Clinical AI governance for TGA, AHPRA, and the NSQHS Standards.
91% of Australian hospitals use AI-powered systems. 88% of consultation respondents said human oversight for healthcare AI decisions is mandatory. Practitioners remain personally liable for AI-assisted decisions. The SaMD grace period ended 1 November 2024. The compliance window has closed.
What a clinical AI engagement delivers.
SaMD classification
Risk categorisation using IMDRF factors. Class I to Class III determination based on intended therapeutic purpose and clinical decision impact.
Clinical governance pack
ACSQHC "before, while, after" framework integrated with NSQHS Clinical Governance and Consumer Partnership standards.
Patient consent framework
Consent processes for AI-assisted care and AI scribe recording. Aligned to OAIC guidance and AHPRA obligations.
Post-market surveillance
Real-world performance monitoring, drift detection, demographic subgroup analysis, and adverse event reporting for adaptive AI.
The Australian healthcare AI environment.
The TGA regulates AI-enabled medical devices and SaMD under technology-agnostic rules. AHPRA sets professional obligations. OAIC enforces privacy. ACSQHC establishes clinical governance through NSQHS Standards. Healthcare is classified as a high-risk setting under Australia's proposed mandatory AI guardrails.
- 01 In force
SaMD grace period ended.
The TGA Software as a Medical Device grace period ended 1 November 2024. Retrospective registration may be required for AI in clinical use. In February 2025 the TGA published outcomes from its AI regulation consultation, with Government approval for 14 regulatory refinements including potential reclassification of AI clinical prediction tools into higher-risk categories.
- 02 In force
National Health Privacy Rules.
Commenced 1 April 2025. Stricter requirements for MBS and PBS claims data: encryption, access controls, measures to prevent unauthorised linkage. Health information is sensitive information under the Australian Privacy Principles and requires elevated protections.
- 03 In force
WA mandatory AI Policy.
Western Australia's Department of Health implemented mandatory AI policy requirements in September 2025. State-level initiatives are proceeding independently of Commonwealth frameworks. Healthcare organisations operating across jurisdictions need strategies that satisfy all applicable requirements at once.
- 04 Trust gap
91% adoption. 30% trust.
91% of Australian hospitals use AI-powered systems. Only 30% of Australians trust AI more than they fear it. 88% of consultation respondents said there should always be human oversight for healthcare AI decisions. This trust gap demands transparent governance built from existing patient safety, digital health, and research ethics frameworks.
The four regulatory domains.
Multiple overlapping frameworks govern AI in Australian healthcare. Each engagement covers all four with controls mapped to the AI systems you operate.
Domain A
TGA SaMD
SaMD must be on the ARTG before legal supply in Australia. IMDRF factors for risk categorisation. SaMD directly diagnosing a critical medical condition is Class III with the highest scrutiny and evidence requirements.
- Class III. Software diagnosing critical conditions.
- Class IIb. Software diagnosing serious conditions.
- Adaptive AI change control and post-market surveillance
- Exemptions under review for digital health tools
Domain B
AHPRA practitioner obligations
Practitioners remain ultimately responsible for any AI used in practice. GPs are fully liable for errors in patient records regardless of whether AI scribes generated them. AHPRA guidance published August 2024.
- Testing tools before clinical use, with documented validation
- Understanding training data, biases, limitations
- Bias affecting Aboriginal and Torres Strait Islander communities
- Patient consent for AI-assisted care and AI scribes
Domain C
ACSQHC clinical governance
August 2025 release of three pragmatic guides: AI Clinical Use Guide, AI Safety Scenario for Interpretation of Medical Images, and AI Safety Scenario for Ambient Scribe. Built on NSQHS Clinical Governance and Consumer Partnership standards.
- Before. Use-case validation, vendor evaluation, bias assessment
- While. Human oversight, ongoing monitoring, incident reporting
- After. Post-market surveillance, change management
- NSQHS integration with existing patient safety processes
Domain D
Privacy Act & health data
Health information is sensitive information under the APPs. AI-generated notes, diagnostic suggestions, and hallucinations relating to identifiable people are all personal information. Using AI to generate or infer sensitive information requires patient consent unless exceptions apply.
- Cross-border data flows under APP 8
- My Health Record mandatory breach notification
- Patient consent for AI-assisted care and AI scribes
- National Health Privacy Rules (1 Apr 2025)
SaMD, IEC 62304, and digital health standards.
The four technical questions every Australian medical device business developing AI must answer. Clinical decision support vs diagnostic AI. IEC 62304 lifecycle. FHIR / HL7 interoperability. Post-market surveillance for adaptive AI.
- 01
Clinical decision support vs diagnostic AI.
Classification depends on whether the AI provides clinical decision support or functions as a diagnostic tool. Software making suggestions for diagnosis or treatment is subject to TGA regulation as SaMD with pre-market approval and ARTG registration. Software simply presenting data without clinical interpretation may qualify for exemptions, though the TGA is actively reviewing these boundaries.
- 02
IEC 62304 medical device software lifecycle.
IEC 62304 defines the software development lifecycle for medical device software including AI-enabled solutions. Compliance is essential for TGA registration. The standard covers planning, requirements, architecture, implementation, verification, and maintenance. Adaptive AI presents particular challenges because IEC 62304 processes were designed for static software models.
- 03
Digital health interoperability. FHIR and HL7.
AI operating within Australian healthcare infrastructure must integrate using FHIR (Fast Healthcare Interoperability Resources) and HL7. For AI medical devices and clinical decision support, interoperability compliance ensures outputs integrate safely into electronic health records, clinical workflows, and My Health Record. The National Model Clinical Governance Framework requires digital health solutions meet interoperability and clinical safety requirements.
- 04
Post-market surveillance and real-world performance.
TGA registration is not the end of the compliance journey. AI medical devices require ongoing surveillance to monitor real-world performance, detect adverse events, and manage updates that may affect safety or efficacy. For adaptive AI continuing to learn from new data, real-world performance monitoring becomes especially critical. Many health technology businesses underinvest here, creating significant risk management gaps.
Common healthcare AI applications.
AI is being deployed across diagnostic imaging, clinical documentation, and clinical decision support in Australian healthcare. Each carries a different risk profile and a different governance approach.
- 01 Class IIb / III
Diagnostic imaging AI.
AI-powered imaging detects cancers, strokes, and fractures across Australian hospitals. South Australia has deployed AI across metropolitan and regional sites for chest X-ray analysis. Royal Prince Alfred Hospital uses algorithms detecting lung cancer with greater than 90% sensitivity. Typically Class IIb or Class III SaMD requiring full TGA registration. Machine learning analyses over 8.5 million medical images annually with 96.4% accuracy in AI-assisted imaging.
- 02 Often exempt
AI scribes and clinical documentation.
Adoption among GPs rose from under 3% in May 2024 to 8.24% in October 2024, with nearly 1 in 4 GPs nationally believed to be using them. Modern ambient scribes have 1 to 3% error rates with distinct failure modes: hallucinations, critical omissions, misattribution. Patient consent for recording is mandatory. AHPRA requires practitioners to verify all AI-generated documentation. Currently most fall outside TGA oversight. 2025 compliance activities target scribes with diagnostic or treatment recommendation features.
- 03 SaMD
Clinical decision support systems.
Predicting patient deterioration, streamlining emergency care, and reducing waiting times. Software making suggestions for diagnosis or treatment is subject to TGA regulation as SaMD. ICU trials predict acute kidney injury before symptoms appear. Resource allocation solutions optimise staffing across health districts. Pre-market approval, ARTG registration, and post-market surveillance for real-world performance monitoring are required.
Bias and health equity
Algorithmic bias is a patient safety issue.
Bias in AI can perpetuate and exacerbate healthcare disparities, creating direct patient safety risks. AHPRA guidance requires practitioners to address biases impacting Aboriginal and Torres Strait Islander communities and other diverse populations. We build bias detection and mitigation into every clinical AI governance framework.
Sources of bias
- AI trained on international datasets may not perform on Australian populations
- Skin lesion classification predominantly trained on white patient images (5-10% Black patients)
- Proxy variables can systematically disadvantage certain groups
Mitigation strategies
- Training data review against Australian demographics
- Adversarial debiasing during development and validation
- Ongoing real-world monitoring across populations
Healthcare AI governance services.
Engagements scoped to TGA compliance, clinical governance, privacy, and practitioner guidance. Sized from a focused compliance gap analysis through to multi-site framework builds.
Service A
TGA SaMD strategy
SaMD classification using IMDRF risk categorisation, ARTG registration support, IEC 62304 software lifecycle compliance, clinical evidence requirements, post-market surveillance framework, and adaptive AI change control. Depending on SaMD class and clinical evidence requirements.
Service B
Clinical AI governance framework
Single-site or multi-site
ACSQHC-aligned governance with the "before, while, after" framework. NSQHS integration for clinical governance and consumer partnership. Human oversight protocols, clinical validation, bias and equity assessment, and FHIR / HL7 interoperability review.
Service C
Privacy & patient consent
Privacy Act compliance for AI processing health information. APP gap analysis, My Health Record obligations, cross-border data transfer for offshore providers, secondary data use frameworks, and patient consent strategy for AI-assisted care.
Service D
Practitioner & workforce guidance
Retainer model
AHPRA obligations translated into operational policies. AI scribe implementation with patient consent templates, professional indemnity considerations, bias awareness training, and workforce readiness support. Retainer model.
Service E
Health tech startup support
32% of SMEs have no plans to adopt AI due to privacy and ethics concerns. We help startups manage TGA classification, build MVP compliance frameworks with IEC 62304 alignment, develop market entry strategies, and produce investment-ready governance documentation. Build to the highest standard from the start.
How a healthcare engagement runs.
Three phases. Initial assessment produces a prioritised risk assessment and roadmap. Framework development translates requirements into operational policies. Implementation embeds governance into day-to-day clinical practice.
- 01
Initial assessment.
Review current AI use or planned implementation against TGA requirements, AHPRA obligations, Privacy Act compliance, and ACSQHC clinical governance principles. Output is a prioritised risk assessment and compliance roadmap with clear strategies.
- 02
Framework development.
Translate regulatory requirements into operational policies, procedures, and governance structures sized to your clinical context. Includes NSQHS alignment, patient consent frameworks, and workforce training strategies.
- 03
Implementation and growth.
Change management, workforce training, vendor evaluation assistance, and ongoing compliance monitoring. Operational changes that embed governance into day-to-day practice, enabling sustainable AI adoption.
Request a healthcare AI compliance assessment.
Initial assessment covers TGA SaMD classification, AHPRA obligations, Privacy Act gap analysis, clinical governance framework evaluation, and IEC 62304 readiness. Fixed-fee quoted based on organisation size and AI use scope.