
Keeping Personnel Files and Medical Records Confidential


If you work in payroll or HR, you have a variety of personal information about employees at your fingertips. With identity theft taking a growing personal and financial toll on Americans, that private information should be guarded with all possible measures to avoid a security breach.

The people who need access to these employee records are not limited to payroll and HR, however. Employees in a variety of positions require access to specific parts of employee records, such as performance evaluations or salary information.

It’s your responsibility to ensure that sensitive employee information is kept confidential and secure in compliance with all federal and state laws and company policies. In this article, we will tell you the best ways to ensure the records you keep are only accessible to those who are authorized to view them. 


Confidentiality and Personnel Files

As part of the process of becoming and staying an employee, people provide a lot of personal information without really thinking twice about it. You have on file information like addresses, Social Security numbers and dates of birth. For would-be identity thieves, what you have on file is a treasure trove of possibility.

Documents that are part of the personnel file include:

  • Pre-employment documents

This includes applications, resumes, emergency contact forms, signed acknowledgments of receipt and agreement, and background checks.

  • Employment documents

These records may include information from performance evaluations, records of attendance, disciplinary actions or documentation of promotions or transfers. 

  • End of employment documents

This part of the record might include exit interviews, documentation about reasons for separation or resignation letters. 


To keep your personnel files confidential you should:

  • Create clear policies about what information is considered “sensitive,” how it will be kept secure, who may access which kinds of information and how to report suspected security breaches.
  • If you use paper records, make sure they are stored securely in locked areas that can be unlocked only by authorized personnel.
  • If you use electronic records, make sure those records are encrypted, stored on a secure server and accessible only with a regularly changed password.
  • Create clear policies and procedures for when and how records will be destroyed and disposed of once they are no longer needed.


Once you have taken all possible measures to keep records safe and confidential, train all employees on your security procedures for the sake of transparency, and give those authorized to view employee records additional training on the dos and don’ts of handling them.

Confidentiality and Medical Records

Employers may have medical records as part of their employee files for a variety of reasons. Medical information may be disclosed to an employer in the case of work-related injuries, requests for medical leave, requests for accommodations under the Americans with Disabilities Act or fitness-for-duty examinations.

Medical records are protected by a variety of state and federal legislation, so if you keep employees’ medical records, it’s essential that you know these laws and comply with them. To stay compliant and keep medical information confidential, you should:

  • Keep medical records separate from personnel files. If a security breach happens in one place, the rest of the employee’s sensitive information remains secure.
  • Provide access to these records only to: 
    • Safety and first aid workers who may have to provide treatment
    • Direct supervisors who may need to review information regarding restricted duties or requested accommodations
    • Government agencies as required by law
    • Insurance companies who require a medical exam for purposes of coverage
  • Comply with all Health Insurance Portability and Accountability Act (HIPAA) regulations including:
    • Designating an in-house privacy officer
    • Creating policies and procedures that support confidentiality
    • Notifying employees of their privacy rights as granted by HIPAA
  • Be familiar with all state and federal laws that protect personal health information and establish policies for compliance.


For more help on creating policies to protect your employees’ personnel records or how to ensure compliance with all things HR, visit the Complete Payroll blog. We have searchable articles with up-to-date information that can help guide you through this and other HR processes. Visit us today to learn more. 
