OSHA Updates Rule on Medical Records Access
The Occupational Safety and Health Administration (OSHA) has issued a final rule revising its procedures for accessing employee medical records, with specific requirements for safeguarding electronic medical records that are more consistent with current medical recordkeeping practices. The revisions also shift authority to manage the procedures from the OSHA Assistant Secretary to an OSHA Medical Records Officer (MRO), which OSHA views as a more “efficient” process. As a result of these revisions, employers may learn at an earlier point in the inspection process whether OSHA personnel will be authorized to review medical records and should have greater clarity about the protocols OSHA will follow when reviewing the information. The final rule was issued on July 30, it modifies 29 CFR § 1913 and is available here.
Background on OSHA’s Procedure for Medical Records Access
To carry out its statutory obligations, OSHA needs to review employee medical records from time to time. For instance, OSHA may review medical records to determine whether employers are in compliance with existing OSHA standards and regulations. OSHA may also review medical records to check whether employer voluntary safety and health programs are effective. Employee medical information may also be reviewed during an OSHA rulemaking to develop or revise OSHA standards.
In 1980, OSHA promulgated Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records in an effort to preclude abuse of personally identifiable medical information. Under the 1980 rule, OSHA personnel were required to obtain a written access order to request and review medical information from employers. The order needed to include the statutory purpose for which access was sought, a general description of the kind of employee medical information that would be examined, and why there was a need to examine personally identifiable information. Additional explanation was required if medical information was to be examined on-site, and what type of information would be copied and removed off-site. In addition, the order needed to include the contact information for the Principle Investigator and the period of time during which employee medical information would be retained.
The 1980 rule also set forth several procedures for OSHA personnel to follow when accessing and reviewing personally identifiable medical information. For example, it required that all hard copy records that contained personally identifiable employee medical information be kept separate from other agency files, and, when not in use, stored in a locked cabinet or vault. OSHA personnel could photocopy such information, but duplication needed to be kept to the minimum extent necessary to accomplish the purpose for which the information was obtained. Protective means, including hand-delivery and U.S. mail, were required to be used for any inter-agency transfers. Personnel could not use inter-office mailing channels.
The procedural safeguards in the 1980 rule were developed at a time when employee medical records were maintained in hard copies, and until now, had not been updated to correspond with changes in recordkeeping practices, such as electronic medical records. According to the preamble of the revised rule, OSHA determined that it was necessary to make revisions in order to enhance employee privacy, clarify certain provisions, and to address the access and safeguarding of personally identifiable employee medical information maintained in electronic form.
Key Revisions
While keeping much of the 1980 rule in effect, the revised rule updates four significant aspects of the original rule.
First, the revised rule replaces the 1980 rule’s term “written access order” with the term “medical access order” or “MAO,” which is the term that is more commonly used by OSHA when requesting and accessing medical records. In conjunction with this revision, the revised rule also expressly clarifies that MAOs are not considered administrative subpoenas; rather, an MAO would need to be accompanied by an administrative subpoena, consistent with OSHA’s longstanding practice, to compel the production of medical records.
Second, the revised rule transfers responsibilities from the Assistant Secretary to the OSHA Medical Records Officer (MRO). The MRO is tasked with administering and implementing the rule: specifically, authorizing and monitoring OSHA access to personally identifiable medical information pursuant to an MAO, and inter-agency and public disclosure of personally identifiable medical information. The MRO is also authorized to issue written directives allowing OSHA personnel to review information in the absence of obtaining an MAO.
Third, the revised rule introduces measures to protect electronically stored medical records from unauthorized access at 29 CFR § 1913.10(n). It establishes new procedures for designating specific security roles and responsibilities for OSHA officials. It also creates measures to implement technology safeguards to protect against electronic breaches. The revision remedies out-dated provisions of the 1980 rule, which was issued when electronic medical records did not exist.
Fourth, given the existing security procedures in 29 CFR § 1913.10(i) and the new safeguards to protect private medical information in electronic medical records, the revised rule eliminates the requirement to remove direct personal identifiers from medical records that were formerly set forth in 29 CFR § 1913.10(g).
Click here to continue reading.












