Who Can Access Medical Records? (2026 Updated)

By Sapna Goundan, 10 min read
Medical records are some of the most sensitive documents you’ll ever handle in your business or personal life. They can include everything from a doctor’s notes and test results to psychological reports and workplace injury information. If you’re an employer, HR manager, clinic owner, or small business owner who deals with staff health information, it’s normal to wonder: who is actually allowed to see medical records in Australia? And just as importantly, when is it not allowed?

In 2026, privacy expectations are higher than ever, and regulators (as well as employees and customers) are far less tolerant of “informal” handling of health information. The good news is that with a clear process, you can manage health information properly while still meeting your workplace and safety obligations.

Below, we’ll walk through who can access medical records in Australia, what consent usually looks like, what employers can (and can’t) request, and how to store and share medical information the right way.

Why Access To Medical Records Matters In 2026

Access to medical records isn’t just a “privacy” issue. It can quickly become a workplace relations issue, a WHS issue, and a legal risk issue. From a business perspective, you’re often balancing competing priorities, including:
  • Your duty of care to provide a safe workplace (including managing fitness for work and safety risks)
  • Your employee’s right to privacy and confidentiality around sensitive health information
  • Your operational needs, like managing absences, rosters, and performance fairly
  • Your legal obligations under privacy laws and employment laws
Handled well, medical information is used for a specific purpose, shared only with the right people, and stored securely. Handled poorly, it can lead to complaints, employee disputes, reputational damage, and in some cases penalties (particularly if health information is mishandled or accessed without authority). If you’re setting internal rules, it also helps to understand the difference between privacy and confidentiality because a “confidential” document is not automatically a “free-for-all” internally.

What Counts As A “Medical Record” (And What’s Just “Medical Information”)?

In everyday language, people say “medical records” to mean a wide range of things. Legally, the rules can vary depending on what the document is and who holds it.

Common Examples Of Medical Records

  • GP and specialist notes (clinical observations, diagnoses, treatment plans)
  • Pathology and imaging results (blood tests, X-rays, MRIs)
  • Hospital records (admissions, discharge summaries, medication charts)
  • Mental health records (psychology notes, psychiatric assessments)
  • Work-related medical documents (fitness for work certificates, injury reports, IME reports)
  • Vaccination history and other public health documentation

Medical Information In The Workplace

In a workplace context, what you typically deal with is medical information rather than “full medical records”. For example:
  • a medical certificate confirming an employee is unfit for work for a period
  • a functional capacity assessment outlining restrictions (for example, “no lifting above 10kg”)
  • a return-to-work plan or a clearance letter
A key idea in 2026 privacy compliance is “only collect what you need”. In other words, you usually don’t need an employee’s full history to manage the workplace issue in front of you.

Who Can Access Medical Records In Australia?

In Australia, access depends on (1) who holds the records, (2) the law that applies (federal and/or state), and (3) whether valid consent or another legal basis exists. Here are the most common categories.

1. You (The Patient)

Generally, you can request access to your own medical records. That doesn’t always mean you’ll instantly receive every single document in the form you want, but as a general rule, people have strong rights to access information held about them, subject to limited exceptions (for example, where providing access would pose a serious threat to life, health, or safety, or where it would unreasonably impact someone else’s privacy). If you’re requesting records, you may be asked to:
  • prove your identity
  • submit a written request
  • pay an administrative fee (in some contexts)

2. Treating Health Practitioners And Clinics

Your treating practitioners can access your records as needed to provide care, and clinics/hospitals can share relevant information internally for treatment and care coordination. However, “health practitioner access” isn’t unlimited. Most providers have policies limiting access to staff who genuinely need the information for their role (for example, a treating doctor versus an admin staff member).

3. People You Authorise (Representatives)

You can authorise another person to access your medical information (for example, a family member, support person, lawyer, or insurer). In practice, this is usually done through a written authority or consent form specifying what can be released and to whom. From a business angle, if you’re asking for authorisation (for example, in an employment, insurance, or dispute context), having a clear medical release consent form helps ensure consent is informed, specific, and properly recorded.

4. Employers (In Limited Circumstances)

Employers do not have a general right to access an employee’s medical records. But employers can request and use certain medical information when it’s reasonably necessary for managing the employment relationship (for example, to assess fitness for work or manage leave). The key is that the request must be proportionate, relevant, and handled confidentially. We’ll unpack the employer position in more detail below, including what’s reasonable and what crosses the line. If you want a deeper look at how this plays out in practice, issues around employer access to employee emails and medical information often overlap with broader workplace privacy expectations and internal governance.

5. Insurers, Workers Compensation Parties, And Regulators (Where Permitted)

Insurers and workers compensation schemes may access certain medical information where:
  • the individual has provided consent (common in claim processes), and/or
  • the scheme is authorised under relevant legislation and processes
Even where access is legally permitted, the usual principle is that information should be limited to what’s relevant to the claim or assessment.

6. Courts, Tribunals, And Law Enforcement (Compelled Access)

In some matters, medical records can be accessed through legal processes such as subpoenas, court orders, or tribunal directions. This is different from “voluntary disclosure” because the provider (or the party holding the record) may be legally compelled to produce documents.

7. Emergency And Serious Threat Situations

In limited situations, health information may be disclosed without consent to prevent or lessen a serious threat to life, health, or safety, or where required/authorised by law (for example, mandatory reporting obligations). These situations are typically narrow, and providers usually have strict internal rules around when they apply.

When Can Employers Ask For Medical Information?

For many Sprintlaw clients, the most practical question isn’t “who can access medical records generally?” It’s this: If an employee is unwell, injured, or not performing, what can we lawfully ask for? As a starting point, it’s usually safer to think in terms of “medical information relevant to work” rather than “medical records”. In most cases, you only need enough information to make a fair workplace decision.

Medical Certificates And Evidence For Leave

It’s common (and often reasonable) to request medical certificates or evidence for personal/carer’s leave, especially where:
  • the leave pattern is unusual
  • there are policy requirements
  • you need to confirm the employee was unfit for work
However, you generally shouldn’t demand “full details” of a diagnosis unless there’s a genuinely work-related reason and a lawful basis for collecting that level of detail.

Fitness For Work And Return-To-Work Clearance

If an employee is returning after an illness or injury, you may be able to request evidence that they are fit to return, particularly if:
  • their role is safety-sensitive
  • there is a risk to the employee or others
  • reasonable adjustments may be required
This is often framed as a request for medical clearance (or functional capacity information), rather than a broad request for medical history. Practically, you’re looking for restrictions and capabilities, not a complete medical file. This issue comes up frequently in workplaces, and medical clearance to return to work is one of the most common areas where employers accidentally request too much (or too little).

Independent Medical Examinations (IMEs)

In some cases, an employer may ask an employee to attend an independent medical examination, particularly where:
  • there’s a genuine concern about the employee’s capacity to perform inherent requirements of the role
  • there are prolonged or recurring absences
  • there are safety risks that can’t be addressed without clearer information
Whether this is lawful and reasonable depends on the contract, workplace policies, award/enterprise agreement terms, and the circumstances.

What Employers Generally Should Not Do

Employers often get into trouble when they:
  • ask for “all medical records” without a clear, limited purpose
  • pressure employees to disclose diagnoses that are not relevant to work
  • share medical information widely within the business (“just keeping everyone in the loop”)
  • store medical documents in unsecured folders or inboxes
  • try to access information without consent
If you’re an employee reading this, it’s also worth knowing that refusing access can be lawful in many scenarios, particularly where the request is unreasonable or overbroad. A practical discussion of this issue is set out in refusing employer access to medical records.

A Simple “Relevance” Test For Employers

If you’re deciding whether you can ask for or use medical information, a helpful internal checkpoint is:
  • Why do we need it? (specific purpose)
  • What decision are we making? (leave approval, safe return, adjustments, etc.)
  • Is there a less intrusive option? (restrictions letter instead of diagnosis)
  • Who actually needs to know? (usually HR and a direct manager only, sometimes WHS)
  • How will we store and restrict access?
This approach helps you avoid collecting sensitive information “just in case”, which is where many privacy risks start.

How To Request, Share, And Store Medical Records Lawfully (A Practical Checklist)

If your business collects or holds medical information (whether it’s employee medical certificates, injury reports, or customer health details), your processes matter. Here’s a practical checklist you can implement.

1. Collect Only What You Need

Health information is typically treated as sensitive information. That means you should be cautious and specific about what you collect. In an employment setting, you may only need:
  • confirmation the person is unfit for work (and dates)
  • capacity restrictions (what they can and can’t safely do)
  • expected review dates
Try to avoid requesting broad medical histories unless there is a clear legal and operational reason.

2. Get Proper Consent Before Obtaining Information From Third Parties

If you need to obtain information from a third party (like a treating doctor or allied health professional), you will usually need the employee’s consent. Consent should be:
  • informed (they understand what is being shared)
  • specific (not “everything forever”)
  • voluntary (no improper pressure)
  • current (not stale or outdated)
This is also where a fit-for-purpose form can reduce misunderstandings and disputes, like a medical release consent form that clearly limits what’s being requested and why.

3. Limit Internal Access (Need-To-Know Only)

Inside your business, access should be limited to people who genuinely need the information to do their job. In many workplaces, that means:
  • HR (or the person responsible for HR)
  • the employee’s direct manager (but only what they need to manage work)
  • WHS personnel (where necessary)
It usually does not mean “the whole leadership team” or “the whole roster team”.

4. Store Medical Information Separately And Securely

Medical documents should not be sitting in shared drives, general personnel folders, or email inboxes as the “main storage system”. You want a controlled system with access restrictions. Good practices include:
  • storing medical information in a restricted-access HR system
  • keeping medical documents separate from general performance documents
  • using clear naming and version control (to avoid accidental disclosure)
  • limiting the ability to download, print, or forward documents
If your business is covered by privacy laws (or you’re adopting best practice even if you’re not strictly required to), having a clear Privacy Policy helps explain how you collect, hold, and disclose personal information, especially if your operations extend beyond pure employment matters (for example, you also collect customer data online).

5. Be Careful With Retention And Deletion

Many businesses keep medical information indefinitely because they’re unsure what they’re allowed to delete. That can create risk, because the longer you keep sensitive information, the more chance there is of unauthorised access or disclosure. Retention periods depend on context (including employment law, WHS, workers compensation, and privacy requirements). If your business is subject to specific data retention regimes in other contexts, it’s also worth being aware of the broader landscape, including the data retention rules in Australia (noting that different rules apply depending on your industry and what data you hold). A practical approach is to set a retention policy and apply it consistently, rather than leaving medical information scattered across systems forever.

6. Make Sure Your Employment Documents Support Your Process

Many disputes arise not because an employer asked for medical information, but because the business didn’t have a clear contractual and policy basis for the request. It’s worth checking that your:
  • employment contracts set expectations around leave evidence and lawful directions (where appropriate)
  • workplace policies explain how medical information will be handled and who may see it
  • privacy documentation supports how you collect and store sensitive information
If you’re updating your documentation suite, an Employment Contract is usually a key place to start (alongside well-drafted policies that reflect how your workplace actually operates).

Key Takeaways

  • In Australia, access to medical records depends on who holds the records, what law applies, and whether consent or another legal basis exists.
  • Patients generally have strong rights to access their own medical information, subject to limited exceptions.
  • Employers do not have a general right to an employee’s full medical records, but can request limited information where it’s reasonably necessary (like fitness for work or leave evidence).
  • As a best-practice rule, collect only what you need, keep it need-to-know internally, and store it securely and separately from general personnel records.
  • Clear consent processes and well-drafted employment documents reduce the risk of disputes and privacy complaints.
If you’d like help setting up a practical, legally compliant process for handling employee medical information (including contracts, policies, and consent documentation), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
Sapna Goundan, content writer

Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
