Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
At some point, most employers will need information about an employee’s fitness for work. Whether it’s managing a prolonged absence, planning reasonable adjustments, or addressing a safety risk, you may need medical details to make lawful, informed decisions.
This is where an “authority to release medical information” comes in. With the right consent and process, you can lawfully access specific health information that helps you meet your workplace obligations without breaching privacy or overstepping legal boundaries.
In this guide, we’ll step you through when you can seek medical information, what you can ask for, how to obtain a valid authority, and how to handle that information under Australian privacy law.
What Is An Authority To Release Medical Information?
An authority to release medical information is a written consent from an employee (or job applicant) that permits a health provider or third party to disclose specified health information to your business for a defined purpose.
In Australia, health information is “sensitive information” under the Privacy Act 1988 (Cth). That means you generally need the individual’s consent to collect it, and you must handle it with extra care. A clear, voluntary consent form is therefore the safest way to obtain the information you need.
Practically, an authority is usually a short document signed by the employee that identifies:
- Who can disclose the information (e.g. their GP or specialist).
- Who can receive it (your business and/or your nominated health adviser).
- Exactly what information may be disclosed (e.g. diagnosis, capacity for work, restrictions, prognosis).
- The purpose of disclosure (e.g. assessing fitness for duties, reasonable adjustments, return-to-work planning).
- How long the consent lasts and how it can be withdrawn.
If you need a ready-to-use, lawyer-drafted template, consider a tailored Medical Release Consent Form.
When Can Employers Request Medical Information?
You can request medical information when it’s reasonably necessary for a lawful workplace purpose - typically to manage safety, attendance, performance, or to meet your legal obligations (e.g. work health and safety and anti‑discrimination law).
Common scenarios include:
- Prolonged or repeated absences and you need to understand capacity for work.
- Planning a safe return-to-work after injury or illness.
- Assessing whether reasonable adjustments are available for a disability.
- Safety-critical roles where there is a genuine risk to the employee or others.
- Considering whether an independent medical examination (IME) is justified in limited circumstances.
For many employers, a good first step is requesting medical evidence that speaks to capacity and restrictions. For the boundaries on this, see when employers can legally ask employees for medical certificates.
Sometimes, you may need more detailed information to assess fitness for duties. In those situations, it can be appropriate to ask the employee to sign an authority and, in some cases, to attend a medical assessment. Our guide on when employers can request medical clearance to return to work explains what’s reasonable and how to approach it.
What Can You Ask For - And What’s Off Limits?
Even with an authority, you must stick to what’s reasonably necessary for your purpose. Aim for the minimum information that allows you to make a decision. Overly broad or intrusive requests raise risk and can damage trust.
Reasonable Requests (Usually Appropriate)
- Capacity for work: fit, partially fit (with restrictions), or unfit.
- Specific restrictions: hours, lifting limits, driving limits, shift work, exposure to hazards.
- Functional abilities relevant to the role’s inherent requirements.
- Timeframes: expected duration of restrictions or absence, prognosis.
- Recommended reasonable adjustments or graduated return plans.
Requests To Avoid (High Risk Or Unnecessary)
- Full clinical history unrelated to the job’s inherent requirements.
- Irrelevant diagnoses, test results, or past conditions that don’t affect the role.
- Open-ended authority to obtain “all medical information” from “any provider” indefinitely.
- Information about family members or genetic information that isn’t necessary.
Keep in mind that employees retain rights over their medical privacy. For context on limits and employee rights, read about refusing employer access to medical records and consider how a transparent, proportionate request can avoid disputes.
How To Obtain And Use An Authority (Step-By-Step)
Getting this right is as much about process as it is about paperwork. Here’s a practical workflow you can adapt.
1) Identify Your Lawful Purpose
Clearly document why you need the information and how it relates to the role’s inherent requirements, safety, or your legal duties. This anchors your request and helps you keep it proportionate.
2) Define The Scope You Actually Need
Decide what questions you need answered. Focus on capacity, restrictions and timeframes rather than clinical detail. Draft your questions before you approach the employee.
3) Speak With The Employee First
Explain the purpose, the type of information you’ll request, and how you’ll handle their data. Invite their input. A respectful conversation often leads to faster cooperation and better outcomes.
4) Use A Clear, Voluntary Consent Form
Provide a concise authority form that names the disclosing provider and recipient, the specific information sought, the purpose, and how long the authority lasts. A legally sound Medical Release Consent Form helps avoid ambiguity and ensures you’re collecting sensitive information with valid consent.
5) Direct Questions To The Treating Provider (Or IME If Justified)
Send your scoped questions with the signed authority to the provider. If you need an independent view, consider whether an IME is reasonable and proportionate in the circumstances. Tie all questions to inherent requirements and safety.
6) Limit Internal Access On A Strict “Need-To-Know” Basis
Keep health information separate from general HR files and restrict access to the smallest group necessary (e.g. HR, appointed return-to-work coordinator). Train managers on what they can and cannot see.
7) Make Decisions And Document Your Rationale
Use the information to plan adjustments, return-to-work steps or next actions. Note how the medical information was relevant to your decision-making. This documentation can be important if decisions are later challenged.
8) Review, Retain Or Destroy Securely
Only retain health information for as long as it’s needed (or legally required) for the purpose, then securely destroy or de-identify it. Set diarised reviews so records don’t sit indefinitely.
Managing Privacy, Consent And Record-Keeping
Because health information is highly sensitive, your privacy and record-keeping practices need to be tight from day one. This isn’t just a compliance exercise - it builds employee trust and reduces legal risk.
Privacy Foundation
- Policy: Publish and maintain an up-to-date Privacy Policy that explains how you collect, use, disclose and secure personal information, including health information where relevant.
- Collection Notices: When you collect information directly from individuals, issue a short, specific Privacy Collection Notice that explains the purpose, who you’ll share it with, and how to contact you.
- Consent: Use clear, voluntary consent when collecting sensitive information. Ensure employees understand what they’re agreeing to and that consent can be withdrawn.
Data Minimisation And Security
- Collect the minimum necessary to achieve your purpose.
- Store health information separately with role-based access restrictions.
- Encrypt digital records and lock physical files; limit downloads and printing.
- Set retention periods and secure disposal processes for sensitive records.
Internal Protocols And Training
- Adopt an Employee Privacy Handbook to guide managers on handling sensitive information, internal sharing, and responding to requests.
- Train HR and line managers on confidentiality, lawful requests, and anti-discrimination risks.
- Keep medical information on a strict “need-to-know” basis; avoid casual disclosure in emails or meetings.
Sharing With Third Parties
- Only share health information externally where it’s necessary and lawful (e.g. an insurer in a workers’ compensation matter), and limit it to what’s required.
- If using an IME provider or occupational rehabilitation consultant, ensure appropriate contractual safeguards and data security standards are in place.
Employee Rights And Refusals
Employees can refuse to provide medical information, and they can withdraw consent they have already given. In those cases, you must still manage safety and performance using the information available to you. If you reasonably can’t assess capacity or identify adjustments without medical input, that may narrow the decisions open to you - but tread carefully and seek advice where needed.
Overlap With Employment And Safety Law
Your duty to provide a safe workplace sits alongside privacy obligations. If you genuinely need medical information to keep people safe, that supports the lawful basis for your request - but it doesn’t remove the need for consent and proportionality.
Similarly, when considering return-to-work or fitness for duty, consider anti-discrimination obligations and the requirement to consider reasonable adjustments. For process points around capacity assessments, refer to when you can request medical clearance to return to work.
Practical Content For Your Authority Form
To help you get the drafting right, here’s what a well-structured authority typically includes.
- Employee identification and role title.
- Named provider(s) who may disclose information (e.g. Dr Smith at XYZ Practice).
- The recipient entity and contact (your business and the specific role or email).
- Scope of information: capacity for duties, restrictions, prognosis timeframes, recommended adjustments.
- Purpose: assessing inherent requirements, safety management, return-to-work planning.
- Duration of consent and how it can be withdrawn.
- Privacy statement describing handling, storage, and who may access the information.
- Employee signature, date, and acknowledgement of voluntariness.
Handling Disputes Or Pushback
Sometimes an employee may worry you are seeking too much. Offer to share your exact questions and adjust scope to the minimum needed. Make it clear you do not need their full history - only information connected to their role and safety. A transparent approach, with a tightly scoped authority, often resolves concerns early.
Sick Leave Evidence vs Broader Medical Information
For short-term personal leave, you’ll usually rely on a medical certificate or statutory declaration. The certificate only needs to confirm the employee was unfit for work on the relevant day(s); it doesn’t need to reveal diagnoses. If you’re unsure about evidence requirements, revisit when employers can legally ask for medical certificates.
In contrast, an authority to release medical information is used when you need more detail to assess capacity, plan adjustments or manage safety - not to second-guess routine sick leave.
Independent Medical Examinations (IMEs)
In limited circumstances, you may reasonably direct an employee to attend an IME - for example, where there’s insufficient information from the treating doctor or where safety risks are unresolved. Any direction must be lawful and reasonable in the context. If you’re considering this step, align it with a narrow, job‑focused set of questions and ensure the employee understands the purpose and privacy safeguards.
Record-Keeping Hygiene
- Separate medical from general HR files; lock down access.
- Label records with the purpose and review dates.
- Avoid forwarding medical details in open email threads; use secure channels.
- Review retention regularly and securely destroy when no longer needed.
Consent Isn’t Forever
Consent should be time-bound. If your purpose changes (e.g. you now need information for a different assessment), obtain fresh consent and explain why. This reduces risk and keeps your practices aligned with the Australian Privacy Principles.
Communications Matter
Most disputes arise from misunderstandings. Explain the “why” behind your request, share your role’s inherent requirements, and invite the employee to have their doctor answer your specific questions. A respectful, transparent approach goes a long way.
Build Medical Privacy Into Your HR Toolkit
Make privacy part of your standard documents and onboarding. Alongside your policies and contracts, include an accessible process for health information requests and storage. If you’re updating your HR suite, consider adding an Employee Privacy Handbook and ensuring your Privacy Policy and Privacy Collection Notice are consistent with your practice.
Key Takeaways
- An authority to release medical information lets you lawfully obtain specific, job‑relevant health information so you can manage safety, capacity and return‑to‑work obligations.
- Ask only for what you genuinely need to assess inherent requirements and plan reasonable adjustments; avoid broad requests for full medical histories.
- Use a clear, voluntary consent form that names providers, narrows the scope, states the purpose and sets a time limit.
- Handle health information under strict privacy controls: minimisation, secure storage, limited access and clear retention/destruction rules supported by your Privacy Policy and Collection Notice.
- Where appropriate, you can request medical certificates or medical clearance; ensure any direction is lawful, reasonable and proportionate to the issue.
- Transparent communication with the employee and their provider often prevents disputes and speeds up safe, fair outcomes.
If you’d like a consultation on setting up your authority to release medical information process (including tailored forms, policies and workflows), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.