Today’s question relates to the confidentiality of medical records held by a health facility established by an employer or Person Conducting a Business or Undertaking (a PCBU). The context is a:
… mine site and commercially employed paramedics and nurses.
- Does the employer have an automatic entitlement to medical records for an injured party at the workplace when they are treated by an on-site or embedded health service such as an on-site paramedic?
- Is there a difference between first aid / incident registers for the purposes of WHS legislation, and medical records for the purposes of protected private information?
- If the patient is employed by the same company as the clinician, is it work product? Does there have to be a specific clause in the employment agreements for employee medical record release?
- To what extent can clinicians try to prevent access to clinical records which may contain information adverse to the patient’s employment status?
- Is it different if the clinician, or the patient, is engaged as, or by, a subcontractor?
My correspondent says:
The answer I often provide is that this is grey. The easiest solution is to get the patient’s express consent, and document that. If the employer is shared, I generally advise the clinician to have a transparent (and well documented) discussion with their line manager (+/- HR/IR/inhouse counsel) advocating their concerns and the issues that may arise from unrestricted access to employee medical records; but ultimately the employer is also the health service provider and it would be their responsibility to comply with the confidentiality and privacy legislation; if there is a subcontractor relationship on either side, it is often a little easier to provide a barrier to wholesale release of data.
In reality, and in some very complex edge cases, I have advised the clinicians to specifically make the patient aware that information provided to them as the workplace paramedic may be accessible by their employer, and they should specifically consider that before disclosing specific health information to the paramedic. This obviously creates a suboptimal situation and makes it hard to build therapeutic rapport.
I have previously written on this subject – see Confidentiality and workplace health services (May 9, 2025). I’ve also written about a similar context where contracted health service providers are asked to provide records for people treated at an event – see Sharing first aid patient care records (May 2, 2023) and First aid patient records – who and what are they for? (January 31, 2015). I generally agree with the advice my correspondent says has been given to those at the workplace.
The critical question is who owns the records. The prima facie rule is that the person who writes them owns them. But if the person is completing the document as part of their employment or as part of the contract with the PCBU, then they will be the PCBU’s documents. If they are the PCBU’s documents, then they can be accessed by the PCBU on a need-to-know basis. So, the PCBU can access an employee’s employment and HR record, but that does not mean anyone who works for the PCBU can access those documents. The PCBU must have in place procedures and policies to limit access but, subject to that and speaking at a high level of abstraction, they are the PCBU’s documents, so the PCBU can access them and, further, will be deemed to know what’s in them. If the documents reveal that the employee has a health issue that means continued exposure to the risks at work will aggravate their condition, then the PCBU ‘knows’ that and must take appropriate preventative action. It will not work for the PCBU’s line manager to say ‘but that was told to our medical team in confidence, so I didn’t know so there was no fault on our part when we continued to require the employee to do work that we ‘knew’ he or she was not fit for’.
But there may be different scenarios. If a mine operator decides that to attract staff to work at their remote location they will buy and fit out a medical centre and then invite expressions of interest from medical practitioners to come and run their practice, then that practitioner is not the PCBU’s doctor even if they are being subsidised. How they run their practice and what obligations might arise from the funding arrangement would need to be negotiated but prima facie any record there belongs to the doctor, not the PCBU.
Question 1
The model Work Health and Safety Regulations (adopted in each jurisdiction other than Victoria) provide that a PCBU must provide access to relevantly trained emergency first aid personnel and in the relevant context that may well be paramedics, nurses and/or medical practitioners. If they treat someone as part of that duty and where the injury or illness occurs at work it must follow that the PCBU is entitled to some access as they need to be able to monitor working conditions, identify risks and trends and in relevant cases confirm that the injury or illness was work related.
Question 2
There could be a difference between ‘first aid / incident registers for the purposes of WHS legislation, and medical records for the purposes of protected private information’. If the PCBU says ‘we’re going to fund a medical practice and we encourage you all to go to these doctors for any health concern’ and there are issues that are clearly not work related (that is, not caused by work nor impacting on the person’s ability to do work) then it would be hard to justify giving that information to the PCBU. But it would really need to be negotiated. The PCBU may well want data about how many people are coming etc. to help understand the demand for services and whether they are cost effective, but that could all be aggregated, anonymous data. On the other hand, if the PCBU is directly employing the doctors then the medical records belong to the PCBU (see Health Services for Men v D’Souza [2000] NSWCA 56) and the PCBU may well need to access them for quality assurance purposes.
Question 3
Yes; and the terms of who can access the information and for what purpose should be negotiated and explained in relevant policy. I think it is not the case that there has ‘… to be a specific clause in the employment agreements for employee medical record release’ but rather there has to be a specific clause to stop that release if everyone wants to try and allow the health team to withhold information from other parts of the PCBU. And risk has to be assessed here; if the health information means that the worker is not fit to perform their duties, that reasonable accommodation needs to be made for them or that they are a danger to themselves or others, there can be no guarantee that the information will be kept confidential behind artificial walls within the PCBU’s business.
Question 4
That would depend on the circumstances of the clinician’s engagement and the workplace arrangements.
Question 5
Yes, and what difference it would make would depend on the terms of the various agreements.
Conclusion
I agree with my correspondent’s advice:
‘… The easiest solution is to get the patient’s express consent, and document that.’
‘…have a transparent (and well documented) discussion with their line manager (+/- HR/IR/inhouse counsel) advocating their concerns and the issues that may arise from unrestricted access to employee medical records’
and have the outcomes recorded in a policy document that identifies who can access the records and for what purpose.
‘… make the patient aware that information provided to them as the workplace paramedic may be accessible by their employer, and they should specifically consider that before disclosing specific health information to the paramedic.’
This may create ‘a suboptimal situation and makes it hard to build therapeutic rapport’ but if you’re working for the employer, not the patient, they need to know that.
This blog is a general discussion of legal principles only. It is not legal advice. Do not rely on the information here to make decisions regarding your legal position or to make decisions that affect your legal rights or responsibilities. For advice on your particular circumstances always consult an admitted legal practitioner in your state or territory.
Question: how would AHPRA react to this? Would it be considered a breach of patient confidentiality and a breach of professional conduct? Injury management return to work coordinators and insurance providers also have access to information; supervisors and line managers need to be aware of the worker’s capacity and restrictions. Also alcohol and drug related issues in the workplace.
And if I add into this the now national requirements around psychosocial risk management, how does this affect the situation?
Remember AHPRA is the secretariat that assists the boards, it is how would the relevant board (medical, nursing, paramedic) respond. They will understand that people are employed under different conditions to do different jobs. The issue is that if you are going to an employee provided health service there may not be an expectation of confidentiality, and sometimes the law insists that there is not (eg mandatory blood tests after a car accident). You can’t ask how would the ‘board react to this’ without identifying what ‘this’ is and as noted the circumstances can be many and varied. The best bet is for everyone to know what the expectations are in each different situation.