What Are OSHA Reporting Requirements?
OSHA requires that workplaces subject to its jurisdiction report work-related injuries and illnesses.
Under OSHA regulations, within eight (8) hours after the death of any employee as a result of a work-related incident, the employer must report the fatality to the Occupational Safety and Health Administration (OSHA), U.S. Department of Labor.
Within twenty-four (24) hours after the in-patient hospitalization of one or more employees or an employee’s amputation or an employee’s loss of an eye, as a result of a work-related incident, the employer must report the in-patient hospitalization, amputation, or loss of an eye to OSHA.
What Are OSHA Recordkeeping Requirements?
OSHA requires that certain work-related injuries or illnesses be recorded, in addition to being reported. This requirement is known as the OSHA recordkeeping requirement.
OSHA regulations require that a work-related injury or illness must be recorded under the Occupational Safety and Health (OSH) Act if it results in one or more of the following:
- Days away from work.
- Restricted work or transfer to another job.
- Medical treatment beyond first aid.
- Loss of consciousness.
- A significant injury or illness diagnosed by a physician or other licensed health care professional.
The OSH Act regulations also indicate that cases involving cancer, chronic irreversible disease, a fractured or cracked bone, or a punctured eardrum must always be recorded.
An injury is considered work-related if an event or exposure in the workplace caused or contributed to the condition or significantly aggravated a pre-existing condition.
HIPAA and OSHA: Does OSHA Require Recordkeeping of PHI?
HIPAA and OSHA intersect, in that OSHA requires recordkeeping of certain information that constitutes information that is protected health information (PHI) under HIPAA.
The HIPAA Privacy Rule requires covered entities (health care providers, health plans, and healthcare clearinghouses) to implement safeguards to prevent PHI from improper use or disclosure of protected health information.
The fundamental requirement of the HIPAA privacy rule is that covered entities may not use or disclose protected health information (PHI) without the written authorization of the person who is the subject of the information. Many employers are not covered entities. Employers who are not covered entities generally are not subject to the Privacy Rule restriction on use or disclosure of PHI without written authorization.
Even if an employer with OSHA recordkeeping obligations is a covered entity, however, the Privacy Rule contains an exception to the general restriction. Under this exception, a covered entity may use or disclose PHI for public health activities. Public health activities can include government-required recording of illness or injury. Under the Privacy Rule, covered entities are specifically permitted to use or disclosure PHI in order to comply with OSHA recordkeeping requirements.