Standard Interpretations - Table of Contents|
| Standard Number:||1904; 1904.35(b)(2)(iv)|
|This letter constitutes OSHA's interpretation only of the requirements discussed and may not be applicable to any situation not delineated within the original correspondence.|
August 2, 2004
Mr. Bill Kojola
Department of Safety and Health
815 Sixteenth St., NW
Washington, DC 20006
Dear Mr. Kojola:
Thank you for your February 27, 2004 letter to the Occupational Safety and Health Administration (OSHA) regarding the Injury and Illness Recording and Reporting Requirements contained in 29 CFR Part 1904. Your letter was forwarded to my office by Richard Fairfax, Director, Directorate of Enforcement Programs. The Division of Recordkeeping Requirements, within my Directorate, is responsible for the administration of the OSHA injury and illness recordkeeping system nationwide. Please excuse the delay in responding to your request.
You state that employers are claiming they must remove all the names from the OSHA 300 Log before providing access in order to comply with the privacy requirements contained in the Health Insurance Portability and Accountability Act (HIPAA). Specifically, you ask OSHA to clarify the recordkeeping requirements contained in 29 CFR Part 1904 vs. the HIPAA requirements.
We do not believe that HIPAA provides a basis for employers to remove employees' names from the Log before providing access. Even if HIPAA is implicated by the employer's disclosure of the OSHA Log, the statue and implementing regulation expressly permit the disclosure of protected health information to the extent required by law. See 45 CFR 164.512(a). This exception for disclosures required by law applies here because the Recordkeeping rule requires that employees, former employees, and employee representatives have access to the complete Log, including employee names, except for privacy concern cases. See 29 CFR 1904.35(b)(2)(iv).
Thank you for your interest in occupational safety and health. We hope you find this information helpful. OSHA requirements are set by statute, standards, and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep appraised of such developments, you can consult OSHA's website at http://www.osha.gov. If you have any further questions please contact the Division of Recordkeeping Requirements at (202) 693-1702.
Keith Goddard, Director
Directorate of Evaluation and Analysis
|Standard Interpretations - Table of Contents|