On July 30, the Occupational Safety and Health Administration (OSHA) revised its internal procedures for accessing employee medical records. The final rule shifts the authority for access from the assistant secretary of occupational safety and health to the OSHA medical records officer (MRO) (85 Federal Register 45780).
The MRO now can issue written medical access orders (MAOs) and is responsible for decisions about the transfer and public disclosure of personally identifiable employee medical information in OSHA’s possession. The rule also clarifies that a written MAO does not constitute an administrative subpoena.
The rule establishes new procedures for the access and safeguarding of personally identifiable employee medical information maintained in electronic form.
OSHA often reviews employee medical records to fulfill its statutory obligations, including:
- Determining whether an employer is in compliance with OSHA standards and regulations;
- Verifying that an employer has taken steps to correct existing violations;
- Determining the effectiveness of voluntary employer safety and health programs; and
- Gathering information during agency rulemaking to develop or revise occupational safety and health standards.
The regulation concerning access to employee exposure and medical records (29 CFR 1910.1020) established procedures by which exposure and medical records can be accessed by employees, their designated representatives, and OSHA. The standards for benzene (1910.1028) and lead (1910.1025) also contain provisions for OSHA access to medical records.
In general, OSHA personnel must request a written MAO to access personally identifiable employee medical information. The agency now believes the MRO is in the best position to make determinations about medical records access and personally identifiable medical information. Besides making determinations about approval of MAOs, the agency MRO also will make decisions about interagency transfers and public disclosures of identifiable employee medical records.
Under the previous regulations, the OSHA assistant secretary, an assistant secretary within the Department of Labor, was responsible for the overall administration and implementation of the policies and procedures concerning access to employee medical records. The assistant secretary will continue to designate the agency MRO but have limited day-to-day responsibility for medical record access.
The agency’s long-standing position is that interagency transfer and public disclosure of personally identifiable employee medical information should be considered carefully. However, the agency believes interagency transfer and public disclosures of employee medical records are not categorically prohibited because OSHA cannot legally make such a commitment and situations may arise when transfer or disclosure is appropriate.
For example, OSHA may need to transfer employee medical information to another federal or state agency to resolve a public health problem. OSHA has made only three interagency transfers of personally identifiable employee medical information in the last 5 years to another federal or state agency.
There is an exception for sharing medical records with the National Institute for Occupational Safety and Health (NIOSH). OSHA believes its ability to analyze employee medical records is often improved by gaining NIOSH assistance, and medical information collected by OSHA may have major research value for NIOSH. The institute has its own procedures for the protection of personally identifiable medical information.