Friday, March 5, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Do OSHA and HIPAA Rules Stand at Odds?

by Peter McGrath
October 20, 2015
in Compliance
Do OSHA and HIPAA Rules Stand at Odds?

The Occupational Safety and Health Administration (OSHA) Act[1] requires most employers with 10 or more full-time employees to keep a yearly log of all work-related injuries and illnesses[2].  OSHA prefers that employers subject to the law use its Form 300 to record the required information.  The OSHA Form 300 is an actual, fillable form for employers to record all reportable injuries and illnesses that occur in the workplace, with spaces to report where and when the incidents occur, the nature of the case, the name and job title of the employee injured or made sick and the number of days away from work or on restricted or light duty, if any.

OSHA requires employers to record all new cases of work-related fatalities, injuries and illnesses if they involve death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid, loss of consciousness or of significant injury or illness diagnosed by a physician or other licensed health care professional.  Each recordable injury or illness must be recorded on the 300 log and OSHA Form 301 Incident Report within seven calendar days after the employer receives notice the injury or illness occurred.  The OSHA 300 log requires employers to check one of six boxes to categorize the illness or injury:  injury, skin disorder, respiratory condition, poisoning, hearing loss or “other.”  Employees, former employees and employee representatives are authorized to review the OSHA 300 logs.

There are certain cases in which an injury or illness must be handled as a privacy case and kept confidential.  Employees are prohibited from entering an employee’s name on the OSHA 300 log in the following cases:

  1. The injury or illness occurred to an intimate body part or their reproductive system
  2. Sexual assault
  3. Mental illnesses
  4. HIV infection, hepatitis or tuberculosis
  5. Needle-stick injuries and cuts from sharp objects that are contaminated with another person’s blood

In privacy concern cases, a separate confidential list of employee names must be kept.  Employers also have the right to use discretion describing the sensitive nature of the injury where the worker’s identity would be known. Employers must post a copy of an annual summary of OSHA 300 logs in each establishment in a conspicuous place or places where notices to employees are customarily posted.  (The summaries do not include employee names.)

Employers have expressed concern to OSHA that employers must remove all of the names from the OSHA 300 log before providing access in order to comply with privacy requirements contained in the Health Insurance Portability and Accountability Act. (HIPAA).[3]

HIPAA essentially defines and limits the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities.  Covered entities generally include health plans, health care providers and health care clearinghouses (or any business associate of any of those entities).  A covered entity may not use or disclose protected health information except either (1) as the HIPAA permits or requires or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

A covered entity must disclose protected health information in only two situations: (1) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information and (2) to the Department of Health and Human Services when it is undertaking a compliance investigation or review or enforcement action.

The AFL-CIO several years ago asked OSHA to clarify the effect of the HIPAA policy protection rules upon the OSHA recordkeeping requirements contained in the log 300 rules.  OSHA has indicated that it does not believe that HIPAA provides a basis for employers to remove employee’s names from the log before providing access to the log to an employee, former employee or employee representative as authorized by the OSHA rules.  Even if HIPAA privacy protection is implicated by the employer’s disclosure of the OSHA log, HIPAA and its implementing regulations expressly permit the disclosure of protected health information to the extent required by law.

Health care providers have become remarkably sensitive to HIPAA privacy concerns and remarkably protective of patient health care information.  OSHA requires employers to collect, make available and, to some extent, even publish health care information regarding injuries or illnesses caused or occurring in the workplace.  While OSHA is almost certainly correct that OSHA-authorized disclosure of information might otherwise be protected under HIPAA, it may be an uphill battle for employers to persuade health care providers to supply required information.  OHSA already imposes significant burdens on employers, apart from educating health care providers about the interaction between OSHA and HIPAA.  If employers are finding it impossible or even difficult to convince health care providers to supply information the employers believe they need to complete OSHA logs, employers may need to seek reconsideration of the rules by OSHA.  Employers may also need to work together through trade or industry groups to convince OSHA and health care providers of potential problems.  Congressional action to amend PSHA or HIPAA may be required to clarify the rules, but Congressional action on any issue seems a remote possibility at this time.

[1]  29 U.S.C. 650, et seq.

[2] 29 CFR 1904

[3] 42 U.S.C. § 300gg and 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq.


Tags: internal audit
Previous Post

Observations on the Short-Term/Long-Term Debate, Part 2

Next Post

Haskell & White Earns National Accolades

Peter McGrath

September 17 - Peter McGrath headshotA frequent lecturer and author on diverse environmental issues, Peter McGrath, a member at Moore & Van Allen, brings to his wide-ranging clients extensive counseling and litigation experience with environmental issues arising in business and real estate transactions.

Related Posts

illustration of man under giant gavel

BitPay’s $507K OFAC Sanctions Violations Settlement

March 4, 2021
Thinking Outside the Tick Box

Thinking Outside the Tick Box: Compliance Training as a Competitive Advantage

March 3, 2021
The facade of the SEC in Washington, D.C.

Prepare Now to Comply with SEC’s Updated MD&A and Related Financial Disclosure Requirements

March 3, 2021
illustration of hand holding flashlight illuminating hidden stairs

The Corporate Transparency Act: Pulling Back the Veil

February 23, 2021
Next Post
Haskell & White Earns National Accolades

Haskell & White Earns National Accolades

OneTrust offers download to demonstrate privacy management leadership
Access realtime data
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence ESG fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights