You can verify that a medical certificate or sick note is genuine — but unlike most documents, you generally cannot probe the medical details, because medical confidentiality and data-protection law restrict it. The two checks you can legitimately make are: confirm the practitioner is registered, for example on the GMC register in the UK, and confirm the note was genuinely issued, with the person's consent or via the issuer's verification reference. What you cannot do is demand the diagnosis or call the doctor behind the employee's back.
This guide explains how to verify a sick note properly, and lawfully. It is general information, not legal or medical advice; employment and data-protection rules vary by jurisdiction.
First, the privacy rule that changes everything
Medical information is special-category data under UK GDPR, and protected by HIPAA in the US and confidentiality duties everywhere. That has concrete consequences for verification.
An employer cannot demand detailed medical records or a diagnosis. A fit note gives just enough to justify the absence without exposing private detail. And an employer cannot contact the doctor without the employee's consent: if more information is genuinely needed, the lawful route is written consent for a medical report, or an occupational health assessment — not a quiet phone call to the surgery.
So verifying a sick note is not like verifying a payslip. It is deliberately constrained to authenticity and practitioner registration, plus consented medical-report or occupational-health routes when more is needed.
Know the document
In the UK, the term sick note has no legal status — the document is the fit note, the Statement of Fitness for Work, officially the Med3. For the first seven days, employees self-certify, with no medical evidence, using an SC2 form or a simple statement. From day eight onward a fit note can be required, and is needed for Statutory Sick Pay. Since 1 July 2022, fit notes can be issued by doctors, nurses, occupational therapists, pharmacists, and physiotherapists — not only GPs. A fit note states either "not fit for work" or "may be fit for work with adjustments", and most are now issued digitally.
A genuine fit note shows the assessment date, the condition affecting fitness, the outcome, the period covered, and the issuer's name, profession, and practice details. A note missing the issuer's name or signature details should not be accepted, as it may not be genuine.
Private GMC-registered doctors, including online services, can issue legitimate medical certificates, accepted subject to employer agreement — they will not copy the exact NHS layout but can still be valid evidence. In the US and elsewhere there is no single standard form, and HIPAA limits what anyone may confirm.
The two checks you can make
The first check is to confirm the practitioner is registered. This is public and raises no privacy issue. Confirm the named clinician exists and is currently registered with the relevant regulator: in the UK, the GMC for doctors, searchable by name or registration number, the NMC for nurses, the HCPC for occupational therapists and physiotherapists, and the GPhC for pharmacists. In the US, check the state medical board or NPI registry. A note from a non-existent or unregistered doctor is a clear fake.
The second check is to confirm the note was genuinely issued. Contact the issuing practice, clinic, or service to confirm that they issued the note. They will confirm issuance, not clinical details. In the UK this requires the employee's consent. Many online medical-certificate services provide an employer verification route — a unique reference number on each note, checked against their records or via a helpline — designed to confirm authenticity while preserving confidentiality. Always use contact details you source independently, not only those printed on the note.
When you need more: consented routes
If you genuinely need more than the fit note provides, the lawful channels are a medical report with the employee's written consent, or an occupational health assessment. These are the proper mechanisms — not pressing the employee or the surgery for confidential detail you are not entitled to.
Forensic red flags (within limits)
Within the limits of what you can inspect, watch for missing issuer details — no practitioner name, profession, practice, or signature; official guidance says such a note should not be accepted. Be wary of generic templates — output from a fake doctor's note generator, or a layout that does not match a legitimate fit note or clinic certificate. Look for inconsistencies — misused medical terminology, incoherent dates, or a covered period that does not fit the account. Note the absence of a reference number where the issuing service uses them. And check the metadata — a PDF produced in a design tool rather than a clinical or certificate system, or edited after issue.
Remember the ceiling: a polished fake can pass document inspection. Registration and authenticity confirmation matter more than appearance.
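The metadata check described above can be scripted. The following is an added example, not part of the original guide: the list of design-tool names, the flag labels, and the sample byte strings are assumptions constructed for illustration, and a flag is a prompt to run the registration and issuance checks, not proof of forgery.

```python
import re
from datetime import datetime

# Assumption: substrings in /Creator or /Producer that suggest a design or
# image-editing tool rather than a clinical or certificate system.
DESIGN_TOOL_HINTS = ("canva", "photoshop", "illustrator", "indesign", "gimp", "inkscape")

def _info_value(pdf: bytes, key: str):
    """Return the last literal-string value for an Info key, e.g. /Producer (...).
    Limitation: misses hex/UTF-16 strings, XMP packets and compressed object streams."""
    found = re.findall(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", pdf)
    return found[-1].decode("latin-1") if found else None

def _pdf_date(value):
    """Parse the D:YYYYMMDDHHmmSS prefix of a PDF date; the timezone suffix is ignored."""
    m = re.match(r"D:(\d{14})", value or "")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def metadata_flags(pdf: bytes) -> list:
    """Return review flags derived only from document metadata, never from content."""
    flags = []
    tool = f"{_info_value(pdf, 'Creator') or ''} {_info_value(pdf, 'Producer') or ''}".lower()
    if not tool.strip():
        flags.append("no-producer-or-creator")
    elif any(hint in tool for hint in DESIGN_TOOL_HINTS):
        flags.append("design-tool-producer")
    created = _pdf_date(_info_value(pdf, "CreationDate"))
    modified = _pdf_date(_info_value(pdf, "ModDate"))
    if created and modified and modified > created:
        flags.append("modified-after-creation")
    # Each incremental save appends a new trailer ending in %%EOF.
    if pdf.count(b"%%EOF") > 1:
        flags.append("incremental-update")
    return flags

def _sample(producer, created, modified, saves=1):
    """Build a constructed metadata fragment (not a complete PDF) for the demo."""
    info = (f"1 0 obj\n<< /Producer ({producer}) /CreationDate (D:{created}) "
            f"/ModDate (D:{modified}) >>\nendobj\n")
    return b"%PDF-1.7\n" + info.encode("latin-1") + b"%%EOF\n" * saves

# Constructed samples: the producer names and dates are invented.
CLINICAL = _sample("ExampleClinic Certificate Service", "20240304101500Z", "20240304101500Z")
EDITED = _sample("Canva", "20240304101500Z", "20240306184200Z", saves=2)

if __name__ == "__main__":
    for name, doc in (("clinical", CLINICAL), ("edited", EDITED)):
        print(name, metadata_flags(doc))
```

Metadata is trivial to strip or rewrite, so an empty flag list says nothing about authenticity.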
Quick checklist
Everything above, condensed.
| Check | What to confirm |
|---|---|
| Practitioner | Named clinician is registered (GMC/NMC/HCPC/GPhC; US state board) |
| Authenticity | Note genuinely issued — confirmed with consent or via the issuer's reference |
| Completeness | Issuer name, profession, practice, dates, outcome all present |
| Consent/process | Use a medical report or occupational health for anything beyond the note |
| Document | Legitimate format; reference number present; metadata consistent |
Handle suspicion through process, not interrogation
Often the right response to a doubtful note is not to chase medical detail you cannot access — it is to apply your absence policy consistently: return-to-work conversations, occupational-health referral, and consented medical reports. That keeps you both effective and on the right side of confidentiality and employment law.
The honest bottom line
You can confirm a sick note is genuine and that the clinician is registered; you cannot — and should not try to — verify the diagnosis. Authenticity, registration, and lawful process are the toolkit. As always, what actually proves a document genuine is confirmation at source — here, balanced against medical privacy.
For clinics and healthcare providers who issue certificates
This is where verifiable issuance fits especially well, because it solves the authenticity problem without touching clinical content. Clinics, occupational-health providers, and medical-certificate services that issue fit notes and certificates can make them verifiable at source — so an employer can confirm in seconds that a note genuinely came from the issuer and is unaltered, without the issuer revealing any medical detail. VerifyDoc.ai provides this through a QR-backed Certificate of Authenticity and a proof page, with the issuer controlling exactly what is shown — a natural fit alongside handling special-category health data responsibly.
To be clear on scope: VerifyDoc.ai is issuer-side and confirms a document's authenticity and integrity — that it genuinely came from the issuer and is unaltered. It does not verify a clinician's judgement or diagnosis, and it is not a medical-verification service. If you are an employer verifying a note, use the registration and consented authenticity checks above. See how it works.
Let your clinic's certificates prove themselves — privately
If you issue fit notes or medical certificates, VerifyDoc.ai lets each carry a QR-backed Certificate of Authenticity — so employers can confirm at source that it genuinely came from you and is unaltered, while you keep full control of what is shown. Start free or see how it works.