US Dept of Labor

Occupational Safety & Health Administration

Standard Interpretations - Table of Contents
• Standard Number: 1904; 1904.35(b)(2)(iv)

This letter constitutes OSHA's interpretation only of the requirements discussed and may not be applicable to any situation not delineated within the original correspondence.

August 2, 2004

Mr. Bill Kojola
Industrial Hygienist
Department of Safety and Health
815 Sixteenth St., NW
Washington, DC 20006

Dear Mr. Kojola:

Thank you for your February 27, 2004 letter to the Occupational Safety and Health Administration (OSHA) regarding the Injury and Illness Recording and Reporting Requirements contained in 29 CFR Part 1904. Your letter was forwarded to my office by Richard Fairfax, Director, Directorate of Enforcement Programs. The Division of Recordkeeping Requirements, within my Directorate, is responsible for the administration of the OSHA injury and illness recordkeeping system nationwide. Please excuse the delay in responding to your request.

You state that employers are claiming they must remove all the names from the OSHA 300 Log before providing access in order to comply with the privacy requirements contained in the Health Insurance Portability and Accountability Act (HIPAA). Specifically, you ask OSHA to clarify the recordkeeping requirements contained in 29 CFR Part 1904 vs. the HIPAA requirements.

We do not believe that HIPAA provides a basis for employers to remove employees' names from the Log before providing access. Even if HIPAA is implicated by the employer's disclosure of the OSHA Log, the statute and implementing regulation expressly permit the disclosure of protected health information to the extent required by law. See 45 CFR 164.512(a). This exception for disclosures required by law applies here because the Recordkeeping rule requires that employees, former employees, and employee representatives have access to the complete Log, including employee names, except for privacy concern cases. See 29 CFR 1904.35(b)(2)(iv).

Thank you for your interest in occupational safety and health. We hope you find this information helpful. OSHA requirements are set by statute, standards, and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at If you have any further questions please contact the Division of Recordkeeping Requirements at (202) 693-1702.


Keith Goddard, Director
Directorate of Evaluation and Analysis
