Email, local drives exposed investigations; ServiceNow HR Service Delivery with auto?redaction and Legal gates case files

Overview

A healthcare system’s employee relations investigations were documented in personal drives and email threads, creating privacy risk and uneven outcomes. Notes, photos, and attachments lacked consistent redaction, managers forwarded sensitive details, and Legal escalations were handled in chat without a clear trail. Intelligex rolled out a case management workspace with role?based access, automatic redaction for sensitive fields, standard templates, and Legal approvals for escalations. Case files became consistent, access was limited to the right people, and audits referenced one system rather than scattered folders—while the HRIS, identity provider, and collaboration tools stayed the same.

Client Profile

• Industry: Healthcare system (hospitals, ambulatory sites, and corporate services)
• Company size (range): Multi?facility network with centralized HR and regional Employee Relations partners
• Stage: HRIS in place; investigations documented in personal drives and email; no dedicated case management; ad hoc Legal review
• Department owner: Human Resources & People Ops (Employee Relations and HRIS)
• Other stakeholders: Legal/Privacy, Compliance, Information Security, IT/Identity, Labor Relations, People Managers, Internal Audit

The Challenge

Investigations relied on convenience rather than process. ER partners took notes in personal documents, stored photos and screenshots in shared folders, and emailed updates to managers. When cases escalated, Legal asked for complete files, but evidence was spread across drives and chat threads. Redaction depended on individual judgment, so Social Security Numbers, medical notes, or contact details occasionally appeared in attachments that were forwarded broadly.

Access control was inconsistent. Some team folders were open to entire departments, while other files lived on personal desktops. Retention varied by person, making legal hold and audit preparation difficult. The same allegation type received different treatment depending on who handled it, and outcomes were hard to compare across regions. HR knew the risks but lacked a place to put gated workflows, standard templates, and privacy?by?default controls.

Why It Was Happening

The HRIS tracked people, not cases. Without a dedicated case workspace, investigators defaulted to documents and email. Ownership of redaction and approvals was informal, and privacy rules were understood but not enforced by the tools. Escalations to Legal happened in chat because it was faster, leaving approvals and counsel advice outside the record.

Permissions followed folders, not roles. Access to sensitive content depended on whoever created a file or shared a link. There was no consistent role?based model to ensure that an ER partner in one region could not open another region’s files, and there was no system to redact sensitive fields automatically before documents were shared. The result was privacy exposure and rework.

The Solution

Intelligex implemented a case management tool that centralized investigations, enforced role?based access, and embedded privacy controls. Cases opened from a guided intake captured allegation type, locations, witnesses, and attachments with automatic metadata. Redaction rules masked sensitive fields by default, and Legal approvals were required for escalations and high?risk actions. All actions wrote to an audit trail, and retention and legal hold applied at the case level. The design followed role?based access control principles (NIST RBAC) and aligned privacy handling to healthcare expectations such as the HIPAA Privacy Rule (HHS HIPAA Privacy), while integrating with the existing identity provider and HRIS. Where a case platform already existed (for example, ServiceNow HR Service Delivery), the solution extended it rather than replacing tools (ServiceNow).

• Integrations: HRIS for employee and supervisor context; identity provider for single sign?on and role mapping; email and hotline intake to open or append cases; secure document storage for evidence; reporting to the audit repository.
• Guided intake and templates: Allegation types with required fields; standardized interview outlines; checklists for corrective actions; jurisdiction and bargaining?unit prompts.
• Role?based access and permissions: Case visibility by role, region, and participation; need?to?know restrictions for sensitive allegations; read?only links for Legal and Compliance; manager views limited to their cases.
• Automatic redaction: Pattern?based masking for identifiers and medical references; pre?share redaction previews; configurable sensitive?field catalogs with owners under change control.
• Escalations and approvals: Maker?checker for high?risk steps (suspension, termination recommendations); Legal approvals for escalations; reason codes and counsel notes captured in the case.
• Evidence handling: Inline image and audio transcription where allowed; metadata capture (who uploaded, when, source); chain?of?custody log for edited or redacted files.
• Dashboards and reporting: Intake volume and cycle time by allegation type and region; aging cases and pending approvals; policy trend views; exportable case packets with redactions and approvals.
• Security, retention, and legal hold: Encryption at rest and in transit; retention schedules by case type; case?level legal hold; immutable audit logs of access, edits, and exports.

Implementation

• Discovery: Mapped current investigation flows, intake sources, and escalation patterns; inventoried common attachment types and sensitive fields; reviewed privacy, labor, and union requirements; gathered audit expectations for evidence and retention; analyzed access patterns and risks in shared folders.
• Design: Defined roles and access matrices by region and function; authored intake templates and interview outlines; created the sensitive?field catalog and redaction rules; designed escalation and approval paths with Legal; planned dashboards, evidence exports, retention schedules, and legal hold.
• Build: Configured case types, fields, and workflows; implemented SSO and HRIS lookups; enabled email/hotline ingestion; built automatic redaction and pre?share previews; added maker?checker approvals; instrumented audit logging, retention, and hold mechanisms.
• Testing/QA: Ran in shadow mode with a subset of ER partners; imported sanitized historical cases to test templates and redaction; validated role?based access and region boundaries; exercised escalations and approvals with Legal; tuned templates and messages from feedback.
• Rollout: Piloted with corporate ER first, then expanded to hospital sites and ambulatory clinics; migrated active cases with triage and redaction; kept legacy folders read?only as a controlled archive; tightened permissions after adoption stabilized.
• Training/hand?off: Delivered investigator training on templates, redaction previews, and evidence handling; briefed Legal on in?tool approvals and counsel notes; provided manager guides for limited case visibility; updated SOPs for intake, escalation, and retention; transferred rule ownership and dashboards to ER leadership under change control.
• Human?in?the?loop review: Established a monthly case council with Legal, ER, and Privacy to review exception patterns, redaction efficacy, and policy updates; recorded decisions with rationale and effective dates; iteratively improved templates, sensitive?field catalogs, and approval matrices.

Results

Investigations moved from personal drives to a governed workspace. ER partners captured interviews and evidence with the same templates, sensitive details were masked automatically before sharing, and Legal escalations happened inside the tool with approvals and rationale recorded. Access was limited to the right people by role and region, and managers viewed only cases they owned or that affected their teams.

Audits and privacy reviews became straightforward. Case packets included intake details, evidence, redactions, approvals, and outcomes in one exportable record, with retention and legal hold applied consistently. The HRIS continued to be the people system of record, identity continued to manage login and roles, and collaboration tools remained in use; the change was a case layer that standardized documentation and enforced privacy by default.

What Changed for the Team

• Before: Notes and files lived in personal or team drives. After: All investigations lived in a case workspace with audit logs.
• Before: Access depended on who had the folder link. After: Role?based permissions limited visibility by function and region.
• Before: Redaction was manual and inconsistent. After: Sensitive fields were masked automatically with pre?share previews.
• Before: Legal advice was captured in chat. After: Escalations and counsel notes were approved and recorded in the case.
• Before: Retention varied by person. After: Case?type schedules and legal hold applied consistently.
• Before: Status updates were emailed. After: Dashboards showed intake, aging, and pending approvals in one view.

Key Takeaways

• Centralize employee relations; a dedicated case workspace beats documents and email for consistency and privacy.
• Enforce access by role and region; permissions should follow policy, not folders.
• Automate redaction; mask sensitive fields before sharing to reduce risk.
• Gate high?risk actions; maker?checker and Legal checkpoints create defensible outcomes.
• Keep evidence together; store notes, approvals, and redactions with the case and apply retention and holds.
• Integrate, don’t replace; keep HRIS and identity—add case workflows, redaction, and governance around them.

FAQ

What tools did this integrate with? The solution connected a case management platform to the HRIS for employee context, used the enterprise identity provider for single sign?on and role mapping, and ingested email or hotline reports into cases. Where ServiceNow HR Service Delivery was in place, we configured Employee Relations workflows on that platform (ServiceNow). Role models followed NIST RBAC principles, and privacy handling aligned to the HIPAA Privacy Rule where applicable.

How did you handle quality control and governance? Intake templates, sensitive?field catalogs, and approval matrices lived under change control with ER leadership, Legal, and Privacy as owners. Every action—intake, edit, approval, redaction, export—wrote to an immutable log. Maker?checker applied to high?risk steps, and dashboards surfaced exception trends for council review with recorded rationale and effective dates.

How did you roll this out without disruption? We piloted with a small ER cohort and ran in shadow mode for new cases while legacy practices continued. Active cases were triaged and migrated with redaction where needed. Legacy folders became read?only archives. After tuning templates and permissions, coverage expanded site by site, with quick guides and office hours for investigators and Legal.

How did you protect sensitive data and prevent oversharing? Role?based access limited who could view or edit a case. Automatic redaction masked identifiers and medical references in notes and attachments before sharing. Encryption protected data at rest and in transit, and retention schedules and legal holds applied by case type. Access and exports were logged for audit.

How were historical files and email threads handled? We imported recent, relevant artifacts into the case system after redaction, linked emails by header to preserve context, and maintained older materials in a secure, read?only archive with pointers from the case. This kept working files in one place without disrupting long?running matters.

Can this support anonymous reports or hotline intake? Yes. Anonymous or third?party reports can open cases via a monitored mailbox or hotline feed. Fields capture what is known, and identities remain masked where appropriate. Follow?ups are tracked in the case with restricted access.

How did you handle region and union differences? Case types and templates included jurisdiction and bargaining?unit prompts. Access policies scoped visibility by region, and escalation paths reflected local requirements. Template and approval differences were documented and versioned under change control.