In the world of COVID-19, it seems that information is constantly changing, and many do not know how to proceed. OSHA and the CDC have issued guidance to help employers provide a safe and healthful workplace for workers during the COVID-19 pandemic. Even though OSHA has issued proactive recommendations on how to control the spread of COVID-19, many workers are concerned about their working conditions. The agency has received thousands of COVID-19-related workplace health and safety complaints and, in response, the agency has opened investigations into these allegations. Part of the OSHA investigation process includes the examination of employee records. In the wake of COVID-19, one big question employers have been asking is how to handle disclosure of employee medical records.
OSHA has statutory authority to request and examine employee records pursuant to the agency’s purpose of protecting workers and ensuring that they are provided a safe and healthful work environment. See 29 C.F.R. § 1913.10. Such records include employee medical records, which often include personally identifiable information. Personally identifiable information draws major privacy concerns. Personally identifiable information is “employee medical information accompanied by either direct identifiers (name, address, social security number, payroll number) or by information which could reasonably be used in particular circumstances indirectly to identify specific employees (e.g., date of birth, race, sex, date of initial employment, job title).” See 29 C.F.R. § 1913.10(b)(2). OSHA can make a written request to an employer to access this information so long as the request identifies the specific statutory purpose, general information to be examined, reason for the inquiry, location of the examination, type of information that will be copied or moved off-site, and anticipated time needed.
OSHA recently issued a revision to the rules of agency practice and procedures concerning the agency’s access to employee medical records (29 C.F.R. § 1913.10). The revision focuses on internal procedures of accessing and using employee medical records containing personally identifiable information. The revision aims to “increase employee privacy and enhance OSHA’s ability to safeguard personally identifiable medical information.” The revision made a number of changes to the agency’s previous policy.
First, the revision replaces “written access order” with “medical access order” (“MAO”). This change was implemented because MAO is more commonly used than the previous term. OSHA is required to have a MAO to access personally identifiable medical information. A MAO is not necessary to access medical information that is not in personally identifiable form, injury and illness records required by 29 C.F.R. § 1904, death certificates, employee exposure records, and medical information obtained in the course of litigation.
Second, the revision transfers authority from the Assistant Secretary for Occupational Safety and Health (“Assistant Secretary”) to the OSHA Medical Records Officer (“MRO”) to administer and implement all § 1913.10 procedures. With this change, the MRO is responsible for determining (1) OSHA’s access to personally identifiable information pursuant to a MAO, (2) inter-agency transfer of such information, and (3) public disclosure of personally identifiable medical information in OSHA’s possession. Additionally, the MRO is now also responsible for authorizing compliance personnel to review certain limited information without obtaining a MAO. OSHA supports these changes in responsibility by asserting that the training and experience of the MRO position equip the MRO with the best tools to make these decisions. The MRO must be specifically trained in evaluation, use, and privacy protection of employee medical information and often has a medical and administrative background. The MRO reports directly to the Assistant Secretary.
Third, the revision clarifies that a MAO is not an administrative subpoena. This clarification specifically speaks to the weight of authority these orders carry. An administrative subpoena is backed by the enforcement of the D.C. District Court and can compel an employer to produce documents. A MAO is for internal use and cannot be enforced by the D.C. District Court.
Fourth, the revision eliminates the requirement that direct personal identifiers be removed from records when OSHA examines them away from the workplace. This change is part of an efficiency initiative. OSHA anticipates that by eliminating the requirement that employers remove all direct identifiers prior to transferring records to OSHA for examination, OSHA will be able to reduce the time and physical space necessary to complete on-site inspections.
Fifth, the revision establishes procedures for safe access to and storage of electronic records, such as password protections, firewalls, and encryption. This last change was implemented to address privacy concerns and to accommodate modern data policies.
Because this is classified as an internal procedure revision, OSHA did not have to issue the proposed revision and provide a public comment period before finalizing the change. OSHA issued the final rule on July 29, 2020.
State OSHA programs are encouraged but not required to adopt this federal OSHA revision. There are twenty-eight states and territories that have OSHA-approved programs. These states and territories are required to adopt standards and regulations that are “at least as effective” as federal OSHA policies. Thus, these states must adopt or already have procedures in place on this issue that are at least as effective. OSHA will provide summary information on the State Plan responses to this revision: www.osha.gov/dcsp/osp.
Although COVID-19 is not directly mentioned in the revision explanation, it seems clear that OSHA is acting in response to the pandemic. In the explanation of the revisions, OSHA identifies when disclosure of personal information would be appropriate: “For example, in order to resolve a public health problem, OSHA may need to transfer employee medical information to another federal or state agency.” The explanation continues to say that such disclosure can be instrumental in “identifying an emerging health issue, compiling data on worker fatalities from specific exposure, or evaluating the effectiveness of workplace controls designed to prevent occupational illness at manufacturing facilities.” Furthermore, OSHA explains that consent from the employee is required unless the request to access such information is by a public health agency for a substantial public health purpose. Additionally, OSHA asserts that use of personally identifiable employee medical records is necessary to determine if an injury or illness is work-related. OSHA also argues that deletion of personally identifiable information may impact the accuracy of the information and delay OSHA from addressing the issue. If OSHA has the identifying information, it can contact and interview the worker directly. The reduction in time required for on-site inspections due to these changes is critical in the modern environment of COVID-19. If OSHA agents have to spend less time on-site, then more investigations can be performed in less time, and there is a lower chance of spreading COVID-19 because there is a decreased period of possible exposure. Thus, the rule revision seems to be a direct response to COVID-19 and attempts to implement contact tracing and data collection.
Employers must be aware of these OSHA policy changes because they directly impact their liability when exchanging records with OSHA. Workers’ rights groups must also be aware because the rule revisions specifically target employee privacy rights. It will be interesting to see if there will be litigation challenging the constitutionality of OSHA’s rule revision and these new procedures related to OSHA’s access to, holding of, and disclosure of employee medical records.
Pages 47-52 of this document contain the revised language of 29 C.F.R. § 1913.10.