On January 16, 2026, Illinois enacted new legislation aimed at safeguarding employee privacy in the workplace, coinciding with growing federal efforts to update health information privacy laws. The state’s new law, SB2339, strengthens protections for workers by prohibiting employers from taking adverse actions based solely on discrepancies in employee records flagged by external agencies or vendors.

New Privacy Protections for Illinois Workers

Under the new law, Illinois employers are required to notify employees within five business days if discrepancies in their personal information—such as taxpayer identification numbers—are found by government agencies or insurance companies. This includes discrepancies identified by sources like the IRS, Social Security Administration, or private insurance companies. The aim is to protect workers from losing their jobs due to errors beyond their control, a concern especially relevant as federal oversight of workplace privacy intensifies.

SB2339’s notification requirement adds another layer of protection for workers. In cases where discrepancies are found, employers must first attempt to notify employees in person and, if that’s not possible, follow up with both mail and email. Authorized representatives, such as family members or legal representatives, must also be informed, ensuring that the employee has ample opportunity to address any issues before facing negative consequences at work.

Employers must also reconcile the state notification requirement with federal rules such as the E-Verify system. E-Verify requires employers to notify employees within ten federal government working days when a mismatch occurs, and if the employee does not respond within that window, the employer may be permitted to close the case. Illinois employers must coordinate these two timelines carefully to avoid conflicts or potential disadvantages for their workers.

Enforcement of the new law is robust, with the Illinois Department of Labor (IDOL) granted broad investigative powers. Employees, former employees, and even third-party organizations, such as unions, can file lawsuits against employers who fail to comply. The law also allows for rapid resolutions without requiring workers to exhaust administrative channels first, potentially expediting relief for those harmed by violations.

Penalties for employers found in violation of the law are substantial, ranging from $100 to $1,000 for a first offense, with subsequent violations carrying fines between $1,000 and $5,000. Employers who terminate or deny employment to an individual because of such violations could face additional sanctions, including back pay, reinstatement with seniority, and a $10,000 civil penalty. The law’s stringent penalties are designed to ensure swift corrective actions and to discourage employers from mistreating workers based on administrative errors.

Despite the tough penalties, employers are not without recourse. The law includes a safe harbor provision for employers who can prove either that they relied in good faith on federal guidance or that the violation was due to an administrative error that did not affect the employee’s job or pay. These provisions help to balance enforcement with fairness, protecting employers from undue penalties in cases of genuine mistakes.

As businesses adjust to the new regulations, experts urge employers to update their internal policies. Compliance with SB2339 requires clear documentation of the notification process and adherence to both state and federal timelines. Training for HR and compliance teams is critical, and employers should be prepared to demonstrate compliance during any IDOL investigation.

Meanwhile, at the federal level, the U.S. Department of Health and Human Services (HHS) is progressing toward finalizing updates to the Health Insurance Portability and Accountability Act (HIPAA). These updates, first proposed in 2021, are expected to enhance individuals’ rights to access their own health information and improve coordination among healthcare providers. A final rule on the updates could come soon, with a consultation scheduled for February 2026.

In the interim, HHS is focusing on enforcing current HIPAA regulations, particularly those related to the confidentiality of substance use disorder treatment records and patient access rights. These ongoing efforts reflect a broader push at both the state and federal levels to strengthen privacy protections and ensure fair treatment for employees and patients alike.

With these simultaneous shifts in state and federal privacy laws, businesses must stay vigilant, ensuring they comply with evolving regulations while also safeguarding the rights of their employees and patients.