Breach of Confidentiality of Personnel Records

Your employer is legally obligated to keep certain employee records private.

By Aaron Hotfelder, J.D., University of Missouri School of Law

Employers tend to gather a lot of paperwork on employees, from employment applications and resumes to benefits forms, performance evaluations, disciplinary documentation, contact information, and even medical records.

The law requires employers to keep some information confidential, but not all of it. This article explains which records must be kept private—and what to do if the confidentiality of your records has been violated.

Confidentiality Rules for Medical Information

The biggest category of records that must be kept confidential is medical information. The Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA) all have very strict rules about how employers must keep certain types of medical information.

The general intent of these rules is to protect employee privacy and prevent managers from making discriminatory workplace decisions based on an employee's disability or genetic information.

Under the ADA, for example, medical records and information must be kept in a file that's separate from the employee's regular personnel file, and must be kept confidential (for example, in a separate locked file cabinet or online behind a secure firewall). These records may be seen only:

by safety and first-aid workers, if necessary to provide medical treatment to the employee or come up with evacuation procedures
by the employee's supervisor, if the employee's disability requires restricted duties or reasonable accommodation
by government officials, if required by law, and
by insurance companies that require a medical exam.

If an employer (or more typically, the HR department) doesn't follow these rules, and the confidentiality of an employee's medical records is compromised, the employee can sue for violation of the ADA.

Confidentiality of Other Types of Records

Very few rules specifically require employers to keep other types of personnel records confidential. However, smart employers observe some common sense protocols to maintain the privacy of records that could cause legal problems if they fall into the wrong hands. Here are some examples:

I-9 forms. On these official government forms, employers have to verify that employees are authorized to work in the United States. (For more on I-9 forms, see Employer Verification Procedures on Work Visas and Immigration Status.) Employers may not hire employees who don't have work authorization. Beyond that prohibition, however, employers may not make job decisions based on an employee's national origin or citizenship status. Because I-9 forms may contain this information, savvy employers don't make them available to everyone in the company. The fewer people who have access to this information, the fewer people are in a position to discriminate against the employee on this basis. Although employees may not sue just because an employer didn't keep I-9 forms confidential, an employee could sue for discrimination, if that was the end result of the breach.
Investigation records. Many employers keep files on workplace investigations (of a harassment complaint or theft incident, for example) in separate confidential files. This isn't legally required, but it prevents legal trouble. For example, a manager accused of discrimination may look in the file to see which employees complained or were witnesses against him -- and then retaliate against those employees. Or, an HR employee may read the file, then gossip with coworkers about who said what about whom, which could lead to defamation claims against the company.
Records from background checks. If an employer routinely runs credit reports, criminal background checks, or other investigations of employees or applicants, these materials should be kept confidential as well. For example, state law may prohibit an employer from making job decisions based on an employee's credit or arrest record. If managers have access to these materials and use them to take action against an employee, the employer might face legal liability.

Examples of Violations of Confidentiality at Work

Here are some common scenarios in which employers might breach their duty of confidentiality to their employees. While not all of these are illegal in themselves, they could all lead to legal trouble for the employer:

Disclosing personal information without consent. An employer should not share an employee's personal information, such as address, Social Security number, or medical information without the employee's consent.
Failing to secure confidential data. Employers must ensure they take reasonable steps to avoid the unauthorized access of confidential information by third parties. For example, medical information and private information such as Social Security numbers shouldn't be left in unsecured locations. When stored digitally, such information should be password protected.
Sharing disciplinary or salary information. An employer should avoid revealing disciplinary action that was taken against an employee, or how much an employee earns.
Accessing private emails or messages on private devices. Employers are generally allowed to monitor employer-provided electronic devices such as laptops and smartphones. However, many states prohibit employers from tracking or monitoring an employee's own device.
Using surveillance equipment. Some states restrict the extent to which employers can use surveillance equipment to monitor their employees. For example, states might prohibit employers from recording in certain locations such as changing rooms, or require employers to obtain employee consent.

If Your Confidentiality Is Violated

If your private information has been leaked in the workplace, your legal options depend on the type of records, the circumstances of the breach, and the consequences to you.

In many cases, even if you are embarrassed by the breach, you might not have any legal recourse unless someone at work used the information in an illegal way (for example, as a basis to discriminate against you). An experienced employment lawyer can help you figure out whether your legal rights have been violated, and what you can do about it.

Get Professional Help

Talk to an Employment Rights attorney.

Full Name

Full Name is required

Email

Email is required

Please enter a valid Email

Phone

Phone Number is required

Please enter a valid Phone Number

Zip Code

Zip Code is required

Please add a valid Zip Code

Please enter a valid Case Description

Description is required

By submitting this form I agree to the Terms of Use and Privacy Policy and consent to be contacted by Martindale-Nolo and its affiliates, and up to three attorneys regarding this request and to receiving relevant marketing messages by automated means, text and/or prerecorded messages at the number provided. Consent is not required as a condition of service,

Click here

to agree without providing consent to be contacted by automated means, text and/or prerecorded messages. Rates may apply.

You should not send any sensitive or confidential information through this site. Any information sent through this site does not create an attorney-client relationship and may not be treated as privileged or confidential. The lawyer or law firm you are contacting is not required to, and may choose not to, accept you as a client. The Internet is not necessarily secure and emails sent through this site could be intercepted or read by third parties.

How It Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Copyright ©2023 MH Sub I, LLC dba Nolo ® Self-help services may not be permitted in all states. The information provided on this site is not legal advice, does not constitute a lawyer referral service, and no attorney-client or confidential relationship is or will be formed by use of the site. The attorney listings on this site are paid attorney advertising. In some states, the information on this website may be considered a lawyer referral service. Please reference the Terms of Use and the Supplemental Terms for specific information related to your state. Your use of this website constitutes acceptance of the Terms of Use, Supplemental Terms, Privacy Policy and Cookie Policy. Do Not Sell or Share My Personal Information