September 18, 2020

Volume X, Number 262

September 17, 2020

Subscribe to Latest Legal News and Analysis

September 16, 2020

Subscribe to Latest Legal News and Analysis

September 15, 2020

Subscribe to Latest Legal News and Analysis

OSHA Updates Rule on Medical Records Access

The Occupational Safety & Health Administration (OSHA) has issued a final rule revising its procedures for accessing employee medical records, with specific requirements for safeguarding electronic medical records that are more consistent with current medical recordkeeping practices. The revisions also shift authority to manage the procedures from the OSHA Assistant Secretary to an OSHA Medical Records Officer (MRO), which OSHA views as a more “efficient” process. As a result of these revisions, employers may learn at an earlier point in the inspection process whether OSHA personnel will be authorized to review medical records and should have greater clarity about the protocols OSHA will follow when reviewing that information. The final rule was issued on July 30.  It modifies 29 C.F.R. § 1913 and is available here.

Background on OSHA’s Procedures for Medical Records Access

To carry out its statutory obligations, OSHA needs to review employee medical records from time to time. For instance, OSHA may review medical records to determine whether employers are in compliance with existing OSHA standards and regulations. OSHA may also review medical records to check whether employer voluntary safety and health programs are effective. Employee medical information may also be reviewed during an OSHA rulemaking to develop or revise OSHA standards.

In 1980, OSHA promulgated Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records in an effort to preclude abuse of personally identifiable medical information. Under the 1980 rule, OSHA personnel were required to obtain a written access order to request and review medical information from employers. The order needed to include the statutory purpose for which access was sought, a general description of the kind of employee medical information that would be examined, and why there was a need to examine personally identifiable information. Additional explanation was required if medical information was to be examined on-site, and what type of information would be copied and removed off-site. In addition, the order needed to include the contact information for the Principal Investigator and the period of time during which employee medical information would be retained.

The 1980 rule also set forth several procedures for OSHA personnel to follow when accessing and reviewing personally identifiable medical information. For example, it required that all hard copy records that contained personally identifiable employee medical information be kept separate from other agency files, and, when not in use, stored in a locked cabinet or vault. OSHA personnel could photocopy such information, but duplication needed to be kept to the minimum extent necessary to accomplish the purpose for which the information was obtained. Protective means, including hand-delivery and U.S. mail, were required to be used for any inter-agency transfers. Personnel could not use inter-office mailing channels.

The procedural safeguards in the 1980 rule were developed at a time when employee medical records were maintained in hard copies, and until now, had not been updated to correspond with changes in recordkeeping practices, such as electronic medical records. According to the preamble of the revised rule, OSHA determined that it was necessary to make revisions in order to enhance employee privacy, clarify certain provisions, and to address the access and safeguarding of personally identifiable employee medical information maintained in electronic form.

Key Revisions

While keeping much of the 1980 rule in effect, the revised rule updates four significant aspects of the original rule.

First, the revised rule replaces the 1980 rule’s term “written access order” with the term “medical access order” or “MAO,” which is the term that is more commonly used by OSHA when requesting and accessing medical records. In conjunction with this revision, the revised rule also expressly clarifies that MAOs are not considered administrative subpoenas. Rather, an MAO would need to be accompanied by an administrative subpoena, consistent with OSHA’s longstanding practice, to compel the production of medical records. 

Second, the revised rule transfers responsibilities from the Assistant Secretary to the OSHA Medical Records Officer (MRO). The MRO is tasked with administering and implementing the rule: specifically, authorizing and monitoring OSHA access to personally identifiable medical information pursuant to an MAO, and inter-agency and public disclosure of personally identifiable medical information. The MRO is also authorized to issue written directives allowing OSHA personnel to review information in the absence of obtaining an MAO.

Third, the revised rule introduces measures to protect electronically stored medical records from unauthorized access at 29 C.F.R. §1913.10(n). It establishes new procedures for designating specific security roles and responsibilities for OSHA officials. It also creates measures to implement technology safeguards to protect against electronic breaches. This revision remedies outdated provisions of the 1980 rule, which was issued when electronic medical records did not exist.

Fourth, given the existing security procedures in 29 C.F.R. §1913.10(i) and the new safeguards to protect private medical information in electronic medical records, the revised rule eliminates the requirement to remove direct personal identifiers from medical records that was formerly set forth in 29 C.F.R. §1913.10(g). According to OSHA, this will significantly reduce the risk of human error in identifying and redacting private information by hand and will help ensure that personally identifiable medical information is handled in a consistent manner. The revised rule requires that all electronic files with personally identifiable employee medical information be encrypted before they are transferred. The Principal Investigator must also ensure that personally identifiable information on electronic files has been deleted, destroyed, or returned to the original record holder.

Best practices

Employers should be aware that OSHA may seek employee medical records during the course of an inspection or in the course of carrying out other statutory obligations.  Employers should also be aware that 29 C.F.R. §1913.10 sets forth procedures and safeguards for such access, including procedures for employers, collective bargaining agents, and employees to lodge objections to an MAO.

If an employer is the recipient of an MAO, it should closely review the MAO to ensure that the requested information is limited to only the information needed to accomplish the stated purpose of access. The employer may promptly lodge any objections with the MAO, but should continue to comply with posting requirements and notify individual employees as appropriate. It is prudent to coordinate with OSHA investigators regarding procedures for access and/or transmittal of the information. Employers should be proactive in understanding the steps that OSHA will take to maintain the security and confidentiality of the information.

© 2020 Beveridge & Diamond PC National Law Review, Volume X, Number 259


About this Author

Jayni A. Lanham Environmental, Health, & Safety Attorney Beveridge & Diamond Baltimore, MD

Jayni draws on her experience with environmental, health, and safety (EHS) regimes to help clients assess risk, develop compliance strategies, and build strong legal and technical cases when faced with litigation or enforcement.

Jayni counsels companies in a variety of industries on regulatory compliance and represents them in litigation and enforcement proceedings related to a broad range of federal and state EHS laws. Jayni is a leader of Beveridge & Diamond’s Occupational Safety and Health group and has significant experience advising clients on compliance...

Sarah A. Kettenmann Environmental Attorney Beveridge & Diamond New York, NY

Sarah uses her knowledge of environmental law and the physical sciences to help clients solve complex problems in a conservation-minded manner.

She maintains a diverse environmental practice, which includes litigation matters involving toxic torts and products liability and class action litigation concerning environmental and regulatory claims. Her regulatory practice includes advising clients on compliance with, and enforcement of, land use restrictions and remediation, and due diligence for waste facility permits under federal and state statutes. She also counsels clients on procedural and substantive aspects of permitting and environmental impact review, and related strategic planning for project development. She further advises clients on Occupational Safety and Health Act (OSHA) and Toxic Substances Control Act (TSCA) compliance and enforcement. Sarah is a co-author of the Air Quality chapter in the Environmental Law and Regulation in New York treatise.

Before joining Beveridge & Diamond, Sarah clerked for the Hon. Chase T. Rogers, Chief Justice of the Connecticut Supreme Court, from June 2014 to July 2015. During her time at Pace Law School, Sarah served as a judicial extern for Judge Laura Taylor Swain in the United States District Court for the Southern District of New York (S.D.N.Y.). She interned in the Civil Division of the U.S. Attorney’s Office, S.D.N.Y., where she assisted with settlements under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) and under the Fair Housing Act to increase accessibility for people with disabilities. She also interned in the King’s County District Attorney’s Office and served as an environmental policy adviser and legal extern in the United Nations General Assembly, Permanent Mission of Saint Kitts & Nevis to the United Nations. She was as a research assistant in the Pace University Center for Environmental Legal Studies and acquisitions editor for Pace Environmental Law Review.

At Yale University, Sarah wrote her master's project on international legal frameworks for recovering electronic waste and also conducted field research on the impact of a proposed biofuels production plant in south Hawaii Island.

Prior to law school, Sarah participated in the first federally funded research expedition dedicated solely to examining the accumulation of plastic debris in the North Atlantic Ocean. Before that, she worked as a research associate for the Environmental Law Institute in Washington, D.C., where she assisted staff attorneys and senior attorneys on law and policy projects designed to strengthen environmental governance domestically and internationally.