HIPAA, IT and Emails
We are a relatively small, family-owned company. Our IT Manager takes it upon himself to read everyone's emails. His stand to the owners is that he worked for a local hospital and had access to all medical records, SSNs, etc., so it is the same thing here. However, now he works with these individuals. He reads people's emails, and many of them are correspondence between HR, Workers' Comp claims, individuals regarding benefit questions, etc. I know this is unethical, but I need to be able to present it to the owners that what he is doing is wrong and has HIPAA violation implications. I know the emails are the company's property, but unless directed by an owner to check an email because of suspicion of a policy violation, he should not be able to read anything. Any specific rules/laws that I can reference would be greatly appreciated.
Technically, higher-up IT people always have access to all kinds of information; that doesn't mean they should access it. Our employees process health claims. If they looked at someone's history without a legitimate business need, they would be termed; it is a HIPAA violation.
If I worked there and discovered the IT person was reading my emails, and there was not a really good legitimate business reason for him/her to do so, I would be looking for another job. Sooner or later someone will discover this violation and sue. I wouldn't want to be the one left holding the bag.
If you really want to present specifics, do a Google search for HIPAA violations. There are many cases where people were fined for looking at medical records, etc., without a legitimate business reason. There are also cases where employers looked at private employee emails and it was considered an invasion of privacy.
Also, what does your policy say about "need to know" when it comes to employee information? If you don't have a strong policy regarding privacy, look at your policy on email and/or computer use. You can find an email policy on both HRHero and HRLaws that includes this line: "If an employee receives a message that is not addressed to him/her, he/she is not authorized to read or use information contained in that message." You can also find a computer use policy that states that employees with access to a computer should not attempt to read, intercept, copy, or delete e-mails between other users.
I agree with Nae. If your other employees knew he was reviewing all of their emails, you'd have a serious employee relations issue. The owners should hold his toes to the fire and require him to justify his actions with something much better than, "Well, I used to do it at my old job." Being an IT Manager doesn't entitle one to "know" everything about everyone in the company.
Just my two cents.
Our company policy is that you must have a "business reason" to access any other employee's files, hard copy or electronic. Anyone who does so without sound business reasons is subject to disciplinary action up to and including termination, and this includes our IT staff.
Now, long term, you need to distance yourself from this IT guy because I can guarantee this isn't the only sleazy thing he's involved in.