HIPAA and OSHA
HIPAA and OSHA are both federal laws. HIPAA and OSHA both touch upon individual health. HIPAA is a federal law, whose purpose is to regulate the privacy and security of patient protected health information. OSHA is short for the Occupational Safety and Health Administration. The Occupational Safety and Health Administration is an agency of the United States Department of Labor (DOL). The federal Occupational Safety and Health Act of 1970, commonly called the OSH Act, created OSHA. OSHA enforces the provisions of the OSH Act. The OSH Act regulates health and safety in the workplace.Â
What is OSHA?
With the Occupational Safety and Health Act of 1970, Congress created the Occupational Safety and Health Administration (OSHA) to ensure safe and healthful working conditions for working men and women by setting and enforcing standards and by providing training, outreach, education and assistance.
OSHA regulations and standards are regulatory requirements established and published by the Department of Labor. The standards and regulations serve as criteria for measuring whether employers are in compliance with the OSH Act laws regulating workplace health safety. OSHA standards are published in Title 29 of the Code of Federal Regulations (CFR) and are divided into separate standards for General Industry, Construction, and Maritime. OSHA enforces the regulations and has the authority to issue fines for noncompliance.
HIPAA and OSHA share a similar regulatory structure. The Department of Health and Human Services (HHS) rather than the Department of Labor, issues HIPAA regulations. HHS has the authority to issue penalties for HIPAA noncompliance, while DOL has the authority to issue penalties for OSHA noncompliance. HHS has the authority to amend or impose new HIPAA regulations, while the DOL has the authority to issue OSHA regulations.
What Does OSHA Regulate?
OSHA regulates workplace safety and health. Examples of OSHA regulations include:
- Regulations designed to minimize the presence of airborne contaminants in the workplace.
- Regulations requiring employers to offer personal protective equipment, such as gloves and masks, to employees whose jobs require such equipment.
- Regulations of workplace chemicals, such that employee exposure to the harmful effects of such chemicals are minimized.
- Regulations of specific industries. For example, OSHA regulates the construction industry by regulating scaffold, forklift, and crane use operation.
- Regulations designed to ensure emergency preparedness and fire safety.
What Are OSHA Reporting Requirements?
OSHA requires that workplaces subject to its jurisdiction report work-related injuries and illnesses.
Under OSHA regulations, within eight (8) hours after the death of any employee as a result of a work-related incident, the employer must report the fatality to the Occupational Safety and Health Administration (OSHA), U.S. Department of Labor.
Within twenty-four (24) hours after the in-patient hospitalization of one or more employees or an employee’s amputation or an employee’s loss of an eye, as a result of a work-related incident, the employer must report the in-patient hospitalization, amputation, or loss of an eye to OSHA.
What Are OSHA Recordkeeping Requirements?
OSHA requires that certain work-related injuries or illnesses be recorded, in addition to being reported. This requirement is known as the OSHA recordkeeping requirement.Â
OSHA regulations require that a work-related injury or illness must be recorded under the Occupational Safety and Health (OSH) Act if it results in one or more of the following:
- Death.
- Days away from work.
- Restricted work or transfer to another job.
- Medical treatment beyond first aid.
- Loss of consciousness.
- A significant injury or illness diagnosed by a physician or other licensed health care professional.
The OSH Act regulations also indicate that cases involving cancer, chronic irreversible disease, a fractured or cracked bone, or a punctured eardrum must always be recorded.
An injury is considered work-related if an event or exposure in the workplace caused or contributed to the condition or significantly aggravated a pre-existing condition.
HIPAA and OSHA: Does OSHA Require Recordkeeping of PHI?
HIPAA and OSHA intersect, in that OSHA requires recordkeeping of certain information that constitutes information that is protected health information (PHI) under HIPAA.
The HIPAA Privacy Rule requires covered entities (health care providers, health plans, and healthcare clearinghouses) to implement safeguards to prevent PHI from improper use or disclosure of protected health information.
The fundamental requirement of the HIPAA privacy rule is that covered entities may not use or disclose protected health information (PHI) without the written authorization of the person who is the subject of the information. Many employers are not covered entities. Employers who are not covered entities generally are not subject to the Privacy Rule restriction on use or disclosure of PHI without written authorization.
Even if an employer with OSHA recordkeeping obligations is a covered entity, however, the Privacy Rule contains an exception to the general restriction. Under this exception, a covered entity may use or disclose PHI for public health activities. Public health activities can include government-required recording of illness or injury. Under the Privacy Rule, covered entities are specifically permitted to use or disclosure PHI in order to comply with OSHA recordkeeping requirements.
