Personal Information of Current or Former Employees

An employee’s right to privacy in the workplace generally includes the employee’s personal information and activities at work. Private companies have some legal obligations to their employees, but most of an employee’s privacy rights are determined by company policy. Government officials, however, generally have an obligation not to disclose employees’ personal information. For example, federal government officials are bound by The Privacy Act of 1974 not to disclose any personal information and to take precautions to keep personal information confidential—unless the disclosure is made following a written request by the person whose information is disclosed or with the prior written consent of the person whose information is disclosed. See 5 U.S.C. §552.

Job References and Other Information Requests

It is generally not recommended for employers to give out any information about current or former employees in response to phone calls or e-mail inquiries seeking information about specific individuals—including full name, date of birth, social security number, address, bank account information, wages, or work schedule—as it is very difficult for the employer to confirm the identity and motivations of such a caller or e-mail sender. Although the inquirer could be a prospective employer calling for job reference information or a bank seeking to verify employment on an employee’s loan application, the inquirer could also be a debt collector disrupting the employee’s workday, an identity thief, or a disgruntled person seeking to harm the employee. An employer or former employer should take additional precautions when responding to such information requests.

Video Surveillance and Monitoring of Employee Phone, Computer, and Internet Use

A private employer is generally allowed to monitor the telephone, computer, and internet use of its employees during work hours and on company-owned equipment. But such electronic monitoring of employees should be well-defined in an employee handbook, for example, and acknowledged by employees. An employee electronic monitoring policy should state that employees have no expectation of privacy while on company property (except in the restroom or a breastfeeding room, for example) or when using company resources (computer, internet, telephone, automobile, etc.).

Monitoring laws vary from state to state, but the federal Electronic Communications Privacy Act of 1986 (ECPA) is a federal law (statute) that governs an employer’s monitoring of electronic communications in the workplace in all states. See 18 U.S.C. §2511. The ECPA generally prohibits an employer from intercepting its employees’ oral, wire, and electronic communications—unless the employer’s interception of those employee communications falls within one of the exceptions in the statute. For example, the business purpose exception allows employers to monitor oral and electronic communications if the employer can show a legitimate business purpose for doing so. The consent exception allows an employer to monitor employee communications if the employer has the employees’ consent to do so. And the ECPA’s restrictions may be limited to the transmission of electronic communications and may not include the employer’s storage of electronic communications. But state laws may also apply—including state statutes, court opinions, and constitutions—and may further restrict an employer’s ability to monitor employee communications in the workplace.

An employer may also want to use video surveillance to protect against workplace misconduct such as (1) theft of personal property; (2) theft of intellectual property (data, etc.); (3) sexual or other harassment; (4) workplace accidents; and (5) idle employees. But when using video surveillance in the workplace the employer must be aware of state laws and issues such as (1) whether the surveillance is in a public area (hallway or workspace) or a private area (bathroom or breastfeeding room); (2) whether the camera is in open view or hidden; and (3) whether audio/sound is captured in addition to the capture of visual images/video. Employers should not monitor employees or capture video or audio where employees have an expectation of privacy.

Drug and Alcohol Testing

Private employers generally have the right to test employees for drugs and alcohol but must maintain the confidentiality of test results to protect employees’ privacy interests. An employer that wants to test employees for drugs and alcohol should have a detailed, written policy explaining the company’s drug and alcohol testing policy in the employee handbook or other materials, with a written acknowledgment by employees that they have received the employee handbook or drug and alcohol testing policy.

Searches of Personal Space or Workspace

An employer may have a policy that allows it to search the desk or personal workspace of an employee, or the company property used by an employee—such as an automobile, computer, phone, container, notebook, or other property—while it is on company property. Under some circumstances—such as an employer’s reasonable belief the employee is stealing or embezzling property from the employer—the employer may have a right to search an employee (pockets, etc.) or the employee’s personal property that is not owned by the company (purse or computer bag)—but such searches may lead to legal liability and should not be undertaken without input from a lawyer.

Employers and Health Information in the Workplace

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule controls how a health plan or a covered health care provider shares an employee’s protected health information with an employer.

Employment Records

The HIPAA Privacy Rule does not protect an employee’s employment records, even if the information in those records is related to the employee’s health. In most cases, the HIPAA Privacy Rule does not apply to the actions of an employer.

If an employee works for a health plan or a covered health care provider:

• The Privacy Rule does not apply to the employee’s employment records.

• The Privacy Rule does protect the employee’s medical or health plan records if the employee is a patient of the provider or a member of the health plan.

Employer’s Requests For Employee Health Information

An employer can ask an employee for a doctor’s note or other health information if the employer needs the information for sick leave, workers’ compensation, wellness programs, or health insurance purposes.
But if an employer asks an employee’s health care provider directly for information about the employee, the health care provider cannot give the employer the information without the employee’s authorization, unless other laws require them to do so.

Generally, the HIPAA Privacy Rule applies to the disclosures made by an employee’s health care provider—not the questions the employer may ask.

In Ohio, employees have certain privacy rights regarding their personal information. Federal laws like the Privacy Act of 1974 and the Electronic Communications Privacy Act of 1986 set the baseline for these rights, which include protections against unauthorized disclosure of personal information by government officials and restrictions on employer monitoring of electronic communications, respectively. Employers in Ohio are generally advised against sharing employee information without verification due to the risk of identity theft or other harm. Employers are allowed to monitor employee phone, computer, and internet use with proper notice and policies in place, but they must be aware of both federal and state laws that may limit this ability. Video surveillance is permissible in public areas of the workplace but should not invade areas where employees expect privacy. Drug and alcohol testing by private employers is allowed, but results must be kept confidential. Employers may search an employee's workspace or company property but should be cautious about searching personal property without legal counsel. Health information in the workplace is protected under HIPAA, and employers cannot access an employee's health records without authorization, except for certain employer-related purposes or when required by other laws. Employment records are not protected by HIPAA, but medical records are if the employee is a patient or member of the health plan. Overall, while employers have some rights to monitor and manage their workforce, they must balance these with the privacy rights of their employees and comply with applicable laws.