Your employer is legally obligated to keep certain employee records private.
Employers tend to gather a lot of paperwork on employees, from employment applications and resumes to benefits forms, performance evaluations, disciplinary documentation, contact information, and even medical records. The law requires employers to keep some information confidential, but not all of it. This article explains which records must be kept private — and what to do if the confidentiality of your records has been violated.
Rules for Medical Information
The biggest category of records that must be kept confidential is medical information. The Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA) all have very strict rules about how employers must keep certain types of medical information. The general intent of these rules is to protect employee privacy and prevent managers from making discriminatory workplace decisions based on an employee’s disability or genetic information.
Under the ADA, for example, medical records and information must be kept in a file that’s separate from the employee’s regular personnel file, and must be kept confidential (for example, in a separate locked file cabinet or online behind a secure firewall). These records may be seen only:
- by safety and first-aid workers, if necessary to provide medical treatment to the employee or come up with evacuation procedures
- by the employee’s supervisor, if the employee’s disability requires restricted duties or reasonable accommodation
- by government officials, if required by law, and
- by insurance companies that require a medical exam.
If an employer (or more typically, the HR department) doesn’t follow these rules, and the confidentiality of an employee’s medical records is compromised, the employee can sue for violation of the ADA.
Other Types of Records
Very few rules specifically require employers to keep other types of personnel records confidential. However, smart employers observe some common sense protocols to maintain the privacy of records that could lead to legal problems if they fall into the wrong hands. Here are some examples:
- I-9 forms. On these official government forms, employers have to verify that employees are authorized to work in the United States. (For more on I-9 forms, see Employer Verification Procedures on Work Visas and Immigration Status.) Employers may not hire employees who don’t have work authorization. Beyond that prohibition, however, employers may not make job decisions based on an employee’s national origin or citizenship status. Because I-9 forms may contain this information, savvy employers don’t make them available to everyone in the company. The fewer people who have access to this information, the fewer people are in a position to discriminate against the employee on this basis. Although employees may not sue just because an employer didn’t keep I-9 forms confidential, an employee could sue for discrimination, if that was the end result of the breach.
- Investigation records. Many employers keep files on workplace investigations (of a harassment complaint or theft incident, for example) in separate confidential files. This isn’t legally required, but it prevents legal trouble. For example, a manager accused of discrimination may look in the file to see which employees complained or were witnesses against him — and then retaliate against those employees. Or, an HR employee may read the file, then gossip with coworkers about who said what about whom, which could lead to defamation claims against the company.
- Records from background checks. If an employer routinely runs credit reports, criminal background checks, or other investigations of employees or applicants, these materials should be kept confidential as well. For example, state law may prohibit an employer from making job decisions based on an employee’s credit or arrest record. If managers have access to these materials and use them to take action against an employee, the employer might face legal liability.
If Your Confidentiality Is Violated
If your private information has been leaked in the workplace, your legal options depend on the type of records, the circumstances of the breach, and the consequences to you. In many cases, even if you are embarrassed by the breach, you might not have any legal recourse unless someone at work used the information in an illegal way (for example, as a basis to discriminate against you). An experienced employment lawyer can help you figure out whether your legal rights have been violated, and what you can do about it.