Breach of Confidentiality of Personnel Records

Your employer is legally obligated to keep certain employee records private.

Employers tend to gather a lot of paperwork on employees, from employment applications and resumes to benefits forms, performance evaluations, disciplinary documentation, contact information, and even medical records. The law requires employers to keep some information confidential, but not all of it. This article explains which records must be kept private -- and what to do if the confidentiality of your records has been violated.

Rules for Medical Information

The biggest category of records that must be kept confidential is medical information. The Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA) all have very strict rules about how employers must keep certain types of medical information. The general intent of these rules is to protect employee privacy and prevent managers from making discriminatory workplace decisions based on an employee's disability or genetic information.

Under the ADA, for example, medical records and information must be kept in a file that's separate from the employee's regular personnel file, and must be kept confidential (for example, in a separate locked file cabinet or online behind a secure firewall). These records may be seen only:

by safety and first-aid workers, if necessary to provide medical treatment to the employee or come up with evacuation procedures
by the employee's supervisor, if the employee's disability requires restricted duties or reasonable accommodation
by government officials, if required by law, and
by insurance companies that require a medical exam.

If an employer (or more typically, the HR department) doesn't follow these rules, and the confidentiality of an employee's medical records is compromised, the employee can sue for violation of the ADA.

Other Types of Records

Very few rules specifically require employers to keep other types of personnel records confidential. However, smart employers observe some common sense protocols to maintain the privacy of records that could lead to legal problems if they fall into the wrong hands. Here are some examples:

I-9 forms. On these official government forms, employers have to verify that employees are authorized to work in the United States. (For more on I-9 forms, see Employer Verification Procedures on Work Visas and Immigration Status.) Employers may not hire employees who don't have work authorization. Beyond that prohibition, however, employers may not make job decisions based on an employee's national origin or citizenship status. Because I-9 forms may contain this information, savvy employers don't make them available to everyone in the company. The fewer people who have access to this information, the fewer people are in a position to discriminate against the employee on this basis. Although employees may not sue just because an employer didn't keep I-9 forms confidential, an employee could sue for discrimination, if that was the end result of the breach.
Investigation records. Many employers keep files on workplace investigations (of a harassment complaint or theft incident, for example) in separate confidential files. This isn't legally required, but it prevents legal trouble. For example, a manager accused of discrimination may look in the file to see which employees complained or were witnesses against him -- and then retaliate against those employees. Or, an HR employee may read the file, then gossip with coworkers about who said what about whom, which could lead to defamation claims against the company.
Records from background checks. If an employer routinely runs credit reports, criminal background checks, or other investigations of employees or applicants, these materials should be kept confidential as well. For example, state law may prohibit an employer from making job decisions based on an employee's credit or arrest record. If managers have access to these materials and use them to take action against an employee, the employer might face legal liability.

If Your Confidentiality Is Violated

If your private information has been leaked in the workplace, your legal options depend on the type of records, the circumstances of the breach, and the consequences to you. In many cases, even if you are embarrassed by the breach, you might not have any legal recourse unless someone at work used the information in an illegal way (for example, as a basis to discriminate against you). An experienced employment lawyer can help you figure out whether your legal rights have been violated, and what you can do about it.

Talk to a Lawyer

Need a lawyer? Start here.

How it Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Get Professional Help

Talk to an Employment Rights attorney.

How It Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Copyright ©2022 MH Sub I, LLC dba Nolo ® Self-help services may not be permitted in all states. The information provided on this site is not legal advice, does not constitute a lawyer referral service, and no attorney-client or confidential relationship is or will be formed by use of the site. The attorney listings on this site are paid attorney advertising. In some states, the information on this website may be considered a lawyer referral service. Please reference the Terms of Use and the Supplemental Terms for specific information related to your state. Your use of this website constitutes acceptance of the Terms of Use, Supplemental Terms, Privacy Policy and Cookie Policy. Do Not Sell My Personal Information