As a small business owner, you’re often balancing two competing priorities when an employee’s health becomes relevant at work:
- you need enough information to keep the workplace safe and manage attendance and performance fairly; and
- you must respect your employee’s privacy and handle sensitive information lawfully.
This is where getting proper consent to disclose medical information can be incredibly important. In simple terms, it’s the employee’s permission for a doctor (or other health professional) to share certain health-related information with you.
But the practical questions come fast: When can you ask? What exactly should the consent cover? What if the employee refuses? How do you store the information properly?
Below, we’ll walk you through a practical, employer-focused approach to requesting and using consent to disclose medical information in Australia - without collecting more than you need or creating unnecessary legal risk.
Consent to disclose medical information is usually a written authorisation from an employee allowing a nominated health professional or provider to disclose specific medical information to you (the employer) or your representative.
In most workplaces, this comes up when you need clarity about an employee’s:
- capacity to work (for example, whether they can perform inherent requirements of their role);
- fitness for work and any safety restrictions;
- likely timeframe for recovery and return-to-work planning; and
- reasonable adjustments (where appropriate).
Why this isn’t just “paperwork”
Health information is generally treated as sensitive information. If you collect it casually, store it poorly, or request more than you need, you can create issues across:
- privacy obligations (including under the Privacy Act in some cases, and in any event as a matter of reasonable workplace practice);
- employment law risks (including adverse action and unfair dismissal disputes);
- discrimination law (for example, disability discrimination); and
- work health and safety obligations, where you must manage risks so far as reasonably practicable.
A good rule of thumb: collect the minimum medical information you actually need to make a workplace decision, and only use it for that purpose.
A note on privacy law: “small business” vs “employee records”
Employers often hear that “small businesses are exempt” or that “employee records are exempt”, and assume privacy rules don’t apply. The reality is more nuanced:
- Small business exemption: some small businesses may be exempt from parts of the Privacy Act 1988 (Cth), but the exemption isn’t universal and can be affected by factors like how you handle personal information and the nature of your operations.
- Employee records exemption: even where an employer is otherwise covered by the Privacy Act, there is an exemption for certain acts and practices that are directly related to current or former employee records (and the employment relationship). However, this exemption has limits and won’t necessarily cover everything you do (for example, what you collect before employment, or disclosures that aren’t directly related to the employment relationship).
Even where an exemption may apply, handling medical information carefully is still best practice and can reduce legal, operational and reputational risk.
From a practical employer standpoint, strong consent has three key features:
- Informed: your employee understands what will be disclosed, why, and to whom.
- Specific: it’s not an open-ended permission slip for “any and all medical records”.
- Voluntary: the employee signs freely (not under improper pressure), even if you explain that you need information to manage their role safely and fairly.
If you’re documenting and managing employee information more generally, it can also help to align your approach with an Employee Privacy Handbook so your process is consistent across the business.
In most workplaces, you don’t automatically have a right to detailed medical information. However, there are common scenarios where it’s reasonable (and often necessary) to ask for medical information connected to the job.
Common situations where a request is usually reasonable
- Extended or frequent absences: where you need to understand capacity, likely return dates, and whether duties need adjustment.
- Safety-critical roles: where fitness for duty impacts the employee, co-workers, customers, or the public.
- Return to work after illness/injury: where you need confidence the employee can return safely, potentially with restrictions.
- Performance concerns linked to health: where the employee has raised a medical issue that may affect their ability to perform the role.
- Suspected risk in the workplace: where you need information to meet your WHS duties (without jumping to conclusions).
If the issue is specifically about returning after illness or injury, medical clearance often becomes the focus. The key is making the request proportionate. In many cases, you only need information about capacity and restrictions - not a diagnosis. This is explored in more detail in medical clearance requirements and best practice.
What you should usually ask for (capacity-based questions)
To reduce privacy risk, frame your request around the employee’s work capacity, not their private medical history. For example, you might ask the treating practitioner to confirm:
- whether the employee is fit to perform the inherent requirements of their role;
- any restrictions (lifting limits, reduced hours, no night shifts, etc.);
- whether adjustments or a graduated return is recommended; and
- expected review dates and likely timeframe for improvement.
In other words: focus on “what can they do at work?” rather than “what do they have?”
What about asking for the employee’s medical records?
This is where employers often run into trouble. Requests for “full medical records” are usually excessive unless there’s a very specific reason and it’s genuinely necessary.
It’s also important to understand that employees can push back on broad requests, and they may refuse access to records. If that happens, you’ll generally need to manage the employment issue based on the information you reasonably have available (and the operational impacts), rather than treating a refusal as misconduct by default. This issue is closely related to medical records access boundaries in an employment context.
If you need medical information, your best approach is to follow a clear, repeatable process. This keeps things fair, reduces conflict, and helps you demonstrate you acted reasonably if a dispute arises later.
Step 1: Clarify your purpose (and keep it narrow)
Before you ask for consent, be clear internally on:
- what workplace issue you’re trying to manage (safety, return-to-work, attendance, inherent requirements);
- what decisions you need to make (temporary adjustments, redeployment options, performance planning, or whether further information is needed); and
- what medical information is genuinely required to make that decision.
This is where a lot of businesses go wrong: they ask for too much, too early, and then create a privacy issue that didn’t need to exist.
Step 2: Explain the request to the employee in plain English
When you raise the issue with the employee, keep your language calm and practical. You can explain:
- why you’re asking for information;
- the type of information you need (capacity, restrictions, timeframes);
- who will receive it (for example, the business owner and/or manager);
- how it will be stored and used; and
- that they can choose to consent, and you’ll manage the situation based on available information if they don’t.
Often, just explaining the “why” reduces resistance, because employees can see you’re not trying to invade their privacy - you’re trying to run a safe, workable roster and meet your obligations.
Step 3: Use a written consent form that stays specific
In many cases, it’s sensible to use a written form that covers the essentials and stays specific. Depending on your situation, you might use a Medical Release Consent Form that you tailor to the role and the circumstances.
Practically, a good consent form should include:
- The employee’s details (name, DOB or identifier, role).
- The doctor/clinic details and contact information.
- Who can receive the information (named people, not “anyone at the company”).
- The scope of information (capacity, restrictions, likely return date, ability to perform inherent requirements).
- The purpose (for example, managing fitness for work and WHS obligations).
- Time limits (for example, valid for one report or for a defined period).
- Signature and date.
Step 4: Give the practitioner context about the role
If you want a meaningful response, don’t just ask “is the employee fit for work?” in a vacuum.
Give the practitioner a short summary of the role’s inherent requirements, such as:
- hours of work and shift patterns;
- physical requirements (standing, lifting, driving);
- cognitive requirements (high concentration, safety-critical tasks); and
- work environment factors (heat, noise, stressful peak periods).
This helps the doctor give you capacity-based guidance you can actually use.
Step 5: Keep the consent and response on the right file (and limit access)
Medical information should be stored separately (or at least clearly restricted) from general personnel files, with access limited to people who genuinely need it.
Even if your business may be exempt from parts of the Privacy Act (for example, due to the small business exemption or the employee records exemption), safe handling of sensitive information is still best practice - and it reduces risk if something goes wrong.
It’s also a good time to review whether your business needs a Privacy Policy, particularly if you collect and store personal information more broadly (for example through a website, CRM, marketing list, or online bookings).
Once you receive medical information, the next risk point is how you use it.
Employers can unintentionally create legal issues by:
- treating medical information as “proof” the employee can’t do the job permanently (when it may be temporary);
- making assumptions without clarifying restrictions or timeframes;
- sharing information too widely in the workplace; or
- moving straight to termination without considering adjustments.
Focus on the “inherent requirements” and reasonable adjustments
A practical (and safer) way to approach this is:
- Identify the inherent requirements of the role (the core duties that can’t be removed).
- Check whether the employee can do those requirements now, and if not, whether they may be able to after treatment/recovery.
- Consider whether reasonable adjustments can be made (for example, temporary modified duties, reduced hours, different equipment, alternative shifts).
This is exactly where getting your documentation right matters. Clear position descriptions, policies, and well-drafted employment documents help you show that you’ve managed the situation fairly and consistently. For example, an Employment Contract can support clearer expectations around attendance, evidence requirements for leave, and lawful and reasonable directions at work.
Be careful with “need to know” access
In a small business, it’s common for everyone to know everyone’s business. But with medical information, that can cause real problems.
As a starting point:
- only share medical information with those who need it to implement restrictions (for example, a direct manager coordinating modified duties);
- avoid disclosing diagnosis details to colleagues; and
- communicate restrictions in a practical way (for example, “Alex is on restricted duties and won’t be lifting items over 5kg”) rather than explaining medical reasons.
If an employee refuses to consent, you generally can’t force their doctor to provide information. However, that doesn’t mean you’re stuck.
Depending on the circumstances, you may be able to:
- request alternative evidence that still addresses work capacity (for example, a fitness-for-work certificate that answers specific capacity questions);
- ask the employee to attend an independent medical examination (IME) if it’s lawful and reasonable in the circumstances (including under an applicable award, enterprise agreement or contract, and where the request is proportionate to the issue); and/or
- make decisions based on the information you reasonably have (including operational and safety considerations), provided you act fairly and avoid assumptions.
In some situations, a refusal to provide reasonable evidence or cooperate with a lawful and reasonable direction can become a disciplinary issue. Whether that’s the case is highly fact-specific (for example, how narrowly you framed the request, whether safety is at stake, and what workplace instrument applies), so it’s worth getting advice before escalating.
Sometimes, you can’t safely have the employee working until you have clearer medical guidance (particularly in safety-sensitive environments). In those cases, you need to consider your options carefully and document your reasons.
It’s important not to assume you can automatically “stand down” an employee whenever you’re waiting on medical information. In Australia, stand down without pay is generally only available in limited circumstances (for example, where there is a stoppage of work for which the employer cannot reasonably be held responsible, and the employee cannot be usefully employed). In many medical-capacity scenarios, employers instead consider options like temporary alternative duties, agreed leave arrangements, or (where appropriate) directions to not attend the workplace on safety grounds while pay arrangements are clarified.
Depending on the circumstances, you may be considering temporary changes such as standing an employee down while you investigate safety risks or obtain capacity information. This should be handled cautiously and consistently - and it can help to understand the legal framework around standing down an employee.
Common Mistakes Employers Make With Consent (And How To Avoid Them)
Most small businesses aren’t trying to do the wrong thing - they’re trying to manage a difficult situation with limited time and resources. The mistakes below are common, and thankfully, also avoidable.
Mistake 1: Asking for “all medical records” as a default
This is often disproportionate to what you need. It can escalate conflict and make the employee feel you’re fishing for private details.
Better approach: ask for a capacity-focused report tied to the role’s inherent requirements.
Mistake 2: Collecting medical information without a clear purpose
If you can’t clearly explain why you need certain medical information, you probably shouldn’t be collecting it.
Better approach: decide the workplace decision you need to make first, then request only what supports that decision.
Mistake 3: Using “consent” that’s too broad or unclear
Overly broad consent forms are risky because they can look like the employee didn’t truly understand what they were agreeing to.
Better approach: limit the consent to defined information, for a defined purpose, over a defined timeframe.
Mistake 4: Treating refusal to consent as automatic misconduct
Employees may refuse for many reasons, including genuine privacy concerns. A refusal can create practical challenges, but it isn’t always misconduct.
Better approach: explain what you need and why, give them time to consider it, and if they still refuse, manage based on what you reasonably know (and the operational needs of the business). If you think the refusal may involve non-compliance with a lawful and reasonable direction, get advice before taking disciplinary steps.
Mistake 5: Poor storage and oversharing internally
Even if your team is small, loose handling of sensitive information can damage trust and create legal exposure.
Better approach: restrict access, store securely, and communicate only what’s necessary to implement work restrictions.
Mistake 6: Trying to “DIY” a high-risk situation without advice
Medical capacity issues often overlap with unfair dismissal risk, discrimination considerations, and WHS duties - and the right next step depends heavily on the facts.
If the situation is escalating (or you’re considering termination), it’s a good time to speak with an Employment Lawyer so you can map out a compliant process and reduce the chance of a costly dispute.
Key Takeaways
- Consent to disclose medical information is often the safest way to obtain medical capacity information from an employee’s treating practitioner, but it should be informed, specific, and voluntary.
- As an employer, you’ll usually be on stronger ground if you request capacity-based information (restrictions, timeframes, ability to perform inherent requirements) rather than diagnoses or full medical records.
- A clear process helps: explain your purpose, use a tailored consent form, provide role information to the practitioner, and securely store the response with limited internal access.
- Be careful how you use medical information - consider reasonable adjustments and avoid assumptions that could trigger employment or discrimination risks.
- Overly broad requests, poor storage, or treating refusal as misconduct can create avoidable legal and relationship problems.
- If the issue could lead to stand down, dismissal, or a formal dispute, getting advice early can save you time, cost, and stress.
Disclaimer: This article is general information only and does not constitute legal advice. Because employment, privacy and WHS obligations can vary depending on your circumstances (including any award, enterprise agreement or contract terms), you should get advice for your specific situation.
If you’d like help putting the right consent documents and workplace process in place (or you’re managing an employee medical capacity issue right now), contact Sprintlaw on 1800 730 617 or email team@sprintlaw.com.au for a free, no-obligations chat.