The Occupational Safety and Health Administration (OSHA) Act[1] requires most employers with 10 or more full-time employees to keep a yearly log of all work-related injuries and illnesses[2]. OSHA prefers that employers subject to the law use its Form 300 to record the required information. The OSHA Form 300 is an actual, fillable form for employers to record all reportable injuries and illnesses that occur in the workplace, with spaces to report where and when the incidents occur, the nature of the case, the name and job title of the employee injured or made sick and the number of days away from work or on restricted or light duty, if any.
OSHA requires employers to record all new cases of work-related fatalities, injuries and illnesses if they involve death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid, loss of consciousness or of significant injury or illness diagnosed by a physician or other licensed health care professional. Each recordable injury or illness must be recorded on the 300 log and OSHA Form 301 Incident Report within seven calendar days after the employer receives notice the injury or illness occurred. The OSHA 300 log requires employers to check one of six boxes to categorize the illness or injury: injury, skin disorder, respiratory condition, poisoning, hearing loss or “other.” Employees, former employees and employee representatives are authorized to review the OSHA 300 logs.
There are certain cases in which an injury or illness must be handled as a privacy case and kept confidential. Employees are prohibited from entering an employee’s name on the OSHA 300 log in the following cases:
- The injury or illness occurred to an intimate body part or their reproductive system
- Sexual assault
- Mental illnesses
- HIV infection, hepatitis or tuberculosis
- Needle-stick injuries and cuts from sharp objects that are contaminated with another person’s blood
In privacy concern cases, a separate confidential list of employee names must be kept. Employers also have the right to use discretion describing the sensitive nature of the injury where the worker’s identity would be known. Employers must post a copy of an annual summary of OSHA 300 logs in each establishment in a conspicuous place or places where notices to employees are customarily posted. (The summaries do not include employee names.)
Employers have expressed concern to OSHA that employers must remove all of the names from the OSHA 300 log before providing access in order to comply with privacy requirements contained in the Health Insurance Portability and Accountability Act. (HIPAA).[3]
HIPAA essentially defines and limits the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities. Covered entities generally include health plans, health care providers and health care clearinghouses (or any business associate of any of those entities). A covered entity may not use or disclose protected health information except either (1) as the HIPAA permits or requires or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
A covered entity must disclose protected health information in only two situations: (1) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information and (2) to the Department of Health and Human Services when it is undertaking a compliance investigation or review or enforcement action.
The AFL-CIO several years ago asked OSHA to clarify the effect of the HIPAA policy protection rules upon the OSHA recordkeeping requirements contained in the log 300 rules. OSHA has indicated that it does not believe that HIPAA provides a basis for employers to remove employee’s names from the log before providing access to the log to an employee, former employee or employee representative as authorized by the OSHA rules. Even if HIPAA privacy protection is implicated by the employer’s disclosure of the OSHA log, HIPAA and its implementing regulations expressly permit the disclosure of protected health information to the extent required by law.
Health care providers have become remarkably sensitive to HIPAA privacy concerns and remarkably protective of patient health care information. OSHA requires employers to collect, make available and, to some extent, even publish health care information regarding injuries or illnesses caused or occurring in the workplace. While OSHA is almost certainly correct that OSHA-authorized disclosure of information might otherwise be protected under HIPAA, it may be an uphill battle for employers to persuade health care providers to supply required information. OHSA already imposes significant burdens on employers, apart from educating health care providers about the interaction between OSHA and HIPAA. If employers are finding it impossible or even difficult to convince health care providers to supply information the employers believe they need to complete OSHA logs, employers may need to seek reconsideration of the rules by OSHA. Employers may also need to work together through trade or industry groups to convince OSHA and health care providers of potential problems. Congressional action to amend PSHA or HIPAA may be required to clarify the rules, but Congressional action on any issue seems a remote possibility at this time.
[1] 29 U.S.C. 650, et seq.
[2] 29 CFR 1904
[3] 42 U.S.C. § 300gg and 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq.