Australian medical clinics.

Every public claim a medical practice makes — a Google ad, an Instagram caption, a before/after image, a five-star review on the homepage — sits inside a regime where the regulator can prosecute, and routinely does. The space inside the rules is narrower than most clinics assume, and the risk of a non-specialist agency stepping over the line is borne by the practice principal, not the agency.

A registered medical practice answers to several authorities at once. The dominant frame is the Health Practitioner Regulation National Law, administered by the Australian Health Practitioner Regulation Agency (AHPRA) and the Medical Board of Australia. Section 133 of the National Law is the operative advertising provision. It prohibits advertising a regulated health service in a way that is false, misleading or deceptive; offers a gift, discount or inducement without stating the terms; uses testimonials about the service; creates an unreasonable expectation of beneficial treatment; or directly or indirectly encourages indiscriminate or unnecessary use.

The Guidelines for advertising a regulated health service, issued jointly by the National Boards, sit beneath section 133 and a court hearing an advertising prosecution may have regard to them. For higher-risk non-surgical cosmetic procedures and cosmetic surgery, AHPRA and the Medical Board have issued additional advertising guidelines with stricter requirements on social media, before/after imagery and testimonials.

Patient information is governed by the Privacy Act 1988 and the Australian Privacy Principles, regulated by the Office of the Australian Information Commissioner (OAIC), with mandatory notification of eligible data breaches. Trade conduct — pricing claims, package inclusions, comparative statements outside the clinical-care frame — sits within the Australian Consumer Law, enforced by the ACCC.

The penalties are not theoretical. Section 133 maxima were lifted in 2022 and apply nationally from July 2024: up to $60,000 per offence for an individual practitioner and $120,000 per offence for a body corporate, per the AHPRA advertising compliance and enforcement strategy. Each non-compliant ad is a separate offence.

In 2024–25, AHPRA assessed 775 advertising complaints, 356 of which were treated as criminal offences, and continues to audit the cosmetic sector following the Independent Review of the Regulation of Medical Practitioners who perform Cosmetic Surgery. Outcomes available to the regulator include advertising orders, conditions on registration, suspension or cancellation, and prosecution in the Magistrates Court.

Privacy enforcement has hardened sharply. In *Australian Information Commissioner v Australian Clinical Labs Limited (No 2)*, the Federal Court in October 2025 imposed a $5.8 million civil penalty — the first under the Privacy Act — for a 2022 pathology data breach affecting more than 223,000 patients: failures across security, breach assessment and notification under APP 11.1 and sections 26WH(2) and 26WK(2). The maximum civil penalty per serious or repeated breach is currently the higher of $50 million or three times the benefit obtained.

Two failure modes recur, and both end on the practitioner's record.

The generalist who breaks the rules without knowing. An agency built for cafes, trades and e-commerce ports the same playbook into a clinic: harvest reviews into a hero carousel, run before/after carousels on Meta, write headlines about being the best or safest in the suburb. Each is a section 133 breach in plain sight — testimonial about clinical care, comparative claim, unreasonable expectation of benefit. The agency invoices and moves on; the practitioner inherits the AHPRA notification.

The cautious agency that ships nothing. The opposite failure is often worse. Faced with a regulated environment they don't understand, the agency strips every claim out until the website is a list of services and a contact form. The marketing is defensible and commercially inert. Patient acquisition stalls. The principal concludes marketing doesn't work for medical, when in fact the agency could not see what was permitted.

You may recognise one of these from past engagements.

The rules are stricter than most clinics realise, and the room inside them is wider than most agencies see. That gap is the game. A practice that works with people who understand the regime — who know what a tribunal would call a testimonial and what it would not, who understand the difference between an unreasonable expectation and an accurate description of care — can market with specificity, weight and confidence. The output is more credible because it is more honest, more durable because it does not need to be pulled at the next audit cycle, and harder to copy because the constraint filters out competitors who cannot operate inside it. Compliance, treated as a posture rather than a tax, becomes positioning.

Regimen is built for regulated Australian professional services. Compliance review runs on every piece of work we ship — copy, creative, landing pages, paid media, organic content — against the current AHPRA guidelines, the cosmetic procedure guidelines where they apply, the Australian Consumer Law and the Privacy Act. We anonymise client work as a matter of practice, not a marketing pose. We know which claims have a defensible footing and which do not, and we know how to make the permitted ones earn their keep.

If you run a GP practice, allied-health collective or specialist clinic and you want marketing that converts inside the rules rather than around them, book a 30-minute discovery call. We will tell you, on the call, whether your current advertising would survive an AHPRA audit.