Is Recording an Injury or Illness in Compliance with OSHA Regulations a Violation of HIPAA?
Recording an injury or illness in compliance with OSHA regulations is not a violation of HIPAA because most employers do not have to comply with HIPAA; and, when they do, HIPAA does not apply to individually identifiable health information maintained in an employment record.
Under OSHA’s recordkeeping and reporting requirements (29 CFR §1904), employers in non-excluded industries with workforces above a certain size must maintain Form 300 Logs and Form 301 Incident Reports for each recordable workplace injury or illness. The injuries and illnesses must be summarized each year and submitted to OSHA via Form 300A.
Under HIPAA’s applicability standard (45 CFR §160.102), HIPAA applies to health plans, health care clearinghouses, and qualifying healthcare providers (collectively “covered entities”), and to business associates that provide a service for a covered entity. These organizations must safeguard Protected Health Information from impermissible uses and disclosures.
HIPAA Entities in their Roles as Employers
There are two reasons why recording an injury or illness in compliance with OSHA regulations is not a violation of HIPAA. The first is that when individually identifiable health information is maintained by an employer in their role as an employer (i.e., in employment records), the individually identifiable health information is not Protected Health Information (45 CFR §160.103).
As Form 300 Logs and Form 301 Incident Reports qualify as employment records, and as covered entities and business associates are not required to protect individually identifiable health information when it does not qualify as Protected Health Information, it cannot be a violation of HIPAA to record an injury or illness on Form 300 or Form 301 because HIPAA does not apply.
Disclosures of PHI to Comply with OSHA
The second reason why recording an injury or illness in compliance with OSHA regulations is not a violation of HIPAA is that the Privacy Rule (45 CFR §164.512) permits a healthcare provider to disclose Protected Health Information to an employer “to comply with its obligations under 29 CFR §1904” – the OSHA recordkeeping and reporting requirements referenced above.
In addition, healthcare providers can disclose Protected Health Information to employers so employers can evaluate whether an injury or illness qualifies as a reportable event or to support workplace-related medical surveillance. The only condition related to these disclosures is that patients are given a written notice explaining the motive for the disclosure.
Providing HIPAA Training on OSHA Compliance
There are not many times when HIPAA and OSHA regulations intertwine. However, it is important that when they do, members of the workforce know when and how to report details of an injury (i.e., when required by law) without disclosing more than the minimum necessary Protected Health Information to achieve the objective of the disclosure.
Generally, OSHA training is “event-specific” training inasmuch as (for example) training on the bloodborne pathogens standard should be provided to members of the workforce likely to be exposed to bloodborne pathogens. However, it can be equally important for some elements of OSHA compliance to be included in HIPAA training. Covered entities and business associates who require help on providing HIPAA training on OSHA compliance should seek professional compliance advice.


