HIPAA vs OSHA: What to Do When Laws Collide

As if compliance isn’t already challenging enough, you might find yourself in a situation where the only way to comply with one law is to violate another. Such is the case—or so it may seem—when lab personnel exercise their Occupational Safety and Health Administration (OSHA) rights to access workplace illness and injury records containing protected health information (PHI) about other lab employees that you’re not allowed to disclose under Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy laws. Consider the following scenario.

SITUATION

An employee representative asks to see your lab’s OSHA logs. This is a legitimate request under the OSHA recordkeeping standard (29 CFR 1904.35(b)(2)(iv)) and refusing it would subject you to fines. On the other hand, the records contain sensitive PHI about the health of lab employees and the injuries or illnesses they might have suffered at work.

QUESTION

What should you do?

1. Disclose the records to ensure compliance with OSHA
2. Withhold the records to ensure compliance with HIPAA
3. Remove all names and identifying information and then disclose the records

ANSWER

A. Disclose the records.

EXPLANATION

Technically, C is also an option. But you don’t have to go to the trouble of purging OSHA 300 Logs of identifying information (assuming the illnesses and injuries involved aren’t “privacy cases” under the OSHA Recordkeeping Rule). Who says that it’s okay to disclose OSHA logs that contain private medical information about workers without redacting them?

OSHA does—in an August 2, 2004 interpretation letter. To understand why OSHA trumps HIPAA, you need to know a little about how HIPAA works. The HIPAA Privacy Rule makes it illegal to use or disclose PHI about individuals without their permission unless you first purge the PHI of names and other information identifying the individual. Information in the OSHA 300 about lab employees’ medical conditions and work injuries and illnesses would very likely be considered PHI.

But there are also exceptions when you don’t need permission to disclose PHI. One of these exceptions is when the disclosure is “required by law” (HIPAA Regs, Sec. 164.512(a)). According to OSHA, this includes disclosing OSHA logs to an employee representative (or a current or former employee) in response to a request for access. “Even if HIPAA is implicated by the employer’s disclosure of the OSHA Log,” the OSHA letter says, “the exception for disclosures required by law applies here because the Recordkeeping rule requires that employees, former employees, and employee representatives have access to the complete Log, including employee names, except for privacy cases” [OSHA Interpretation Letter, August 2, 2004].

OSHA Privacy Rules

Keep in mind that there are also privacy requirements within the OSHA Recordkeeping Rule regarding how you log certain illnesses and injuries. You can’t list the employee’s name but must instead list “privacy case” in the log for the following:

• Injuries/illnesses to intimate body parts or the reproductive system;
• Sexual assaults;
• Mental illnesses;
• HIV infection, hepatitis, or tuberculosis;
• Needlestick or sharps cut injuries; and
•  Any other case when the employee asks that his or her name not be entered in the log.

You must also keep a confidential privacy log that’s separate from the 300 Log in which each case has an identifying number and corresponding employee name.