If you run a business that needs to collect or share someone’s health information (even occasionally), you’ll quickly come across the idea of a medical release consent form.
This can feel a bit daunting at first - health information is sensitive, and nobody wants to accidentally breach privacy laws. The good news is that with a clear process and the right document, you can handle medical information in a way that’s lawful, respectful, and practical.
This guide is updated for current expectations around privacy and consent in New Zealand, including the day-to-day realities of digital records, online forms, and remote services.
A medical release consent form (sometimes called a “medical release” or “authorisation to release medical information”) is a document where a person gives permission for their health information to be collected, accessed, used, or disclosed.
In plain terms, it’s how you show that the person has agreed to you (or someone else) obtaining or sharing their medical information for a stated purpose.
Medical release consent forms are common in situations like:
- Employers needing information to manage a workplace injury process (in limited circumstances and usually via appropriate channels).
- Insurance and claims where a customer authorises a provider to share records with an insurer or assessor.
- Fitness, wellness, and allied health services, where a client consents to their information being shared with other practitioners for coordinated care.
- Schools, sports clubs, and youth programmes where consent is needed to seek medical treatment or contact a health provider in an emergency.
- Events and high-risk activities where organisers may need health details for safety planning (with clear limits on what’s collected and why).
It’s important to note that a medical release consent form isn’t a “free pass” to collect anything you want. Consent needs to be meaningful, specific, and linked to a legitimate purpose.
Medical certificates and medical release consent forms get mixed up all the time.
- A medical certificate is usually evidence of illness or fitness for work (for example, for sick leave).
- A medical release consent form is permission to access or share medical information (often more detailed and more sensitive).
If you’re an employer, it’s especially important not to overreach. Even when you have good intentions, asking for “all records” can create privacy risk and employee distrust.
When Do You Actually Need One?
You generally need a medical release consent form when you want to obtain health information from someone’s doctor or health provider, or share health information with a third party (like an insurer, another clinic, or a service partner).
In many cases, you don’t need a full release - you might only need:
- confirmation that someone is fit to participate
- emergency contact information
- allergy information relevant to a specific activity
A good rule of thumb is: only collect what you genuinely need to keep someone safe or to deliver your service.
Common Business Scenarios
Here are a few examples where a medical release consent form often becomes relevant for NZ businesses:
- Workplace injuries and return-to-work planning: you may need consent for limited information about restrictions or accommodations (rather than detailed diagnoses).
- Childcare, education, and youth services: you may need authority to seek medical treatment and share relevant information with emergency responders.
- Health, allied health, and telehealth providers: you may need consent to share information with another provider involved in care.
- Gyms, trainers, and wellness services: you may want consent to collect health information, but you should avoid collecting more than required.
Where consent forms become most important is when you’re dealing with third parties - someone else (not you) is going to receive or release the information, and they’ll want evidence that the person authorised it.
What Laws Apply In New Zealand?
In New Zealand, the key legal framework for medical release consent forms is the Privacy Act 2020. Health information is generally treated as sensitive personal information, meaning you should treat it with extra care.
At a practical level, privacy law expectations affect:
- what you collect (only what you need)
- how you collect it (fairly, transparently, and with a clear purpose)
- how you store it (securely, and only for as long as needed)
- who you disclose it to (only where authorised and necessary)
- how people access or correct it (individuals have rights to access and request correction)
Because medical information is sensitive, you’ll usually want your consent process supported by a clear Privacy Policy (and, depending on how you collect it, a privacy collection notice too) so people understand what’s happening with their information.
A common mistake is using a vague, blanket consent like: “I authorise you to obtain any medical information about me from anyone.”
That’s risky because good consent should be:
- informed (the person understands what they’re agreeing to)
- specific (what information, for what purpose, and who it will be shared with)
- freely given (not coerced or bundled in unfairly)
- current (not something signed years ago and reused without thinking)
If your form is too broad, you may still end up with a refusal from the health provider - and you’ll likely damage trust with the individual as well.
There’s no single “perfect” medical release consent form, because what you need depends on your business and what information you’re dealing with.
That said, strong medical release consent forms usually include the following core elements:
1. Who Is Giving Consent
- full legal name
- date of birth (often used by providers to verify identity)
- address and contact details (depending on context)
2. Who Can Release The Information
This should identify the health provider or organisation being asked to share information, such as:
- a named GP clinic
- a physiotherapy practice
- a hospital or specialist
If you genuinely don’t know the provider (for example, emergency situations), you should be very careful - broad “any provider” wording can cause unnecessary privacy risk and may not be accepted in practice.
3. Who Receives The Information
Your form should clearly name the receiving person or organisation, such as:
- your business name and contact details
- a specific staff role (e.g. “HR Manager”)
- an insurer, claims manager, or rehabilitation provider
Be precise here. “Any third party” is a red flag.
4. What Information Is Covered
This is where you narrow the scope. For example:
- confirmation of fitness to participate
- relevant restrictions or accommodations
- treatment dates (if needed for a claim)
- allergy and emergency risk information (for an activity)
If you’re collecting more detailed information (like diagnosis, medication, mental health history, or test results), you should be able to clearly justify why you need it and how it will be used.
5. Purpose Of The Release
Always state the “why” in plain English, such as:
- to assess a claim
- to coordinate treatment between providers
- to implement safety planning for an event
- to support a return-to-work plan
If the purpose changes later, you may need fresh consent.
6. Time Limits And Expiry
It’s often best practice to include:
- an expiry date (or time period)
- whether the consent applies to one-off disclosure or ongoing sharing
Time limits keep consent “tight” and reduce the risk of relying on outdated permissions.
7. Withdrawal Of Consent
People should be told they can withdraw consent (to the extent possible). Your form can explain:
- how to withdraw (email, phone, written request)
- what happens if they withdraw (for example, you may not be able to provide the service or process a request)
8. Privacy And Storage Statements
Your form should align with your privacy practices, including:
- how you store the information
- who can access it internally
- how long it’s kept
- how someone can request access or correction
Many businesses also back this up with an internal data handling process, particularly where staff are working remotely or using cloud storage.
9. Signature And Date (And Who Signs For Minors)
Most third parties will expect a signature and date. If the person is under 18, consent may need to be provided by a parent or guardian depending on the situation (and the child’s ability to understand what they’re consenting to).
If your process involves minors signing anything, it’s worth understanding the basics of “Can A Minor Sign A Contract?” so your paperwork matches the real-world legal risk.
Having a medical release consent form is only one part of doing this properly. The bigger (and often overlooked) piece is your internal process - how your team collects, stores, and shares sensitive information day to day.
Keep Collection Proportionate
One of the best ways to reduce privacy risk is to avoid collecting sensitive information unless you truly need it.
Ask yourself:
- Do we need medical information, or do we just need a yes/no confirmation (e.g. “fit to participate”)?
- Can we limit information to what’s relevant to this activity or service?
- Can we collect the information directly from the person rather than requesting it from their provider?
If you collect too much, you don’t just increase compliance risk - you also increase your obligations to secure and manage that data.
Limit Internal Access
Not everyone in your business should be able to view health information.
As a practical step, restrict access to people who genuinely need it (for example, the owner/manager or a specific HR contact). If you’re building policies around staff handling sensitive data, it can help to formalise confidentiality expectations, including through contracts like an Employment Contract that clearly sets expectations about information handling.
Store It Securely (And Don’t Keep It Forever)
If you’re storing medical information:
- use secure systems (password protection, role-based access, encryption where appropriate)
- avoid saving sensitive attachments in open inboxes or shared drives
- have a retention and deletion process (keep it only as long as you need it)
Even small businesses can be caught out here, especially when information is collected through online forms, emailed PDFs, or messaging platforms.
Be Careful With Third Parties
If you use third-party platforms (booking systems, CRM tools, form builders, cloud storage, outsourced admin), your privacy risk can extend to your suppliers.
That doesn’t mean you can’t use those tools - it just means you should be clear on where data is stored, who can access it, and what protections apply.
In some situations, you may also want a written contract with the supplier that deals with confidentiality, security, and handling instructions (particularly if they’re processing data on your behalf).
Common Mistakes To Avoid (And How To Get It Right)
Medical release consent forms are often used with good intentions - but a few common mistakes can create legal headaches fast.
Using A Generic Template That Doesn’t Match Your Purpose
Health information is sensitive, and your form should be tailored to what your business actually does.
A template that’s “close enough” might:
- ask for far more information than you need
- be too vague to be meaningful consent
- fail to identify the correct parties
- conflict with your privacy policy or internal process
This is one of those areas where it’s worth getting the document reviewed or drafted properly - a small upfront cost can prevent a much bigger issue later.
Bundling Consent Into Other Terms
If you’re trying to include medical consent inside a long set of terms and conditions, there’s a risk the person hasn’t truly understood what they agreed to.
If you do include it in broader terms (for example, membership terms), make sure it’s clearly set out and brought to the person’s attention.
A medical release consent form works best when it sits inside a wider privacy setup:
- a clear Privacy Policy
- a clear explanation at the point of collection (especially online)
- internal rules around access and retention
If you’re collecting any sensitive information, it’s also worth understanding what counts as Sensitive Personal Information, because the compliance expectations are higher.
Assuming Consent Is Permanent
Consent isn’t something you get once and then rely on forever.
If your purpose changes, your business changes hands, or you’re now disclosing to different parties, you may need fresh consent.
This comes up in real life more than you’d expect - for example, when a business is sold or operations are restructured. If you’re buying or selling a business where personal information is part of operations, it’s worth checking what’s involved in a business sale checklist so privacy issues aren’t missed during the handover.
Not Knowing When A Separate Authorisation Is Better
Sometimes you don’t need a “medical release” form at all - you might need a more specific document instead.
For example, if your business is asking a person’s GP or clinic to release records directly to you, a Medical Release Consent Form is the right approach. But if you’re dealing with authority for someone else to act on their behalf in a broader sense, a different authorisation document may be more appropriate depending on the situation.
(And if you’re ever unsure, getting advice is the smart move - it’s much easier to set this up correctly from day one than to fix it after information has already been shared.)
Key Takeaways
- A medical release consent form is a written authorisation that allows medical or health information to be collected, accessed, used, or disclosed for a specific purpose.
- In New Zealand, medical information is usually treated as sensitive personal information, so your consent process should align with the Privacy Act 2020 and good privacy practice.
- A strong form clearly identifies who is giving consent, who can release the information, who receives it, what information is covered, and why it’s needed.
- Limit your collection to what’s genuinely necessary, restrict internal access, store information securely, and don’t keep sensitive data longer than needed.
- Avoid overly broad “blanket consent” wording, and don’t rely on generic templates that don’t match your business or the specific purpose of the disclosure.
- If your business collects or uses health information, it’s worth having a clear Privacy Policy and a consistent internal process so your team handles information properly every time.
If you’d like help drafting or reviewing a medical release consent form (or making sure your privacy setup is right from the start), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.