OSHA Recordkeeping v. Personal Privacy, Part 1
The Dilemma
An employee representative asks to see your company's OSHA Logs. This is a legitimate request under the OSHA Recordkeeping Rule (29 CFR 1904.35(b)(2)(iv)), and if you refuse, you could be fined $1,000 to $7,000 per document you withhold.
On the other hand, the records contain private medical information about your employees. So you fear that disclosing them will get you into trouble under federal privacy law - specifically, the Health Insurance Portability and Accountability Act (HIPAA).
The Choices
You have three options:
A. Disclose to ensure compliance with OSHA and risk liability under HIPAA;
B. Withhold to ensure compliance with HIPAA and risk liability under OSHA; and
C. Disclose the records after redacting all identifying information.
Which should you choose?
The Answer
A. Disclose the records.
The Explanation
How do we know that A. is right? Who says that you can disclose OSHA Logs containing private medical information about employees in response to a request under the OSHA Recordkeeping Rule without violating HIPAA?
OSHA says so - in an Interpretation Letter of August 2, 2004. To understand why OSHA said this, you need to know a little about how HIPAA works.
The HIPAA Privacy Rule bans disclosure or use of individuals' "protected health information" (PHI) without their permission. Medical information about an employee in an OSHA 300 Log would probably be considered PHI.
So it would appear that disclosure of OSHA 300s containing medical information about employees would be problematic under HIPAA. But it's not as big a problem as it looks. There are two reasons:
1. Your Company Might Not Be Covered By HIPAA
HIPAA doesn't cover everybody. Your company would be subject to HIPAA only if it's what's called a "covered entity". There are three kinds of covered entities:
- Healthcare providers such as hospitals, doctors and medical labs;
- Healthcare clearinghouses, or companies that process and transmit medical information on behalf of third parties, such as a medical billing company that takes a hospital's billing records and submits a bill to the insurance company on the hospital's behalf; and
- Health plans including not just HMOs and PPOs but companies that sponsor a group health plan that provides medical or dental benefits to employees and/or companies that have a health clinic at their workplace.
If your company doesn't fall into one of these categories, it's not a covered entity and it's thus not subject to HIPAA.
2. Disclosure Is OK Even If You Are Covered
Even if you are covered by HIPAA, disclosing OSHA 300s containing employee PHI shouldn't get you into trouble. That's because there are exceptions within HIPAA under which you're allowed to disclose PHI about individuals even without their permission. One of these exceptions is when disclosure is "required by law."
In its August 2 Interpretation Letter, OSHA interprets the "required by law" exception as applying to the disclosure of injury and illness records to an employee representative (or a current or former employee) in response to a legitimate request under the Recordkeeping Rule. "Even if HIPAA is implicated by the employer's disclosure of the OSHA Log," the Letter says, "the exception for disclosures required by law applies here because the Recordkeeping Rule requires that employees, former employees and employee representatives have access to the complete Log, including employee names, except for privacy cases."
Note: This language suggests that redacting personal information from the Log - Option C above - would run afoul of recordkeeping requirements [OSHA Interpretation Letter, August 2, 2004].
The Caveat
The OSHA Recordkeeping Rule may trump HIPAA in terms of disclosing OSHA Logs containing personal health information about employees in response to legitimate requests for access. But that doesn't mean privacy isn't an issue. On the contrary, the Recordkeeping Rule itself includes its own privacy restrictions. We'll look at those restrictions next week in Part 2 of this article.
The Canadian Perspective
The principles in this article apply equally in Canada.
In 2004, Canada enacted its own privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Three provinces - Alberta, British Columbia and Ontario - have enacted similar privacy laws of their own. Like HIPAA, PIPEDA and the provincial privacy laws restrict use and disclosure of personally identifiable health information about an individual without the individual's permission. Injury and illness records containing personal medical information about an employee would be covered by these laws.
At the same time, though, some of the provincial OHS laws give the Joint Health and Safety Committee, Health and Safety Representative and other workplace stakeholders the right of access to illness and injury records, like the OSHA Recordkeeping Rule does in the U.S. Consequently, Canadian employers may find themselves in exactly the same dilemma as U.S. employers of having to violate one law to comply with another.
In Canada, there's no OSHA Interpretation Letter supporting the choice of disclosure over privacy. But, like HIPAA, the Canadian privacy laws provide for exceptions when disclosure is okay without the individual's permission. That includes disclosures that are required by law.
The Bottom Line: A strong case can thus be made that disclosing injury records containing personal information is okay to the extent disclosure is required by the OHS laws.
DOES YOUR COMPANY HAVE TO KEEP INJURY/ILLNESS RECORDS?
Certain employers don't have to keep OSHA injury and illness records as long as:
- OSHA, the Bureau of Labor Statistics or an authorized state agency doesn't ask them in writing to do so; and
- They report all workplace incidents involving a fatality or the hospitalization of three or more employees.
Here's a list of the kinds of companies exempt from recordkeeping requirements:
- Hardware Stores
- Meat & Fish Markets
- Candy, Nut & Confection Stores
- Dairy Product Stores
- Retail Bakeries
- Misc. Food Stores
- New & Used Car Dealers
- Gas Service Stations
- Motorcycle Dealers
- Clothes Stores
- Electronics Stores
- Drug Stores
- Eating & Drinking Places
- Liquor Stores
- Banks, Savings & Credit Insts.
- Security & Commodity Brokers
- Insurance Carriers, Agents, Brokers & Services
- Real Estate Agents & Managers
- Investment Offices
- Photo Studios, Portrait
- Beauty & Barber Shops
- Shoe Repair & Shoeshine Parlors
- Funeral & Crematories
- Advertising Services
- Credit Reporting & Collection
- Mailing, Reproduction & Stenographic Services
- Furniture Repair
- Computer & Data Processing
- Motion Picture
- Dance Studios, Schools & Halls
- Producers, Orchestras & Entertainers
- Bowling Centers
- MD & Dental Offices & Clinics
- Osteopathic Physicians Offices
- Other Healthcare Practitioner Offices
- Medical & Dental Labs
- Legal Services
- Educational Services
- Individual & Family Services
- Child Day Care
- Museums & Art Galleries
- Membership Organizations
- Engineering, Accounting, Research Management & Related Services