Waboom AI is the Privacy-Safe Voice Receptionist for Australian and New Zealand Medical Practices
Patient data stays where it should. Deletion is a single action. When your auditor asks for a written agreement, we put the obligations on paper before contract. Built for GPs, dentists, allied health, aged care, and vets across both markets.

TL;DR
Patient data stays where it should. Deletion is a single action. When your auditor asks for a written agreement, we put the obligations on paper before contract: recording disclosure, retention windows, deletion rights, breach notification, sub-processor visibility.
Waboom AI is built for GPs, dentists, allied health, aged care, and vets across Australia and New Zealand. We follow the Privacy Act 1988, state health acts in Victoria, New South Wales, and the ACT, and the Health Information Privacy Code 2020 in New Zealand.
HIPAA is a US law. It doesn't apply here. We don't pretend it does.
Is Waboom AI HIPAA compliant for Australian and New Zealand healthcare?
No, and that's the right answer. HIPAA is United States federal law. A Marrickville GP clinic or a Petone physio practice sits outside its jurisdiction entirely.
What we do instead: follow the laws that actually apply to your practice. When your board needs the obligations in writing, we put them on paper before contract. For a service overview by clinic type, see our AI voice agents for medical clinics page.

Why the question is mis-framed for Australia
The relevant frameworks in Australia are the Privacy Act 1988, the My Health Records Act 2012, and the Healthcare Identifiers Act 2010. State health privacy laws in Victoria, New South Wales, and the ACT stack on top. None of them are HIPAA. A vendor that says "HIPAA compliant" in Sydney has answered the wrong question. We answer the right one.
What we'd put in writing with you on request
When your auditor asks for a written agreement, we put the obligations on paper before contract: recording disclosure, retention windows, deletion rights, breach notification, sub-processor visibility. Our full security and privacy pillar covers what's standard across every Waboom AI deployment.
What applies to your voice AI in Australian healthcare, and how do we handle it?
Australian healthcare voice AI sits under a layered framework. Privacy Act for the federal floor, state health acts stacking on top, sensitive-information rules raising the bar on consent. Waboom AI is built to clear the whole stack, and the OAIC enforces penalties that are not theoretical. The official OAIC guidance on collecting sensitive information sets out the detail. Our AI voice agents for Australia page covers the broader Australian deployment posture.

Privacy law applies to every healthcare business, even the tiny ones
A solo GP in Footscray with one part-time receptionist is fully bound. So is a dental practice in Toowong, allied health rooms in Newtown, a vet clinic in Marrickville. No turnover floor. Most US-trained vendors miss this. We built around it.
Higher bar for sensitive information
Health information is treated as sensitive. Consent has to be specific, voluntary, current, and informed. Patients have to know what's being collected, why, and where it goes. The voice agent's opening disclosure exists to satisfy this on every call, by default.
The My Health Records and Healthcare Identifiers laws
Two pieces of legislation specific to digital health records and healthcare identifiers. The first controls what can be written into and read from the national My Health Record system. The second governs the individual and provider healthcare identifiers. If your voice agent touches either, both apply. We can document the specific safeguards your auditor needs.
State health privacy laws
Victoria, New South Wales, and the ACT each have their own health-records laws on top of the federal Privacy Act. If your practice has clinics across multiple states, the requirements stack. We handle the stack.
What the AUD 5.8 million Australian Clinical Labs fine taught the sector
In 2025 a medical testing company copped an AUD 5.8 million Federal Court fine after the Medlab data breach hit 223,000 individuals. Largest civil penalty under the Privacy Act in a health sector matter. Courts now quantify failure in millions, not warnings. Waboom AI clears that bar the same way every time: Sydney audit log on every admin action, a written data-handling agreement drafted with enterprise procurement before contract, SOC 2 Type II inheritance at the runtime layer.
What applies to your voice AI in New Zealand healthcare, and how do we handle it?
In New Zealand we follow the Health Information Privacy Code 2020 in full. Made under the Privacy Act 2020, enforced by the Office of the Privacy Commissioner, binding on every health agency in the country. Waboom AI is built around it.
For the country-level service view, see our AI voice agents for New Zealand page.

What the Health Information Privacy Code actually covers
A specialist set of rules sitting on top of the Privacy Act 2020 for health agencies. Covers GPs, dentists, allied health, pharmacies, Te Whatu Ora successors, ACC providers, and aged-care providers. Our companion Privacy Act 2020 guide walks through each information privacy principle.
HIPC Rule 5: Storage and security with reasonable safeguards
Health agencies have to protect information with reasonable security safeguards against loss, unauthorised access, use, modification, or disclosure. Waboom AI handles this with encryption on every connection, encryption at rest, the recording disclosure on every patient call, hard retention windows, and a single-action deletion path that completes in 10 minutes.
HIPC Rule 12: Cross-border health information
If patient data leaves New Zealand, your provider has to handle it to the same standard as if it stayed. Waboom AI's SOC 2 Type II audited foundation gets you there at the runtime layer, audited annually by an independent third party. For practices with stricter onshore needs (Te Whatu Ora, ACC, district health board contracts), NZ residency for the portal piece is available on request. The pillar covers the broader cross-border framework.
HIPC Rule 3 / 3A: source-of-data disclosure on every call (live 1 May 2026)
From 1 May 2026, when your health agency collects health information from somewhere other than the individual, you must tell the individual three things: that the information has been collected, what it relates to, and who else has it.
Waboom AI agents are configured to answer "how did you get my information?", "why are you calling?", and "who is this on behalf of?" live during the call, reading the source field from your PMS or CRM. Recall calls, appointment confirmations, and campaign work all run the updated script by default. Here's how the agent reads PMS or CRM source data mid-call.
Can a patient have their call recording deleted on request?
Yes, on request. Inside 10 minutes. If you want a patient's data deleted on request, a single portal action completes the wipe across every layer. Permanent. Audit-logged. That covers your obligations under both the Australian and New Zealand correction rules. Mechanics covered in full at the security pillar.

What's healthcare-specific about the deletion path
The captured fields your agent wrote into your practice management system are a separate question. Those live in your PMS, not in our platform. We can tell you exactly what crossed the boundary into Halaxy, Cliniko, or MedTech32, so you know what to remove on your side to close the loop.
Default 30-day retention for clinical recordings
Long enough to investigate a quality complaint. Short enough that you're not sitting on a six-month archive of voice data that becomes a breach liability. Your practice can shorten the window or extend it for ACC matters where statutory retention applies. For practices that want recordings gone the second the call ends, our zero-retention setup for non-negotiable privacy walks through how that's wired.
PII redaction across fourteen categories of patient data
Post-call, the transcript is scrubbed across fourteen categories: person names, email addresses, social security numbers, driver licences, bank account numbers, PIN codes, dates of birth, addresses, phone numbers, passport numbers, credit card numbers, passwords, medical IDs, and customer account numbers. The sensitive moment in the recording gets a placeholder beep. The transcript gets a placeholder token. Admin users can re-reveal originals for an audit. Standard users can't.

Real screenshot from the Waboom AI portal: Agent Settings > Compliance > Privacy. PII redaction is configurable per agent. Medical IDs are one of the fourteen default categories.
Want to see your practice's compliance walkthrough?
Book a 15-minute call. We'll show you what gets stored, where, for how long, and what your patients hear at the start of every call. Bring your compliance officer.
What does our agent say at the start of a patient call?
The agent identifies itself as an AI assistant, names your practice, and discloses that the call may be recorded for quality and clinical accuracy. One opening line covers your collection-notice obligation in both Australia and New Zealand. State-by-state jurisdictional detail sits in our call recording consent guide.
Why "this call may be recorded" is the safe floor for clinics
Some practices want softer phrasing. We can soften it. We can't drop it. Skipping the recording line for the sake of a warmer opener trades half a second of friction for a regulator letter you don't want.
How the disclosure scripting changes for sensitive triage
For sensitive triage (mental health, sexual health, family violence screening), the script tightens. Your caller is told that what they share will be passed to a clinician, named where possible. They can request a human at any point. The default is always to escalate, not to handle.
What about veterinary clinics?
The Health Information Privacy Code doesn't apply to vets because pets aren't people. The Privacy Act 2020 still does: owner records, payment information, and communications are personal information about your client. We handle vets the same way we handle GPs and dentists on the privacy side, just under a different statute. Our AI voice agents for veterinary clinics page covers the vet-specific build.

Why the Health Information Privacy Code doesn't apply to vets
The health code defines a health agency by reference to health services provided to individuals. Veterinary medicine is excluded. That removes the storage, cross-border, and outbound-collection rules from your vet clinic's stack. It does not remove the Privacy Act 2020.
But the Privacy Act 2020 still does
Owner names, addresses, phone numbers, payment details, communication history, recall reminders. All of that is personal information about your client under the Privacy Act 2020. The agent treats it the same way it treats medical patient contact data: disclosed, encrypted in transit and at rest, retention windowed, deletable on request.
ezyVet booking integration and what it means for compliance
We're in active scoping with ezyVet's partner team for a write-back integration. Once live, the agent will book appointments, take repeat script requests for animal medications, and run vaccination recalls straight into ezyVet. Compliance posture stays identical: owner consent on the opening line, encrypted in storage, deletable on request.

Integrations view in the Waboom AI portal: Tools & integrations. Connected PMS systems write back bookings, recalls, and repeat scripts. ezyVet sits in active partner scoping as at May 2026.
How fast can a focused medical voice agent go live?
Three tiers, fastest first. A focused inbound build goes live in hours. A standard build with one PMS integration runs in days. Multi-PMS or hospital-grade orchestration takes two to three weeks at the outside. Pick the tier that matches what you actually need.
Live in hours for a single inbound flow
One number, one inbound flow, one script, no PMS write-back. Same day. Useful for after-hours overflow, or a pilot to test caller reception before broader rollout.
Live in days for a standard build with one PMS integration
The common shape. Inbound, outbound recall, calendar integration with Halaxy, Cliniko, MedTech32, BestPractice, Genie, or OpenDental. Days, not weeks. The bottleneck is usually your PMS API credentials, not our side.
Two to three weeks max for multi-PMS or hospital-grade orchestration
Hospitals, day surgery groups, multi-clinic networks running two PMS systems and a separate billing platform. Two to three weeks at the outside, with a shared scope document and weekly check-ins. Beyond that, you're being oversold.