Hiring a VA for your medical practice: the legal checklist you can’t ignore

You’re drowning in admin work. Your phone never stops ringing. The practitioners in your medical practice are buried in paperwork or emails instead of seeing patients.

A virtual assistant (VA) could be your lifeline. But hire the wrong way, and you are looking at privacy breaches, ATO audits and serious liabilities.

The reality is that the stakes are higher in medical practices than in almost any other business. Your VA will handle patient health information, access your practice management system, and become part of your operational backbone.

If you get the employment status wrong, skip privacy safeguards, or miss insurance requirements, your medical practice is exposed.

This article walks you through exactly what you need to know when hiring help, including:

  • the legal boundaries for VA work;

  • the contractor vs employee trap;

  • privacy obligations; and

  • practical steps to protect your practice.

1. What your VA can (and absolutely can’t) do in a medical practice

There’s definitely a place for VA support in medical practices. The right VA handles the admin avalanche, which could be non-clinical phone triage, appointment booking, reminders, inbox management, referrer liaison, transcription, document formatting, entering demographics, Medicare/DVA/private billing support, claim reconciliation, debt follow-up, data entry, and reporting.

But here’s where practices get into trouble

Your VA can’t, under any circumstances, cross into clinical territory. That means no interpreting pathology or radiology results, no changing clinical notes, no authorising prescriptions, and no giving patients clinical advice.

Here’s what crossing the line looks like in practice

A VA who tells a patient, “your results look fine,” or reschedules appointments based on clinical urgency without practitioner input is crossing the line. These aren’t admin tasks; they are clinical judgements, and if something goes wrong, your medical practice is liable.

These boundaries are a legal necessity and must be made crystal clear in your role descriptions, standard operating procedures, and contract with your VA.

2. The employee v contractor trap

Call them a contractor when they’re really an employee? The ATO will come knocking with superannuation back payments, penalties and potential payroll tax liabilities. This one mistake has cost businesses buckets of money.

The line between employees and contractors has fundamentally changed. In 2022, the High Court of Australia handed down a judgment, ZG Operations Australia Pty Ltd v Jamsek, that changed everything. This decision shows that what matters most is the contract and not superficial indicators like uniforms or tools.

Even if your medical practice and the VA both agree to call the VA a “contractor,” the law looks at what your contract actually says and what happens in practice. If the contract and what happens in practice show they’re really an employee, that’s what counts.

The one question that matters

The High Court's approach comes down to this question: "Is this worker serving in my business?"

To answer this, your medical practice needs to honestly assess:

  • does this person work as part of my business and represent my brand?

    OR

  • is this person running their own business and just providing services to mine?

How to tell the difference

Here are the key indicators. Remember, these are clues, not hard rules. The real answer lies in your contract and what the VA does day to day.

What to look for: Employee v Contractor

  • Who’s in control
    Employee: Your medical practice decides how, where, and when work gets done.
    Contractor: The VA chooses how, where, and when to work.

  • Part of the business
    Employee: Works as your representative within your business.
    Contractor: Provides services to your business from their own business, for example a transcription services business that offers services to multiple medical practices.

  • How they get paid
    Employee: Paid for time, per item, or commission.
    Contractor: Paid for results, usually a fixed fee.

  • Who does the work
    Employee: The VA must personally do the work (for example, answer the phone) and can’t outsource or delegate it.
    Contractor: Can hire others to help or do the work.

  • Tools and equipment
    Employee: Your medical practice provides tools or equipment or reimburses the VA for expenses.
    Contractor: They bring their own tools, noting "tools" can mean things like laptops, subscriptions to a software platform, etc.

  • Who takes the risk
    Employee: Your medical practice is responsible if things go wrong.
    Contractor: They’re responsible for problems and must fix mistakes.

  • Who benefits
    Employee: Your business gets the benefit of their work.
    Contractor: Their business benefits from the relationship.

3. Privacy obligations

As a private healthcare service provider, you are covered by a web of privacy legislation, including:

  1. The Privacy Act 1988 (Cth);

  2. the Australian Privacy Principles (APPs);

  3. the Healthcare Identifiers Act 2010 (Cth);

  4. My Health Records Act 2012 (Cth);

  5. the Healthcare Identifiers Regulations 2020 (Cth); and

  6. various state and territory legislation.

Some of these laws have undergone recent reforms that tighten obligations even further. Read about it here: Privacy law changes for medical practices in Australia

What this means in practice

You are responsible for how your VA uses private, confidential and medical information. If your VA breaches the APPs, whether they are in Melbourne or Manila, your medical practice can be held accountable under privacy laws.

If your VA is offshore or uses offshore tools or platforms, your practice must take reasonable steps to ensure the overseas recipient will handle personal information in line with the APPs.

When things go wrong

If a VA’s error or a platform incident leads to a data breach likely to cause serious harm, your medical practice must notify:

  • affected individuals;

  • The Australian Digital Health Agency (ADHA); and

  • The Office of the Australian Information Commissioner (OAIC).

Notification must happen as soon as practicable and include recommended protective steps for patients.

4. Onshore VA v Offshore: making the call

There is no right or wrong answer to whether an offshore VA or a local onshore VA is best. Both options can work, but your medical practice needs to decide having regard to the trade-offs of each alternative.

Offshore support can have cost advantages and gives you access to a greater talent pool. However, it introduces extra privacy steps, additional administration with employers of record or VA agencies, and time-zone issues. Offshore VAs may also need to be paid in accordance with the relevant Australian award, depending on their engagement.

Onshore support from a local VA can simplify privacy compliance and offers closer cultural alignment with patients. The trade-off is a higher cost base and a smaller talent pool to choose from.

The decision comes down to your practice’s risk appetite, budget and operational needs.

5. Insurance, platforms and practicalities

You should never engage an independent VA without verifying their insurance coverage. Always request evidence of both professional indemnity insurance and cyber liability cover.

If the VA is genuinely a contractor running their own business, they should have these. If they don’t, that’s either a red flag about their professional set-up or a sign they might actually be an employee.

Platform and access security

Your practice management system, patient records and confidential data need protection. At a minimum you should have:

  • multi-factor authentication enabled on all practice tools and devices;

  • role-based access controls so VAs only see what they need to access;

  • audit trails of who accessed what and when;

  • secure password protocols; and

  • no shared accounts.
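The controls above are only useful if someone actually reads the audit trail. As an added illustration (not code from the original article or from any practice management system vendor), the script below reviews a small constructed audit export for three of the listed requirements: role-based access (a VA account performing a clinical action it is not permitted to do), the "no shared accounts" rule (one login active from two different networks within minutes of each other, the usual symptom of a shared password), and a summary of who accessed which patient record. The log format, the account names, the role matrix and the 30-minute window are all assumptions for the example; substitute your own system's export format and your practice's role definitions.

```python
"""Review a practice-management-system audit trail against the access
controls in the checklist: role-based access, audit trail, no shared accounts.
Added example; the CSV layout, roles and sample lines are constructed and
do not correspond to any real PMS product's export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, user, role, action, record, source_ip
SAMPLE_LOG = """\
2024-05-06T08:55:10,va_jane,va_admin,book_appointment,PT1001,203.0.113.10
2024-05-06T09:02:44,va_jane,va_admin,update_demographics,PT1001,203.0.113.10
2024-05-06T09:05:31,va_jane,va_admin,view_results,PT1002,203.0.113.10
2024-05-06T09:06:02,va_jane,va_admin,book_appointment,PT1003,198.51.100.7
2024-05-06T09:20:15,dr_lee,practitioner,view_results,PT1002,192.0.2.5
2024-05-06T09:21:00,va_jane,va_admin,medicare_claim,PT1001,203.0.113.10
2024-05-06T23:40:00,va_jane,va_admin,export_records,PT1004,203.0.113.10
"""

# Assumed role matrix: the actions each role is allowed to perform. The VA role
# is deliberately limited to the admin tasks described in section 1.
ROLE_PERMISSIONS = {
    "va_admin": {"book_appointment", "update_demographics", "medicare_claim", "send_reminder"},
    "practitioner": {"view_results", "edit_clinical_note", "prescribe", "book_appointment"},
}


def parse_log(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, record, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "record": record, "ip": ip,
        })
    return events


def out_of_role_events(events):
    """Events where the action is not permitted for the account's role."""
    return [e for e in events if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set())]


def shared_account_suspects(events, window=timedelta(minutes=30)):
    """Accounts used from more than one source IP within `window`.

    One person rarely changes network that quickly; two consecutive events
    from different addresses a few minutes apart usually means the login
    is being shared. Returns {user: set of IPs involved}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["time"] - prev["time"] <= window:
                suspects.setdefault(user, set()).update({prev["ip"], cur["ip"]})
    return suspects


def access_summary(events):
    """Who accessed which patient record, and how many times."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["user"]][e["record"]] += 1
    return {user: dict(records) for user, records in summary.items()}


def review(text):
    """Run all three checks over an audit export and return the findings."""
    events = parse_log(text)
    return {
        "out_of_role": [(e["user"], e["action"], e["record"]) for e in out_of_role_events(events)],
        "shared_account_suspects": shared_account_suspects(events),
        "access_summary": access_summary(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2, default=sorted))
```

On the constructed sample this flags two out-of-role actions by the VA account (viewing results and a bulk export) and marks va_jane as a likely shared login because of the activity from a second address within a minute. Running a review like this weekly, and keeping the output, is also the simplest way to exercise the audit right in your VA Service Agreement.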

Bring your own device (BYOD) considerations

If your VA uses their own device, security measures must include:

  • current anti-virus and anti-malware protection;

  • VPN usage for all remote access;

  • encryption of stored data;

  • prohibition on downloading sensitive health information and other confidential material to local hard drives;

  • regular security updates and patches; and

  • remote wipe capabilities if a device is lost or compromised.

Your contract with your VA, sometimes known as a VA Service Agreement, should specify these security requirements and give you the right to audit compliance.

Getting your VA engagement right

Hiring a VA can transform your medical practice – freeing up time, reducing admin burden and letting you focus on patient care. But getting the legal framework wrong isn’t just inconvenient, it’s expensive, risky and can expose your medical practice to significant liability.

Need Expert Advice?

Our team has extensive experience in legal advice for medical practices, including ensuring your engagement of a team member is done correctly. To discuss your needs, contact our team here, and we will put you in touch with the best professional for your needs.

BONUS – Download the VA Onboarding checklist.

Sarah Bartholomeusz