Because of the COVID-19 pandemic, employee medical information and confidentiality have become especially important topics. During the crisis, employers may see employee medical information such as a doctor’s note advising an accommodation for a high-risk employee; an employee request for FFCRA sick leave due to COVID-19 symptoms; or results from an employee’s medical test such as a temperature check before the employee re-enters the workplace.
Now is the time to reflect on your practices for handling employee information.
Your employee files accumulate a lot of paperwork, from new hire forms and performance reviews to safety documents and medical records. The storage, care, and ongoing maintenance of employee records are important to your employees, and failure to handle them properly could expose you, as an employer, to potential liability, including monetary fines and criminal penalties.
In addition to various federal agencies that have record-keeping requirements, state and local jurisdiction regulations must also be considered. Employers should adopt record retention policies that follow legal requirements and address record destruction procedures and timetables.
Take a look at 3 steps for employee records retention.
1. Streamline Personnel Files.
A personnel file should be created for each employee and should include documents related to employment decisions, training, and performance. When considering items to add to the personnel file, be sure to include all documents required by law. At the same time, you should carefully consider whether other documents need to be stored here. Remember, the personnel file can even be used in court.
It is best practice to streamline this file to the essentials, which would include items such as:
- Certain Hiring Records (exclude criminal history, for example)
- Signed Handbook Acknowledgement
- Performance Reviews
- Corrective Action Documentation
- Job Description
2. Separate Confidential Records.
The following information should be maintained separately from the personnel file and kept confidential.
Medical Records. The Americans with Disabilities Act (ADA), the Health Insurance Portability Act (HIPAA), and the Genetic Information Nondiscrimination Act (GINA) all address employee medical information and provide regulations for how it can be used in the workplace. For example, the ADA prohibits employers from including medical information in an employee’s general personnel file, and requires that it be kept confidential. If confidentiality is breached, it is possible for the employee to sue under an ADA violation. Medical information should be kept in a separate “medical file.”
Items to place in the medical file include:
- Medical Leave
- Reasonable Accommodations
- Doctor’s Notes
- Medical Test Results (i.e., drug testing results)
- Workers’ Compensation Claims
Other Confidential Records. Documents with personal information related to a protected class, immigration status, criminal history, as well as investigations, should be kept confidential also.
For example, Form I-9 verifies an employee’s identity and employment authorization status in the United States. Due to its sensitive nature, it should not be accessible by managers or supervisors, and should only be handled by the HR representative. It is recommended that physical copies of I-9 forms be kept separate from other records in a binder, organized alphabetically by employee name, and sorted by current or terminated status.
Other confidential items include:
- Social Security Number
- Immigration Status
- National Origin
- Bank Account Information
- Criminal History
- Investigation Reports
3. Maintain Security.
Keeping employee records safe and secure is an employer’s responsibility. Physical records must be stored in a locked and secure location. Digital records must be protected with the latest electronic security features. In both cases, records should be periodically reviewed to ensure contents are current, accurate, and complete. Outdated or unnecessary documents should be destroyed in line with record retention requirements.
Records in the personnel file may be accessed for a variety of reasons, such as when making promotion or layoff decisions, filing tax returns, handling government audits, or defending against lawsuits. However, access should be restricted to those with a legitimate need to know. Share information only when it’s appropriate and limit access to only what’s necessary. For instance, a manager may request access to an employee’s performance review before offering a promotion. A manager may want to review past corrective action documentation as they decide on the next appropriate step for misconduct. These legitimate requests can be granted, but with narrow access to the employee’s personnel file only.
Many states also have statutory requirements that permit employees to review the contents of their personnel file. Even without this requirement, a company needs to have a policy regarding access to personnel files. Will employees be allowed to photocopy items? What can an employee do if they believe information is incorrect? Will there be a limit to the number of times an employee can request access to their file?
Setting and following clear guidelines for securing personnel records goes a long way toward keeping employee information safe and demonstrates good faith practices in the event of a breach.
While juggling many challenges during this pandemic, employers must not drop the ball on day-to-day legal requirements. Employers need to uphold good record-keeping of employee data and keep medical information confidential. Employers should also follow job applicant data retention requirements as well as biometric data obligations, as additional examples. At FrankCrum, we help our clients navigate employment law requirements and provide guidance on HR best practices.