This guide describes general best practices based on 24 years in pharmacy operations. HR law varies dramatically by state, and some states (Massachusetts, California, New York, Illinois) have specific notification, retention, and access requirements that go well beyond federal law. Nothing in this guide is legal advice. Before you finalize any HR policy or terminate any employee, talk to an employment attorney licensed in your state. The cost of one consultation is dramatically less than the cost of one lawsuit you should have prevented.
Why HR is the risk you are probably ignoring
If you ranked the existential threats to a typical independent pharmacy, the obvious ones would be at the top. PBM clawbacks. Audit denials. Inventory shrinkage. Loss of a major contract. Most owners think about these constantly because the consequences are visible and the dollars are easy to count.
HR risk is different. It is invisible until the day it is not, and then it is suddenly everything. A wrongful termination lawsuit will tie up your time, your money, and your attention for 12 to 24 months. A wage and hour audit can result in back pay, liquidated damages, and penalties going back two or three years for every employee on your payroll. An EEOC complaint generates a federal investigation file that follows your business forever, even if the complaint is ultimately dismissed. The settlement amounts are routinely larger than what most independent pharmacies make in profit in a full year.
The brutal part is that almost all of this is preventable. Not by being a perfect employer, which is impossible, but by maintaining the documentation that proves you handled the situation correctly when something inevitably goes sideways. Documentation does not prevent disputes. Documentation determines who wins disputes. A well-organized employee file with a signed handbook, documented warnings, and a clean separation form is the difference between a lawsuit you settle for $5,000 and one you lose for $50,000.
The pharmacy-specific dimension
Independent pharmacies have one HR consideration that most other small businesses do not: the overlap between employee records and protected health information. Your employee files will inevitably contain documents that touch HIPAA territory. Workers' comp claims, FMLA paperwork, drug test results, return-to-work clearances after illness or injury, ADA accommodation requests. All of these need to be stored separately from the rest of the employee file because they qualify as protected health information under HIPAA, and the employee's general personnel file (the one a manager might access for routine review) cannot contain PHI.
If you commingle PHI with the rest of the employee's file, you are creating two separate problems at once. You are creating a HIPAA exposure, because PHI is supposed to be access-restricted to people with a specific need to know. And you are creating an employment law exposure, because if a manager makes a decision about an employee while having access to the employee's medical history, that decision is inherently suspect under the Americans with Disabilities Act. The plaintiff's lawyer's first question in an ADA case is always "did the decision-maker have access to the employee's medical records before making this decision?" If the answer is yes, the case just got much harder for you.
The solution is not complicated. Keep separate files. The rest of this guide explains how.
The seven core best practices
Before we get into what goes in each file, here are the seven discipline rules that govern the entire system. These are the foundation. Get these right and the rest is mostly just paperwork.
1. Be consistent. Set up the file on day one of employment
Every new employee gets a complete file structure created on their start date. Not "when we get around to it." Not "when there is something to put in there." On day one. The file structure exists from the moment the employee starts so that every document generated during the employment relationship has a designated home. When you create files retroactively (which everyone does at first), you inevitably miss documents and create inconsistencies between employees, which is exactly what plaintiffs' attorneys look for in discovery.
2. Keep three separate files for every employee
Every active employee should have three distinct file folders, stored separately from each other:
- Personnel File. Non-confidential administrative information. The employee's manager can access this file for routine reviews and disciplinary documentation. This is the file that goes to the employee if they request to see their records (in states where that is required).
- Confidential File. Medical information, PHI, anything that reveals a protected characteristic (race, ethnicity, gender identity, sexual orientation, disability, age, religion, national origin, etc.), and anything related to benefits or payroll. Only HR (or the owner if there is no HR person) should have access. This file is the firewall that protects you from ADA and discrimination claims.
- I-9 File. Form I-9 and the supporting identity documents go in their own file, separate from everything else. The reason is that I-9s are subject to ICE audits, which are completely separate from any other HR audit, and you want to be able to produce just the I-9s without exposing the rest of your employee records. Keep all I-9s for the entire workforce in one binder, organized alphabetically.
3. Limit access aggressively
Storage and day-to-day access should be limited to a single individual or a single department whose authorization is required before anyone else can view a file. The Confidential File should be stored behind two locks: a locked office or HR area, and a locked filing cabinet inside that area. Fireproof cabinets are highly recommended for the Confidential File and the I-9 file because losing those records to a fire creates documentation gaps that are nearly impossible to recover from.
If you are running a digital filing system instead of paper (which is fine and increasingly common), the same principles apply. Different file categories live in different folders with different access permissions. The Confidential File folder should require additional authentication beyond what the Personnel File folder requires.
4. Know your record retention requirements
Different documents have different retention requirements. The general rule is that most business records need to be kept for 6 years if they are tax-related and 10 years if they are related to hiring, firing, or other employment actions. But these rules vary by industry and by state, and some categories have their own specific rules. Form I-9s, for example, must be retained for either 3 years after the date of hire or 1 year after the date of termination, whichever is later. Workers' comp records should be kept indefinitely in many states. Payroll records have their own retention schedule.
If you are unsure about when you can dispose of a record, the safe answer is "do not dispose of it yet" and the next step is to ask your accountant or attorney. The cost of holding documents you do not need is much smaller than the cost of having destroyed something you needed for a case.
5. Notify employees per your state's rules
Several states have laws requiring you to notify employees when certain types of information are added to their personnel file. Massachusetts is the most aggressive: under the Massachusetts Personnel Records Statute, employers must notify employees within 10 calendar days of placing in their personnel file any information that has been used, is being used, or may be used to negatively affect their qualification for employment, promotion, transfer, additional compensation, or the possibility of disciplinary action.
Other states have similar but different rules. California, New York, Illinois, Connecticut, Pennsylvania, and Ohio all have versions. The penalties for violation can include the inadmissibility of the documentation in any later legal proceeding, which means the warning you carefully wrote and put in the file becomes legally invisible because you did not follow the notification process. Look up your state's requirements and follow them exactly.
6. Handle employee access requests by the book
In most states, employees have a legal right to view their personnel file within a specified number of business days after submitting a written request. The mechanics of how this access happens are important. The employee should submit the request in writing. The viewing should happen in an office, in the presence of HR or a manager. The employee should never be left alone with their personnel file. If the employee asks for photocopies of documents, the photocopies should be made by HR or the manager (not the employee themselves), and the employee should sign a receipt acknowledging which documents they received.
Why this matters: documents have a way of disappearing or being altered when employees handle their own files unsupervised. The chain of custody for personnel records is a real legal concept, and breaking it is one of the easiest ways to lose a case you should have won.
7. Audit every employee file at least annually
Set a recurring calendar reminder for once a year (the start of the calendar year is a good default) to review every active employee's files. During the audit, check three things:
- Are the documents in the file accurate and up to date? Is the address current? Is the emergency contact still valid? Is the signed handbook acknowledgment from the most recent version of the handbook?
- Is the file complete? Are there gaps? A missing performance review cycle? Missing documentation for a disciplinary action that you remember happening?
- Do the documents in the file actually belong to that employee? In a small pharmacy with similar names (two technicians named Maria, for example), it is very common for documents to be misfiled. Catching this in an annual audit is much better than discovering it during litigation.
What goes in the Personnel File
The Personnel File holds non-confidential administrative information. A manager can open this file at any time to review the employee's history, performance, and disciplinary record. It contains everything except medical information, protected characteristic information, and I-9 documentation. Here is the full list, organized by category.
Employment records
- Employment application
- Resume (clean copy without any handwritten notes or annotations)
- College diploma or transcripts (if relevant to the position)
- Test documents used to make the hiring decision (skills tests, calculation tests)
- Copy of driver's license (if required for the position, e.g., delivery driver)
- Employment offer letter, signed by both the employer and the employee
- Job description for the position
- Completed new employee orientation checklist
- Signed acknowledgment of the employee handbook
- Arbitration agreement, if your pharmacy uses one
- Relocation or transfer records, if applicable
- Any contract, written agreement, receipt, or acknowledgment between the employee and the pharmacy (non-compete agreements, agreements about returning company property, etc.)
Performance and employee relations
- Performance evaluations and appraisal forms
- Performance improvement program records
- Personnel action forms (promotions, transfers, schedule changes)
- Letters of recognition, commendations, awards
- Bonus records (the fact that a bonus was paid; not the dollar amount, which goes in payroll)
- Completed employee suggestion forms
- Documented complaints from customers or coworkers
- Employee written warning notices (disciplinary documents, memos, signed warnings)
- Documentation of discrimination complaints and investigations
- Records of demotions and promotions
Training and development
- Training program applications and requests
- Training history records
- Training expense reimbursement records
- Skills inventory questionnaires
Employee separations
- Documents given with the final paycheck (final wage notice, COBRA notification, etc.)
- Resignation statement or layoff records
- Termination records and the separation form
Other personnel file items
- Emergency contact information
- Authorization to release private information (when given by the employee)
- Records of employee requests to review the personnel file
What goes in the I-9 File
The I-9 File is the smallest of the three but the most consequential during an ICE audit. Keep it simple and self-contained:
- Form I-9, completed and signed
- Copies of the identifying documents the employee submitted (driver's license, passport, social security card, etc.)
- E-Verify confirmation, if you participate in E-Verify (which is mandatory in some states for some employers)
That is it. Nothing else goes in this file. Keep all employee I-9s in one shared binder or folder, alphabetized, so that when an ICE audit happens (and they do happen) you can produce the entire workforce in one motion without exposing any other records.
What goes in the Confidential File
The Confidential File is the most heavily restricted and the most legally sensitive. It contains anything that touches medical information, anything that reveals a protected class status, and anything related to compensation or benefits. Access should be limited to HR (or the owner if there is no HR person), and the file should be opened only when there is a specific need to know.
Benefits records
- Annual benefits statement acknowledgment
- Health insurance application form
- Life insurance enrollment form
- Beneficiary designation forms for life insurance and 401(k) accounts
- Medical, dental, and vision coverage waiver or drop forms
- COBRA notification and election forms
- Tuition reimbursement applications and payment records
Security clearance and investigation records
- Security clearance status, if applicable
- Background investigation information
- Personal credit history (only retain if it was used for a hiring decision)
- Personal criminal conviction history
- Driving record history
- Legal case data
Medical records (this is the HIPAA-sensitive section)
- Any medical records on the employee
- Laboratory and diagnostic test records (including drug screens)
- Drug and alcohol test results
- Any document containing personally identifiable medical information about the employee
- Requests for medical leave of absence, regardless of the underlying reason
- Requests for non-medical leave of absence
- Short-term and long-term disability documentation
- Personal accident reports
- Family Medical Leave Act (FMLA) documents
- OSHA injury and illness reports
- Any other form containing medical information for a specific employee
Payroll administration
- Rates of pay and other forms of compensation
- Notification of wage or salary increases or decreases
- Compensation history records
- Compensation recommendations
- State and federal tax forms (W-4, state W-4 equivalent)
- FLSA exemption test (if you classify the employee as exempt from overtime)
- Payroll authorization form
- Authorization for payroll deductions and actions
- Individual attendance records
- Paid Time Off records
- Pay advance request records
- Loan repayment agreements
- Direct deposit authorization
- Child support orders and other wage garnishments
Other confidential items
- Unemployment documents
- Requests for employment verification (and your responses)
- Workers' compensation claims
- EEO ethnicity declaration forms
The downloadable checklist
The three lists above are a lot to keep track of. Below is a downloadable Word checklist that organizes all three file categories with checkboxes. Print one for each employee and use it to verify your files are complete during your annual audit. You can also use it as a setup checklist for new hires to make sure no document goes missing on day one.
Building the system from scratch (if you are starting today)
If you are reading this and your current employee files are a mess (or do not exist), here is the order of operations to fix it without overwhelming yourself.
- Set up the empty structure first. Buy three different colored folders (one color for each file type) and create the empty file structure for every active employee. Personnel folder, Confidential folder, I-9 folder. Or do this in your digital file system if you are paperless. Do not try to populate them yet. Just create the structure.
- Locate and consolidate your I-9s first. The I-9 file is the smallest and the highest-risk because of ICE audits. Pull every existing I-9 you can find, alphabetize them in one binder, and identify any employees who do not have a properly completed I-9. Anyone missing one needs to complete one immediately.
- Audit your existing employment documents and sort them into the right file. Go employee by employee. Pull every document you have for that employee and sort it into Personnel, Confidential, or I-9. If a document touches medical information, benefits, or protected class information, it goes in Confidential. Everything else (except I-9 stuff) goes in Personnel.
- Identify the gaps. For each employee, note what is missing. Common gaps: signed handbook acknowledgments, current emergency contact information, written job descriptions, signed offer letters. Make a list.
- Close the easy gaps systematically. Have every employee re-sign the handbook acknowledgment with the current handbook version. Update emergency contact forms. Get current copies of any required documents. This is a one-time cleanup that takes maybe 30 minutes per employee.
- Set up the storage and access controls. Confidential files behind two locks, ideally fireproof. Personnel files in a manager-accessible location. I-9s in their own dedicated location. Document who has access to what.
- Schedule the annual audit. Put a recurring calendar reminder for once a year (January is a good default) to audit every active employee's files for accuracy, completeness, and correct filing.
Total time investment for a 5-employee pharmacy: maybe 4 to 6 hours of focused work, spread across two or three sittings. Total cost: less than $100 in folders, binders, and a fireproof cabinet if you need one. The protective value: enormous.
The mistakes I see most often
After 24 years in pharmacy operations and 40+ consulting engagements, here are the patterns I see repeated at almost every independent pharmacy that has not done this work yet.
- One folder per employee. The medical records, the disciplinary write-ups, the I-9, the application, all in the same folder. The single biggest HR exposure I see. Three folders is non-negotiable.
- No signed handbook acknowledgment. The pharmacy has a handbook (sometimes), but nobody has ever signed an acknowledgment that they received and read it. This means the policies in the handbook are essentially unenforceable in any dispute, because the employee can credibly claim they never knew about them.
- Verbal warnings only. The owner gave the employee three verbal warnings before terminating them, but none of those warnings are documented in the file. From a legal standpoint, the warnings did not happen. The termination looks like it came out of nowhere, which is exactly what wrongful termination cases are built on.
- Termination paperwork is incomplete. No separation form. No documentation of the reason for termination. No record of the final paycheck or what was given to the employee on their last day. No COBRA notification record. Every one of these gaps becomes a separate legal issue if the employee files a claim.
- Performance reviews skipped for years. The pharmacy has not done formal performance reviews in two or three years. When the owner finally writes up an employee for poor performance, the file shows no prior documentation of the issue, which makes the write-up look retaliatory.
- FMLA paperwork in the personnel file. When an employee takes FMLA leave for a serious health condition, the FMLA paperwork ends up in the regular personnel folder where the employee's manager has access. This is both an FMLA violation and a potential ADA discrimination case waiting to happen.
- I-9s mixed in with everything else. When ICE shows up for an I-9 audit, the pharmacy has to pull I-9s out of dozens of mixed personnel folders, which takes hours and creates the impression that the pharmacy does not take I-9 compliance seriously. Both bad.
- Old employees never purged correctly. Files for employees who left 12 years ago are still in the active filing cabinet with no clear retention schedule. This creates clutter and confusion, and potentially exposes documents that should have been destroyed under retention rules.
- No annual audit, ever. The files exist but they have never been reviewed since they were created. By the time someone looks at them in response to an active issue, the gaps are years deep.
How this connects to running your pharmacy as a real business
If you have read the P&L mindset guide, you know the core argument: pharmacy owners need to be business people first and pharmacists second when it comes to running the business itself. HR compliance is one of the cleanest examples of this principle in practice. The clinical work is what you trained for. The business work is what determines whether you are still in business in five years to do the clinical work.
Setting up bulletproof employee files is the same kind of discipline as monthly P&L reviews and quarterly strategic planning. Boring, repetitive, easy to skip when you are busy, and absolutely critical when something goes wrong. The pharmacies that thrive over decades are the ones where the boring work gets done consistently. The pharmacies that fail are usually not killed by bad luck. They are killed by the slow accumulation of skipped administrative work that finally caught up to them at the worst possible time.
If you have not done this work yet, do it this month. Buy the folders, set up the structure, sort the documents, identify the gaps, and put the annual audit on your calendar. Then sleep better at night knowing that the next employee dispute (whenever it comes) will find you with the documentation to handle it cleanly.