Generally, you should treat personnel files as private records belonging to you and your individual employees. You don't want to allow just anyone in the company to rummage through the performance evaluations, salaries, and job applications of coworkers.
But there are employees who have a legitimate need to view the information in a personnel file. For example, a supervisor may need to review performance evaluations to decide whether to promote an employee, or the human resources manager may need to review an employee's salary information to decide what to pay a new hire in the same position. And, in most states, employees have the right to inspect their own personnel files. (To learn more about an employee's right to inspect his or her own personnel file, read Nolo's article Employee Access to Personnel Files: Is It Required?)
Treat personnel files like any other private company records. You can do this by keeping employee files in a locked cabinet. Make them available only to those people in your company who have a legitimate business need to access the files. For example, you might establish a policy that only the human resources manager, the individual employee's manager, and the employee have a right to see an employee's file. This will protect your employees' privacy and limit opportunities for inappropriate documents to find their way into the files.
Special guidelines apply to medical information pertaining to your employees. For example, the Americans With Disabilities Act (ADA) imposes very strict rules for handling information obtained through post-offer medical examinations and inquiries. Employers who are covered by the ADA must keep these medical records confidential and separate from other personnel records. This information may be revealed only to safety and first aid workers, if necessary to treat the employee or provide for evacuation procedures; to the employee's supervisor, if the employee's disability requires restricted duties or a reasonable accommodation; to government officials as required by law; and to insurance companies that require a medical exam.
The Health Insurance Portability and Accountability Act (HIPAA) also imposes privacy obligations on many employers who provide group health plans. (Employers who administer their own plans and have fewer than 50 participants don't have to comply with HIPAA's privacy rules, and employers that sponsor plans that receive only enrollment information have minimal obligations.) Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official, adopting policies and procedures to keep this information private, and notifying employees of their privacy rights, among other things. For more information on HIPAA's privacy rules, go to the HIPAA website established by the federal Department of Health and Human Services, at www.hhs.gov/ocr/hipaa.
The Genetic Information Nondiscrimination Act (GINA) also requires employers to keep employee medical records confidential. GINA prohibits employers from requesting or requiring that employees provide genetic information. If, however, the employer receives such information inadvertently or pursuant to one of the strict exceptions to the law, the employer must keep it in separate, confidential files.
Some state laws also provide special protections for employee medical records. These laws may limit the way such records can be used or the people who can view them.
For help in establishing policies regarding personnel files, get Create Your Own Employee Handbook: A Legal & Practical Guide, by Lisa Guerin and Amy DelPo (Nolo).