Keeping Employee Records Private

By Lisa Guerin, J.D., Boalt Hall at the University of California at Berkeley
Employers are required to take certain steps to protect sensitive information in employee records.

Personnel files hold lots of private information about employees, from their Social Security numbers and next of kin to bank account numbers and medical records. State and federal laws place strict limits on who can access these records and for what reasons.

Despite the legal and practical reasons to keep employee records private, there are times when certain employees will need to access personnel files to do their jobs. Employees may also want to view their own files, either while still employed or after leaving the company. This article explains your company’s legal obligations when it comes to employee personnel documents.

Legal Limits on Disclosing Employee Information

The law dictates how employers may use certain types of employee information and who has a right to see that information. Generally, your obligation to keep employee records private depends on the type of information the records contain.

Social Security Numbers

We use Social Security numbers as a key method of verifying identity and work authorization here in the U.S. For this very reason, they are a rich target for thieves, who can use Social Security numbers to open bank accounts, obtain credit cards, create false work documents, and otherwise steal someone’s identity.

A growing number of states have passed laws requiring employers to maintain the confidentiality of employee Social Security numbers. In California, for example, employers may print only the last four digits of employee Social Security numbers on the pay stubs they are legally required to provide. The state also prohibits employers from making employee Social Security numbers available to the public, printing those numbers on access cards, or printing those numbers on materials to be mailed (unless legally required, as might be the case for tax documents).

Medical Records

Strict confidentiality requirements apply to employee medical records. You might not have medical records for all of your employees. However, if an employee has a disability, you may have medical records relating to the employee’s medical condition and need for an accommodation. An employee who has taken leave for a serious health condition under the Family and Medical Leave Act may have submitted a medical certification form. (See Understanding the Family and Medical Leave Act for more information.) And, even though the Genetic Information Nondiscrimination Act (GINA) generally prohibits employers from gathering genetic information about employees, you may nonetheless have such information pursuant to an exception to the law.

If you have employee medical records, you must treat them confidentially. If you have information pertaining to an employee’s disability, for example, the Americans with Disabilities Act (ADA) requires you to keep that information in a separate confidential file, to be accessed only by:

  • first aid and other safety personnel, if necessary to provide medical treatment or safely evacuate the employee in an emergency
  • the employee’s supervisor, if the employee’s disability imposes work limitations or requires a reasonable accommodation
  • government officials, if required by law, and
  • insurance companies that require a physical examination.

If your company has more than 50 employees and provides group health benefits, it may also have privacy obligations under the Health Insurance Portability and Accountability Act (HIPAA). For example, you may be required to have a designated in-house privacy officer and adopt policies to keep employee health information private. (Learn more at the federal Department of Health and Human Services’ Health Information Privacy page.)

Some state laws also protect the privacy of employee medical records and limit the circumstances in which they may be disclosed. To find out if your state has this type of law, contact your state department of labor.

Employee Rights to View Personnel Files

Although federal law doesn’t address the issue, a number of states give employees and former employees the right to view their own personnel files. These laws vary in what is allowed and required. In Illinois, for example, current and former employees have the right to inspect their full personnel files up to twice a year; they also have the right to insert a rebuttal statement in the file, if they disagree with something that the employer refuses to remove from the file. California employees and former employees also have the right to view their files, but employers do not have to provide certain records, including letters of reference and documents pertaining to an investigation of a criminal offense. (See State Laws on Access to Your Personnel File for more information.)

Best Practices for Personnel Files

In addition to the above legal obligations, employers have good practical reasons for keeping employee records private. Although employers may not be legally required to keep things like employee salary information or performance evaluations private, for example, there is no good reason to allow other employees access to these records.

Here are some tips that will help you maintain the confidentiality of employee personnel files:

  • Learn the state and federal laws that apply to particular employee records, and follow them. As explained above, for example, your company will need separate confidential files for employee medical records, with access limited as required by law.
  • Keep all employee personnel files in a secure location, such as a locked filing cabinet, an offsite storage facility, or a secure computer server.
  • Restrict access to employee personnel files to those with a legitimate need to know. For example, you might allow only an employee, the employee’s manager, and HR personnel to view each file.
  • Adopt a written policy explaining who has access to an employee’s file, how an employee can access his or her own personnel file, and how special records (like medical documents) are handled. Distribute the policy to employees.
  • Review personnel files periodically to make sure they include all relevant employment records, like recent performance evaluations, salary data, and disciplinary records. Also, make sure the files don’t include documents that shouldn’t be there, such as medical records or disciplinary warnings that should have been removed after a certain period of time.