OSHA requirements are set by statute, standards and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at https://www.osha.gov.

December 22, 1998

Dr. Maria Mazorra, M.D.
Chief, Occupational Medicine
Bath Iron Works Corporation
700 Washington Street
Bath, Maine 04530-2558

Dear Dr. Mazorra:

This is a response to your letter of October 14, addressed to the Occupational Safety and Health Administration's (OSHA's) Directorate of Compliance Programs, regarding OSHA access to employee medical records created and maintained as required by 29 CFR 1910.1030 Bloodborne Pathogens Standard. You specifically ask whether OSHA inspectors have a right of access to HIV results from post-exposure evaluation without specific consent granted by the individual tested.

Yes, OSHA has access to medical records in accordance with 29 CFR 1910.1020(e)(3) and does have a right of access to HIV results without specific consent of the individual tested. OSHA's access to personally identifiable medical records is, however, subject to regulations published in the Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records, 29 CFR 1913.10. These regulations, available on OSHA's website (www.osha.gov), address privacy concerns of employees. OSHA's authority to gain access to personally identifiable employee medical information is exercised only after the Agency makes a careful determination of its need for this information. In the case of HIV test results from post-exposure evaluations, OSHA may request access to identify work-related seroconversion and to assure that tested employees are provided appropriate post-exposure evaluation, care, and counseling.

As was done in the situation you described, OSHA is required by 1913.10 to prepare and present a written access order to examine or copy identifiable employee medical information. The access order must meet specific requirements before it will be approved by OSHA's Medical Records Officer, a licensed physician, and signed by the Assistant Secretary. Paragraphs (d)(2) and (d)(3) provide those requirements, which include that the medical information to be examined or copied is relevant to a statutory purpose, that there is a need to gain access to this personally identifiable information, and that the medical information is limited to the information needed to accomplish the purpose for access. The access order must state why OSHA needs to examine personally identifiable information. It must also contain contact information for the Principal OSHA Investigator and for the OSHA Medical Records Officer. Questions or objections concerning the access order can be directed to either of these two people.

Paragraph (f) of 1913.10 describes how OSHA must respond if an employee, collective bargaining agent, or employer objects to the written access order. The OSHA Medical Records Officer must respond in writing to each employee's and collective bargaining agent's written objection. When deemed appropriate, the OSHA Medical Records Officer may revoke a written access order and direct that medical information obtained by it be promptly returned or destroyed.

When the Principal OSHA Investigator presents a written access order, the employer must promptly post a copy of the order and its accompanying cover letter, with direct personal employee identifiers omitted, 1913.10(e)(3). If OSHA and the employer or collective bargaining agent agree that individual notice is appropriate, OSHA must provide copies of the cover letter and access order with personal identifiers removed so that the employer may notify each affected employee or place a copy in each of the employees' medical files, 1913.10(e)(4).

29 CFR 1913.10 also addresses employee medical information that is taken off-site. Paragraph (g) of the regulation requires:

"Whenever employee medical information obtained pursuant to a written access order is taken off-site with direct personal identifiers included, the principal OSHA Investigator shall, unless otherwise authorized by the OSHA Medical Records Officer, promptly separate all direct personal identifiers from the medical information, and code the medical information and the list of direct identifiers with a unique identifying number for each employee. The medical information with its numerical code shall thereafter be used and kept secured as though still in a directly identifiable form ...The OSHA Medical Records Officer shall thereafter limit the use and distribution of the list of coded identifiers to those with a need to know its contents."

Further measures to ensure the security of employee medical information are included in paragraphs 1913.10(i) and (j).

In your letter, you also expressed concern that OSHA's access order was inconsistent with Maine law. Ultimately, OSHA's access to medical records as required by federal law takes precedence over a state law or statute. We did, however, investigate provisions in the Maine statutes and found that OSHA's access to HIV test results is not contrary to Maine's law. A subsection of a statute that you mentioned (Title 5, section 19203, subsection 9 of the State of Maine Statutes) provides that the results of an HIV test may be disclosed as part of a medical record when release or disclosure of that record is authorized pursuant to provisions of other state or federal law, rule or regulation (see also Title 22, section 1711-C, subsection 11). Accordingly, OSHA's access to HIV test results under the bloodborne pathogens standard and pursuant to 1913.10 is permissible under Maine statutes.

In closing, OSHA agrees with you that HIV test results must be carefully guarded because of their sensitive nature and possible repercussions should test results be positive. Extensive effort and care are taken by the OSHA Medical Records Officer, the Principal OSHA Investigator, and any other authorized persons to this end. In addition, the bloodborne pathogens standard itself strictly limits employer access to confidential information. If you have remaining concerns about the specific access order presented to your company, I encourage you to contact the Principal OSHA Investigator or Medical Records Officer listed in that order, or you may contact OSHA's Office of Health Compliance Assistance at (202) 693-2190 for additional assistance.


Richard E. Fairfax
Directorate of Compliance Programs