5.3 Compliance, Documentation & Investigations
Key Takeaways
- Required federal postings include the FLSA minimum-wage, EEO 'Know Your Rights,' FMLA, OSHA 'Job Safety and Health,' USERRA, and Employee Polygraph Protection Act notices.
- A defensible workplace investigation is prompt, thorough, impartial, and documented, with confidentiality limited to a need-to-know basis.
- Retaliation is the most frequently filed EEOC charge; adverse action against someone who reported or participated in a complaint is unlawful even if the underlying complaint fails.
Compliance Management and Required Postings
Compliance is the ongoing work of meeting all applicable laws, regulations, and internal policies. A core HR duty is displaying mandatory federal labor-law posters in a conspicuous location (and digitally for remote staff). Common required postings:
| Posting | Source law | Enforcer |
|---|---|---|
| Minimum-wage / FLSA notice | FLSA | DOL |
| 'Know Your Rights' EEO poster | Title VII/ADA/ADEA/GINA | EEOC |
| Employee Rights under FMLA | FMLA | DOL |
| Job Safety and Health (It's the Law) | OSH Act | OSHA |
| USERRA notice | USERRA | DOL/VETS |
| Employee Polygraph Protection Act | EPPA | DOL |
Documentation and Recordkeeping
Good documentation is contemporaneous, factual, specific, and objective, it records what happened, when, and who was involved, not opinions or conclusions. Retention rules vary by record:
- I-9 forms: keep for 3 years after hire or 1 year after termination, whichever is later; store separately from the personnel file.
- Payroll records (FLSA): 3 years.
- Title VII / ADA personnel records: 1 year (longer if a charge is filed).
- OSHA 300 logs: 5 years.
A trap: medical information (ADA, FMLA certifications) must be kept in a confidential file separate from the general personnel file, accessible only on a need-to-know basis.
Audits and Self-Assessment
Proactive compliance includes periodic HR audits, structured reviews that test whether the organization's practices match the law and its own policies. Common audit types include an I-9 audit (verifying every active employee has a correct, retained form), a wage-and-hour audit (checking exempt classifications and overtime), a pay-equity audit (comparing pay across protected groups for equal work), and a policy audit (confirming the handbook is current with new laws). Auditing before a government investigation lets the employer correct problems and demonstrate good faith, which can reduce penalties.
An affirmative action plan (AAP) is a separate written program required of many federal contractors under OFCCP rules; it is not the same as voluntary diversity initiatives.
Workplace Investigations, Harassment, and Retaliation
Conducting an Investigation
When a complaint arises, HR must run an investigation that a court would call defensible. The hallmark elements: prompt (begin quickly), thorough (interview complainant, accused, and witnesses), impartial (an unbiased investigator), and documented (written summary and findings). Steps:
- Receive and assess the complaint; decide on interim measures (e.g., separating parties).
- Plan the investigation and preserve evidence (emails, records).
- Interview the complainant, then the respondent, then witnesses.
- Weigh credibility using the preponderance of the evidence standard (more likely than not).
- Reach a conclusion, take corrective action, and document everything.
Confidentiality is maintained on a need-to-know basis; HR cannot promise absolute secrecy because the accused must be allowed to respond.
Harassment Prevention
The EEOC recognizes two harassment theories. Quid pro quo ('this for that') occurs when a tangible job benefit is conditioned on submission to sexual conduct. A hostile work environment arises when unwelcome conduct based on a protected class is severe or pervasive enough to alter working conditions. Under Faragher and Ellerth, an employer can raise an affirmative defense to a hostile-environment claim if it had an anti-harassment policy with a reporting channel and the employee unreasonably failed to use it, but only when no tangible employment action occurred.
Retaliation
Retaliation is an adverse action (termination, demotion, discipline) taken against an employee for engaging in a protected activity, such as filing an EEOC charge, complaining about discrimination, or participating in an investigation. Retaliation is the most common charge filed with the EEOC, and it is unlawful even if the underlying complaint is ultimately unfounded, provided the employee had a good-faith belief. This is a frequent aPHR trap: a 'reasonable, good-faith' complainant is protected regardless of outcome.
Whistleblower and Privacy Protections
Beyond EEOC retaliation, several statutes protect whistleblowers, employees who report illegal conduct. OSHA Section 11(c) protects safety complaints; Sarbanes-Oxley (SOX) protects those who report financial fraud at public companies; and state public-policy doctrines protect refusing to commit an illegal act. HR must also balance employee privacy against legitimate monitoring. Generally, employers may monitor work email and company systems if employees are notified, but they must respect limits on medical, genetic (GINA), and background-check information.
Background checks are governed by the Fair Credit Reporting Act (FCRA), which requires written disclosure, the applicant's authorization, and a pre-adverse-action notice (with a copy of the report) before an employer rejects a candidate based on a consumer report. These documentation steps are exactly the kind of procedural detail the aPHR tests.
Harassment-Prevention Programs and Records Disposal
A defensible compliance program does more than react. Effective harassment-prevention programs combine a clear written policy, multiple reporting channels (so an employee is not forced to report to the harasser), prompt investigation, and regular anti-harassment training, which several states now mandate on a fixed schedule. Documenting that training, who attended, when, and on what content, is itself part of the compliance record.
At the end of the lifecycle, records disposal matters too: once a retention period lapses, sensitive documents (especially those with Social Security numbers, medical data, or background-check results) should be securely destroyed, not simply discarded, to satisfy privacy and FCRA disposal rules. A useful exam framing is the compliance cycle: create the policy, communicate it, enforce it consistently, document the actions, audit for gaps, and dispose of records securely. If you can map a fact pattern to one of those stages, you can usually eliminate the wrong answers quickly.
An employee files a discrimination complaint that, after investigation, turns out to be unfounded. Two weeks later the manager demotes that employee for having complained. This is most likely:
Where should an employer store an employee's I-9 form and ADA medical documentation?