HIPAA, IT and Emails

We are a relatively small, family-owned company. Our IT Manager takes it upon himself to read everyone's emails. His stand to the owners is that he worked for a local hospital and had access to all medical records, SSNs, etc., so it is the same thing here. However, now he works with these individuals. He reads people's emails, and many of them are correspondence between HR, Workers' Comp claims, individuals regarding benefit questions, etc. I know this is unethical, but I need to be able to present it to the owners that what he is doing is wrong and has HIPAA violation implications. I know the emails are the company's property, but unless directed by an owner to check an email because of suspicion of a policy violation, he should not be able to read anything. Any specific rules/laws that I can reference would be greatly appreciated.


  • Everyone has a right to privacy, and even owners and managers should not have access without a legitimate business reason (need to know) to employee information. I think you should put this back on him. What is his legitimate business reason for needing to read these emails?

    Technically, higher up IT people always have access to all kinds of information, that doesn't mean they should access it. Our employees process health claims. If they looked at someone's history without a legitimate business need they would be termed; it is a HIPAA violation.

    If I worked there and discovered the IT person was reading my emails, and there was not a really good legitimate business reason for him/her to do so, I would be looking for another job. Sooner or later someone will discover this violation and sue. I wouldn't want to be the one left holding the bag.

    If you really want to present specifics, do a Google search for HIPAA violations. There are many cases where people were fined for looking at medical records, etc., without a legitimate business reason. There are also cases where employers looked at private employee emails and it was considered an invasion of privacy.

    Good luck!
  • (edited August 2015)
    Having access doesn't equate to right or need to know (having a right to read every word of every employee email message). You might find something pertinent in the Electronic Communications Privacy Act as well as the OSH Act and the FMLA.

    Also, what does your policy say about "need to know" when it comes to employee information? If you don't have a strong policy regarding privacy, look at your policy on email and/or computer use. You can find an email policy on both HRHero and HRLaws that includes this line: If an employee receives a message that is not addressed to him/her, he/she is not authorized to read or use information contained in that message. You can also find a computer use policy that states that employees with access to a computer should not attempt to read, intercept, copy, or delete e-mails between other users. I agree with Nae. If your other employees knew he was reviewing all of their emails, you'd have a serious employee relations issue. The owners should hold his toes to the fire and require him to justify his actions with something much better than, "Well, I used to do it at my old job." Being an IT Manager doesn't entitle one to "know" everything about everyone in the company.
    Just my two cents.

  • My first thought would be that if he wants to continue this practice then he needs to go back to his previous job where he had a business reason to access this information. How do the owners of the company feel about him reviewing all of their emails, etc?
    Our company policy is that you must have a "business reason" to access any other employee's files, hard copy or electronic. Anyone who does so without sound business reasons is subject to disciplinary action up to and including termination, and this includes our IT staff.
  • Maybe you should tell the IT guy that because you are the HR person, and you have a vested interest in all things related to employee relations and behaviors, you are going to start listening to all phone conversations made during working hours, and you will start with monitoring all of his phone calls first... of course, that's right after you install the surveillance camera in his office to ensure he is working productively every moment...
  • Whether you talk to the IT guy about it or not, you need to promptly send an e-mail or other written (documented) memo to the owners letting them know his activity is most likely creating HIPAA violations and, depending on your written policies, could be violating the Stored Communications Act. Toss some potential fines or damage awards in the memo - I think it's up to $50,000 per HIPAA violation, and a willful violation can result in criminal prosecution and jail time for the IT guy AND any owners who allowed him to continue this. Close by letting them know you've performed your duty by advising them, but it's up to them to stop this activity PRONTO. You can be nice about it, but be firm.

    Now, long term, you need to distance yourself from this IT guy because I can guarantee this isn't the only sleazy thing he's involved in.