Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records

29 CFR 1913.10 ecfr download 080217.pdf

Ionizing Radiation Standard (29 CFR 1910.1096)

OMB: 1218-0103

eCFR — Code of Federal Regulations

ELECTRONIC CODE OF FEDERAL REGULATIONS

e-CFR data is current as of August 2, 2017

Title 29: Labor

PART 1913—RULES OF AGENCY PRACTICE AND PROCEDURE CONCERNING OSHA ACCESS TO EMPLOYEE MEDICAL RECORDS


§1913.10   Rules of agency practice and procedure concerning OSHA access to employee medical records.
(a) General policy. OSHA access to employee medical records will in certain circumstances be important to the
agency's performance of its statutory functions. Medical records, however, contain personal details concerning the lives of
employees. Due to the substantial personal privacy interests involved, OSHA authority to gain access to personally
identifiable employee medical information will be exercised only after the agency has made a careful determination of its
need for this information, and only with appropriate safeguards to protect individual privacy. Once this information is
obtained, OSHA examination and use of it will be limited to only that information needed to accomplish the purpose for
access. Personally identifiable employee medical information will be retained by OSHA only for so long as needed to
accomplish the purpose for access, will be kept secure while being used, and will not be disclosed to other agencies or
members of the public except in narrowly defined circumstances. This section establishes procedures to implement these
policies.
(b) Scope and application. (1) Except as provided in paragraphs (b) (3) through (6) below, this section applies to all
requests by OSHA personnel to obtain access to records in order to examine or copy personally identifiable employee
medical information, whether or not pursuant to the access provisions of 29 CFR 1910.1020(e).
(2) For the purposes of this section, “personally identifiable employee medical information” means employee medical
information accompanied by either direct identifiers (name, address, social security number, payroll number, etc.) or by
information which could reasonably be used in the particular circumstances indirectly to identify specific employees (e.g.,
exact age, height, weight, race, sex, date of initial employment, job title, etc.).
(3) This section does not apply to OSHA access to, or the use of, aggregate employee medical information or medical
records on individual employees which is not in a personally identifiable form. This section does not apply to records
required by 29 CFR part 1904, to death certificates, or to employee exposure records, including biological monitoring
records treated by 29 CFR 1910.1020(c)(5) or by specific occupational safety and health standards as exposure records.
(4) This section does not apply where OSHA compliance personnel conduct an examination of employee medical
records solely to verify employer compliance with the medical surveillance recordkeeping requirements of an occupational
safety and health standard, or with 29 CFR 1910.1020. An examination of this nature shall be conducted on-site and, if
requested, shall be conducted under the observation of the recordholder. The OSHA compliance personnel shall not
record and take off-site any information from medical records other than documentation of the fact of compliance or noncompliance.
(5) This section does not apply to agency access to, or the use of, personally identifiable employee medical
information obtained in the course of litigation.
(6) This section does not apply where a written directive by the Assistant Secretary authorizes appropriately qualified
personnel to conduct limited reviews of specific medical information mandated by an occupational safety and health
standard, or of specific biological monitoring test results.
(7) Even if not covered by the terms of this section, all medically related information reported in a personally
identifiable form shall be handled with appropriate discretion and care befitting all information concerning specific
employees. There may, for example, be personal privacy interests involved which militate against disclosure of this kind of
information to the public (See, 29 CFR 70.26 and 70a.3).
(c) Responsible persons—(1) Assistant Secretary. The Assistant Secretary of Labor for Occupational Safety and
Health (Assistant Secretary) shall be responsible for the overall administration and implementation of the procedures
contained in this section, including making final OSHA determinations concerning:
(i) Access to personally identifiable employee medical information (paragraph (d)), and
(ii) Inter-agency transfer or public disclosure of personally identifiable employee medical information (paragraph (m)).
(2) OSHA Medical Records Officer. The Assistant Secretary shall designate an OSHA official with experience or
training in the evaluation, use, and privacy protection of medical records to be the OSHA Medical Records Officer. The
OSHA Medical Records Officer shall report directly to the Assistant Secretary on matters concerning this section and shall
be responsible for:
(i) Making recommendations to the Assistant Secretary as to the approval or denial of written access orders
(paragraph (d)),
(ii) Assuring that written access orders meet the requirements of paragraphs (d) (2) and (3) of this section,
(iii) Responding to employee, collective bargaining agent, and employer objections concerning written access orders
(paragraph (f)),
(iv) Regulating the use of direct personal identifiers (paragraph (g)),
(v) Regulating internal agency use and security of personally identifiable employee medical information (paragraphs
(h) through (j)),
(vi) Assuring that the results of agency analyses of personally identifiable medical information are, where appropriate,
communicated to employees (paragraph (k)),
(vii) Preparing an annual report of OSHA's experience under this section (paragraph (l)), and
(viii) Assuring that advance notice is given of intended inter-agency transfers or public disclosures (paragraph (m)).
(3) Principal OSHA Investigator. The Principal OSHA Investigator shall be the OSHA employee in each instance of
access to personally identifiable employee medical information who is made primarily responsible for assuring that the
examination and use of this information is performed in the manner prescribed by a written access order and the
requirements of this section (paragraphs (d) through (m)). When access is pursuant to a written access order, the Principal
OSHA Investigator shall be professionally trained in medicine, public health, or allied fields (epidemiology, toxicology,
industrial hygiene, biostatistics, environmental health, etc.).
(d) Written access orders—(1) Requirement for written access order. Except as provided in paragraph (d)(4) below,
each request by an OSHA representative to examine or copy personally identifiable employee medical information
contained in a record held by an employer or other recordholder shall be made pursuant to a written access order which
has been approved by the Assistant Secretary upon the recommendation of the OSHA Medical Records Officer. If deemed
appropriate, a written access order may constitute, or be accompanied by, an administrative subpoena.
(2) Approval criteria for written access order. Before approving a written access order, the Assistant Secretary and the
OSHA Medical Records Officer shall determine that:
(i) The medical information to be examined or copied is relevant to a statutory purpose and there is a need to gain
access to this personally identifiable information,
(ii) The personally identifiable medical information to be examined or copied is limited to only that information needed
to accomplish the purpose for access, and
(iii) The personnel authorized to review and analyze the personally identifiable medical information are limited to those
who have a need for access and have appropriate professional qualifications.
(3) Content of written access order. Each written access order shall state with reasonable particularity:
(i) The statutory purposes for which access is sought,
(ii) A general description of the kind of employee medical information that will be examined and why there is a need to
examine personally identifiable information,
(iii) Whether medical information will be examined on-site, and what type of information will be copied and removed
off-site,
(iv) The name, address, and phone number of the Principal OSHA Investigator and the names of any other authorized
persons who are expected to review and analyze the medical information.
(v) The name, address, and phone number of the OSHA Medical Records Officer, and
(vi) The anticipated period of time during which OSHA expects to retain the employee medical information in a
personally identifiable form.
(4) Special situations. Written access orders need not be obtained to examine or copy personally identifiable
employee medical information under the following circumstances:
(i) Specific written consent. If the specific written consent of an employee is obtained pursuant to 29 CFR
1910.1020(e)(2)(ii), and the agency or an agency employee is listed on the authorization as the designated representative
to receive the medical information, then a written access order need not be obtained. Whenever personally identifiable
employee medical information is obtained through specific written consent and taken off-site, a Principal OSHA
Investigator shall be promptly named to assure protection of the information, and the OSHA Medical Records Officer shall
be notified of this person's identity. The personally identifiable medical information obtained shall thereafter be subject to
the use and security requirements of paragraphs (h) through (m) of this section.
(ii) Physician consultations. A written access order need not be obtained where an OSHA staff or contract physician
consults with an employer's physician concerning an occupational safety or health issue. In a situation of this nature, the
OSHA physician may conduct on-site evaluation of employee medical records in consultation with the employer's
physician, and may make necessary personal notes of his or her findings. No employee medical records, however, shall
be taken off-site in the absence of a written access order or the specific written consent of an employee, and no notes of
personally identifiable employee medical information made by the OSHA physician shall leave his or her control without
the permission of the OSHA Medical Records Officer.
(e) Presentation of written access order and notice to employees. (1) The Principal OSHA Investigator, or someone
under his or her supervision, shall present at least two (2) copies each of the written access order and an accompanying
cover letter to the employer prior to examining or obtaining medical information subject to a written access order. At least
one copy of the written access order shall not identify specific employees by direct personal identifier. The accompanying
cover letter shall summarize the requirements of this section and indicate that questions or objections concerning the
written access order may be directed to the Principal OSHA Investigator or to the OSHA Medical Records Officer.
(2) The Principal OSHA Investigator shall promptly present a copy of the written access order (which does not identify
specific employees by direct personal identifier) and its accompanying cover letter to each collective bargaining agent
representing employees whose medical records are subject to the written access order.
(3) The Principal OSHA Investigator shall indicate that the employer must promptly post a copy of the written access
order which does not identify specific employees by direct personal identifier, as well as post its accompanying cover letter
(See, 29 CFR 1910.1020(e)(3)(ii)).
(4) The Principal OSHA Investigator shall discuss with any collective bargaining agent and with the employer the
appropriateness of individual notice to employees affected by the written access order. Where it is agreed that individual
notice is appropriate, the Principal OSHA Investigator shall promptly provide to the employer an adequate number of
copies of the written access order (which does not identify specific employees by direct personal identifier) and its
accompanying cover letter to enable the employer either to individually notify each employee or to place a copy in each
employee's medical file.
(f) Objections concerning a written access order. All employee, collective bargaining agent, and employer written
objections concerning access to records pursuant to a written access order shall be transmitted to the OSHA Medical
Records Officer. Unless the agency decides otherwise, access to the records shall proceed without delay notwithstanding
the lodging of an objection. The OSHA Medical Records Officer shall respond in writing to each employee's and collective
bargaining agent's written objection to OSHA access. Where appropriate, the OSHA Medical Records Officer may revoke
a written access order and direct that any medical information obtained by it be returned to the original recordholder or
destroyed. The Principal OSHA Investigator shall assure that such instructions by the OSHA Medical Records Officer are
promptly implemented.
(g) Removal of direct personal identifiers. Whenever employee medical information obtained pursuant to a written
access order is taken off-site with direct personal identifiers included, the Principal OSHA Investigator shall, unless
otherwise authorized by the OSHA Medical Records Officer, promptly separate all direct personal identifiers from the
medical information, and code the medical information and the list of direct identifiers with a unique identifying number for
each employee. The medical information with its numerical code shall thereafter be used and kept secured as though still
in a directly identifiable form. The Principal OSHA Investigator shall also hand deliver or mail the list of direct personal
identifiers with their corresponding numerical codes to the OSHA Medical Records Officer. The OSHA Medical Records
Officer shall thereafter limit the use and distribution of the list of coded identifiers to those with a need to know its contents.
(h) Internal agency use of personally identifiable employee medical information. (1) The Principal OSHA Investigator
shall in each instance of access be primarily responsible for assuring that personally identifiable employee medical
information is used and kept secured in accordance with this section.
(2) The Principal OSHA Investigator, the OSHA Medical Records Officer, the Assistant Secretary, and any other
authorized person listed on a written access order may permit the examination or use of personally identifiable employee
medical information by agency employees and contractors who have a need for access, and appropriate qualifications for
the purpose for which they are using the information. No OSHA employee or contractor is authorized to examine or
otherwise use personally identifiable employee medical information unless so permitted.
(3) Where a need exists, access to personally identifiable employee medical information may be provided to attorneys
in the Office of the Solicitor of Labor, and to agency contractors who are physicians or who have contractually agreed to
abide by the requirements of this section and implementing agency directives and instructions.
(4) OSHA employees and contractors are only authorized to use personally identifiable employee medical information
for the purposes for which it was obtained, unless the specific written consent of an employee is obtained as to a
secondary purpose, or the procedures of paragraphs (d) through (g) of this section are repeated with respect to the
secondary purpose.
(5) Whenever practicable, the examination of personally identifiable employee medical information shall be performed
on-site with a minimum of medical information taken off-site in a personally identifiable form.
(i) Security procedures. (1) Agency files containing personally identifiable employee medical information shall be
segregated from other agency files. When not in active use, files containing this information shall be kept secured in a
locked cabinet or vault.
(2) The OSHA Medical Records Officer and the Principal OSHA Investigator shall each maintain a log of uses and
transfers of personally identifiable employee medical information and lists of coded direct personal identifiers, except as to
necessary uses by staff under their direct personal supervision.
(3) The photocopying or other duplication of personally identifiable employee medical information shall be kept to the
minimum necessary to accomplish the purposes for which the information was obtained.
(4) The protective measures established by this section apply to all worksheets, duplicate copies, or other agency
documents containing personally identifiable employee medical information.
(5) Intra-agency transfers of personally identifiable employee medical information shall be by hand delivery, United
States mail, or equally protective means. Inter-office mailing channels shall not be used.
(j) Retention and destruction of records. (1) Consistent with OSHA records disposition programs, personally
identifiable employee medical information and lists of coded direct personal identifiers shall be destroyed or returned to the
original recordholder when no longer needed for the purposes for which they were obtained.
(2) Personally identifiable employee medical information which is currently not being used actively but may be needed
for future use shall be transferred to the OSHA Medical Records Officer. The OSHA Medical Records Officer shall conduct
an annual review of all centrally-held information to determine which information is no longer needed for the purposes for
which it was obtained.
(k) Results of an agency analysis using personally identifiable employee medical information. The OSHA Medical
Records Officer shall, as appropriate, assure that the results of an agency analysis using personally identifiable employee
medical information are communicated to the employees whose personal medical information was used as a part of the
analysis.
(l) Annual report. The OSHA Medical Records Officer shall on an annual basis review OSHA's experience under this
section during the previous year, and prepare a report to the Assistant Secretary which shall be made available to the
public. This report shall discuss:
(1) The number of written access orders approved and a summary of the purposes for access,
(2) The nature and disposition of employee, collective bargaining agent, and employer written objections concerning
OSHA access to personally identifiable employee medical information, and
(3) The nature and disposition of requests for inter-agency transfer or public disclosure of personally identifiable
employee medical information.
(m) Inter-agency transfer and public disclosure. (1) Personally identifiable employee medical information shall not be
transferred to another agency or office outside of OSHA (other than to the Office of the Solicitor of Labor) or disclosed to
the public (other than to the affected employee or the original recordholder) except when required by law or when
approved by the Assistant Secretary.
(2) Except as provided in paragraph (m)(3) of this section, the Assistant Secretary shall not approve a request for an
inter-agency transfer of personally identifiable employee medical information, which has not been consented to by the
affected employees, unless the request is by a public health agency which:
(i) Needs the requested information in a personally identifiable form for a substantial public health purpose,
(ii) Will not use the requested information to make individual determinations concerning affected employees which
could be to their detriment,
(iii) Has regulations or established written procedures providing protection for personally identifiable medical
information substantially equivalent to that of this section, and
(iv) Satisfies an exemption to the Privacy Act to the extent that the Privacy Act applies to the requested information
(See, 5 U.S.C. 552a(b); 29 CFR 70a.3).
(3) Upon the approval of the Assistant Secretary, personally identifiable employee medical information may be
transferred to:
(i) The National Institute for Occupational Safety and Health (NIOSH) and
(ii) The Department of Justice when necessary with respect to a specific action under the Occupational Safety and
Health Act.
(4) The Assistant Secretary shall not approve a request for public disclosure of employee medical information
containing direct personal identifiers unless there are compelling circumstances affecting the health or safety of an
individual.
(5) The Assistant Secretary shall not approve a request for public disclosure of employee medical information which
contains information which could reasonably be used indirectly to identify specific employees when the disclosure would
constitute a clearly unwarranted invasion of personal privacy (See, 5 U.S.C. 552(b)(6); 29 CFR 70.26).
(6) Except as to inter-agency transfers to NIOSH or the Department of Justice, the OSHA Medical Records Officer
shall assure that advance notice is provided to any collective bargaining agent representing affected employees and to the
employer on each occasion that OSHA intends to either transfer personally identifiable employee medical information to
another agency or disclose it to a member of the public other than to an affected employee. When feasible, the OSHA
Medical Records Officer shall take reasonable steps to assure that advance notice is provided to affected employees
when the employee medical information to be transferred or disclosed contains direct personal identifiers.
[45 FR 35294, May 23, 1980; 45 FR 54334, Aug. 15, 1980, as amended at 71 FR 16674, Apr. 3, 2006]

File Type: application/pdf
File Title: eCFR — Code of Federal Regulations
File Modified: 2017-08-04
File Created: 2017-08-04
