What is an OSHA Privacy Policy?
Generally, for each reportable illness or injury that occurs in the workplace, the employer must record the name of the injured or ill employee; the person’s job title; where and how the injury occurred; and how many days the employee was away from work on light or restricted duty, if any. Employers must also record what kind of injury or illness (e.g., hearing loss, poisoning, skin disorder) occurred or developed. Under OSHA’s “privacy concern policy,” certain injuries and illnesses must be treated as private, meaning the employer cannot log the employee’s name on the OSHA Form 300. The OSHA Privacy Policy is discussed below.
What is an OSHA Privacy Policy? Privacy Cases
The OSHA 300 Form requires employers to check one of six boxes to categorize the injury or illness. The six categories are:
- Injury
- Skin disorder
- Respiratory condition
- Poisoning
- Hearing loss
- All other illnesses
If an employer has a “privacy concern” case, the employer is prohibited by the OSHA privacy policy from entering the employee’s name on the OSHA 300 Log. The employer must instead, under the OSHA privacy policy, enter the phrase “privacy case” in the space normally used for the employee’s name. Employers must keep separate, confidential records containing the employee’s name and case number.
Withholding the employee’s name from the log protects the employee’s privacy when another employee, a former employee, or an authorized employee representative is provided access to the OSHA 300 Log. Under OSHA regulations, employees, former employees, and authorized employee representatives have the right to access the employer’s OSHA injury and illness records. The regulations provide this right so that employees can stay informed about which hazardous conditions exist at the workplace and which of them have caused injury or illness. However, employees, former employees, personal representatives, and authorized employee representatives may not see the confidential records.
What is an OSHA Privacy Policy? Specific Examples
Under the OSHA Privacy Policy, employers must withhold employees’ names from the log for the following injuries and illnesses:
- An injury or illness to an intimate body part or the reproductive system;
- An injury or illness resulting from sexual assault;
- Mental illnesses;
- HIV infection, hepatitis, or tuberculosis;
- Needlestick injuries and cuts from sharp objects that are contaminated with another person’s blood or other potentially infectious material; and
- Other illnesses, if an employee voluntarily requests that his or her name not be entered on the log.
Under the OSHA privacy policy rule, employers may not classify any other types of injuries and illnesses as privacy concern cases. The list above is a complete list of injuries and illnesses under the OSHA privacy policy.
OSHA Privacy Policy and Personally Identifiable Information
In some instances, an employer has removed an employee’s name, but still believes that the employee may be identified from the other information on the form. If the employer has a reasonable basis to believe that information describing the privacy concern case may be personally identifiable even though the employee’s name has been omitted, the employer may use discretion in describing the injury or illness on the OSHA 300 Log. The employer must enter enough information to identify the cause of the incident and the general severity of the injury or illness, but need not include details of an intimate or private nature. For example, an injury to a reproductive organ could be described as “lower abdominal injury.”
OSHA Privacy Policy: Situations Under Which Names Can be Disclosed
Employers may disclose names and personally identifying information only:
- To an auditor or consultant hired by the employer to evaluate the safety and health program;
- To the extent necessary for processing a claim for workers’ compensation or other insurance benefits; or
- To a public health authority or law enforcement agency for uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required under the HIPAA Privacy Rule.