Share this article on:
In healthcare, OSHA and HIPAA compliance are both essential. There are separate standards that must be adhered to for compliance, but there are broad similarities in terms of reporting, recordkeeping, and enforcement.
The Occupational Safety and Health Act (OSH Act)
The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace.
The OSH Act created the Occupational Safety and Health Administration (OHSA) within the Department of Labor, which is responsible for outreach, education, assistance, and is also the enforcer of compliance with the OSH Act. OHSA sets health and safety standards against which employers are measured. Those standards are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678), and there are standards that apply to different industry sectors. The construction, maritime, and agriculture sectors each have their own set of standards due to the unique hazards and risks in those sectors, with separate standards set for general industry, which includes medical and dental offices.
OSHA standards have been set for a variety of health and safety areas, including fire safety, electrical safety, blood-borne pathogens, ionization radiation, hazardous materials, medical and first aid, personal protective equipment, emergency preparedness, and the general working environment.
OHSA conducts inspections of workplaces to ensure compliance and has the authority to impose financial penalties and sanctions. There is a tiered penalty structure of minimum and maximum penalties, although State Plans exist where states have control of OSHA regulations and can implement their own penalty structures.
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for half the time of the OSH Act, with HIPAA signed into law by President Clinton on August 21, 1996. HIPAA set standards for the healthcare industry that must be followed by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) that conduct transactions involving protected health information electronically. HIPAA also applies to business associates of HIPAA-covered entities that are required to interact with protected health information.
When HIPAA was signed into law, the main aims of the legislation were to ensure individuals could retain health insurance coverage when between jobs, to introduce standards to reduce wastage in healthcare, and to help prevent healthcare fraud. Updates to the legislation over the years have seen HIPAA expanded to include standards covering the privacy and security of healthcare data and to give individuals rights over their healthcare data.
The Department of Health and Human Services is responsible for outreach, providing training materials and guidance, and enforcing HIPAA compliance, with the administrative standards regulated by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HIPAA Privacy, Security and Breach Notification Rules Regulated by the HHS’ Office for Civil Rights. State Attorneys General also play a role in HIPAA enforcement.
Each of those regulators can impose financial penalties and sanctions for non-compliance, in accordance with a tiered penalty structure based on the level of culpability.
OSHA and HIPAA Compliance
OSHA and HIPAA compliance is policed by different federal agencies and each set of regulations has different requirements for covered organizations, but there are some similarities between OSHA and HIPAA compliance.
OSHA and HIPAA compliance programs require all compliance efforts to be documented. Documentation may be requested during investigations and audits as proof of compliance. OSHA requires deaths, serious injuries, time off work due to injury or illness, medical treatment beyond first aid, restricted work and transfers to other jobs, loss of consciousness, and other issues to be recorded, and for all OHSA compliance documentation to be maintained. Employers must also update and maintain medical records for their employees. HIPAA requires all compliance efforts such as policies, procedures, and training to be recorded, along with records of any identified HIPAA violations and data breaches. HIPAA does not cover employee medical records but does cover the medical records of patients. There are minimum retention periods for documentation, although OHSA and HHS retention periods differ.
Both sets of legislation have strict reporting requirements. OHSA requires deaths and serious workplace injuries to be reported, while HIPAA requires breaches of protected health information to be reported. There are strict time frames for reporting in both the OSHA and HIPAA standards.
Ongoing OSHA and HIPAA compliance programs must be established that ensure working practices remain compliant. The failure of covered entities to ensure OSHA and HIPAA compliance can both result in substantial financial penalties. If there is an apparent violation of the HIPAA Rules or OSHA standards, individuals are permitted to file a complaint with regulators, but since there is no private cause of action in HIPAA or the OSH Act, it is not possible for individuals to sue for violations.
Federal and state regulators are responsible for investigating complaints, determining if there has been non-compliance, and deciding if financial penalties or sanctions are appropriate.