What the doctor ordered: dealing with employee medical records

We are often asked what rights an employer has to require their employees to undergo a medical assessment or provide their medical records.  The answer is usually not straightforward, as there are some serious personal and privacy issues to consider.

The question comes down to striking a balance.  There are two main things to balance:

  1. The employer’s right to know if their employees are fit to perform their duties without the risk of injuring themselves or other employees; and
  2. The employee’s general right to privacy, especially when dealing with medical data in the workplace that might raise issues of contractual termination or discrimination.

Balancing these two considerations often creates a grey area.

Can I require an employee to undergo a medical assessment?

Employers have the right to give directions to employees if the directions are employment-related and lawful.  This is the case regardless of whether there is anything in the employee’s contract to that effect. (Although we recommend that these issues be clearly dealt with in employment contracts.)

Changes in work health and safety legislation over the last few years have significantly increased a business owner’s personal exposure to injury claims by workers.  This means that the scope for providing directions to employees about matters concerning health and safety has also expanded to match that increased responsibility.

The Fair Work Commission (in the case of Grant v BHP Coal [2017] FWC 3027) has confirmed that instructing an employee to attend a medical assessment can be a lawful and employment-related direction provided that the employer has a genuine and reasonable concern that the employee might not be fit for their duties.

In the Grant case, BHP Coal asked Mr Grant to attend a medical assessment to satisfy itself that Mr Grant was fit to return to work after leave following surgery for a work shoulder injury.  Mr Grant failed to attend multiple scheduled medical appointments, and was ultimately dismissed by BHP Coal for his failure to follow their directions (and a few contributing misdemeanours).

The FWC found the request by BHP Coal for Mr Grant to attend a medical assessment with its nominated doctor was lawful and reasonable.  This was even though there was no such requirement recorded in an employment contract or the applicable enterprise agreement.

What the Grant decision showed was that circumstances are everything.  If your employee has been away for just one day and doesn’t have any concerning medical history, a medical assessment is unlikely to be considered reasonable.  On the other hand, a long absence due to a work injury or a recurring injury or sickness seems to be enough for a request for medical evaluation to be considered reasonable.

The other lesson from the Grant case was that the employer’s industry plays a big part in determining the reasonableness of a request for medical assessment.  In the Grant case, the employer operated in the coal and mining industry, which is a highly regulated industry where health and safety is paramount.  BHP Coal had strict health and safety obligations to its workers under the Queensland legislation.  It relied on those obligations to support the reasonableness of its direction, and the FWC was satisfied that the obligations overruled other considerations.

Can I ask for an employee’s medical records?

Confidentiality is one of the most important features in the relationship between doctors and patients.  It enables patients to be completely honest with their doctor, making it easier for doctors to reach a diagnosis.  For this reason, confidentiality of medical information is protected as ‘sensitive information’ under the Australian Privacy Principles.

Because of this high level of protection, an employer’s ability to access an employee’s medical records is limited.  To do so, you must demonstrate a genuine concern about their health and that the medical information is directly related to their work duties.

Generally, to access an employee’s medical information requires their consent.  According to the Privacy Principles, a request for access to sensitive information must be a specific request to the doctor signed by the employee that records their consent for you to access their medical records.  The consent must also be recent, and must specify the kinds of medical records the employee gives consent for you to access.

Ultimately, the employee’s doctor may refuse to give you access to the medical records if they consider that sharing the information may result in significant harm to their patient (your employee).

The decision in Australian and International Pilots Association v Qantas Airways Ltd [2014] FCA 32 goes some way towards answering the question of when a request for medical records is appropriate.  In that case, a pilot provided his employer, Qantas, with a medical certificate for four months’ leave due to depression.  The leave was then extended for a further two months (to a total of six months) by the employee providing another medical certificate.  At this stage, Qantas requested that the employee provide a written report from his doctor indicating diagnosis, prognosis, and capacity and timeframe to return to his regular duties.  The employee refused to provide the requested report, despite numerous requests threatening disciplinary action because of his failure to cooperate.  After the employee had been on sick leave for over seven months, his workers’ union brought proceedings against Qantas for adverse action.

Qantas’ position was that it required more detailed medical information for operational reasons – namely to determine when (if ever) the pilot could return to work and in what capacity, and how Qantas could assist a return to work to occur.  The information provided in the medical certificates did not give Qantas any insight into these aspects.

The Federal Court found that Qantas’ operational reasons for its request for a written medical report were legitimate and proper.  The Court determined that Qantas had an implied contractual right to request the further information.

The Court also found, contrary to the union’s argument, that Qantas did not take the action to interfere with the employee’s enjoyment of his right to sick leave, and that the foreshadowed disciplinary action did not constitute adverse action against the employee.

A lesson from the Qantas case is that for an implied contractual right to medical information to arise, the employee’s contract or Award must not be all-encompassing on the issue.  Another lesson is that operational or business purposes are a genuine reason for an employer to request medical information in certain circumstances.

How should I handle an employee’s medical information?

Once you receive medical information by consent, your employee is entitled to check the records to verify that they are correct and up-to-date.

You should also ensure that you limit access to the records within your business to as few people as possible.  Sometimes the consent form itself will have specified the people within your business who could view the records.  If this is the case, you need to ensure that you have safeguards in place so that only the authorised people can access the records.

If your business is in an industry that requires you to handle employees’ medical records fairly frequently, you should implement an internal policy regarding storage and handling.

The policy will need to include details regarding how long you will store the information, how and where you will store it, the safety measures you will put in place regarding access, and the people who can access the information and for what purpose.

Our recommendations

We recommend that employers implement the following strategies to better cover themselves when it comes to employee medical matters:

  • Include provisions in your employment contract allowing you to request specific medical evidence in certain situations (e.g. regarding pre-existing conditions, repeated sick leave or extended sick leave), and requiring that a medical assessment by an employer-nominated doctor may be required after a long period of sick leave or on return from a work injury.
  • Establish a policy in your workplace regarding employee medical matters which:
    • Identifies why and to what extent medical information is or may be relevant to the performance of their work duties or safety in the workplace;
    • Specifies in what circumstances you are likely to seek access to medical records; and
    • Outlines how you will work with your employees to support their treatment and get them back to work in an appropriate role.
  • Assess each proposed request for medical assessment or information on a case-by-case basis considering the employee’s job role and the length of leave and nature of health issue (if known).
  • Ask employees to consent to your access to information, and work with employees to formulate the information request on terms that you are mutually happy with.
  • Develop and implement a policy to ensure proper storage and handling of medical information.
  • Ensure that you carefully store all medical records and limit access to appropriate people only.
  • Provide proper training to people who have access to employee medical information to ensure they are familiar with your privacy obligations and will handle the information securely.

We can assist you to implement policies, review and revise employment contracts, and advise you regarding any employee medical issues.  If you would like some help, please call us on 1300 654 590 or email us.


The information contained in this post is current at the date of editing – 6 July 2023.
