- Part Number:1913
- Part Number Title:Rules Concerning OSHA Access to Employee Medical Records
- Standard Number:
- Title:Rules of agency practice and procedure concerning OSHA access to employee medical records.
- GPO Source:
For the purposes of this section, "personally identifiable employee medical information" means employee medical information accompanied by either direct identifiers (name, address, social security number, payroll number, etc.) or by information which could reasonably be used in the particular circumstances indirectly to identify specific employees (e.g., exact age, height, weight, race, sex, date of initial employment, job title, etc.).
This section does not apply where a written directive by the OSHA Medical Records Officer authorizes appropriately qualified personnel to conduct limited reviews of specific medical information mandated by an occupational safety and health standard, or of specific biological monitoring test results.
Assistant Secretary. The Assistant Secretary of Labor for Occupational Safety and Health (Assistant Secretary) shall designate an OSHA official with experience or training in the evaluation, use, and privacy protection of medical records to be the OSHA Medical Records Officer. The Assistant Secretary may change the designation of the OSHA Medical Records Officer at will.
Access to personally identifiable employee medical information (paragraph (d)), and
OSHA Medical Records Officer. The OSHA Medical Records Officer shall be responsible for the overall administration and implementation of the procedures contained in this section. The OSHA Medical Records Officer shall report directly to the Assistant Secretary on matters concerning this section and be responsible for:
Making final determinations concerning the approval or denial of medical access orders (paragraph (d) of this section);
Assuring that medical access orders meet the requirements of paragraphs (d)(2) and (3) of this section;
Responding to objections concerning medical access orders (paragraph (f) of this section);
Overseeing internal agency use and security of personally identifiable employee medical information (paragraphs (g) through (j) of this section);
Assuring that the results of agency analyses of personally identifiable medical information are, where appropriate, communicated to employees (paragraph (k) of this section);
Preparing an annual report of OSHA’s experience under this section (paragraph (l) of this section); and
Making final determinations concerning inter-agency transfer or public disclosure of personally identifiable employee medical information (paragraph (m) of this section). The Medical Records Officer shall also assure that advance notice is given of intended inter-agency transfers or public disclosures.
Requirement for medical access order. Except as provided in paragraph (d)(4) of this section, each request by an OSHA representative to examine or copy personally identifiable employee medical information contained in a record held by an employer or other recordholder shall be made pursuant to a written medical access order which has been approved by the OSHA Medical Records Officer. A medical access order does not constitute an administrative subpoena.
Approval criteria for medical access order. Before approving a medical access order, the OSHA Medical Records Officer shall determine that:
The medical information to be examined or copied is relevant to a statutory purpose and there is a need to gain access to this personally identifiable information;
The personally identifiable medical information to be examined or copied is limited to only that information needed to accomplish the purpose for access; and
The personnel authorized to review and analyze the personally identifiable medical information are limited to those who have a need for access and have appropriate professional qualifications.
[Reserved]
Inter-agency transfer and public disclosure.
Personally identifiable employee medical information shall not be transferred to another agency or office outside of OSHA (other than to the Office of the Solicitor of Labor) or disclosed to the public (other than to the affected employee or the original recordholder) except when required by law or when approved by the OSHA Medical Records Officer.
Except as provided in paragraph (m)(3) of this section, the OSHA Medical Records Officer shall not approve a request for an inter-agency transfer of personally identifiable employee medical information, which has not been consented to by the affected employees, unless the request is by a public health agency which:
Needs the requested information in a personally identifiable form for a substantial public health purpose;
Will not use the requested information to make individual determinations concerning affected employees which could be to their detriment;
Has regulations or established written procedures providing protection for personally identifiable medical information substantially equivalent to that of this section; and
Satisfies an exemption to the Privacy Act to the extent that the Privacy Act applies to the requested information (see 5 U.S.C. 552a(b); 29 CFR 70a.3).
Upon the approval of the OSHA Medical Records Officer, personally identifiable employee medical information may be transferred to:
The National Institute for Occupational Safety and Health (NIOSH); and
The Department of Justice when necessary with respect to a specific action under the Occupational Safety and Health Act.
The OSHA Medical Records Officer shall not approve a request for public disclosure of employee medical information containing direct personal identifiers unless there are compelling circumstances affecting the health or safety of an individual.
The OSHA Medical Records Officer shall not approve a request for public disclosure of employee medical information which contains information which could reasonably be used indirectly to identify specific employees when the disclosure would constitute a clearly unwarranted invasion of personal privacy (see 5 U.S.C. 552(b)(6); 29 CFR 70.26).
Except as to inter-agency transfers to NIOSH or the Department of Justice, the OSHA Medical Records Officer shall ensure that advance notice is provided to any collective bargaining agent representing affected employees and to the employer on each occasion that OSHA intends to either transfer personally identifiable employee medical information to another agency or disclose it to a member of the public other than to an affected employee. When feasible, the OSHA Medical Records Officer shall take reasonable steps to assure that advance notice is provided to affected employees when the employee medical information to be transferred or disclosed contains direct personal identifiers.
Medical records maintained in electronic form.
In general, when accessing and/or copying personally identifiable employee medical information in electronic form, OSHA personnel shall follow all of the requirements set forth in this section.
When personally identifiable employee medical information in electronic form is taken off-site, the Principal OSHA Investigator is primarily responsible for ensuring that such information is properly used and kept secured.
The Principal OSHA Investigator is responsible for preventing any accidental or unintentional disclosure of, modification to, or destruction of personally identifiable employee medical information in electronic form.
The Principal OSHA Investigator is responsible for controlling the flow of data into, through, and from agency computer operations.
The Principal OSHA Investigator shall ensure the distribution and review of medical information in electronic form is limited to only those OSHA personnel and contractors with a need for access.
The transfer and/or duplication of medical information in electronic form shall be kept to the minimum necessary to accomplish the purpose for which it was obtained.
Electronic files containing personally identifiable employee medical information shall be downloaded only to a computer hard drive or laptop that is secured in accordance with Federal Information Processing Standard (FIPS) 201-2 "Personal Identity Verification (PIV) of Federal Employees and Contractors" and "Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12)."
Electronic files containing personally identifiable employee medical information shall not be transferred to authorized personnel through email attachment unless appropriately encrypted.
When an employer or other record holder(s) provides access to employee medical information through a properly encrypted email attachment, the attachment shall be downloaded to a secured hard drive or laptop. After the attachment is downloaded, the email shall be permanently deleted.
Personally identifiable employee medical information in electronic form shall be secured when not in use.
Medical information in electronic form shall only be maintained or stored where facilities and conditions are designed to prevent unauthorized access.
Personally identifiable employee medical information in electronic form shall be maintained only for so long as needed to accomplish the purpose for access.
When no longer needed, the Principal OSHA Investigator shall ensure that all personally identifiable employee medical information on electronic files has been deleted, destroyed, or returned to the original record holder.
The disposal of personally identifiable employee medical information maintained in electronic form shall be accomplished in such a manner as to make the data unattainable by unauthorized personnel.
[45 FR 35294, May 23, 1980; 45 FR 54334, Aug. 15, 1980; 71 FR 16674, April 3, 2006; 85 FR 45792-45793, July 30, 2020]