On January 16, 2026, Illinois took a decisive step to bolster employee rights and privacy in the workplace, as reported by Ogletree Deakins. The state enacted SB2339, a sweeping amendment to the Right to Privacy in the Workplace Act, which prohibits employers from taking adverse actions against employees solely based on receiving discrepancy notifications from federal agencies or outside vendors. This move comes at a time when workplace privacy and compliance with federal verification systems are under increasing scrutiny, and it signals Illinois’ intent to provide stronger protections for workers, particularly those who may be vulnerable to administrative errors or misunderstandings.
Under the new law, employers in Illinois are now required to provide timely notice to affected employees and their authorized representatives within five business days of receiving a discrepancy notification. These notifications can come from a variety of sources—such as the Social Security Administration, the Internal Revenue Service, or even private insurance companies—regarding inconsistencies in an employee’s taxpayer identification number or other identifying documents. The law’s scope is intentionally broad, aiming to cover all possible scenarios where a worker’s status might be questioned due to paperwork issues.
Ogletree Deakins notes that this five-business-day notice requirement operates alongside existing federal rules, particularly those under the E-Verify system. For employers enrolled in E-Verify, federal law mandates that employees be notified within ten federal government working days after a mismatch is identified. Employees must then decide whether to take action to resolve the mismatch and inform their employer of their decision. If an employee does not respond by the tenth day, the employer may close the case in E-Verify. This dual system means Illinois employers must be especially careful to harmonize state and federal timelines, ensuring compliance with both sets of rules without inadvertently disadvantaging employees.
Notification methods under SB2339 are also clearly defined. Employers must first attempt to notify employees in person and by hand delivery. If that’s not possible, notification must be sent by mail and by email (if the employer has the employee’s email address). The employee’s authorized representative, if any, must also be informed. This multi-pronged approach is designed to ensure that employees are not left in the dark about potential issues with their records, giving them a fair opportunity to respond and protect their employment status.
Enforcement of these new protections is robust. The Illinois Department of Labor (IDOL) has been granted authority to investigate claims at any time, using tools such as inspection, warrants, and subpoenas. Notably, employees, potential employees, and "interested parties"—which can include labor unions and nonprofit organizations focused on workplace rights—have the right to bring private actions against employers who violate the law. There’s no requirement to exhaust administrative remedies with the IDOL before heading to court, which could mean quicker resolutions for aggrieved workers.
Penalties for violations are significant. According to the new statute, employers found in violation face civil penalties ranging from $100 to $1,000 per violation for a first offense, with subsequent violations within a three-year period subject to increased penalties of $1,000 to $5,000 each. If an employee was discharged or denied employment as a result of a violation, the employer may be ordered to reinstate the employee with the same seniority status, provide back pay and interest, and pay a civil penalty of $10,000. Additionally, compensation for damages can include litigation costs, expert witness fees, and reasonable attorney’s fees. These stiff penalties are intended to serve as a deterrent and to ensure that employees harmed by improper actions are made whole.
There are, however, safe harbor provisions for employers. If an employer can demonstrate good faith reliance on guidance from the IDOL or the U.S. Department of Homeland Security, or show that a bona fide administrative error occurred that did not affect the employee’s employment or pay, they may avoid civil penalties. Furthermore, employers are protected from concurrent or duplicative enforcement actions based on the same set of facts or alleged violations involving the same individuals. This balance aims to encourage compliance without subjecting employers to undue legal jeopardy for honest mistakes.
Ogletree Deakins recommends that employers immediately review and update their policies and procedures to comply with the new law. This includes ensuring that no adverse action is taken solely on the basis of discrepancy notifications, implementing workflows to meet the five-business-day notice requirement while maintaining compliance with E-Verify’s ten-day process, and establishing thorough documentation of notification methods. Training for HR and compliance personnel is strongly advised, as is meticulous recordkeeping for potential IDOL review. The law also incentivizes interested parties to participate in enforcement by allowing them to seek injunctive relief and awarding them ten percent of any statutory penalties recovered, with the remainder directed to fund enforcement of the Illinois Child Labor Law.
While Illinois is moving to strengthen workplace privacy, the federal landscape for health information privacy is also evolving. On January 14, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director Paula M. Stannard published a notification of Tribal consultation on proposed HIPAA Privacy Rule updates in the Federal Register, according to HIPAA Journal. These proposed updates, first published in January 2021, aim to enhance individuals’ rights to access their own health information, improve care coordination, reduce compliance burdens for healthcare providers and plans, and maintain robust patient privacy protections.
Although the proposed HIPAA changes languished for several years, the January 2026 notification signals that a final rule may be close. A virtual Tribal consultation meeting is scheduled for February 6, 2026, to gather feedback on topics including individuals’ rights, care coordination, emergency disclosures, telecommunications relay services for those with disabilities, and expanded permissions for the use and disclosure of protected health information (PHI) for Armed Forces personnel. While there is still no firm timeline for publication of the final rule, OCR has given assurances that regulated entities will have ample time to update policies and provide workforce training before enforcement begins.
In the interim, OCR continues to enforce existing HIPAA provisions, focusing on the Right of Access, parental access to minors’ medical records, and risk analysis and management requirements under the HIPAA Security Rule. A new enforcement initiative will soon target the confidentiality of substance use disorder treatment records, reflecting recent regulatory changes to align these standards more closely with HIPAA.
Taken together, these developments at both the state and federal levels underscore a broader trend toward empowering individuals, strengthening privacy protections, and clarifying the responsibilities of employers and healthcare providers. As laws and regulations continue to evolve, organizations must remain vigilant, updating their practices and training to stay compliant—and to ensure that employees and patients alike are treated fairly and transparently.