Doctors’ notes and HIPAA compliance for employers and patients
Lusanda Molefe April 29, 2025

Doctors’ notes occupy the intersection between healthcare privacy laws and workplace policies, creating a complex landscape for providers, employers, and patients to navigate. These medical documents serve multiple purposes beyond clinical documentation, such as verifying absences, supporting disability claims, or justifying workplace accommodations, while simultaneously raising important questions about privacy, compliance, and proper handling.
The role and purpose of doctors' notes in today's healthcare environment
Doctors’ notes have evolved significantly from simple excuses for school or work absences. Today, these documents serve as official medical verifications that can impact employment decisions, insurance claims, disability accommodations, and legal proceedings. This increased importance demands careful attention to both content and handling procedures.
For healthcare providers, creating these notes requires balancing sufficient detail for legitimacy while protecting patient privacy. For employers, properly requesting and handling these documents means navigating multiple legal frameworks. For patients, understanding their rights regarding these notes affects both their healthcare privacy and workplace standing.
The SOAP note (Subjective, Objective, Assessment, Plan) is one of the most widely used clinical documentation formats, introduced by Larry Weed more than 50 years ago as part of the problem-oriented medical record. The structure serves several purposes at once: it gives clinicians a framework for clinical reasoning, acts as a communication tool between health professionals, and produces a standardized record of the patient's health status.
According to medical documentation experts Podder, Lew, and Ghassemzadeh, "SOAP notes are an essential piece of information about the health status of the patient as well as a communication document between health professionals." While the complete SOAP format is normally used for comprehensive clinical documentation, the information shared with employers in doctors' notes represents a carefully filtered subset of this documentation, balancing verification needs with privacy requirements.
HIPAA compliance requirements for doctors' notes
The HIPAA Privacy and Security Rules set binding requirements for protecting patients' protected health information (PHI). For doctors' notes to remain HIPAA compliant, several key requirements must be met:
- Minimum Necessary Standard: Perhaps the most fundamental HIPAA principle applying to doctors' notes is the Minimum Necessary Standard. This requires healthcare providers to disclose only the minimum information needed to fulfill the legitimate purpose of the note, nothing more. This principle directly shapes what information can and should appear in workplace documentation.
- Patient authorization: Before sharing medical information with a third party such as an employer, the provider must obtain the patient's written authorization. A valid authorization names the information to be shared, who may receive it, the purpose of the disclosure, an expiration date or event, and carries the patient's signature. Generic or blanket authorizations ("release any records to anyone who asks") are insufficient under HIPAA.
According to a study on patient confidentiality, "When a patient is admitted to a healthcare institution, he or she must be provided with information on rights to privacy, what type of PHI should be shared, and for what reason… any other use or disclosure of PHI must be authorized by the patient in writing before any PHI is disclosed."
- Security requirements: When notes are transmitted electronically, they must travel over channels that protect them from unauthorized access, meaning encryption in transit and, for stored copies, at rest. Ordinary email is not considered secure enough for PHI unless the message or the transport is encrypted and the sending system is one the provider controls.
- Documentation of disclosures: HIPAA's accounting-of-disclosures rule requires covered entities to track disclosures of PHI made outside treatment, payment, and healthcare operations. Disclosures made under a patient's signed authorization, which is how a doctors' note normally reaches an employer, are exempt from that accounting, but the provider must retain the authorization itself for at least six years. In practice the file should still show which note went to which employer under which authorization, so a later complaint can be answered.
- Business associate agreements (BAAs): If any third-party services are used to handle or transmit doctors' notes (such as electronic health record systems or secure messaging platforms), appropriate business associate agreements must be in place.
Failure to meet these requirements can result in significant penalties for healthcare providers, ranging from corrective action plans to substantial fines depending on the nature and extent of the violation.
One notable example is the 2017 breach at Patient Home Monitoring, a company providing in-home medical testing services. A misconfigured, publicly readable Amazon S3 bucket left more than 316,000 PDF reports open to anyone who found the address. The reports contained weekly blood test results, names, phone numbers, addresses and, most importantly, physicians' narrative notes; the exposure affected over 150,000 individuals. The lesson for providers is that the minimum-necessary filter applied to an outgoing note protects nothing if the full clinical record it was derived from sits in an unauthenticated storage bucket. Access control on the repository of record matters as much as the content of any single note.
Permissible content in HIPAA compliant doctors’ notes
Healthcare providers often struggle to determine exactly what they can include in a doctor's note without violating HIPAA. Generally, a HIPAA compliant doctor's note for workplace purposes may include:
- Confirmation that a medical appointment occurred
- Date and time of the medical visit
- General work recommendations (e.g., "Patient should refrain from work for 3 days")
- Return-to-work date
- Basic activity restrictions if applicable (e.g., "No heavy lifting over 10 pounds for two weeks")
- Provider's name, credentials, and contact information
- Provider's signature and date
What should normally be excluded from a workplace doctors’ note:
- Specific diagnosis or medical condition details
- Test results or laboratory findings
- Medication information and treatment plans
- Prognosis details
- Mental health information
- Genetic information
- Any other sensitive health information not directly relevant to the work accommodation or absence
In contrast to workplace doctors' notes, the full SOAP note format used in clinical settings contains considerably more detail. The standard SOAP structure includes:
- Subjective: Patient's symptoms, experiences, and reported history
- Objective: Physical examination findings, vital signs, lab results, and other measurable data
- Assessment: Diagnosis or clinical impression based on subjective and objective information
- Plan: Treatment approach, medications, therapies, and follow-up instructions
Only carefully selected elements from this comprehensive clinical documentation should ever appear in a workplace doctor's note, and only with appropriate patient authorization.
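The filtering described above is easiest to get right as an allowlist: name the fields a workplace note may carry and drop everything else, so a clinical field added to the record later cannot leak because nobody thought to block it. The following is an added example (not code from the page, Paubox, or any real EHR) that derives a workplace note from a SOAP-style record, refuses blanket or expired authorizations, and writes a disclosure record that stores field names and a hash rather than a second copy of the PHI. The record layout, the field names, the authorization dictionary and the sample patient are all constructed for illustration; the authorization elements checked are those the HIPAA authorization rule (45 CFR 164.508(c)) requires, but the key names are this example's own.

```python
"""Added example: allowlist-based minimum-necessary filter for a workplace
doctor's note, with an authorization check and a disclosure record.
Field names, sample record and authorization dict are constructed."""
import hashlib
import json
from datetime import date

# Constructed sample: a SOAP-style clinical record for a hypothetical patient.
CLINICAL_RECORD = {
    "patient_name": "J. Example",
    "visit_date": "2025-04-22",
    "visit_time": "09:30",
    "subjective": "Two days of fever, cough and body aches.",
    "objective": {"temp_c": 38.6, "spo2": 96, "rapid_flu": "influenza A positive"},
    "assessment": "Influenza A",
    "plan": "Oseltamivir 75 mg twice daily for 5 days; rest and fluids.",
    "work_recommendation": "Patient should refrain from work for 3 days",
    "return_to_work_date": "2025-04-25",
    "activity_restrictions": [],
    "provider": {"name": "A. Example", "credentials": "MD", "contact": "555-0100"},
}

# Constructed sample authorization. Required elements mirror 45 CFR 164.508(c)
# (recipient, purpose, scope, expiration, signature); key names are ours.
SAMPLE_AUTHORIZATION = {
    "id": "AUTH-0001",
    "recipient": "Example Corp HR",
    "purpose": "verify absence 2025-04-22 to 2025-04-25",
    "scope": ["patient_name", "visit_date", "work_recommendation",
              "return_to_work_date", "activity_restrictions", "provider"],
    "expires": "2025-05-22",
    "signed": True,
}

# Fields a workplace note may carry. Anything not named here is dropped, so a
# field added to the record later (a new lab panel, a psych referral) is
# excluded by default instead of leaking because it was never denylisted.
WORKPLACE_ALLOWLIST = (
    "patient_name", "visit_date", "visit_time", "work_recommendation",
    "return_to_work_date", "activity_restrictions", "provider",
)

BLANKET_WORDS = {"", "*", "any", "all", "anyone"}


def validate_authorization(auth: dict, today: str) -> None:
    """Raise ValueError if an element is missing, the wording is blanket,
    or the authorization has expired. `today` is an ISO date string."""
    required = ("id", "recipient", "purpose", "scope", "expires", "signed")
    missing = [k for k in required if not auth.get(k)]
    if missing:
        raise ValueError(f"authorization missing {missing}")
    if (auth["recipient"].strip().lower() in BLANKET_WORDS
            or auth["purpose"].strip().lower() in BLANKET_WORDS):
        raise ValueError("blanket authorization: recipient and purpose must be specific")
    if date.fromisoformat(auth["expires"]) < date.fromisoformat(today):
        raise ValueError("authorization expired")


def build_workplace_note(record: dict, auth: dict, today: str) -> dict:
    """Return only fields that are both on the allowlist and inside the
    scope the patient actually authorized (intersection, not union)."""
    validate_authorization(auth, today)
    permitted = [f for f in WORKPLACE_ALLOWLIST if f in auth["scope"] and f in record]
    return {f: record[f] for f in permitted}


def record_disclosure(log: list, note: dict, auth: dict, today: str) -> dict:
    """Append who received which fields under which authorization.
    The entry holds field names and a SHA-256 of the note, not the values,
    so the log is not itself another copy of PHI to protect."""
    digest = hashlib.sha256(json.dumps(note, sort_keys=True).encode()).hexdigest()
    entry = {
        "date": today,
        "recipient": auth["recipient"],
        "purpose": auth["purpose"],
        "authorization_id": auth["id"],
        "fields": sorted(note),
        "note_sha256": digest,
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    disclosure_log = []
    note = build_workplace_note(CLINICAL_RECORD, SAMPLE_AUTHORIZATION, "2025-04-23")
    print(json.dumps(note, indent=2))
    print(json.dumps(record_disclosure(disclosure_log, note, SAMPLE_AUTHORIZATION, "2025-04-23"), indent=2))
```

Run it and the printed note contains the visit date, the work recommendation, the return date and the provider block, while the assessment, plan and objective findings never leave the record. Because `visit_time` is on the allowlist but not in the patient's scope, it is also withheld: the allowlist caps what the format permits, the authorization caps what this patient agreed to, and only the intersection is released. If the page's FAQ case applies, where a patient explicitly authorizes disclosure of a diagnosis, that would be a deliberate extension of the scope and the allowlist together, not a bypass of either check.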
Employer rights and limitations regarding doctors' notes
Employers often have legitimate needs to verify medical absences or determine appropriate accommodations, but these needs must be balanced against employee privacy rights. Several legal frameworks govern when and how employers can request doctors' notes:
- Americans with Disabilities Act (ADA): The ADA permits employers to request reasonable documentation when an employee requests an accommodation for a disability. However, the employer can only request information relevant to establishing the existence of a disability and the need for accommodation.
- Family and Medical Leave Act (FMLA): For FMLA leave, employers can require certification from a healthcare provider. The Department of Labor provides specific forms for this purpose that comply with privacy requirements.
- Company sick leave policies: Many employers have policies requiring doctors’ notes for extended absences or to verify legitimate use of sick leave. These policies must be applied consistently to avoid discrimination claims.
However, employers must be cautious about:
- Requesting excessive details about an employee's medical condition
- Applying sick note policies inconsistently, which could lead to discrimination claims
- Contacting healthcare providers directly without proper employee authorization
- Failing to maintain confidentiality of medical documentation they receive
The Equal Employment Opportunity Commission (EEOC) guidance states that all medical information obtained about a particular employee must be collected and maintained on separate forms and in separate medical files, apart from the usual personnel files.
Electronic transmission of doctors' notes to employers
One challenging area of HIPAA compliance involves the electronic transmission of doctors' notes to employers. Standard, unsecured email is not considered HIPAA compliant for transmitting PHI, creating a significant compliance risk.
Providers can email doctors’ notes to employers only if:
- The patient has provided specific written authorization for this disclosure
- The email transmission is secure and encrypted
- The note contains only the minimum necessary information
According to the study on patient confidentiality, "All emails must be encrypted" when transmitting patient information, and providers should "only transmit the bare minimal information in an email." They emphasize that healthcare workers should "never use commercial email accounts; instead, you should use the email system set up by the institution" which typically incorporates necessary security measures.
Secure transmission methods for doctors' notes include:
- Encrypted email services
- Secure patient portals that allow document downloads
- Secure electronic faxing services
- HIPAA compliant messaging platforms
Alternatively, providers may give the note directly to the patient, who can then choose to share it with their employer. This sidesteps most HIPAA transmission questions: the patient is not a covered entity, so HIPAA does not govern what they do with their own copy. The employer's duty under the ADA to keep the document in a confidential medical file still applies once it is received.
State laws that may impact doctors' notes
While HIPAA establishes federal baseline protections, many states have enacted additional laws that further restrict the disclosure of medical information. Some notable examples include:
- California's Confidentiality of Medical Information Act (CMIA), which governs medical information held by providers and also binds employers that receive it, and the California Consumer Privacy Act (CCPA), which largely exempts HIPAA- and CMIA-covered medical information but reaches other personal data an employer or vendor may hold
- New York's SHIELD Act, which expands data breach notification and data security requirements
- Texas Medical Records Privacy Act, which applies to entities not covered by HIPAA
- Illinois' Personal Information Protection Act, which includes biometric information
Healthcare providers and employers operating across multiple states must comply with the most restrictive applicable laws when handling doctors' notes.
The future of doctors' notes
The COVID-19 pandemic accelerated several trends affecting how doctors' notes are created, transmitted, and verified:
- Telehealth integration: With the rise of telehealth, doctors' notes increasingly need to verify remote consultations, creating new verification challenges.
- Digital authentication: Advanced digital signature and verification technologies are making it easier to authenticate medical documentation electronically.
- Patient-controlled health information: Patient portals and health apps are giving patients more control over their health information, potentially changing how doctors' notes are shared.
- Standardization efforts: Healthcare organizations are moving toward more standardized formats for doctors' notes to ensure consistency and compliance.
One interesting development noted by medical documentation experts is the potential restructuring of the traditional SOAP format. Podder, Lew, and Ghassemzadeh point out that "rearranging the order to form APSO (Assessment, Plan, Subjective, Objective) provides the information most relevant to ongoing care at the beginning of the note, where it can be found quickly." This evolution demonstrates the medical community's recognition that documentation formats must adapt to changing needs while maintaining essential content requirements.
FAQs
Can my employer contact my doctor directly to verify my note?
According to HHS guidance, if your employer contacts your healthcare provider directly for information about you, your provider cannot share information without your explicit authorization. Your employer should request verification from you, not directly from your healthcare provider.
Are doctors' notes legally required?
There is no universal legal requirement for doctors' notes for sick days. However, employers may legally request doctor's notes as part of their attendance policies, especially for extended absences. For FMLA leave or ADA accommodations, medical certification is typically required.
How detailed should a doctors’ note be?
A doctor's note should include only the minimum necessary information needed to verify the legitimacy of an absence or need for accommodation. This includes confirmation of the appointment, dates of absence, and any specific work restrictions, but not medical details or diagnosis unless explicitly authorized by the patient.