As a small business owner, you might sometimes need medical information to manage a workplace issue properly - for example, to verify an employee’s fitness for duty, to assess a request for workplace adjustments, or to understand when someone can safely return to work.
But medical information is sensitive information. If you ask for too much, handle it poorly, or don’t have clear consent, you can create major trust issues with your team (and potentially legal risk).
That’s where a consent to release medical information form comes in. A well-drafted consent form helps you request only what you need, get clear permission to receive it, and set boundaries around how it will be used.
In this guide, we’ll walk through what a consent to release medical information form template in Australia should include from an employer’s perspective, when you should use one, and practical tips to keep your process compliant and respectful. This article is general information only and isn’t legal advice - because what you can request and how you should handle it can depend on the circumstances (including your industry, the role, the medical issue, and your State or Territory).
A consent to release medical information form is a written document where a person (usually an employee) authorises a health practitioner (like a GP, specialist, psychologist, physiotherapist or other treating professional) to provide certain medical information to you, as their employer.
In a workplace context, the goal usually isn’t to get “everything” about someone’s medical history. It’s to obtain specific, work-related information to help you make reasonable, lawful decisions - typically focused on capacity, restrictions and safe duties.
- Return to work clearance: where an employee has been injured or unwell and you need information about restrictions and safe duties (this often links with a request for medical clearance).
- Long or repeated absences: to understand capacity and likely timeframe for returning (without asking for unnecessary clinical details).
- Fitness for duty concerns: where there are reasonable grounds to believe the employee may not be able to safely perform inherent requirements of the role.
- Workplace adjustments: to understand restrictions, reasonable accommodations, and capacity limitations.
- Managing injury and workers’ comp processes: where relevant (note: workers’ compensation and return-to-work obligations are largely regulated at a State/Territory level and often involve specific processes, certificates and insurer requirements).
It can be tempting to treat the consent form as a “blank cheque” to obtain medical files. In practice, that’s one of the quickest ways to escalate conflict and create privacy risk. Your best approach is targeted, role-specific, and proportionate - and aligned to the exact work-related decision you need to make.
Medical information is generally considered sensitive information. Even if you’re not a large employer, the way you collect, use and store this information matters.
A consent form helps, but it doesn’t replace the need for good workplace processes and clear boundaries.
1) Privacy And Confidentiality Issues
If you collect personal information, you need to think about privacy obligations (including who has access to the information, where it’s stored, and why you have it in the first place). A clear Privacy Policy is often part of the picture for businesses that collect and store personal data.
In Australia, the federal Privacy Act 1988 (Cth) can apply differently depending on your business and the type of information involved. For example:
- Many small businesses are covered by a “small business exemption”, but there are important exceptions (including for some health service providers and in certain circumstances where you handle sensitive information).
- There is also an “employee records exemption” that can apply to certain handling of employee records by private sector employers, but it’s not a blanket permission to collect whatever you want. It has limits and doesn’t necessarily cover things like contractors, prospective employees, or disclosures outside what’s directly related to the employment relationship.
Even where privacy legislation doesn’t apply (or doesn’t apply in the same way), confidentiality expectations still exist in workplaces. Mishandling medical details can damage trust and lead to disputes.
2) Over-Collection (Asking For More Than You Need)
One of the most common mistakes is requesting broad information such as:
- full medical history
- diagnosis details not relevant to work capacity
- all treating practitioners’ notes
- information unrelated to the inherent requirements of the job
In most cases, what you actually need is practical information like restrictions, capacity, treatment timelines (at a high level), and fitness for specific tasks.
3) Employment Law And Discrimination Risk
Medical information can intersect with protected attributes (like disability). If decisions are made based on medical information without following a fair process - or without considering reasonable adjustments - you may increase the risk of an adverse action or discrimination issue.
This is why the consent form should be paired with a sensible process: why you’re requesting the information, what decision you’re trying to make, and ensuring procedural fairness.
4) “Consent” That Isn’t Actually Valid
Consent should be informed and voluntary. In an employment relationship, there’s an imbalance of power, so you should be especially careful that the employee understands:
- what will be released
- who will receive it
- what it will be used for
- how long consent lasts
- that they can refuse or limit the consent (noting this may affect your ability to assess capacity and manage workplace health and safety obligations)
Having the employee sign a clear, specific form is a practical way to demonstrate you handled consent properly.
If you’re looking for a consent to release medical information form template for Australia that businesses can rely on, it should be detailed enough to be meaningful, but not so broad that it becomes risky or unreasonable.
Below are the clauses and fields most employers should consider including.
1) Employee Details (The Person Giving Consent)
- Full legal name
- Date of birth
- Address
- Phone/email
- Role/title in the business (optional but useful)
This avoids confusion and ensures the health practitioner is releasing information for the correct person.
2) Employer/Business Details (The Recipient)
- Legal entity name of the employer (company name or sole trader name)
- ABN/ACN (optional but often helpful)
- Business address
- Nominated contact person (e.g. HR manager, director, operations manager)
- Contact details for that person
Tip: try to nominate a role-based recipient (like “HR Manager”) rather than a random manager, so it’s clear who is responsible for receiving and managing the information.
3) Health Practitioner/Provider Details (The Discloser)
- Name of doctor/health practitioner (or practice name)
- Practice address
- Phone/email/fax (if applicable)
If you don’t know the exact practitioner yet, you can draft the form to authorise a defined category (e.g. “my treating GP at ”). However, the more specific you can be, the cleaner the consent.
This is the heart of the form. It should limit the release to information relevant to work capacity and the purpose you’ve identified.
Depending on the situation, you may request information such as:
- capacity to perform the inherent requirements of the role
- current work restrictions and recommended adjustments
- safe hours/duties limitations
- anticipated timeframe for improvement/recovery (if known)
- recommendations for a graded return to work
- whether further review is recommended
In many cases, you don’t need detailed diagnosis notes or unrelated treatment history. If you do request diagnosis information, you should be able to explain why it’s necessary for a work-related decision (and why capacity/restrictions alone aren’t enough).
5) The Purpose Of The Disclosure (Why You’re Asking)
Your template should include a simple, plain-English statement that explains the purpose. For example:
- to assess the employee’s fitness to perform their role
- to assess safe duties and reasonable workplace adjustments
- to support return-to-work planning
- to manage a workplace health and safety risk
This keeps the request grounded and helps the employee make an informed decision.
6) A Specific Timeframe (How Long The Consent Lasts)
A good consent form should have a start date and end date (or clear expiry event). For example:
- valid for a single disclosure only
- valid for 3 months for the purposes of return-to-work planning
- expires on a particular date
Open-ended consents can be risky and may feel intrusive to employees.
7) Method Of Disclosure
You can include a section authorising the health practitioner to provide information via:
- written report/email
- telephone discussion with the nominated contact person
- completion of an attached capacity/fitness-for-work questionnaire
From a recordkeeping perspective, written reports are usually easier to file and control access to.
8) Consent For You To Ask Questions (If Needed)
Sometimes you’ll want the ability to provide position details or ask the practitioner questions about restrictions.
Consider including wording that allows you to provide the practitioner with relevant role information (like a position description), and to ask clarifying questions that relate to work capacity.
Just be careful not to turn this into permission for unlimited back-and-forth about private medical details.
9) Storage, Access And Confidentiality Statement
Employees often worry: “Who is going to see this?” Your template can reduce anxiety by stating:
- the information will be kept confidential
- access will be restricted to authorised personnel
- it will be stored securely
- it will be used only for the stated purpose
This can also tie in with your broader workplace documentation, like an Staff Handbook or internal HR policies (where appropriate).
10) Employee Acknowledgements
Your form should include clear acknowledgements, such as:
- the employee understands what information will be released
- the employee understands the purpose
- the employee can withdraw consent (and how)
- the employee had the opportunity to ask questions
This helps show the consent was informed.
11) Signature, Date, And Witness (Optional)
- employee signature
- date signed
- employer representative signature (optional but common)
- witness signature (optional; may be useful for higher-risk situations)
Whether you need a witness depends on your risk profile and workplace practices. Often it’s not strictly required, but it can be a useful extra safeguard.
Even a well-drafted template can cause problems if the process around it is unclear.
Here’s a practical way to approach it in a small business (without overcomplicating things).
Step 1: Clarify What Decision You’re Trying To Make
Before you request medical information, be clear internally about why you need it. Are you assessing:
- fitness to return to work?
- temporary adjustments?
- ongoing capacity concerns?
- workplace safety risks?
This will shape what you ask for - and what you shouldn’t ask for.
Step 2: Keep The Request Proportionate
If you only need a “yes/no + restrictions” style clearance, don’t ask for detailed reports.
Where possible, use a narrow request and only expand it if the situation genuinely requires more detail.
Step 3: Explain The Process To The Employee
Take a few minutes to explain:
- why you’re requesting the information
- who will receive it
- how you’ll store it
- what will happen next
This can significantly reduce conflict and improve cooperation, especially where there’s already stress in the workplace.
Step 4: Pair It With The Right Employment Documents
Medical information issues often arise alongside broader employment management issues (leave, performance concerns, roster changes, safe work procedures).
Having an up-to-date Employment Contract and clear policies can help set expectations early - including how medical information requests are handled and what evidence may be required when someone can’t work.
Step 5: Restrict Access Internally
As a rule of thumb, only people who genuinely need to know should access medical information.
For many small businesses, that might mean:
- one director/owner
- one HR manager (if you have one)
- the employee’s direct manager only receiving “work capacity” information, not clinical details
It’s often sensible to keep medical reports separate from general personnel files, and clearly mark them as confidential.
A consent to release medical information form is usually just one part of a bigger legal and HR framework.
Depending on your workplace and the type of information you’re requesting, you may also want to consider:
- Medical release/authority documentation: a tailored Medical Release Consent Form can be useful where you need a more formal process and clearer scope.
- Privacy collection and handling measures: if you’re collecting sensitive information, your internal processes and your Privacy Policy should align with how you actually handle that information.
- Workplace policies: a Workplace Policy (or suite of policies) can set expectations for leave evidence, fitness for work, and confidentiality.
- Managing absence and return-to-work communications: clear processes reduce the risk of misunderstanding, particularly where the employee is on extended leave or there are capacity concerns.
Not every business needs every document. The key is ensuring that whatever you do use is consistent, up to date, and actually matches your workplace practices.
Key Takeaways
- A consent to release medical information form helps your business receive necessary medical information in a clear, respectful way, especially when managing fitness for work, return-to-work planning, or workplace adjustments.
- A strong consent to release medical information form template in Australia should clearly identify the employee, the health practitioner, the employer recipient, the purpose of the request, and the exact scope of information being released.
- Employers should avoid overly broad requests and focus on work capacity information (restrictions, inherent requirements, safe duties), rather than full medical history.
- Include time limits, confidentiality/storage statements, and clear employee acknowledgements to help ensure consent is informed and properly documented.
- Good processes matter as much as the template - explain why you’re requesting information, restrict internal access, and make sure your employment documents and policies support your approach.
If you’d like help preparing a consent to release medical information form (or setting up your employment documents and privacy compliance), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
