Yesterday OSHA announced and today OSHA officially published its Final Rule amending its Electronic Recordkeeping Rule. After years of advocacy for change to (or to rescind) OSHA’s controversial Obama-era rule to “Improve Tracking of Workplace Injuries and Illnesses” (aka the E-Recordkeeping Rule), and a transition to the de-regulatory platform of the Trump Administration, OSHA has finally approved changes (hopefully just the first step) to pare down the E-Recordkeeping Rule.

On July 30, 2018, OSHA announced a Notice of Proposed Rulemaking to amend the E-Recordkeeping Rule. 83 Fed. Reg. 36494 (July 30, 2018). The proposed Rule included only one significant change to the current regulation. Specifically, the proposal sought to rescind the requirement for the largest employers — those with individual establishments with 250 or more employees — to annually submit to OSHA’s online web portal the data from their 300 logs and 301 detailed incident reports of recorded injuries and illnesses.

The proposal left intact the requirement for these large employers and many more smaller employers to annually submit 300A annual summary data. Perhaps even more concerning to employers than leaving in place a portion of the electronic data submission requirements, the final rule does not disturb in any manner the controversial and duplicative “anti-retaliation” provisions, or the interpretations of those provisions included in the Preamble to the 2016 Final Rule. These are the provisions that endeavored to restrict employers’ authority to discipline employees for late injury reporting or for safety violations, as well as limit employer’s ability to perform post-incident drug testing and to provide safety incentives. For more information about these elements of the E-Recordkeeping Rule, check out our previous blog article regarding the E-Recordkeeping Anti-Retaliation provisions.

Tortured History and Difficulties Implementing E-Recordkeeping

Historically, unless OSHA opened an enforcement inspection at an employer’s workplace or the Bureau of Labor Statistics requested an employer participate in its annual injury data survey, employers’ injury and illness recordkeeping data was maintained internally. In a major policy shift, President Obama’s OSHA enacted the E-Recordkeeping Rule to require hundreds of thousands of employers to submit injury and illness data, later to be published by OSHA in an online database available for public viewing. Specifically, on May 11, 2016, OSHA published its Final Rule for injury and illness recordkeeping electronic data submissions, which fundamentally changed OSHA’s long-standing injury and illness recordkeeping program. Specifically, the 2016 E-Recordkeeping Rule required:

  1. All establishments with 250 or more employees in industries covered by the recordkeeping regulation to submit to OSHA annually their injury and illness data and information from their OSHA 300 Logs, 301 Incident Reports, and 300A Annual Summaries;
  2. Establishments with 20-249 employees in select “high hazard industries” to annually submit information from their 300A Annual Summaries only;
  3. All submissions to be done electronically, via a purportedly secure OSHA website portal; and
  4. Employer’s injury data to be publicized in a “user-friendly” database for all the world to see.

Given the breadth and sensitive nature of the data required to be submitted under the rule, employers were alarmed and raised concerns about how the data would be mined, taken out of context, distorted, misunderstood, and certainly used against them by insurance companies, union organizers, competitors, the media, plaintiffs’ attorneys, prospective employees, etc. It was also clear that its use would most certainly undermine the “no-fault” nature of OSHA’s injury and illness recordkeeping scheme; i.e., we record all injuries, even if they do not reflect anything at all about the effectiveness of an employer’s safety program (e.g., allergic reactions to bee stings, forklift incidents caused by a drunk employee, other unforseeable misconduct, or even acts of nature).

Since promulgation in May 2016, implementation of the Rule has been mired in difficulty, and frankly, OSHA has seemed tortured about whether and how to move forward with the rule. The original July 1, 2017 data submission deadline for 2016 summary data became a moving target and source of uncertainty. First, the agency had serious difficulty launching and operating its electronic portal, the Injury Tracking Application (ITA). OSHA’s initial roll-out of the ITA was delayed, and then, almost immediately after it was rolled out, website security concerns caused another setback, legitimizing employers’ privacy concerns about the data collection. Specifically, the Department of Homeland Security notified OSHA there was a potential compromise of user information during a test run period. Then, shortly before that first deadline, OSHA announced an indefinite suspension of the submission deadline, and later published a Notice of Proposed Rulemaking to extend the deadline to December 1, 2017. The proposed new December 1st deadline was cleared by the Office of Management and Budget later than expected, so OSHA ultimately pushed the deadline to December 31, 2017.

While OSHA was repeatedly pushing the data submission deadline, the agency made several announcements forecasting expected changes to (and possible rescission of) the rule, including a Spring 2018 announcement that it would not require submission of 300 and 301 data from any employer, just the 300A Annual Summary data.

Then there were (are) the legal challenges. Shortly after the rule was promulgated, industry groups brought a legal challenge to the anti-retaliation elements of the rule and sought a preliminary injunction to prohibit enforcement of those portions of the rule. (TEXO ABC/AGC v. Perez, No. 3:16-cv-01998-D (N.D. Tex. July 8, 2016)). On November 28, 2016, a Texas federal district court denied the preliminary injunction to halt enforcement of the Rule. But on June 29, 2017, the Trump Administration filed a motion to stay the challenge on the basis that OSHA was considering revisions to the rule, and the Judge administratively closed the case pending further rulemaking by OSHA. Most people tracking the Rule and these proceedings assumed this move by OSHA signaled the agency’s intent to rescind at least the anti-retaliation provisions.

Industry opponents of the Rule also brought a separate legal challenge to the electronic data submission and publication elements of the rule (Nat’l Assn. of Home Builders et al. v. Perez et al., No. 5:17-cv-00009 (W.D. Okla. Jan. 4, 2017)). However, on July 10, 2017, the Trump Administration joined a request by the industry plaintiffs to stay that legal challenge because the new Administration indicated an intent to reopen the rulemaking to either rescind or amend the rule. The District Court Judge granted that stay, as well.

Thus, both cases challenging both aspects of the rule have remained dormant since last year, based on the Trump Administration’s representation that it would review and likely revise the rule.

Finally, in addition to the two legal challenges in Texas and Oklahoma, employers should also monitor a lawsuit filed by Public Citizen on January 19, 2018, in the U.S. District Court for the District of Columbia, challenging OSHA’s justification for not publishing or producing already-collected data in response to a Freedom of Information Act (FOIA) request. (Public Citizen Foundation v. Dep’t of Labor, No. 1:18-cv-00117 (D.D.C. Jan. 19, 2018)). In October and November of 2017, Public Citizen issued FOIA requests for the summary injury and illness records submitted under the rule, but OSHA denied those requests, claiming they are exempt from FOIA because their release would “disclos[e] OSHA’s techniques and procedures for law enforcement investigations,” and that the data reflects employers’ confidential business information. Last summer, OSHA moved for and Public Citizen opposed summary judgment. In its opposition, Public Citizen included a Declaration from former Assistant Secretary of Labor for OSHA, Dr. David Michaels, in which he stated:

The objective of the rule was to provide information to prospective employees, who would likely prefer to work in safer establishments. These data would also be useful to current employees, who could see if their injury risk was higher than those of workers at comparable establishments. It would also assist employers in benchmarking their safety activities with other employers, something not possible for them to do at present.

The intent of the rule from the beginning was to provide these data as quickly as possible, since stale data would be of little value in addressing the uses listed above. I often use the phrase “real time” to describe the time framework.

The outcome of this case could have a major impact on employers. If the court rejects OSHA’s justification for withholding recordkeeping data from the public, then the unions, public advocacy groups, and plaintiffs’ attorneys may have quick access to years’ of employer injury data. Regardless, even if the court accepts OSHA’s justification for withholding the data, it does not appear that it will stand the passage of time. In other words, there will come a point where OSHA is no longer using the data to target enforcement resources, making moot the FOIA exemption for techniques and procedures for law enforcement investigations, so the data will likely become available to the public after some time.

January 25, 2019 Final Rule

All of that brings us to today. After a couple of years of informal changes through guidance, extended deadlines, legal challenges, and numerous comments requesting significant changes to the E-Recordkeeping Rule (including comments filed by Conn Maciel Carey LLP on behalf of a large coalition of employers and trade groups),

OSHA finally rolled out its final amendments to the Rule. Rather than settling the status of this Rule, this Rule will continue to face industry backlash and further litigation. Here specifically is what the new Final Amended Rule provides:

  1. Amend 29 C.F.R. § 1904.41 by removing the requirement for establishments with 250 or more employees to electronically submit information from OSHA Forms 300 and 301; and
  2. Require employers to submit their Employer Identification Number (EIN) along with the data.

OSHA’s rationale for the proposal is based on protecting worker privacy by eliminating the electronic collection of case-specific data containing identifying employee information and sensitive health information about specific individuals. The agency recognizes that collection of such information, which is all over OSHA 300 Logs and 301 Detailed Incident Reports, adds uncertain enforcement value, yet poses a potential privacy risk because, even if the agency successfully scrubbed the portal data to protect this information, it might still be made public pursuant to a FOIA request. As OSHA stated in the Preamble to the new amended rule:

OSHA has determined that the rule will benefit worker privacy by preventing routine government collection of information that may be quite sensitive, including descriptions of workers’ injuries and the body parts affected, and thereby avoiding the risk that such information might be publicly disclosed under [FOIA] or through the Injury Tracking Application. OSHA has also concluded that the extent of any incremental benefits of collecting the data from Forms 300 and 301 for OSHA enforcement and compliance assistance activities is uncertain. OSHA has determined that avoiding this risk to worker privacy outweighs the data’s uncertain incremental benefits to enforcement. The rule will allow OSHA to focus agency resources on the collection and use of 300A data described above, and severe injury reports, as well as data from other initiatives that its past experience has proven useful – instead of diverting those resources toward developing a Web portal for, and then collecting, manually reviewing, and analyzing data from Forms 300 and 301.

Because no such employee-identifying privacy concerns exist from 300A Annual Summary data (because employee-specific or even injury-specific information is not included on 300A forms), OSHA’s proposal maintains a requirement to submit that data.

The second element of the amended rule — requiring employers to submit EINs with the data submission, was implemented to facilitate data sharing with the Bureau of Labor Statistics. Specifically, without EIN information, BLS was having difficulty determining whether and where the data OSHA was collecting overlapped with the data BLS was collecting.

OSHA’s decision to narrow the scope of the rule is not surprising. It had already telegraphed that intent in two Regulatory Agendas, in numerous speeches, in postings on its website, and in court filings in the legal challenges to the Rule. Indeed, for all practical purposes, OSHA had already rescinded the requirement to submit 300 and 301 data because the ITA portal was never designed to be able to accept that level of data.

However, the scope of the change is much too small, and fails to address most of Industry’s concerns with the rule. Remember that only workplaces with 250+ employees were ever going to have to submit 300 and 301 level data. By eliminating that one requirement on that one subset of workplaces affects the tiniest percentage of workplaces. Every employer that was required to submit injury data yesterday, is still required to submit injury data now, and most employers that were covered by this rule will be submitting the exact same data they were already required to submit. So the revisions fall far short of what many in Industry would like to see, and perhaps what many expected, given President Trump’s commitment to deregulation.

Ultimately, OSHA made the right decision to not collect 300 and 301 level data, but the amended rule does not go nearly far enough to fix the many problems with the E-recordkeeping Rule. For example, OSHA did not, but should still:

  1. Add some express provision(s) to prevent the data that is collected from being published, or at least not published along with employer-identifying information (i.e., precisely how BLS handles the injury data it has collected for decades).
  2. Strike the duplicative and unworkable anti-retaliation elements.
  3. Modify the definition of “high hazard industry” that has swept thousands of small employers into this rule. Right now, the threshold average DART rate that makes an industry “high hazard” and therefore covered by the data submission requirements, is essentially exactly average. If OSHA recalibrates the definition of high hazard industry to where it has always been under the SST program, a great burden would be lifted from many small employers.
  4. Modify the size threshold from workplaces with 25 employees to 100 employees, would also unburden the really small employers currently affected by this rule.

It is also important to note that because those changes were not made in this rulemaking, the legal challenges that were halted to accommodate OSHA’s reconsideration of the rule will almost certainly re-activate. Should either or both of those challenges be successful, or motivate OSHA to further revisit the rule, more changes could be in the offing.