The Occupational Safety & Health Administration (OSHA) has issued a final rule revising its procedures for accessing employee medical records, with specific requirements for safeguarding electronic medical records that are more consistent with current medical recordkeeping practices. The revisions also shift authority to manage the procedures from the OSHA Assistant Secretary to an OSHA Medical Records Officer (MRO), which OSHA views as a more “efficient” process. As a result of these revisions, employers may learn at an earlier point in the inspection process whether OSHA personnel will be authorized to review medical records and should have greater clarity about the protocols OSHA will follow when reviewing that information. The final rule was issued on July 30. It modifies 29 C.F.R. § 1913 and is available here.
Background on OSHA’s Procedures for Medical Records Access
To carry out its statutory obligations, OSHA needs to review employee medical records from time to time. For instance, OSHA may review medical records to determine whether employers are in compliance with existing OSHA standards and regulations. OSHA may also review medical records to check whether employer voluntary safety and health programs are effective. Employee medical information may also be reviewed during an OSHA rulemaking to develop or revise OSHA standards.
In 1980, OSHA promulgated Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records in an effort to preclude abuse of personally identifiable medical information. Under the 1980 rule, OSHA personnel were required to obtain a written access order to request and review medical information from employers. The order needed to include the statutory purpose for which access was sought, a general description of the kind of employee medical information that would be examined, and why there was a need to examine personally identifiable information. Additional explanation was required if medical information was to be examined on-site, and what type of information would be copied and removed off-site. In addition, the order needed to include the contact information for the Principal Investigator and the period of time during which employee medical information would be retained.
The 1980 rule also set forth several procedures for OSHA personnel to follow when accessing and reviewing personally identifiable medical information. For example, it required that all hard copy records that contained personally identifiable employee medical information be kept separate from other agency files, and, when not in use, stored in a locked cabinet or vault. OSHA personnel could photocopy such information, but duplication needed to be kept to the minimum extent necessary to accomplish the purpose for which the information was obtained. Protective means, including hand-delivery and U.S. mail, were required to be used for any inter-agency transfers. Personnel could not use inter-office mailing channels.
The procedural safeguards in the 1980 rule were developed at a time when employee medical records were maintained in hard copies, and until now, had not been updated to correspond with changes in recordkeeping practices, such as electronic medical records. According to the preamble of the revised rule, OSHA determined that it was necessary to make revisions in order to enhance employee privacy, clarify certain provisions, and to address the access and safeguarding of personally identifiable employee medical information maintained in electronic form.
While keeping much of the 1980 rule in effect, the revised rule updates four significant aspects of the original rule.
First, the revised rule replaces the 1980 rule’s term “written access order” with the term “medical access order” or “MAO,” which is the term that is more commonly used by OSHA when requesting and accessing medical records. In conjunction with this revision, the revised rule also expressly clarifies that MAOs are not considered administrative subpoenas. Rather, an MAO would need to be accompanied by an administrative subpoena, consistent with OSHA’s longstanding practice, to compel the production of medical records.
Second, the revised rule transfers responsibilities from the Assistant Secretary to the OSHA Medical Records Officer (MRO). The MRO is tasked with administering and implementing the rule: specifically, authorizing and monitoring OSHA access to personally identifiable medical information pursuant to an MAO, and inter-agency and public disclosure of personally identifiable medical information. The MRO is also authorized to issue written directives allowing OSHA personnel to review information in the absence of obtaining an MAO.
Third, the revised rule introduces measures to protect electronically stored medical records from unauthorized access at 29 C.F.R. §1913.10(n). It establishes new procedures for designating specific security roles and responsibilities for OSHA officials. It also creates measures to implement technology safeguards to protect against electronic breaches. This revision remedies outdated provisions of the 1980 rule, which was issued when electronic medical records did not exist.
Fourth, given the existing security procedures in 29 C.F.R. §1913.10(i) and the new safeguards to protect private medical information in electronic medical records,the revised rule eliminates the requirement to remove direct personal identifiers from medical records that was formerly set forth in 29 C.F.R. §1913.10(g). According to OSHA, this will significantly reduce the risk of human error in identifying and redacting private information by hand and will help ensure that personally identifiable medical information is handled in a consistent manner. The revised rule requires that all electronic files with personally identifiable employee medical information be encrypted before they are transferred. The Principal Investigator must also ensure that personally identifiable information on electronic files has been deleted, destroyed, or returned to the original record holder.
Employers should be aware that OSHA may seek employee medical records during the course of an inspection or in the course of carrying out other statutory obligations. Employers should also be aware that 29 C.F.R. §1913.10 sets forth procedures and safeguards for such access, including procedures for employers, collective bargaining agents, and employees to lodge objections to an MAO.
If an employer is the recipient of an MAO, it should closely review the MAO to ensure that the requested information is limited to only the information needed to accomplish the stated purpose of access. The employer may promptly lodge any objections with the MAO, but should continue to comply with posting requirements and notify individual employees as appropriate. It is prudent to coordinate with OSHA investigators regarding procedures for access and/or transmittal of the information. Employers should be proactive in understanding the steps that OSHA will take to maintain the security and confidentiality of the information.