HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OSHA and HIPAA Compliance

In healthcare, OSHA and HIPAA compliance are both essential despite being separate standards. However, although separate, there are broad similarities in terms of reporting, recordkeeping, and enforcement.

The Occupational Safety and Health Act (OSH Act)

The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government, and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace.

The OSH Act created the Occupational Safety and Health Administration (OSHA) within the Department of Labor, which is responsible for outreach, education, and assistance, and is also the enforcer of compliance with the OSH Act. OSHA sets workplace health and safety standards which are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678). The construction, maritime, and agriculture sectors each have their own set of standards due to the unique hazards and risks in those industries. Businesses in all other industries – including the healthcare industry – have to comply with the general standards unless a “State Plan” exists which has more stringent regulations than the OSH Act.

Although many of the workplace health and safety standards are general in their nature (i.e., sanitation, ventilation, work surfaces, etc.), there are many that are particularly relevant to the healthcare industry due to the nature of risks that occur in healthcare environments.  These include – but are not limited to – the Bloodborne Pathogens Standard (as amended by the Needlestick Safety and Prevention Act), the Ionization Radiation Standard (which will apply to employees and patients in the vicinity of an x-ray machine), and the Personal Protective Equipment Standard – which is particularly relevant in light of OSHA´s Emergency Temporary Standard implemented to protect workers in COVID-19 settings.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It is also the case that healthcare facilities will have to take other regulatory Acts into account when complying with the OSH Act. For example, any measures implemented to comply with the OSHA Fire prevention Plan Standard will have to comply with the physical safeguards of the HIPAA Security Rule and CMS´ Emergency Preparedness Rule. Finally, it is important that businesses in the healthcare industry are aware of the General Duty clause. This clause covers any risk to safety and health not covered by the other standards and – in a healthcare setting – would include workplace duties that could aggravate an existing injury or health condition and exposure to workplace violence by patients and their families.

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for half the time of the OSH Act, with HIPAA signed into law by President Clinton on August 21, 1996. HIPAA instructed the Secretary for Health and Human Services to develop privacy and security standards for the healthcare industry that must be followed by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) that conduct transactions involving protected health information electronically. Certain HIPAA standards also apply to business associates of HIPAA-covered entities and subcontractors when protected health information is shared with or disclosed to them under a Business Associate Agreement.

When HIPAA was signed into law, the main aims of the legislation were to ensure individuals could retain health insurance coverage when between jobs, to introduce standards to reduce wastage in healthcare, and to help prevent healthcare fraud. Updates to the legislation over the years have seen HIPAA expanded to include standards covering the security of healthcare data and patients´ rights, and to ensure individuals are promptly informed when a breach of unsecured protected health information occurs – potentially leaving them exposed to theft and identity fraud if their personal information is used to obtain insured healthcare services in their name.

The Department of Health and Human Services is responsible for outreach, providing training materials and guidance, and enforcing HIPAA compliance, with the administrative standards regulated by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HIPAA Privacy, Security and Breach Notification Rules Regulated by the HHS’ Office for Civil Rights. State Attorneys General also play a role in HIPAA enforcement, while non-covered entities (such as vendors of personal health devices) are accountable to the Federal Trade Commission. Each of those regulators can impose financial penalties and sanctions for non-compliance, in accordance with a tiered penalty structure based on the level of culpability.

OSHA and HIPAA Compliance

OSHA and HIPAA compliance is policed by different federal agencies and each set of regulations has different requirements for covered organizations, but there are some similarities between OSHA and HIPAA compliance.

OSHA and HIPAA compliance programs require all compliance efforts to be documented. Documentation may be requested during investigations and audits as proof of compliance. OSHA requires deaths, serious injuries, time off work due to injury or illness, medical treatment beyond first aid, restricted work and transfers to other jobs, loss of consciousness, and other issues to be recorded, and for all OSHA compliance documentation to be maintained. Employers must also update and maintain medical records for their employees.

HIPAA requires all compliance efforts such as policies, procedures, and training to be documented, along with records of any identified HIPAA violations and data breaches. All HIPAA documentation has to be retained for a minimum of six years, while OSHA´s documentation requirements vary by standard. For example, under OSHA, documents relating to workplace injuries and illnesses have to be retained for a minimum of five years, while documentation relating to training should be retained until the employee leaves the businesses.

Both sets of legislation have strict reporting requirements. OHSA requires deaths and serious workplace injuries to be reported, while HIPAA requires breaches of unsecured protected health information to be reported. There are strict time frames for reporting in both the OSHA and HIPAA standards – which can be reduced by state laws such as the Texas medical Records Privacy Act or a State Plan which preempts OSHA due to having more stringent reporting requirements.

Ongoing OSHA and HIPAA compliance programs must be established that ensure working practices remain compliant. The failure of covered entities to ensure OSHA and HIPAA compliance can both result in substantial financial penalties. If there is an apparent violation of the HIPAA Rules or OSHA standards, individuals are permitted to file a complaint with regulators, but since there is no private cause of action in HIPAA or the OSH Act, it is not possible for individuals to sue for violations.

Federal and state regulators are responsible for investigating complaints, determining if there has been non-compliance, and deciding if financial penalties or sanctions are appropriate.

FAQs

Could a single event violate both OSHA and HIPAA simultaneously?

Although OSHA relates to workplace health and safety and HIPAA relates to the privacy and security of Protected Health Information, there are circumstances in which both Acts could be violated simultaneously. For example, a fire that injures employees and destroys Protected Health Information could violate both OSHA and HIPAA if measures have not been taken to mitigate the risk of injury and back-up data.

In a healthcare environment, who is responsible for OSHA and HIPAA compliance?

OSHA does not instruct employers to assign responsibility for OSHA compliance, but HIPAA does. HIPAA requires Covered Entities to assign a Privacy Officer and a Security Officer (Business Associates are only required to assign a Security Officer). Due to healthcare organizations having to comply with multiple regulations, it would make sense for the HIPAA Privacy or Security Officer to also be responsible for OSHA compliance.

Does OSHA apply to all members of the workforce in the same way that HIPAA does?

Not always. Whereas HIPAA applies to “persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate” this is not the case with OSHA – which generally only applies to paid members of the workforce.

Exceptions exist in different industries and different states. For example, the Environmental Protection Agency adopted OSHA’s Hazardous Waste Operations and Emergency Response (HAZWOPER) standard which recognizes uncompensated workers as part of the workforce. Some State Plans have also recognized uncompensated workers to ensure OSHA safety and health standards are implemented in services such as volunteer fire departments.

Wasn´t the COVID-19 Emergency Temporary Standard (ETS) withdrawn by OSHA?

In January 2022, OSHA withdrew the general “vaccination and testing” COVID ETS as an enforceable Emergency Temporary Standard, but it still serves as a proposed rule for a permanent standard. However, the Healthcare COVID ETS still remains in force under the General Duty clause; and, in March 2022, OSHA announced an inspection initiative directed at hospitals and skilled nursing care facilities that treat or handle COVID-19 patients.

Could an OSHA inspection result in a HIPAA Privacy Rule violation if PHI is disclosed?

Under the HIPAA Privacy Rule, the disclosure of PHI is permitted without an individual´s authorization if the disclosure is for a public health activity. As a healthcare facility is a public health venue, any disclosure of PHI to an OSHA inspector would be permitted if it were relevant to the inspection and the HIPAA Minimum Necessary standard was complied with. Disclosing PHI that is not relevant to the inspection or disclosing more than the minimum necessary would be a violation of the HIPAA Privacy Rule.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.