AI Compliance for Healthcare: TGA, AHPRA, and AI Obligations in Australia

By Isaac Patturajan  ·  AI Compliance AI Risk Management


A radiologist uses an AI algorithm to detect pulmonary nodules on chest CT scans. The algorithm, trained on 50,000 images, is faster than manual review and catches some lesions humans miss. But what regulatory framework applies? Who is responsible if the AI misses a cancer and the patient sues? And does the manufacturer need approval from the Australian regulator?

These questions are no longer theoretical. Australian healthcare providers are deploying AI systems at an accelerating pace, yet many are unaware of their obligations under the Therapeutic Goods Administration (TGA) and the Australian Health Practitioner Regulation Agency (AHPRA). The regulatory landscape is complex, and non-compliance can result in serious penalties—and patient harm.

TGA Classification of AI as a Medical Device

The TGA regulates medical devices under the Therapeutic Goods Act 1989 (Cth) and the Therapeutic Goods (Medical Devices) Regulations 2002. Its regulatory reforms for software-based medical devices, in force since February 2021, together with its published software as a medical device (SaMD) guidance, explicitly cover AI and algorithmic tools used in healthcare diagnosis, treatment, or monitoring.

The key question: does your AI system qualify as a medical device? Under the TGA framework, a medical device is any instrument, apparatus, implant, material, or other article intended by the manufacturer to be used on humans for diagnosis, treatment, prevention, or monitoring of disease. If your AI system is intended to assist in diagnosing a disease or monitoring a patient, it’s likely a medical device.

Critically, even if the AI is used solely as a decision-support tool (the radiologist always reviews the output), it may still be a medical device because it contributes to diagnosis. The manufacturer’s intended purpose determines classification, not the mode of operation. The TGA does exclude some clinical decision support software from regulation, but only where the software does not directly process or analyse a medical image or a signal from another medical device, only provides or supports a recommendation to a health professional, and is not intended to replace that professional’s clinical judgement. Image-analysis AI such as the nodule detector above fails the first of those conditions and is regulated.

Once your product is a medical device, the sponsor must have it included in the Australian Register of Therapeutic Goods (ARTG) before it is supplied in Australia. Inclusion requires conformity assessment evidence proportionate to the device class (a manufacturer’s self-declaration is accepted only for the lowest-risk Class I devices). The manufacturer must also maintain a quality management system, demonstrate compliance with the Essential Principles for safety and performance, report adverse events, and keep technical documentation demonstrating the device’s safety and performance.

Risk Classification and Approval Pathways

The TGA classifies medical devices as Class I (lowest risk), Class IIa, Class IIb or Class III (highest risk). There is no US-style 510(k) notification in Australia: every class must be included in the ARTG, and what changes with class is the conformity assessment evidence required. Class I devices can be self-declared by the manufacturer; Class IIa and above need conformity assessment evidence, typically a TGA conformity assessment certificate or comparable overseas evidence (for example an EU notified-body certificate or an MDSAP certificate); Class III devices receive the most intensive scrutiny of design documentation and clinical evidence.

Under the software classification rules, software intended to provide information used to diagnose or screen for disease is Class IIa at a minimum, rising to Class IIb or Class III as the potential consequences of an incorrect output become more severe (serious deterioration, or death or irreversible deterioration, respectively). Most diagnostic imaging AI (radiology, pathology, cardiology) therefore lands in Class IIa or IIb. Responsibility for classifying correctly sits with the manufacturer and sponsor; a classification opinion can cost AU$10,000–$30,000 and take 3–6 months to obtain. Once classified, manufacturers must maintain technical files documenting: the algorithm’s training data and performance metrics; clinical validation studies; risk analysis; and ongoing post-market surveillance.

For Class IIa and IIb devices, the manufacturer’s technical documentation (the technical file, including the Essential Principles checklist and clinical evidence report) is assessed by the TGA or an accepted overseas conformity assessment body. Clinical evidence is required for every class, not only Class III; for Class III it is examined in depth and may need to include prospective clinical investigations rather than literature review or retrospective data alone.

AHPRA Guidance on AI-Assisted Clinical Practice

While the TGA regulates the device, AHPRA and the National Boards regulate the health practitioner using it. AHPRA (which, with the Boards, registers doctors, nurses, allied health professionals, and other practitioners) published joint guidance in 2024, Meeting your professional obligations when using Artificial Intelligence in healthcare, on the use of AI tools in clinical practice.

The core principle: the registered practitioner remains responsible for all clinical decisions, regardless of whether AI assisted in the decision. If a doctor uses AI-generated diagnostic recommendations, the doctor must understand what the tool does and its known limitations, must validate the recommendation against their own clinical judgment, and must document their reasoning whether they accept or reject the AI’s output.

AHPRA expects practitioners to: understand the limitations of any AI tool they use; not rely blindly on AI outputs; maintain their own clinical expertise; and disclose to patients (where appropriate) that AI contributed to the decision. Failure to do so can result in disciplinary action by the relevant National Board or tribunal, including conditions on registration, suspension, or cancellation of registration.

Patient Data Obligations Under Privacy Act and State Health Laws

Any AI system used in healthcare must comply with the Privacy Act 1988 (Cth), which governs how private-sector healthcare organisations handle personal information (health service providers are covered regardless of turnover; public hospitals are instead covered by state and territory privacy legislation). The Australian Privacy Principles (APPs), particularly APP 1 (open and transparent management), APP 3 (collection), APP 6 (use and disclosure), APP 8 (cross-border disclosure, which is engaged whenever patient data is sent to an AI service hosted overseas) and APP 11 (security), apply directly to AI systems.

Key obligations: obtain consent (or confirm another basis permitted by APP 6) before using patient data to train or test AI models; implement security controls to protect patient data from unauthorised access; limit AI systems’ access to only the minimum necessary data; and, under the Notifiable Data Breaches scheme, notify the OAIC and affected patients where a breach is likely to result in serious harm. Many healthcare providers assume that “de-identification” of training data removes privacy obligations, but OAIC guidance on de-identification emphasises that re-identification risks remain significant, particularly with image data, and that de-identification is a risk-management process rather than a one-time state.

Additionally, several states and territories have their own health records legislation (e.g., Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), Health Records (Privacy and Access) Act 1997 (ACT)) with similar or more stringent privacy requirements. Some require explicit consent for any secondary use of health data, including AI training.

If your AI system processes genomic data, additional obligations arise under the National Health and Medical Research Council’s guidance on genetic research and data governance, which many state health departments have adopted.

Clinical AI Validation Requirements

Before deploying an AI system in clinical practice, healthcare providers and manufacturers must demonstrate that it works safely and accurately. The TGA expects validation evidence including: retrospective studies (testing the algorithm on historical data held out from training); external validation (testing on data from sites, scanners and patient populations not represented in training); prospective validation (testing on cases collected after the model was frozen); and ideally prospective clinical trials (randomised comparison with the current standard of care).

The gold standard for diagnostic AI is a prospective, multi-centre study comparing the AI’s diagnostic accuracy against a reference standard (e.g., pathology diagnosis). However, not all AI systems require this level of evidence—the evidence standard should be proportionate to the clinical risk.

Equally important is ongoing monitoring post-deployment. If an AI system’s performance drifts in real-world use (e.g., sensitivity falls below the validated threshold after a scanner upgrade or a change in case mix), the healthcare provider must detect this and respond. This requires: maintaining logs of AI inputs and outputs, together with the model version and threshold settings in force; recording ground truth (pathology, follow-up imaging, or consensus reads) against each case as it becomes available; and auditing performance metrics monthly or quarterly depending on the risk level, with a minimum sample size below which no conclusion is drawn.
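The monitoring loop described above, as an added example that is not part of the original article or any vendor’s tooling. It assumes a per-case log holding the AI’s binary output and, once it is recorded, the ground-truth label; the record fields, the validated thresholds (92% sensitivity, 85% specificity), the 90-day window, the 30-case minimum and the sample log are all constructed for illustration. The check distinguishes a point estimate that merely sits below the validated figure (“review”) from one whose upper confidence bound is also below it (“breach”), and refuses to conclude anything when too few labelled cases are available.

```python
"""Post-deployment performance monitoring for a binary diagnostic AI.

Added example, not from the article or from any vendor. Field names,
thresholds and the sample log are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import sqrt
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CaseRecord:
    case_id: str
    scanned_at: datetime
    ai_positive: bool               # AI flagged a finding on this case
    truth_positive: Optional[bool]  # None until ground truth is recorded


@dataclass(frozen=True)
class WindowMetrics:
    n_labelled: int
    tp: int
    fp: int
    tn: int
    fn: int

    @property
    def sensitivity(self) -> Optional[float]:
        pos = self.tp + self.fn
        return self.tp / pos if pos else None

    @property
    def specificity(self) -> Optional[float]:
        neg = self.tn + self.fp
        return self.tn / neg if neg else None


def wilson_interval(successes: int, n: int, z: float = 1.645) -> Optional[Tuple[float, float]]:
    """Wilson score interval for a proportion; z=1.645 gives one-sided 95% bounds."""
    if n == 0:
        return None
    p = successes / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / denom, (centre + margin) / denom


def evaluate_window(records: Iterable[CaseRecord], window_end: datetime,
                    window_days: int = 90) -> WindowMetrics:
    """Confusion counts over in-window cases that already have ground truth."""
    start = window_end - timedelta(days=window_days)
    tp = fp = tn = fn = 0
    for r in records:
        if r.truth_positive is None or not (start <= r.scanned_at <= window_end):
            continue  # pathology pending, or outside the audit window
        if r.ai_positive and r.truth_positive:
            tp += 1
        elif r.ai_positive:
            fp += 1
        elif r.truth_positive:
            fn += 1
        else:
            tn += 1
    return WindowMetrics(tp + fp + tn + fn, tp, fp, tn, fn)


def check_drift(m: WindowMetrics, validated_sensitivity: float,
                validated_specificity: float, min_labelled: int = 30) -> List[str]:
    """'review' = point estimate below validated value; 'breach' = even the
    upper confidence bound is below it; 'insufficient_data' = do not conclude."""
    if m.n_labelled < min_labelled:
        return [f"insufficient_data: {m.n_labelled} labelled cases (< {min_labelled})"]
    alerts = []
    for name, k, n, target in (
        ("sensitivity", m.tp, m.tp + m.fn, validated_sensitivity),
        ("specificity", m.tn, m.tn + m.fp, validated_specificity),
    ):
        bounds = wilson_interval(k, n)
        if bounds is None:
            alerts.append(f"insufficient_data: no {name} cases in window")
            continue
        point = k / n
        if bounds[1] < target:
            alerts.append(f"breach: {name} {point:.3f} (upper bound {bounds[1]:.3f}) < validated {target:.3f}")
        elif point < target:
            alerts.append(f"review: {name} {point:.3f} < validated {target:.3f}")
    return alerts


def constructed_log() -> List[CaseRecord]:
    """Constructed sample: 20 true positives (AI catches 16), 20 true negatives
    (AI false-flags 2), one case awaiting pathology, one stale out-of-window case."""
    t0 = datetime(2025, 1, 1)
    recs = [CaseRecord(f"P{i}", t0 + timedelta(days=i), i < 16, True) for i in range(20)]
    recs += [CaseRecord(f"N{i}", t0 + timedelta(days=i), i < 2, False) for i in range(20)]
    recs.append(CaseRecord("U0", t0 + timedelta(days=5), True, None))
    recs.append(CaseRecord("S0", t0 - timedelta(days=200), True, True))
    return recs


def run_audit(window_end: datetime = datetime(2025, 3, 1)) -> Tuple[WindowMetrics, List[str]]:
    m = evaluate_window(constructed_log(), window_end)
    return m, check_drift(m, validated_sensitivity=0.92, validated_specificity=0.85)


if __name__ == "__main__":
    metrics, alerts = run_audit()
    print(metrics)
    print(*alerts, sep="\n")
```

On the constructed log the sensitivity is 0.80 and its upper 95% bound is about 0.91, so the check reports a breach of the validated 0.92 while specificity (0.90) passes. A metric is only a breach when the whole interval sits below the validated figure; with few cases the interval is wide and the result is a review flag rather than a finding, which is the behaviour you want from a quarterly audit.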

Liability for AI Clinical Errors

Under Australian common law, a healthcare provider owes patients a duty of care. If a patient is harmed because a clinician negligently relied on AI output (without proper validation, or despite red flags), the patient can sue the clinician and the provider. The provider is also vicariously liable for the negligence of employed staff who deployed or relied on the AI in the course of their work.

Can a patient sue the AI vendor? Rarely directly; the patient has no contract with the vendor, and the provider’s recourse against the vendor depends on the contract terms. Most AI vendors include broad liability exclusions and disclaimers, stating they provide the algorithm “as is” without warranty. The Australian Consumer Law (ACL) consumer guarantees of acceptable quality and fitness for purpose cannot be excluded by contract, but they apply only where the software is acquired as a “consumer” (currently goods or services costing AU$100,000 or less, or of a kind ordinarily acquired for personal or domestic use), so many enterprise procurements fall outside them. Negotiate performance warranties, support obligations and indemnities explicitly in the contract rather than relying on implied terms.

This creates a significant liability gap: the healthcare provider bears ultimate liability for patient harm, even if the AI system was flawed. Your professional indemnity and clinical liability insurance must explicitly cover AI-related claims. Many providers don’t realise their existing policies have carve-outs for technology-related losses.

Consider also the regulatory response. If patient harm occurs and a TGA or AHPRA investigation reveals inadequate governance (e.g., no validation, no performance monitoring, clinicians not trained in AI limitations), the TGA can suspend or cancel the device’s ARTG entry and refer cases for prosecution under the Therapeutic Goods Act, and the National Boards can impose conditions on practitioner registration.

What Healthcare Providers Must Have in Place

To operate AI systems lawfully in Australian healthcare, implement: a documented AI governance framework (approved by your clinical and risk committees); a registry of all AI systems in use, with classification status, TGA decision details, and validation records; clinical protocols describing when and how each AI system is used and how clinicians should validate outputs; staff training on each AI system and its limitations; patient communication and consent processes (where appropriate); an adverse event reporting process (to TGA, AHPRA, and internal risk); and a privacy and data security framework compliant with the Privacy Act and state health laws.

For organisations deploying high-risk clinical AI, consider engaging external consultants to conduct a TGA classification opinion and clinical validation plan before deployment. The upfront investment protects your organisation from regulatory surprises later.

FAQ

Q1: Does every clinical AI system need TGA approval?
A: Not necessarily. Every medical device must be included in the ARTG, but the lowest-risk Class I devices are self-declared by the manufacturer rather than assessed by the TGA. The onus of classifying correctly sits with the manufacturer and sponsor, and if you build or substantially modify an AI tool in-house you become its manufacturer. If you supply or deploy an AI system that should have been included in the ARTG and was not, you face enforcement action and substantial civil and criminal penalties under the Therapeutic Goods Act. Always seek clarification early.

Q2: Can we use a general-purpose AI model (e.g., ChatGPT) in clinical decision-making?
A: Not without extensive validation and governance. General-purpose models are trained on broad web text rather than curated clinical data, typically disclose little about their training data or failure modes, and usually run on an overseas cloud service, so entering patient information into them also engages APP 8 and patient confidentiality obligations. AHPRA guidance explicitly cautions against using such tools for high-stakes clinical decisions. If you want to use a general-purpose model, you must conduct validation studies demonstrating its safety and accuracy in your specific clinical context, a process that can take months and significant budget.

Q3: What should we document for AHPRA audits?
A: AHPRA audits focus on practitioner conduct and governance. Maintain: records of training sessions for staff using the AI; clinical protocols describing how the AI is used; a sample of patient files showing clinician validation of AI outputs; adverse event logs; and communications with the TGA or other regulators. Be prepared to explain your governance process for approving new AI tools and monitoring their performance.

Next Steps

If your healthcare organisation is using or planning to deploy clinical AI, obtain a TGA classification opinion immediately. The classification determines your regulatory obligations and approval timeline. Engage clinical governance and risk leadership; don’t treat AI deployment as a purely technical project. Ensure patient data governance is documented and Privacy Act-compliant. Brief your professional indemnity insurer on all AI systems in use, and confirm coverage includes AI-related clinical errors. Healthcare AI is advancing rapidly, but regulatory clarity is lagging—proactive governance minimises your organisation’s exposure.

Need expert guidance on AI compliance for healthcare? Contact Anitech to develop a regulatory roadmap for your AI systems.
