Not with patient data. Not legally.

The reason is straightforward. ChatGPT processes data in the United States. Google Gemini processes data on Google's global infrastructure, primarily in the US. Anthropic's direct Claude API processes data in the US. Microsoft recently announced in-country processing for Copilot in Australia, but it is opt-in, qualified with “under normal operations,” and not yet independently verified for healthcare compliance. The reality is that the vast majority of AI tools your staff want to use either definitely send data offshore, or cannot yet provide the ironclad guarantees that Australian healthcare law demands.

For a retail business or marketing agency, this might be an acceptable risk with proper governance. For a medical practice handling patient health information, it is not. Australian healthcare operates under some of the strictest data protection laws in the world, and those laws were written specifically to prevent patient data from leaving Australian borders.

The Three Laws That Block AI in Australian Healthcare

Medical practices in NSW operate under a triple layer of data protection that makes offshore AI processing a legal minefield. Understanding these laws is critical because they do not just suggest you keep data in Australia — they create enforceable obligations with serious penalties when you do not.

Law 1: The Privacy Act 1988 (Commonwealth)

The Privacy Act 1988 is the foundational federal privacy legislation. It applies to all private sector organisations with an annual turnover of more than $3 million, as well as all health service providers regardless of turnover. For medical practices, there is no turnover threshold — every GP clinic, specialist practice, pathology lab, and allied health provider is covered.

Three Australian Privacy Principles (APPs) are directly relevant to AI:

• APP 6 — Use or disclosure of personal information: Personal information can only be used or disclosed for the purpose it was collected for, or a directly related secondary purpose the individual would reasonably expect. Feeding patient data into an AI chatbot for processing on overseas servers is not a purpose any patient consented to or would reasonably expect.
• APP 8 — Cross-border disclosure of personal information: Before disclosing personal information to an overseas recipient, an organisation must take reasonable steps to ensure the recipient does not breach the APPs, or ensure one of the limited exceptions applies. AI tool providers based in the US do not operate under the APPs, and their terms of service do not provide equivalent protections.
• APP 11 — Security of personal information: An organisation must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Allowing patient data to be processed on servers outside your control, in a foreign jurisdiction, with no guaranteed data handling protections, does not meet this standard.

Law 2: The My Health Records Act 2012 (Commonwealth)

The My Health Records Act 2012 governs the national digital health records system. Section 77 of the Act explicitly prohibits holding records, taking records, or processing or handling information relating to records outside Australia. The exact language is unambiguous: the System Operator, registered repository operators, registered portal operators, and registered contracted service providers must not hold, take, process, or handle My Health Record information outside Australia.

This is one of the clearest and strongest data residency requirements in any Australian legislation. Medical practices that are registered with the My Health Record system — which is the vast majority of practices in Australia — must ensure that no AI tool they use could result in My Health Records data being processed outside of Australia. Any AI tool that sends data to US servers for processing is a direct violation of this requirement.

The penalty for contravening Section 77 is 1,500 penalty units — approximately $495,000 at the current Commonwealth penalty unit rate of $330. The Act also creates additional offences for unauthorised collection, use, or disclosure of health information under Sections 59–76, with penalties of up to 120 penalty units for individuals and 600 penalty units for bodies corporate.

Law 3: Health Records and Information Privacy Act 2002 (NSW)

NSW medical practices face an additional layer of protection under the Health Records and Information Privacy Act 2002. This Act establishes 15 Health Privacy Principles (HPPs) that are in several areas stricter than the federal Privacy Act.

The key principles for AI are:

• HPP 9 — Limits on use of health information: Health information must only be used for the purpose for which it was collected. Using patient data as input for an offshore AI system is a use that was never contemplated when the information was collected.
• HPP 10 — Limits on disclosure of health information: Disclosure to a third party (including an AI provider) is restricted to specific circumstances, none of which cover feeding data into consumer or enterprise AI tools.
• HPP 14 — Transborder data flows: This principle specifically addresses the transfer of health information outside NSW. It requires that the recipient is subject to a law or binding scheme substantially similar to the HPPs, or the individual has consented. US-based AI providers are not subject to laws substantially similar to the NSW HPPs.

Why Staff Policies Are Not Enough

Every practice manager reading this is thinking: "We will just create a policy that says staff cannot put patient data into AI tools."

That is not sufficient. Here is why.

Research consistently shows that the vast majority of AI usage in workplaces is completely unsanctioned. Staff use AI tools because they work. A receptionist who discovers that ChatGPT can draft a patient recall letter in 10 seconds instead of 10 minutes is not going to stop using it because of a policy document she signed six months ago. A nurse who finds that Gemini can summarise a complex patient history in moments will use it when the waiting room is full and the doctor needs the summary now.

This is not a question of bad employees. It is human nature. The productivity benefit of AI is so immediate and so significant that expecting every staff member, in every moment of pressure and convenience, to remember and comply with an AI policy is unrealistic.

What Policies Cannot Prevent

• Personal devices: Staff can access ChatGPT on their personal phones while standing at the reception desk. Your network controls do not reach their mobile data connection.
• Free AI tools everywhere: ChatGPT, Gemini, and dozens of other AI tools are free, require no installation, and work in any browser tab. There is no software to block because there is nothing to install — staff simply visit a website.
• Copy and paste: Patient data can be copied from the practice management system and pasted into an AI tool in two keystrokes. There is no technical control that prevents this with consumer AI tools.
• New tools constantly emerging: Staff discover new AI tools every week. Your policy would need to be updated continuously to name every prohibited tool — an impossible task.
• Pressure and time constraints: When a GP is running 30 minutes behind, the temptation to use any tool that speeds things up is enormous. Policies break down under operational pressure.

The only way to eliminate this risk is to ensure that the AI tools available to your staff physically cannot send data offshore. That means either running AI locally on hardware in your practice, or using a cloud AI service that is contractually and technically bound to process data within Australia. Or, if your practice is not ready for AI at all, blocking it entirely at the network level.

Policies are necessary. But they are not sufficient. The technology layer must enforce what the policy requires.

Where Your Data Actually Goes: AI Tool by AI Tool

This is the information every medical practice needs but no AI vendor makes easy to find. Here is where your data actually goes when you use each major AI tool:

The pattern is clear. Every consumer and most enterprise AI tools process data in the United States. Only two options keep data within Australia: local AI hardware and sovereign cloud services in Australian data centres.

Solution 1: Local AI with NVIDIA DGX Spark

The first compliant path forward is the most straightforward: run AI locally, on hardware physically located inside your medical practice. No internet connection required for inference. No data leaves the building. No cross-border transfer. No compliance risk.

The technology that makes this possible in 2026 is the NVIDIA DGX Spark, powered by the GB10 Grace Blackwell superchip.

What It Is

The DGX Spark is a desktop AI computer that sits on a shelf in your practice. It is roughly the size of a Mac Mini — 15cm x 15cm x 5cm, weighing just 1.2 kg. It is completely fanless (silent), draws about 170 watts under load (less than a desktop PC), and plugs into a standard power outlet. It is purpose-built AI infrastructure from NVIDIA, the same company that powers the AI systems at Google, Microsoft, and every major cloud provider.

• 128GB unified LPDDR5x memory — enough to run AI models up to 200 billion parameters
• 1 petaFLOP of AI compute — more than enough for medical administrative tasks
• Silent, fanless design — no noise, suitable for a consultation room or reception area
• Starting from $6,249 AUD (ASUS Ascent GX10) to $7,999 AUD (MSI EdgeXpert 4TB), with Dell Pro Max configs from ~$6,800 AUD — all available from Australian retailers now
• Shipping in Australia now from Dell, ASUS, and MSI, with HP, Lenovo, and others coming

What It Can Run for a Medical Practice

A DGX Spark can run open-source AI models like Meta Llama 3.1 (up to 405B parameters with two clustered units), Mistral, and other production-quality language models. These are not toy models — they are capable, production-ready systems that can handle:

• Clinical note summarisation and structuring
• Referral letter and specialist correspondence drafting
• Patient discharge summary generation
• Pathology and radiology report summarisation
• Medicare billing description assistance
• Patient recall letter generation
• Practice management report generation
• Translation of medical documents for non-English-speaking patients
• Insurance and WorkCover correspondence drafting
• Training material and patient education content creation

Scaling Up: Clustering and Beyond

A single DGX Spark handles most medical practice workloads comfortably. For larger multi-site clinics or healthcare groups that need to serve dozens of concurrent users, up to four DGX Spark units can be clustered together, pooling memory to 512 GB and enabling models up to 405 billion parameters. This “desktop data centre” approach keeps everything on-premises at a fraction of traditional server infrastructure costs.

For most medical practices — whether you are a solo GP, a 5-doctor clinic, or a small specialist group — a single DGX Spark is more than enough. The point is simple: the hardware exists today, it fits on a desk, it costs less than a year of cloud AI subscriptions for a medium practice, and it keeps every byte of patient data exactly where the law requires it.

Solution 2: Sovereign Cloud AI with Claude on AWS Bedrock Sydney

Not every medical practice wants to buy and manage hardware. The second compliant option is to use Anthropic's Claude via AWS Bedrock in the Sydney (ap-southeast-2) region.

This is fundamentally different from using Claude's direct API or website. Here is why:

How It Works

AWS Bedrock is Amazon Web Services' managed AI service. When you deploy Claude through Bedrock and select the Sydney region, every piece of data — your prompts, the patient information, and the AI responses — is processed within AWS data centres physically located in Sydney, Australia. The data does not leave the country. It does not transit through US servers. It does not go to Anthropic's own infrastructure.

Why This Is Compliant

• Australian data residency: All processing occurs in AWS Sydney data centres. Data stays in Australia.
• IRAP PROTECTED assessed: AWS Sydney is assessed under the Australian Government's Information Security Registered Assessors Program (IRAP) at the PROTECTED level. This is the same standard required for Australian government systems handling sensitive information, including health data.
• No training on your data: Anthropic has explicitly confirmed that data processed through AWS Bedrock is not used to train Claude models. Your patient data is processed and discarded — it does not become part of the model.
• Contractual guarantees: AWS provides contractual commitments through its Customer Agreement and Data Processing Agreement that data in a selected region stays in that region.
• Proper security controls: AWS provides user access management, encryption, network isolation, full audit logging (so you can prove who accessed what and when), and compliance certifications that consumer AI tools cannot match. Your MSP configures all of this for you.

Cost Model

AWS Bedrock operates on a pay-per-use model. You pay per token processed (a token is roughly three-quarters of a word). There is no upfront hardware cost. For a typical medical practice, monthly costs range from $200 to $2,000 depending on the volume of AI usage. This makes it accessible to smaller practices that cannot justify the upfront cost of a DGX Spark.

Comparing the Two Solutions

Many medical practices will benefit from a hybrid approach: using local AI on DGX Spark for the most sensitive clinical workflows, and Claude on AWS Bedrock Sydney for higher-volume administrative tasks where frontier model quality provides the most value. AyeTech can design and deploy both.

What Medical Practices Can Do with Compliant AI

Once you have a compliant AI solution in place, the productivity gains for a medical practice are transformative. Here are real-world use cases that work today:

GP Clinics

• Consultation note summarisation: AI summarises a 20-minute consultation into structured clinical notes in seconds
• Referral letter generation: Draft specialist referral letters from clinical notes and patient history
• Patient recall management: Generate personalised recall letters for preventive health checks, immunisations, and chronic disease management reviews
• Medicare item number assistance: AI suggests appropriate MBS item numbers based on consultation descriptions
• Chronic disease management plans: Draft GP Management Plans (item 721) and Team Care Arrangements (item 723) from patient records

Specialist Practices

• Detailed procedural reports: Generate structured operative reports and procedure summaries
• Correspondence to referring GPs: Draft comprehensive post-consultation letters with findings, management plans, and follow-up recommendations
• Research and literature review: Summarise relevant medical literature for complex cases (using de-identified queries)
• Insurance and WorkCover reports: Draft detailed medico-legal reports from clinical records

Allied Health

• Treatment plan documentation: Generate structured treatment plans from assessment notes
• Progress notes: Summarise session outcomes and patient progress
• NDIS reports: Draft NDIS-compliant progress reports and funding review documentation
• Patient education materials: Create personalised exercise sheets, dietary guides, and self-management resources

Practice Administration

• Policy and procedure documentation: Draft and update practice policies, infection control protocols, and workplace health and safety documents
• Staff training materials: Generate onboarding documents, compliance training content, and procedural guides
• Patient communication: Draft SMS reminders, email newsletters, and health promotion content
• Complaint response: Draft professional responses to patient complaints and feedback

What to Do Right Now

If you are a medical practice owner, practice manager, or healthcare IT decision-maker in NSW, here is your immediate action plan:

1. Audit your current AI exposure today
   Find out what AI tools your staff are already using. Ask directly. Send a survey. Check your web filtering logs. The results will almost certainly reveal that consumer AI tools are already being used with patient data — and you need to know the extent of the problem before you can fix it.
2. Block consumer AI tools on your practice network immediately
   Use your firewall or web filtering to block access to ChatGPT, Google Gemini, Claude (direct), and other consumer AI services on your practice network. This is a band-aid, not a solution — staff can still use personal devices — but it stops the most obvious data leakage vector while you implement a proper solution.
3. Draft and distribute an AI acceptable use policy
   Create a clear policy that explicitly prohibits entering patient data into any AI tool that has not been approved by the practice. Make every staff member sign it. Include it in your induction process. Make consequences clear.
4. Engage an MSP with healthcare AI expertise
   Deploying compliant AI for a medical practice is not a DIY project. You need an IT partner who understands the compliance landscape (Privacy Act, My Health Records Act, NSW Health Records Act), the technology options (DGX Spark, AWS Bedrock), and the practical realities of integrating AI into medical workflows.
5. Deploy compliant AI and give your staff a safe alternative
   The reason staff use consumer AI tools is because they work. The only way to stop them is to provide an approved alternative that is equally effective. A properly deployed DGX Spark or Claude on AWS Bedrock Sydney gives your staff the AI productivity they want — without the compliance risk you cannot afford.

How AyeTech Deploys Compliant AI for Medical Practices

AyeTech is a Sydney-based managed IT services provider that specialises in deploying compliant AI infrastructure for Australian healthcare. We understand the regulatory landscape, we have the technical expertise, and we have been helping medical practices across NSW navigate the intersection of AI, compliance, and productivity.

Our healthcare AI deployment follows a structured methodology:

• AI Readiness Assessment: We audit your current AI exposure, identify compliance gaps, review your practice management system integration points, and assess your infrastructure. This is free and comes with a detailed report.
• Solution Design: Based on your practice size, budget, and usage patterns, we recommend local AI (DGX Spark), sovereign cloud AI (Claude on AWS Bedrock Sydney), or a hybrid approach.
• Deployment and Integration: We deploy the chosen solution, configure security controls, integrate with your practice management system, set up user access, and implement audit logging.
• Staff Training: We train every staff member on how to use the approved AI tools effectively and safely. We cover what is allowed, what is not, and why — so your team understands the compliance requirements, not just the rules.
• Ongoing Management: 24/7 monitoring, regular compliance reviews, quarterly policy updates, system maintenance, and continuous optimisation. This is a managed service, not a one-off project.
• Shadow AI Monitoring: We implement network-level monitoring to detect any use of unapproved AI tools on your practice network, giving you visibility and control.

We work with GP clinics, specialist practices, allied health providers, pathology laboratories, dental practices, and multi-site healthcare groups across Sydney and NSW.