Most would agree that a work cubicle lacks the privacy of a bedroom, but where the line of privacy lies between bedroom and cubicle is a hotly-litigated issue. While there are cases galore on other aspects of workplace privacy, there’s very little guidance in the area of automation and networking of HR information. As a result, as businesses consider who should be able to review or alter various HR records, the issues are likely to be more of style and corporate culture than legality.
However, there are two areas where federal law and a large number of state statutes do require absolute confidentiality: medical records and personnel files. The extent of these protections can vary widely from state to state, and violations of these privacy statutes can result in substantial liability and fines. While the safest course is to consult with counsel in the business’ jurisdiction when deciding what limitations to impose and how to enforce them, there are some general considerations to bear in mind.
Medical records are a particular hot button under both state laws and federal law, such as the Americans with Disabilities Act as well as the Family Medical Leave Act. Employers need to remember that statutes restricting the dissemination of information on a person’s medical condition are not typically limited to health-care providers.
HR records typically contain substantial amounts of medical information, including the results of a pre-employment physical, information for Family and Medical Leave Act compliance, requests for reasonable accommodation under the Americans with Disability Act and related statutes, and employee assistance program participation. All of this information must be treated as highly confidential.
Additionally, good HR management segregates this information from the personnel file and greatly restricts access to it. Medical information is so highly confidential that, at a minimum, access to it should be restricted within a network or on a server that isn’t in any way accessible to persons who aren’t permitted to review it.
The contents of personnel files vary widely from employer to employer. Laws restricting disclosure of personnel files vary from jurisdiction to jurisdiction, but tend to be less strict than those governing medical information and typically permit more individuals to review them under a wider set of circumstances. Items within personnel files that are typically deemed confidential under state statutes and decisional law include performance reviews, disciplinary actions, complaints about harassment or other forms of discrimination, and the like.
The safest course is to treat these records similarly to medical records, in terms of making sure that they cannot be opened or tampered with by hackers and others who should not see them. If the employee is granted online access to her or his own personnel records, employers should make sure that the employee will not be able to edit the records to delete disciplinary reports, improve poor reviews or create salary increases.
Statutory Notice and Reporting Requirements
Government regulators in HR-related fields are beginning to catch up with technology. Some state regulations are already incorporating automation to increase opportunities for online and streamlined reporting, record keeping and employee notifications. While few federal regulations have yet been altered or added to address or make express use of automation and software programs in the human resources arena, many are reportedly in the planning stages.
Employers should keep an eye out for changes in regulations to accommodate automation. In the ERISA field, particularly, the Internal Revenue Service has issued guidelines related to "paperless administration," and the Department of Labor has issued proposed regulations regarding the use of electronic media to satisfy ERISA’s disclosure requirements. Regulations anticipated to be issued under the Health Insurance Portability and Accountability Act (HIPAA) are also expected to greatly impact how electronic data related to health-care plans can be stored, transmitted and accessed.
In the face of new and developing regulations, choosing the right HR software is critical. Consultation with legal counsel or agencies regulating the employer can help employers select software that’s compatible with applicable and anticipated state and federal regulations.
Of course, regardless of whether and when regulations directly address automation, HR software can greatly streamline a business’ compliance with various existing statuary reporting and notice requirements. With a few keystrokes, employers should be able to categorize an employee’s absences as vacation, sick or Family Medical Leave Act to ensure compliance with the FMLA or compile statistics for diversity reports.
Employers need to remember that there’s no escaping the old adage: "Garbage in, garbage out." As beneficial as software programs can be in producing summaries, reports and notices, employers must make very certain that the information in the system that is used to create reports or send notices is both current and accurate. Outdated or inaccurate information can lead to serious violations of statutes.
Businesses can take two general steps to ensure the accuracy of their information. First, employers need to adopt policies for both periodically confirming the accuracy of information currently in the system, and for providing routine and consistent reminders to everyone to update key information.
For instance, once a year, each employee should receive summaries of basic information in the employee’s file—home address and telephone number, spouse, dependents, and the like—with the request that they notify the employer of any changes or inaccuracies. Supervisors likewise need to be reminded to confirm that data is current. At every termination of employment, the employee’s information, particularly the current home address, should be reconfirmed so that employee notices required by law are sent to the proper address.
It’s easy to slip into the mindset that once information is entered into the computer, it’s set in cyberspace and never needs to be changed or reviewed. That misplaced confidence can lead to substantial fines and liability if, for instance, notices are not sent to proper addresses or statistics are incorrect because of outdated data.
Second, make sure that the information is correct and accurate when entered into the system. The temptation is great to create efficiencies for inputting HR material by having employees type their own data directly into employment records. The catch is that maintaining accurate records is the employer’s sole duty under most statutes. Because the employer is responsible for any inaccuracy from the inputting of information, employers can expect to be held responsible for any errors in employees’ entries.
Under these circumstances, employers who permit employees to input HR information into the computer need to develop procedures for ensuring that the information employees enter is accurate. At a minimum, such procedures should include confirming with the employee that the information is accurate and some critical review and analysis by HR personnel.
Record Retention Issues
Both federal and state laws require employers to retain certain employment-related records for specified periods of time. For example, employers must keep certain payroll records for at least three years under the Fair Labor Standards Act. The Internal Revenue Code requires any employer or ERISA plan administrator who files a federal tax return to keep permanent accounts of records needed to establish the amounts reported in each return.
As we move toward an increasingly electronic and paperless society, employers need to protect computer files in order to avoid lost or corrupted information. To governmental regulators, the news that a virus—or hacker—destroyed or altered years of payroll records is the same as hearing that a dog ate the homework. No one wants to be in that situation.
To avoid these problems, employers need to craft and rigorously enforce policies for backing up current HR data in computer systems and for saving and safely storing older data on a disk, CD-ROM or other hard formats.
Drafting an effective electronic-data retention policy requires employers first to create a complete list of all the applicable record-retention requirements in the company’s jurisdiction. The employer then needs to consider how it will satisfy each requirement in a manner that will ensure all its information is accurate, easily retrieved, and also in a form in which authenticity and integrity are above serious challenge.
Workforce, October 1999, Vol. 78, No. 10, p. 92-98.