Breach of Confidentiality of Personnel Records

Your employer is legally obligated to keep certain employee records private.

Employers tend to gather a lot of paperwork on employees, from employment applications and resumes to benefits forms, performance evaluations, disciplinary documentation, contact information, and even medical records.

The law requires employers to keep some information confidential, but not all of it. This article explains which records must be kept private — and what to do if the confidentiality of your records has been violated.

• Confidentiality Rules for Medical Information
• Confidentiality of Other Types of Records
• Examples of Violations of Confidentiality at Work
• If Your Confidentiality Is Violated

Confidentiality Rules for Medical Information

The biggest category of records that must be kept confidential is medical information. The Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA) all have very strict rules about how employers must keep certain types of medical information.

The general intent of these rules is to protect employee privacy and prevent managers from making discriminatory workplace decisions based on an employee's disability or genetic information.

Under the ADA, for example, medical records and information must be kept in a file that's separate from the employee's regular personnel file, and must be kept confidential (for example, in a separate locked file cabinet or online behind a secure firewall). These records may be seen only:

• by safety and first-aid workers, if necessary to provide medical treatment to the employee or come up with evacuation procedures
• by the employee's supervisor, if the employee's disability requires restricted duties or reasonable accommodation
• by government officials, if required by law, and
• by insurance companies that require a medical exam.

If an employer (or more typically, the HR department) doesn't follow these rules, and the confidentiality of an employee's medical records is compromised, the employee can sue for violation of the ADA.

Confidentiality of Other Types of Records

Very few rules specifically require employers to keep other types of personnel records confidential. However, smart employers observe some common sense protocols to maintain the privacy of records that could cause legal problems if they fall into the wrong hands. Here are some examples:

• I-9 forms. On these official government forms, employers have to verify that employees are authorized to work in the United States. (For more on I-9 forms, see Employer Verification Procedures on Work Visas and Immigration Status.) Employers may not hire employees who don't have work authorization. Beyond that prohibition, however, employers may not make job decisions based on an employee's national origin or citizenship status. Because I-9 forms may contain this information, savvy employers don't make them available to everyone in the company. The fewer people who have access to this information, the fewer people are in a position to discriminate against the employee on this basis. Although employees may not sue just because an employer didn't keep I-9 forms confidential, an employee could sue for discrimination, if that was the end result of the breach.
• Investigation records. Many employers keep files on workplace investigations (of a harassment complaint or theft incident, for example) in separate confidential files. This isn't legally required, but it prevents legal trouble. For example, a manager accused of discrimination may look in the file to see which employees complained or were witnesses against him -- and then retaliate against those employees. Or, an HR employee may read the file, then gossip with coworkers about who said what about whom, which could lead to defamation claims against the company.
• Records from background checks. If an employer routinely runs credit reports, criminal background checks, or other investigations of employees or applicants, these materials should be kept confidential as well. For example, state law may prohibit an employer from making job decisions based on an employee's credit or arrest record. If managers have access to these materials and use them to take action against an employee, the employer might face legal liability.

Examples of Violations of Confidentiality at Work

Here are some common scenarios in which employers might breach their duty of confidentiality to their employees. While not all of these are illegal in themselves, they could all lead to legal trouble for the employer:

• Disclosing personal information without consent. An employer should not share an employee's personal information, such as address, Social Security number, or medical information without the employee's consent.
• Failing to secure confidential data. Employers must ensure they take reasonable steps to avoid the unauthorized access of confidential information by third parties. For example, medical information and private information such as Social Security numbers shouldn't be left in unsecured locations. When stored digitally, such information should be password protected.
• Sharing disciplinary or salary information. An employer should avoid revealing disciplinary action that was taken against an employee, or how much an employee earns.
• Accessing private emails or messages on private devices. Employers are generally allowed to monitor employer-provided electronic devices such as laptops and smartphones. However, many states prohibit employers from tracking or monitoring an employee's own device.
• Using surveillance equipment. Some states restrict the extent to which employers can use surveillance equipment to monitor their employees. For example, states might prohibit employers from recording in certain locations such as changing rooms, or require employers to obtain employee consent.

If Your Confidentiality Is Violated

If your private information has been leaked in the workplace, your legal options depend on the type of records, the circumstances of the breach, and the consequences to you.

In many cases, even if you are embarrassed by the breach, you might not have any legal recourse unless someone at work used the information in an illegal way (for example, as a basis to discriminate against you). An experienced employment lawyer can help you figure out whether your legal rights have been violated, and what you can do about it.