Paubox blog: HIPAA compliant email made easy

Does HIPAA allow employers to require a doctor's note?

Written by Liyanda Tembani | August 12, 2024

HIPAA does not prevent employers from requiring a doctor's note. While HIPAA safeguards protected health information (PHI) and regulates how healthcare providers handle and disclose this information, it does not restrict an employer's ability to request a doctor's note. Notes may be requested to verify absences or to support requests for medical accommodations. Healthcare providers must ensure that any information disclosed is limited to what is necessary and obtain patient consent if more detailed information is requested.

 

Understanding HIPAA and its application to employers

HIPAA primarily aims to safeguard PHI held by covered entities. According to the Department of Health and Human Services, "Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards." HIPAA sets strict standards for the protection and confidential handling of patient information. However, it does not directly regulate employers' ability to request documents from employees.


Employer's rights and employment law

While HIPAA governs the privacy and security of health information, it does not prevent employers from requesting a doctor’s note. Employment laws such as the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA) often allow employers to request medical documentation to verify an employee’s need for leave or accommodations. These laws enable employers to apply leave and accommodation policies fairly and consistently.

 

How HIPAA applies to doctor's notes

Although employers can request a doctor’s note, HIPAA limits what healthcare providers can disclose. Here’s how HIPAA applies:

  1. Minimum necessary information rule: When issuing a doctor’s note, healthcare providers should include only the necessary information to certify the medical condition or absence. Notes should generally only state that the patient was seen and will require a specified period off of work without disclosing specific medical details.
  2. Patient consent for additional information: If an employer requests more detailed health information, the healthcare provider must obtain written consent from the employee before releasing any additional details. 


Practical examples

  • Routine sick leave: An employee feels unwell and visits a doctor. The doctor provides a note stating the employee needs a few days off. The note does not include specific health details, complying with HIPAA by providing only the minimum necessary information.
  • Extended medical leave under FMLA: An employee requires extended leave for a serious health condition. Under the Family and Medical Leave Act, the employer can request medical certification of the required leave. The doctor’s note may confirm the need for leave without detailed medical information unless the employee consents to additional disclosure.
  • Accommodations under the Americans with Disabilities Act (ADA): An employee requests workplace accommodations for a disability. The employer can request medical documentation to verify the need for accommodations. The healthcare provider should again provide only the necessary information, protecting the employee’s PHI.

 

Employee rights

Under HIPAA, employees have several rights concerning their medical information:

  1. Access to medical records: Employees can request and obtain copies of their medical records, including any doctor’s notes.
  2. Right to request changes: Employees may request corrections if there are inaccuracies in their medical records.
  3. Control over information disclosure: Employees can control who receives their health information. Detailed medical information cannot be shared without their explicit consent.


FAQs

Are there any exceptions where HIPAA might not apply to doctor’s notes? 

HIPAA generally applies to all doctor’s notes, but in certain emergencies where rapid disclosure is required for safety, HIPAA’s rules may be interpreted more flexibly.

 

How can a healthcare provider ensure compliance with HIPAA when issuing a doctor’s note?

Limit the doctor’s note to confirming that the patient was seen and stating the number of days the patient should be absent from work. Obtain patient consent if additional details are requested by the employer.

 

Can a covered entity share a doctor’s note with a third-party insurer without patient consent? 

No, a covered entity cannot share a doctor’s note with a third-party insurer or any other third party without the patient’s explicit consent, as this would violate HIPAA’s privacy rules.