Doctors’ notes occupy the intersection between healthcare privacy laws and workplace policies, creating a complex landscape for providers, employers, and patients to navigate. These medical documents serve multiple purposes beyond clinical documentation, such as verifying absences, supporting disability claims, or justifying workplace accommodations, while simultaneously raising important questions about privacy, compliance, and proper handling.
Doctors’ notes have evolved significantly from simple excuses for school or work absences. Today, these documents serve as official medical verifications that can impact employment decisions, insurance claims, disability accommodations, and legal proceedings. This increased importance demands careful attention to both content and handling procedures.
For healthcare providers, creating these notes requires balancing sufficient detail for legitimacy against the protection of patient privacy. For employers, properly requesting and handling these documents means navigating multiple legal frameworks. For patients, understanding their rights regarding these notes affects both their healthcare privacy and workplace standing.
The SOAP note (Subjective, Objective, Assessment, Plan) is one of the most widely used clinical documentation methods among healthcare providers, originally theorized by Larry Weed nearly 50 years ago. This structured format serves multiple purposes: it provides clinicians with a cognitive framework for clinical reasoning, acts as a communication tool between health professionals, and creates a standardized record of patient health status.
According to medical documentation experts Podder, Lew, and Ghassemzadeh, "SOAP notes are an essential piece of information about the health status of the patient as well as a communication document between health professionals." While the complete SOAP format is normally used for comprehensive clinical documentation, the information shared with employers in doctors' notes represents a carefully filtered subset of this documentation, balancing verification needs with privacy requirements.
HIPAA establishes strict guidelines for protecting patients' protected health information (PHI). For doctor's notes to maintain HIPAA compliance, several key requirements must be met:
According to a study on patient confidentiality, "When a patient is admitted to a healthcare institution, he or she must be provided with information on rights to privacy, what type of PHI should be shared, and for what reason… any other use or disclosure of PHI must be authorized by the patient in writing before any PHI is disclosed."
Failure to meet these requirements can result in significant penalties for healthcare providers, ranging from corrective action plans to substantial fines depending on the nature and extent of the violation.
One notable example illustrating the importance of HIPAA compliance for doctors' notes is the breach involving Patient Home Monitoring, a company providing in-home medical testing services. In this incident, a misconfigured Amazon cloud repository left more than 316,000 PDF reports publicly accessible. These reports contained detailed patient information, including weekly blood test results, names, phone numbers, addresses, and most importantly, doctors’ notes. The breach affected over 150,000 individuals and exposed sensitive narrative content written by physicians alongside other medical data.
Healthcare providers often struggle with determining exactly what information they can include in a doctors’ note without violating HIPAA. Generally, a HIPAA compliant doctors’ note for workplace purposes may include:
What should normally be excluded from a workplace doctors’ note:
In contrast to workplace doctors' notes, the full SOAP note format used in clinical settings contains considerably more detail. The standard SOAP structure includes:
Only carefully selected elements from this comprehensive clinical documentation should ever appear in a workplace doctor's note, and only with appropriate patient authorization.
Employers often have legitimate needs to verify medical absences or determine appropriate accommodations, but these needs must be balanced against employee privacy rights. Several legal frameworks govern when and how employers can request doctors' notes:
However, employers must be cautious about:
The Equal Employment Opportunity Commission (EEOC) guidance states that all medical information obtained about a particular employee must be collected and maintained on separate forms and in separate medical files, apart from the usual personnel files.
One challenging area of HIPAA compliance involves the electronic transmission of doctors' notes to employers. Standard, unsecured email is not considered HIPAA compliant for transmitting PHI, creating a significant compliance risk.
Providers can email doctors’ notes to employers only if:
According to the study on patient confidentiality, "All emails must be encrypted" when transmitting patient information, and providers should "only transmit the bare minimal information in an email." The authors emphasize that healthcare workers should "never use commercial email accounts; instead, you should use the email system set up by the institution," which typically incorporates the necessary security measures.
Secure transmission methods for doctors' notes include:
Alternatively, providers may give the note directly to the patient, who can then choose to share it with their employer. This approach bypasses many HIPAA concerns since patients can handle their own information as they choose.
While HIPAA establishes federal baseline protections, many states have enacted additional laws that further restrict the disclosure of medical information. Some notable examples include:
Healthcare providers and employers operating across multiple states must comply with the most restrictive applicable laws when handling doctors' notes.
The COVID-19 pandemic accelerated several trends affecting how doctors' notes are created, transmitted, and verified:
One interesting development noted by medical documentation experts is the potential restructuring of the traditional SOAP format. Podder, Lew, and Ghassemzadeh point out that "rearranging the order to form APSO (Assessment, Plan, Subjective, Objective) provides the information most relevant to ongoing care at the beginning of the note, where it can be found quickly." This evolution demonstrates the medical community's recognition that documentation formats must adapt to changing needs while maintaining essential content requirements.
According to HHS guidance, if your employer contacts your healthcare provider directly for information about you, your provider cannot share information without your explicit authorization. Your employer should request verification from you, not directly from your healthcare provider.
There is no universal legal requirement for doctors' notes for sick days. However, employers may legally request doctor's notes as part of their attendance policies, especially for extended absences. For FMLA leave or ADA accommodations, medical certification is typically required.
A doctor's note should include only the minimum necessary information needed to verify the legitimacy of an absence or need for accommodation. This includes confirmation of the appointment, dates of absence, and any specific work restrictions, but not medical details or diagnosis unless explicitly authorized by the patient.