HR serves as the gatekeeper of employee information -- sensitive personal data, performance and compensation history, and health-related records. Not everything kept in HR's personnel files is confidential, but to comply with the Sarbanes-Oxley Act, control of and access to all personnel files should be limited. Several other federal laws dictate that HR keep business-related employee information separate from medical information to prevent discrimination, ensure confidentiality and guard employee privacy.
Americans With Disabilities Act
The Americans with Disabilities Act polices the distribution of employee medical information. To comply with ADA, human resources must keep separate, secure files to store documents about workers' health histories and conditions. Another ADA stipulation limits access to those files. Office first aid or medical staff called to attend an employee at work may see the files. Direct supervisors of employees with disabilities can access them if the employee requires reasonable accommodation or restricted duties. The only others granted access by ADA are government officials, when required by law, and insurance companies that require a medical exam.
Genetic Information and Non-Disclosure Act of 2008
The Genetic Information Non-Disclosure Act prohibits employers with at least 15 employees from obtaining or requesting genetic information about job candidates, workers or their relatives, with a few exceptions. If an employee's or family member's genetic information is acquired under an exception, GINA mandates that it be kept separate from the employment-related personnel file for confidentiality. According to the Bernstein Shur law firm, HR can file genetic information in the employee's ADA medical file.
Family and Medical Leave Act
Although the Family and Medical Leave Act doesn't stipulate the format of leave and compensation records used to support an employee's absence under its provisions, it does specify that they must be considered confidential and kept separate from the personnel file.
Health Insurance Portability and Accountability Act
According to Ohio law firm Coolidge Wall, the Health Insurance Portability and Accountability Act does not cover HR personnel files containing employee health information unless the employer is a group health plan sponsor. However, HIPAA's standards for guarding the confidentiality of employee health information should be respected by HR professionals. For example, identifiers such as Social Security number, birth date, name and address should not be shared.
Other Confidentiality Concerns
State law may place an additional record-keeping burden on HR for confidential information such as background checks or credit reports. Other kinds of information, such as work-related investigations on theft or complaints, have no state or federal legal filing requirement. By maintaining separate files, HR can control access and minimize the risk associated with breaches of privacy.
- Kinsey: HR Automation Technologies: Supporting Sarbanes-Oxley Compliance & the Drive for Operational Excellence
- Envision Resource Group: Security of Confidential Employee Information
- LawFirms.com: Privacy Guidelines and Rights in the Workplace
- Bernstein Shur: Confidential Personal Information in the Workplace
- EmploymentLawFirms.com: Breach of Confidentiality of Personnel Records
- U.S. Department of Labor: Employment Law Guide; Family and Medical Leave
- Coolidge Wall: HIPAA and Employee Files
Trudy Brunot began writing in 1992. Her work has appeared in "Quarterly," "Pennsylvania Health & You," "Constructor" and the "Tribune-Review" newspaper. Her domestic and international experience includes human resources, advertising, marketing, product and retail management positions. She holds a master's degree in international business administration from the University of South Carolina.