Appendix A - Excerpts from Tracking of Workplace Injuries and Illnesses Final Rule Describing Significant Substantive Comments and Significant Changes Related to the ICR
(OMB Control No. 1218-0176)
In the final rule excerpts below, OSHA provides a summary of the discussion of public comments that pertain to the ICR.
I. Legal Authority
OSHA is issuing this final rule pursuant to authority expressly granted by sections 8 and 24 of the Occupational Safety and Health Act (the “OSH Act” or “Act”). (29 U.S.C. 657, 673). Section 8(c)(1) of the Act requires each employer to “make, keep and preserve, and make available to the Secretary [of Labor] or the Secretary of Health and Human Services, such records regarding his activities relating to this chapter as the Secretary [of Labor] . . . may prescribe by regulation as necessary or appropriate for the enforcement of this chapter or for developing information regarding the causes and prevention of occupational accidents and illnesses.” (29 U.S.C. 657(c)(1)). Section 8(c)(2) directs the Secretary to prescribe regulations “requiring employers to maintain accurate records of, and to make periodic reports on, work-related deaths, injuries and illnesses other than minor injuries requiring only first aid treatment and which do not involve medical treatment, loss of consciousness, restriction of work or motion, or transfer to another job.” (29 U.S.C. 657(c)(2)). Finally, section 8(g)(2) of the OSH Act broadly empowers the Secretary to “prescribe such rules and regulations as he may deem necessary to carry out [his] responsibilities under this chapter.” (29 U.S.C. 657(g)(2)).
Section 24 of the OSH Act (29 U.S.C. 673) contains a similar grant of authority. This section requires the Secretary to “develop and maintain an effective program of collection, compilation, and analysis of occupational safety and health statistics” and “compile accurate statistics on work injuries and illnesses which shall include all disabling, serious, or significant injuries and illnesses.” (29 U.S.C. 673(a)). Section 24 also requires employers to “file such reports with the Secretary as he shall prescribe by regulation.” (29 U.S.C. 673(e)). These reports are to be based on “the records made and kept pursuant to” section 8(c) of the OSH Act. (29
U.S.C. 673(e)).
The OSH Act requires cooperation with the Secretary of Health and Human Services concerning regulations that address reporting and record-keeping, and consultation concerning the development and maintenance of a program for occupational safety and health statistics. OSHA has a lengthy history of cooperation and consultation with the Department of Health and Human Services in this regard, particularly with its sub-agency, the National Institute for Occupational Safety and Health. With respect to this rule, OSHA informally received feedback from NIOSH on its proposal, including reviewing a draft of NIOSH’s comment, and provided NIOSH, and HHS more generally, with opportunities to provide comment on both the proposed and this final rule before publication.
Further support for the Secretary’s authority to require employers to keep and submit records of work-related illnesses and injuries is in the Congressional Findings and Purpose at the beginning of the OSH Act. (See 29 U.S.C. 651). In that section, Congress declares the overarching purpose of the Act is “to assure so far as possible every working man and woman in the Nation safe and healthful working conditions.” (29 U.S.C. 651(b)). One of the ways in which the Act is meant to achieve this goal is “by providing for appropriate reporting procedures . . . [that] will help achieve the objectives of this chapter and accurately describe the nature of the occupational safety and health problem.” (29 U.S.C. 651(b)(12)). Notably, the statute does not require this information to be transmitted to OSHA. And, section 8(d) of the Act provides that any information the Secretary collects under the Act “shall be obtained with a minimum burden upon employers.” (29 U.S.C. 657(d)).
The OSH Act authorizes the Secretary of Labor to issue two types of occupational safety and health rules: standards and regulations. Standards aim to correct particular identified workplace hazards, while regulations further the general enforcement and detection purposes of the OSH Act. (See Workplace Health & Safety Council v. Reich, 56 F.3d 1465, 1468 (D.C. Cir. 1995) (citing La. Chem. Ass’n v. Bingham, 657 F.2d 777, 781–82 (5th Cir. 1981)); United Steelworkers of Am. v. Auchter, 763 F.2d 728, 735 (3d Cir. 1985)). Recordkeeping requirements promulgated under the Act are characterized as regulations. (See 29 U.S.C. 657 (using the term “regulations” to describe recordkeeping requirements)). An agency may revise a prior rule if it provides a reasoned explanation for the change. (See Motor Vehicle Mfrs. Ass’n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 42 (1983)).1
When promulgating regulations pursuant to sections 8 and 24 of the OSH Act, OSHA must comply with the Administrative Procedure Act (APA) (5 U.S.C. 553), which requires the agency to publish notice of a proposed rule in the Federal Register and to provide an opportunity for interested persons to comment on the rulemaking. In the NPRM, OSHA invited comment on “all aspects of the proposed rule” (83 FR at 36505), and specifically encouraged comment on four questions regarding: (1) the risks and benefits of electronically collecting the information; (2) other agencies or organizations that use automated coding systems for text data in data collections; (3) other agencies or organizations that use automated de-identification systems to remove personal identifying information (PII) from text data before making the data available to the public; and (4) privacy issues regarding the submission of EINs. (83 FR at 36500).
OSHA received 1,880 comments on the proposed rule.2 Pursuant to the APA, 5 U.S.C. 553, OSHA has reviewed these comments and responded to the material issues commenters raised. (See Genuine Parts Co. v. Envtl. Prot. Agency, 890 F.3d 304, 313 (D.C. Cir. 2018) (although an agency “‘is not required to discuss every item of fact or opinion included in the submissions it receives in response to a Notice of Proposed Rulemaking, it must respond to those comments which, if true, would require a change in the proposed rule.’”) (quoting La. Fed. Land Bank Ass’n v. Farm Credit Admin., 336 F.3d 1075, 1080 (D.C. Cir. 2003))).
Some commenters raised issues such as the requirement for certain employers to submit their 300A data to OSHA (e.g., Document ID 2057-A1, pp. 2-3; 2053, p. 3) and the employee protection provisions added by the 2016 final rule (e.g., Document ID 2006-A1, p. 4; 2009-A1, p. 4; 2023-A1). These comments were beyond the scope of this rulemaking, and this final rule does not make any changes to the relevant provisions. Nevertheless, OSHA acknowledges and shares some of the concerns these comments suggest. First, in relation to concerns raised about possible publication of data submitted electronically to OSHA from Form 300A—and as identified in the NPRM and later in this final rule—the agency takes the position that these data are exempt from public disclosure under FOIA. It should likewise be noted that OSHA uses and will continue to use 300A data to prioritize its inspections and enforcement actions. Among other considerations, disclosure of 300A data through FOIA may jeopardize OSHA’s enforcement efforts by enabling employers to identify industry trends and anticipate the inspection of their particular workplaces. As OSHA has explained elsewhere, OSHA is strongly opposed to disclosure of 300A data, has not made such data public, and does not intend to make any such data public for at least the approximately four years after its receipt that OSHA intends to use the data for enforcement purposes.
In response to concerns about the application of the 2016 final rule to employee drug testing and incident-based incentive programs, OSHA notes that the employee protection provisions promulgated by that final rule and codified at 29 CFR 1904.35 neither ban drug testing employees involved in workplace injury or illnesses, nor prohibit incident-based incentive programs. Rather, § 1904.35(b)(1)(iv) merely prohibits employers from implementing these programs to penalize workers “for reporting a work-related injury or illness.” Id. (emphasis added). On October 11, 2018, OSHA issued a memorandum that explained this regulatory text and OSHA’s position on workplace incentive programs and post-incident drug testing. See U.S. Dep’t of Labor, Clarification of OSHA’s Position on Workplace Safety Incentive Programs and Post-Incident Drug Testing Under 29 CFR § 1904.35(b)(1)(iv) (Oct. 11, 2018). That memorandum—which referred to the 2016 final rule and its preamble—reiterated the rule’s limited scope and expressed how it “does not prohibit workplace safety incentive programs or post-incident drug testing.” Id. To the extent the 2016 preamble suggested otherwise, it has been superseded. While not the focus of this particular rulemaking, that memorandum accurately reflects OSHA’s position and addresses the commenters’ concerns.
II. Summary and Explanation of Final Rule
A. Rescission of Requirement for Certain Establishments to Submit Data from OSHA Forms 300 and 301 to OSHA Electronically
As discussed in detail below, OSHA has determined that collecting the data from Forms 300 and 301, as was recently required under the 2016 final rule, would subject sensitive worker information to a meaningful risk of public disclosure. OSHA has also concluded that the extent of the incremental benefits of collecting the data for OSHA’s enforcement targeting and compliance assistance activities remains uncertain. Finally, OSHA has found that collecting the data and analyzing them for use would require OSHA to divert significant resources from agency priorities such as fully utilizing the 300A data and severe injury reports OSHA already collects electronically and that have proven useful in its experience for targeting areas of concern.
After considering all of the comments in the record and balancing the risk to worker privacy against the uncertain extent of the benefits of collecting the data and OSHA’s resource priorities, OSHA has determined that the final rule is necessary to preserve sensitive worker information and conserve agency resources for initiatives with more concrete benefits to OSHA’s mission of assuring safe and healthful workplaces.
Concerns about the Potential Release of Sensitive Worker Information
A central reason OSHA proposed rescinding the requirement for certain employers to electronically submit information from Forms 300 and 301 to OSHA was “to protect sensitive worker information from potential disclosure under the Freedom of Information Act (FOIA).” (83 FR at 36494). As explained in greater detail below, although OSHA believes data from Forms 300 and 301 would be exempt from disclosure under FOIA exemptions, OSHA is concerned that it still could be required by a court to release the data. Many commenters echoed this concern.
OSHA’s position in this final rule is consistent with the principles articulated in the Privacy Act, OMB Circular A-130, and the Department’s position on the sensitive nature of worker injury and illness records before 2016. (See Document ID 1930-A1, pp. 2-3; 66 FR 5916, 6055-57 (Jan. 19, 2001)). In 2001, for example, OSHA noted that it “historically has recognized that the Log and Incident Report (Forms 300 and 301, respectively) may contain information of a sufficiently intimate and personal nature that a reasonable person would wish it to remain confidential.” (66 FR at 6055). OSHA further explained that access to Forms 300 and 301 should be limited to workers and their representatives—in other words, those with a “need to know.” (66 FR at 6057). OSHA explained in 2001:
OSHA agrees that confidentiality of injury and illness records should be maintained except for those persons with a legitimate need to know the information. This is a logical extension of the agency’s position that a balancing test is appropriate in determining the scope of access to be granted employees and their representatives. Under this test, “the fact that protected information must be disclosed to a party who has [a particular] need for it . . . does not strip the information of its protection against disclosure to those who have no similar need.”
(66 FR at 6057 (quoting Fraternal Order of Police Lodge No. 5. v. City of Philadelphia, 812 F.2d 105, 118 (10th Cir. 1987))). Commenters agreed with OSHA that access to 300 and 301 data should be limited to those with a “need to know” (i.e., workers, their representatives, and OSHA upon request) (Document ID 2070-A1, p. 8; 2084-A2). Thus, OSHA has always applied a balancing test to weigh the value of worker privacy against the usefulness of releasing the data. The 2016 final rule represented a departure from the balance OSHA has historically struck in favor of achieving uncertain incremental benefits for OSHA enforcement and outreach. This final rule restores OSHA’s historical emphasis on protecting the privacy of workers and its longstanding practice of releasing sensitive data on a case-by-case basis only to those with a “need to know.”
Multiple commenters commented that the proposed rule is consistent with the privacy protections in the Privacy Act of 1974 (Pub. Law 93-579) and Section 4(g) of OMB Circular A-130. (E.g., Document ID 1930-A1, p. 2; 1981-A1, p. 3; 2041-A1, p. 2; see also Document ID 2036-A1, p. 4) (“[C]ompelled disclosure of the incredibly private, personally identifiable information required by OSHA Forms 300 and 301 is contrary to the well-established principle that an individual’s right to privacy regarding medical conditions and treatment is of paramount importance.”). Although the Privacy Act does not apply to Forms 300 and 301, the statute’s articulation that privacy is “‘a personal and fundamental right’” highlights the importance of this issue. (Document ID 1981-A1, p. 3 (quoting Pub. Law 93-579, Section 2(a)(4))). Furthermore, Section 4(g) of OMB Circular A-130 stresses that “‘[p]rotecting an individual’s privacy is of utmost importance.’” (Document ID 1981-A1, p. 3 (quoting OMB Circular A-130 (2016), available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf)). To that end, Section 4(g) also states that “[t]he Federal Government shall consider and protect an individual’s privacy throughout the information life cycle.” (OMB Circular A-130). This final rule complies with this instruction by limiting the potential disclosure of PII and other sensitive worker information.
Many commenters agreed with OSHA’s privacy concerns, pointing to the Department’s “‘special responsibility to protect PII from loss and misuse,’” and arguing that OSHA should not collect the data from Forms 300 and 301 because it cannot guarantee the protection of PII that may be submitted with the data. (Document ID 2045-A1, p. 3) (quoting Department of Labor, Guidance on the Protection of Personal Identifiable Information, available at: https://www.dol.gov/general/ppii). Commenters agreed with OSHA that the information reported on Forms 300 and 301 is sensitive, and that the risk of disclosing this sensitive worker information is not worth the uncertain incremental benefits of collecting the data. (E.g., Document ID 1985-A1, pp. 1-2; 2045-A1, pp. 2-3). Other comments agreed with OSHA that collecting Form 300A provides concrete enforcement benefits without putting private worker information at risk of disclosure. (E.g., Document ID 2008, pp. 2-3).
Some commenters cautioned that the 300 and 301 data could include PII, which the Department defines as “‘any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means[,]’” such as “‘name, address, social security number or other identifying number or code, telephone number, email address, etc.’” (E.g., Document ID 2045, pp. 2-3) (quoting Department of Labor, Guidance on the Protection of Personal Identifiable Information, available at: https://www.dol.gov/general/ppii)). Although some of these commenters are under the mistaken impression that employers would be required to submit PII such as name, address, or the name of the treating physician under the prior final rule (compare e.g., Document ID 2041-A1, pp. 1-2 with 81 FR at 29660-61), OSHA shares these commenters’ concern that collection of data from Forms 300 and 301 poses a risk of the release of PII.
It is foreseeable that, despite instructions not to include such information, some employers would submit PII inadvertently in Forms 300 and 301, for example in the narrative description of the incident in Column F of the 300 Log. (See 81 FR at 29662; Document ID 2019-A1, pp. 2-3). Although one commenter’s experience demonstrated employers’ capability of fully redacting PII from a small dataset (Document ID 2077-A1, pp. 1, 2), “[i]t has been OSHA’s experience that information entered in Column F of the 300 Log may contain personally-identifiable information. For example, when describing an injury or illness, employers sometimes include names of employees.” (81 FR at 29662).
Whereas in the past, OSHA has manually screened smaller datasets for PII, the dataset at issue in this rulemaking would be far too large to screen manually for employer compliance with an instruction not to include PII, and OSHA is concerned that alternative approaches would not sufficiently alleviate the risk of disclosure. For example, OSHA stated in the 2016 final rule that it would “review” the data for PII using software – and some commenters urged a similar review (e.g., Document ID 1989-A1, p. 1; 2004-A1, p. 1) – but this software is imperfect. As discussed in the NPRM, “it is not possible to guarantee the non-release of PII.” (83 FR at 36498 (citing “De-Identification of Personal Information,” p. 5, Simson L. Garfinkel, NISTIR 8053, October 2015, Document ID 2060)). No commenters provided evidence to the contrary. Therefore, OSHA finds that it would not be able to guarantee that all PII inadvertently submitted to OSHA would be protected from disclosure. (83 FR at 36498).
Moreover, even if PII could be completely removed from the data, concerns about re-identification would remain. As many commenters noted, several data points on Forms 300 and 301 could be combined to reveal the identity of workers who reported work-related injuries or illnesses, particularly in a small town. (E.g., Document ID 2032-A1; 2044-A1, p. 5 (quoting prior comment); 2045-A1, pp. 2-3, 5; 2070-A1, pp. 3, 11, 15-16). As the Phylmar Regulatory Roundtable (PRR) explained:
For example, even with the employee’s name removed, PRR members believe it would be easy to determine a worker’s identity when reviewing the information in the remaining fields on Form 300: job title (field C), where the event occurred (E), and details on the injury and body parts affected (F). On the 301 Report, combining multiple data points, for example, the date of the injury or illness (11), what time the employee began work (12), time of event (13), what was the employee doing just before the incident occurred (14), what happened (15), and what was the injury or illness (16), could also result in identifying the worker. While individual fields, standing alone, would not be considered traditional “PII,” (e.g., name, address), once linked, there is a substantial risk that employees may be identified, thus violating their privacy.
(Document ID 2070-A1, p. 3). Thus, even with PII removed from the data, in many circumstances it may be possible to combine data points to identify specific workers who reported injuries or illnesses along with personal details about their conditions.
These privacy concerns are real and important. As OSHA stated in the NPRM, some of the information collected on Forms 300 and 301 may be sensitive for workers. (E.g., 83 FR at 36495). For example, many of the questions on Form 301 seek answers that could contain sensitive information about workers, including:
Was the employee treated in an emergency room?
Was the employee hospitalized overnight or as an in-patient?
Date of birth.
Date of injury.
What was the employee doing just before the incident occurred? Describe the activity, as well as the tools, equipment, or material the employee was using. Be specific. Examples: “climbing a ladder while carrying roofing materials”; “spraying chlorine from hand sprayer”; “daily computer key-entry.”
What happened? Tell us how the injury occurred. Examples: “When ladder slipped on wet floor, worker fell 20 feet”; “Worker was sprayed with chlorine when gasket broke during replacement”; “Worker developed soreness in wrist over time.”
What was the injury or illness? Tell us the part of the body that was affected and how it was affected; be more specific than “hurt,” “pain,” or “sore.” Examples: “strained back”; “chemical burn, hand”; “carpal tunnel syndrome.”
What object or substance directly harmed the employee? Examples: “concrete floor”; “chlorine”; “radial arm saw.”
(83 FR at 36495-96). Some commenters disagreed that injury descriptions like those above are sensitive (e.g., Document ID 2048-A1, p. 2; 1978-A1, p. 2; 2048-A1, p. 2), but other commenters provided additional examples of sensitive information that could appear on Form 300 or 301, such as contracting an infectious disease from a patient, being assaulted in the workplace, or being diagnosed with depression or post-traumatic stress disorder. (E.g., Document ID 2044-A1, pp. 5-6 (quoting prior comment); 2070-A1, pp. 15-16). A commenter also noted that some records could implicate the privacy of non-employees, such as patients involved in the occurrence of a workplace injury or illness. (Document ID 1960-A1).
Other commenters disagreed with OSHA’s preliminary determination that the data from Forms 300 and 301 are sensitive. (E.g., Document ID 1961-A1, p. 2; 2081-A2, p. 1; 1984-A1, p. 2; 1978-A1, p. 2; 2017-A1, p. 3). For example, one commenter maintained that information such as a description of an injury is integral to OSHA’s investigation and is not private or privileged, like medical advice or other communication between a patient and doctor. (Document ID 2017-A1, p. 3). OSHA agrees that not all of the 300 and 301 data are always sensitive, but maintains that some of the data are sensitive and remain sensitive even if not legally privileged and even though OSHA intends to continue to use these data during onsite inspections.
Commenters asserting that OSHA’s privacy concerns are disingenuous (e.g., Document ID 1976-A1, pp. 2-3; 1984-A1, pp. 1-2; 2022-A1, p. 3; 2038-A1, p. 2; Document ID 1978-A1, p. 2; 2088-A1, p. 3) fail to appreciate the real possibility of the disclosure of sensitive worker information. The comment (and others like it) that “[t]he risk to worker privacy is very minimal and unlikely to materialize” (Document ID 2011-A1, p. 5) discounts the risk to worker privacy that OSHA’s experience – of having to remove PII and other information that could re-identify the ill or injured worker during manual screening of forms prior to release – has shown. Although many advocacy groups submitted similarly-worded comments stating that the data from Forms 300 and 301 are not sensitive (e.g., Document ID 1976-A1, p. 3; 2058-A1, p. 2; 2059-A1, p .2; 1976-A1, p. 3), private citizens and health advocacy organizations expressed concern about the sensitive nature of the data and emphasized the importance of keeping sensitive worker information out of the public eye. (E.g., Document ID 1938; 1975; 1979; 2006-A1, p. 2). OSHA agrees with the latter commenters that sensitive information can be included in the data on these Forms and should be protected against public disclosure.
Moreover, many of those taking the view that privacy concerns about the data were overstated expressed their confidence that OSHA could guarantee the protection of any PII contained in the data, a confidence that OSHA does not share. (E.g., Document ID 2031 (“The 2016 provisions clearly stated that no information that would identify individual workers was to be reported. If such information was accidentally submitted, OSHA made it clear it would never be released to the public.”); 2038-A1, p. 2 (“The 2016 provisions clearly state that no information tied to any individual worker(s) was to be reported. If such information was inadvertently submitted, OSHA ensured [sic] us it would never be released to the public.”)).
It is true, as some commenters noted, that OSHA considered the issue of worker privacy in the 2016 final rule and included protections to reduce the likelihood of sensitive information being made public, (Document ID 2028-A1, p. 6), but OSHA no longer views such protections as sufficient. OSHA noted in 2016, for example, that “consistent with FOIA, the agency does not intend to post personally identifiable information on the Web site.” (81 FR at 29659 (emphasis added)). Yet OSHA did not – and cannot – guarantee non-release of PII. In fact, OSHA acknowledged in 2016 that Forms 300 and 301 could contain PII in the fields that employers were required to submit. (See 81 FR at 29662 (“It has been OSHA’s experience that information entered in Column F of the 300 Log may contain personally-identifiable information. For example, when describing an injury or illness, employers sometimes include names of employees.”)). Although OSHA previously thought to address this issue with software, de-identification software is not 100% effective, and OSHA believes that some PII could be released even after being processed through the software. (83 FR at 36498).
Moreover, even if software could guarantee full scrubbing of PII, the possibility still remains that the data could be re-identified with the worker who reported the injury or illness. (83 FR at 36498). When discussing the agency’s past experience of withholding private worker information from disclosure under FOIA, OSHA referred to the practice of manually redacting Forms 300 and 301 on a case by case basis. (81 FR at 29658). For example, OSHA noted that it “would not disclose the information in Column C [of Form 300] (Job Title), if such information could be used to identify the injured or ill employee.” (81 FR at 29658). OSHA thus acknowledged even in the 2016 final rule that the worker’s job title could be used to identify the injured or ill worker in some situations and that OSHA had protected that information in the past through manual review of the file and invocation of FOIA Exemption 7(c). (81 FR at 29658). The 2016 rule’s proposed use of de-identification software would not address this issue.
Commenters argued that data similar to those on Forms 300 and 301 have been available to workers and their representatives since the passage of the Act (i.e., those with a “need to know”) (E.g., Document ID 1984-A1, p. 2; 2088-A3, p. 5 (comments dated March 10, 2014)), but those data have always been screened manually for PII. Such screening may have been possible before the 2016 final rule for individual files requested on a case by case basis, but OSHA could not possibly review each individual form that would be submitted electronically under the 2016 final rule to determine whether a worker’s job title could be used to identify the worker.
The same principle distinguishes OSHA’s practice of posting information about severe injuries and fatalities on its website, which some commenters cited as proof that the information on Forms 300 and 301 is not too sensitive to publish. (E.g., Document ID 1961-A1, p. 2; 1976-A1, p. 3; 2038-A1, p. 2; 2054-A1, p. 4). Although OSHA has not identified specific worker complaints about OSHA’s posting of severe injury data in the past, as asserted by one commenter (Document ID 2054-A1, p. 4; see also Document ID 2015-A1, p. 1), OSHA receives only approximately 800 severe injury reports per month, and manually screens each severe injury report for PII or other sensitive worker information before posting. OSHA’s past practice of manually redacting these data before releasing them has no application to the mass collection of Forms 300 and 301 data from 36,903 establishments – data drawn from what OSHA estimates would be more than 775,000 forms – which could only be screened using software with limitations delineated elsewhere in this preamble and in the 2018 NPRM.
Although OSHA believes the 300 and 301 data would be exempt from disclosure under FOIA Exemptions 6 and 7(c), OSHA still could be required by a court to release the data, as discussed in the NPRM and echoed by many commenters. (83 FR at 36498; see also Document ID 1930-A1, pp. 3-4; 1979; 1981-A1, pp. 2-3; 2075-A1, p. 5; 2084-A1, p. 3). The risk of disclosure of sensitive information is not speculative, as some commenters claimed (e.g., Document ID 2056-A1, pp. 1-2). One FOIA requester has already sued the Department in multiple lawsuits seeking injury and illness data: one lawsuit seeks the 300A data collected through the Injury Tracking Application, and one lawsuit seeks to force OSHA to collect the 2017 data from Forms 300 and 301 for the requestor’s use in research. See Public Citizen v. U.S. Dep’t of Labor, Civ. No. 18-cv-117 (D.D.C. filed Jan. 19, 2018); Public Citizen Health Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C. filed July 25, 2018). In a decision denying the government’s motion to dismiss in Public Citizen Health Research Group v. Acosta, the court concluded that the plaintiffs would likely be entitled to a significant portion of the 300 and 301 data if collected by OSHA, despite OSHA’s conclusion that the data would be exempt from disclosure under FOIA. Public Citizen Health Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C. December 12, 2018) (order denying motion to dismiss and preliminary injunction). In addition, in New York Times Co. v. U.S. Dep’t of Labor, 340 F. Supp. 2d 394 (S.D.N.Y 2004) and Finkel v. U.S. Dep’t of Labor, No. 05–5525, 2007 WL 1963163 (D.N.J. June 29, 2007), two separate courts ordered OSHA to release injury and illness data that OSHA argued were exempt from disclosure under FOIA Exemption 4. (See Document ID 2019-A1, p. 7; 2070-A1, p. 4).
OSHA disagrees with comments arguing that OSHA mischaracterized the Finkel and Public Citizen lawsuits and the risk of the disclosure of sensitive information under FOIA. (See Document ID 2048-A1, pp. 2-3; 2012-A1, p. 11; 2022-A1, p. 2). OSHA agrees with Mr. Finkel and other commenters that the Finkel lawsuit did not result in a court ordering disclosure of PII (see, e.g., Document ID 2048-A1, p. 1; Finkel v. U.S. Dep’t of Labor, No. 05–5525, 2007 WL 1963163 (D.N.J. June 29, 2007)). The Public Citizen Health Research Group, Finkel and New York Times lawsuits do, however, demonstrate the power of courts to order OSHA to release injury and illness data that OSHA considers sensitive information exempt from disclosure, over OSHA’s objections. In another case, the Sixth Circuit Court of Appeals ordered the release of data the Federal Aviation Administration tried to protect from disclosure, despite the possibility that multiple data points could be combined to re-identify particular individuals who had participated in a strike. (Norwood v. FAA, 993 F.2d 570, 574-75 (6th Cir. 1993)). OSHA is concerned a similar outcome could result if it collects the data from Forms 300 and 301 and then attempts to withhold the data in response to FOIA requests on the ground that the data could well contain sensitive information that OSHA cannot guarantee would be removed. “[O]nce the information is disclosed [under FOIA], it can never be made private.” (See Document ID 2075-A1, p. 5).
Some commenters asserted that OSHA should collect the 300 and 301 data but limit its release in various ways (Document ID 2006-A1, pp. 2-3), or that OSHA could never be required to disclose sensitive worker information under FOIA (e.g., Document ID 2006-A1, p. 3; 2012-A1, p. 11; 2022-A1, p. 2; 2028-A1, pp. 2, 7). These comments ignore the reality reflected in these lawsuits that the Department would not retain complete control over the data once they are collected. And, given that OSHA cannot guarantee complete removal of PII or data that could be re-identified with a particular worker from such a large dataset, court-ordered publication of the data from Forms 300 and 301 could well result in the disclosure of sensitive worker information. Other commenters presented alternatives to fully rescinding the requirement to collect the data from Forms 300 and 301, such as excluding job title and precise date of injury to reduce the likelihood of re-identification. (Document ID 1993-A1, p. 2; 2028-A1, p. 7). OSHA notes that even without the job title and precise date fields, however, employers could include sensitive information, such as worker and patient names, in the narrative description of the injury and how it occurred. (Document ID 1960-A1; 81 FR at 39662). OSHA has had to redact this kind of information during manual screening in the past prior to release. (81 FR at 39662).
The American Nurses Association (ANA) expressed concern about potential disclosure of sensitive worker information under FOIA but believes that the case-level data are important for performing root-cause analyses to prevent incidents of workplace injuries and illnesses. (Document ID 2000-A1, pp. 1-2). The ANA notes that 29 CFR 1904.8 requires employers to record on the OSHA Form 300 all work-related needlestick injuries and cuts from sharp objects that are contaminated with another person’s blood or other potentially-infectious material, but that employers are prohibited from recording an injured worker’s name. (Document ID 2000-A1, pp. 2-3). Given the protections afforded these cases under § 1904.29(b)(6) through (b)(9), the ANA asks whether it would be viable for OSHA to continue to require electronic submission of OSHA 300 Log for needlestick and sharps injuries to help inform the future prevention of needlestick and sharps injuries. (Document ID 2000-A1, p. 3).
OSHA notes the importance of the OSHA 300 Log for needlestick injuries and cuts from sharp objects for identifying hazards in healthcare settings, and encourages employers to use their own data from Forms 300 and 301 to identify workplace hazards, as OSHA does during onsite inspections. Like any other OSHA 300 Log, however, the possibility of personal information being reported to OSHA inadvertently remains despite the prohibition against recording names, as does the risk of re-identification through job title or another reported field. These data might then be subject to release under FOIA. Therefore, OSHA declines the invitation to retain the reporting requirements for case-characteristic data for the OSHA 300 Log for needlestick injuries and cuts from sharp objects.
After reviewing all of the comments on this issue, OSHA has determined collecting the data would expose sensitive worker information to a meaningful risk of disclosure. OSHA cannot justify that risk given its resource allocation concerns and the uncertain incremental benefits to OSHA of collecting the data, as discussed elsewhere in this preamble. OSHA has determined that the best use of its resources is to focus on data it already receives – including a large set of data from Form 300A, as well as discrete data about urgent issues from severe injury reports – and has found useful in its past experience.
Experience of the Mine Safety and Health Administration (MSHA) and Other Federal and State Agencies
The experience of MSHA and other federal and state agencies with collecting and publishing similar data, as many commenters noted (e.g., Document ID 2007, p. 8; 2011-A1, p. 6; 2012-A1, p. 6; 2028-A1, p. 2), does not mean OSHA is required to collect the data from Forms 300 and 301. As explained below, other federal and state agencies may weigh worker privacy concerns differently based on their missions, priorities, and budgets.
OSHA acknowledges, for example, comments that MSHA has been collecting similar data – albeit from a much small number of establishments – for many years (e.g., Document ID 2011-A1, p. 7) and has posted data on the web for more than fifteen years (Document ID 2012-A1, pp. 6, 10). MSHA maintains the data in a comprehensive database that it makes available to the public. (E.g., Document ID 1965-A1, p. 52). Commenters noted that MSHA has not experienced any security breaches or complaints or controversy about employee privacy, despite the fact that MSHA’s database includes small employers.3 (E.g., Document ID 2012-A1, p. 10). Commenters further noted that “MSHA has a robust system in place to protect [PII] from inappropriate disclosure.” (E.g., Document ID 2011-A1, pp. 7-8).
There are security controls in place to prevent database contamination should nefarious acts be taken against the front-end website. The information has to be reviewed by at least three approving authorities prior to it being introduced and or uploaded into the appropriate database for further analysis and data manipulation. Data extracts are redacted of the PII prior to being released for public consumption.
(Document ID 2088-A1, p. 12) (quoting MSHA, Privacy Impact Assessment Questionnaire, MSHA Standardized Information System (MSIS) - FY2017, available at: https://www.dol.gov/oasam/ocio/programs/pia/msha/MSHA-MSIS.htm).
Although three layers of review might make sense given MSHA’s budget and the much smaller number of employers under the agency’s jurisdiction, it would require OSHA to commit an unwarranted level of resources to provide three layers of review for the volume of records it would receive. Under the 2016 final rule, OSHA would collect between 38 and 77 times more injury reports than MSHA – that is, approximately 775,000 reports, versus MSHA’s 10,000-20,000. OSHA estimates, based on the time it has taken OSHA staff to review and remove personal information from other OSHA data, that it would take two levels of review and 7 minutes per record, on average, to assess the record and remove personal information. Such review would cost OSHA approximately $7.5 million each year.4
Other commenters pointed out that “[t]he Federal Railroad Administration (FRA) posts accident investigation reports filed by railroad carriers or made by the Secretary of Transportation, and the Federal Aviation Administration (FAA) posts National Transportation Safety Board reports about aviation accidents.” (Document ID 2012-A1, p. 10; see also 2028-A1, p. 7). Some of these commenters noted that the information posted by these agencies includes personally identifiable information, such as age, gender, job history, medical information, or information about the accident. (Document ID 2028-A1, p. 7). In addition, some state workers’ compensation systems have online search capacity for data including the claimant’s name and the description of the injury. (Document ID 1993-A1, p. 2).
Again, OSHA acknowledges that other federal and state agencies have collected somewhat similar data for a number of years, but notes that each of these agencies has a unique mission, varying priorities, and different resource constraints. In this final rule, OSHA is balancing the issues of worker privacy and OSHA’s resource priorities against the uncertain incremental benefits of collecting the data from Forms 300 and 301. Because OSHA has determined that the extent of the incremental benefits to OSHA of collecting the data is uncertain – and because OSHA can still obtain the data from employers if needed for specific enforcement actions – the agency is choosing to protect worker privacy and commit the agency’s resources to fully utilizing 300A and severe injury report data that its experience has already demonstrated are useful. Other federal and state agencies may weigh worker privacy concerns differently based on their missions, priorities, and budgets.
The Health Information Portability and Accountability Act (HIPAA) and Americans with Disabilities Act (ADA)
One commenter indicated that PII should never be included in published data because such action would conflict with HIPAA and could require employees in healthcare settings to violate patients’ privacy rights, subjecting those employees to legal and licensing problems. (Document ID 1936). Another commenter noted that – like HIPAA – the ADA protects medical information from unnecessary disclosure and limits who can access an employee’s medical records (including only providing them to government personnel investigating compliance upon request). (Document ID 2036-A1, p. 5). OSHA disagrees that HIPAA and the ADA would apply to its electronic collection of Forms 300 and 301 for the reasons set forth in the 2016 final rule, (see 81 FR at 29665-66), but agrees that privacy-related policy concerns reflected in these laws buttress its determination that these data should not be collected in this way.
Technological Limitations of De-identification Software
In the NPRM, OSHA proposed to amend the recordkeeping regulations to protect worker privacy by no longer requiring employers to submit electronically detailed injury and accident information. (E.g, 83 FR at 36494). Specifically, OSHA explained the concern about potential disclosure of sensitive worker information under the Freedom of Information Act (FOIA). (E.g., 83 FR at 36494). Although software is available to scrub identifying information from electronic data, the software cannot eliminate the risk of disclosure of PII. (83 FR at 36498). Even if all PII were removed from the data, a risk remains that some data could still be re-identified with a particular individual. (83 FR at 36498).
Many commenters echoed OSHA’s concerns that, under the prior final rule, PII or data that could be re-identified with a particular individual could be released under FOIA. (Document ID 2070-A1, pp. 3, 4-5; 2055-A1, p. 2). These commenters stated that OSHA’s plan to de-identify PII through software is insufficient to protect worker privacy. (Document ID 2070-A1, p. 5; 2055-A1, p. 2). For example, one commenter stated that in the case of a unique injury occurring in a small town, the sensitive details of an injury might easily be associated with a specific individual even without naming that individual. (Document ID 2032-A1).
Although OSHA stated in the 2016 final rule that “the [a]gency will use software that will search for, and de-identify, personally identifiable information before the submitted data are posted” (81 FR at 29662), OSHA did not guarantee complete removal of PII through de-identification software as some commenters claimed. (See Document ID 2031 (“OSHA made it clear [information that would identify individual workers] would never be released to the public.”); 2038-A1, p. 2 (“OSHA ensured [sic] us [information tied to individual workers] would never be released to the public.”)). In fact, OSHA stated that it intended to protect sensitive information from release, (81 FR at 29659), but that is not a guarantee. Commenters noting that OSHA has not cited any concrete evidence of problems or errors in de-identification since promulgating the 2016 final rule, nor any evidence that the information on Forms 300 and 301 would be particularly vulnerable to disclosure (Document ID 2020-A1, pp. 3-5; 2033-A1, p. 4), fail to give due weight to the possibility that sensitive worker information could be released despite OSHA’s best efforts. Claims that the concerns about disclosure after de-identification are “speculative” and raise only a “remote” risk of disclosure (Document ID 2020-A1, p. 4) likewise ignore OSHA’s past experience of needing to remove PII and other sensitive information from Forms 300 and 301 on a case-by-case basis prior to release to prevent re-identification, as discussed above in more detail.
After carefully considering commenters’ submissions on this issue, OSHA finds that there is a meaningful risk to worker privacy if OSHA requires employers to electronically file detailed injury and illness data on Forms 300 and 301 because de-identification software cannot fully eliminate the risk of disclosure of PII or re-identification of a specific individual and manual review of the data would not be feasible. OSHA’s past experience with case-by-case release of 300 and 301 data and severe injury reports reveals that these concerns are far from speculative. These risks weigh in favor of the rescinding requirements to submit the data from Forms 300 and 301 to OSHA electronically.
Risk of Cyber Attack
In the NPRM, OSHA stated that electronically-stored data might incentivize cyber-attacks on the Department’s IT system. OSHA noted that there was a potential compromise of user information for OSHA’s Injury Tracking Application (ITA) in 2017, demonstrating that such a large data collection will inevitably encounter malware. (83 FR at 36498, Fn. 2).
Several commenters agreed with OSHA that worker privacy could be compromised by a data breach, cyber-attack, or malware, and that collecting such a large amount of data electronically could incentivize cyber-attacks on the Department. (E.g., Document ID 2076-A1, p. 5). Some of these commenters noted the 2017 potential compromise of OSHA’s ITA as a basis for these concerns. (Document ID 2034-A1, p. 2; 2076-A1, p. 5). Commenters also included examples of large scale breaches of government data systems in other agencies. (Document ID 2034-A1, pp. 1-2; 2042-A1, p. 2). In addition, commenters cited a 2016 report by the House Oversight Committee finding that the federal government was vulnerable to cyber-attacks (Document ID 2034-A1, p. 1), and a Federal Information Security Modernization Act (FISMA) Report to Congress for Fiscal Year 2017 finding that the Occupational Safety and Health Review Commission had an overall rating of “At Risk” (Document ID 2070-A1, p. 8).
One commenter asserted that OSHA should be just as capable as MSHA of safeguarding the data since the Department consolidated Information Technology (IT) services in 2014. (Document ID 2082-A2, p. 5; see also Document ID 2088-A1, p. 12 (noting that MSHA has strong information security controls in place)).
OSHA notes that the ITA data meet the security requirements for government data, and after reconsidering this issue, OSHA does not find that collecting the data from Forms 300 and 301 would increase the risk of a successful cyber-attack. Some risk remains, however, that a cyber-attack could occur and result in the release of data. Moreover, OSHA shares the concerns of some commenters about how having thousands of businesses upload a large volume of additional data could generally increase risk for cyber-security issues. (See, e.g., Document ID 2045-A1, p. 3; 2075-A1, pp. 4-5).
Limitations on OSHA’s Capacity to Collect and Use the Data from Forms 300 and 301
In the NPRM, OSHA expressed doubt about the necessity for and ability to use the large volume of data that would be generated by Forms 300 and 301, given its resources and competing priorities. As explained below, OSHA has prior experience with using the 300A data successfully and believes that it is the best resource for enforcement targeting and compliance assistance. OSHA also receives and effectively uses data concerning the most severe injuries and illnesses. In contrast, the agency has no prior experience using the case-specific data collected on Forms 300 and 301 for enforcement targeting or compliance assistance and is unsure how much benefit such data would have for these purposes or the level of resources needed to attain any benefit. (83 FR at 36498). OSHA noted that the agency’s efforts to realize these uncertain benefits by collecting, processing, analyzing, distributing, and programmatically applying the data would be costly. (83 FR at 36498-99).
Several commenters agreed that OSHA may not be able to make beneficial use of the large volume of data it would receive under the 2016 Rule. (Document ID 2034-A1, p. 2; 2070-A1, p. 9). The United States Postal Service also expressed concern that any technical complications OSHA experienced due to the large volume of data being submitted could hinder timely reporting, leading to steep monetary penalties for employers. (Document ID 2034-A1, p. 2).
Other commenters claimed that OSHA has the capacity to collect and code this volume of data. (Document ID 2011-A5, p. 1 (commenting on 2013 NPRM); 2026-A1, p. 3; 2029). The Attorneys General of NJ, MA, MD, NY, PA, RI, and WA jointly commented that OSHA’s lack of experience with this volume of data is unsurprising because OSHA has not tried to collect the Form 300 and 301 data yet. (Document ID 2028-A1, p. 3). They noted that for this reason it is also unsurprising that the benefits are uncertain at this point. (Document ID 2028-A1, p. 3). Another commenter observed that OSHA does have experience evaluating Form 300 Logs and Form 301 Incident Reports while conducting workplace investigations, so OSHA should be able to make use of such information collected through electronic submissions. (Document ID 2063-A1, pp. 1-2).
Although OSHA is technically capable of collecting the 300 and 301 data through a secure Web portal similar to the one used for 300A data collection, no such portal was built when the 2016 rule was being developed or after it was finalized. Diverting resources now to build such a portal would take away from OSHA’s enforcement efforts. Likewise, the cost of collecting the additional 300 and 301 data in that manner would be substantial (see Section IV, Final Economic Analysis and Regulatory Flexibility Certification). OSHA has accordingly concluded that worker privacy concerns and OSHA’s resource priorities – including fully utilizing the 300A data that it already has collected from 214,574 establishments – outweigh the uncertain benefits of seeking to collect and process the data from Forms 300 and 301.
Several commenters observed that other agencies, as well as other divisions within the Department of Labor, collect, track, and utilize similar data. (E.g., Document ID 2026, pp. 2-3). Some of these commenters encouraged consultation with other agencies who collect this type of data, including NIOSH, MSHA, Bureau of Labor Statistics (BLS), FRA, and FAA, to learn about database design and best practices for collecting this kind of data. (Document ID 1965-A1, pp. 179-80; 2012-A1, p. 9; 2085-A1, p. 16 (quoting comments on 2013 NPRM)). Given OSHA’s successful use of summary data from Form 300A and severe injury reports to target its enforcement and outreach efforts, and given its privacy concerns and its current resources and priorities, OSHA has determined to continue to invest its time and money in an approach that is known to be effective, while continuing its use of 300 and 301 data in onsite inspections.
OSHA also received a comment from NIOSH, offering to help with data analysis. Specifically, NIOSH commented that it is well-positioned to play a leading role in helping OSHA use data collected in Forms 300 and 301 to prevent occupational injuries and illnesses. (Document ID 2003-A2, p. 3). NIOSH explained that it has the experience and capacity to analyze the data, as well as interest in using the data to provide guidance to employers for the prevention of occupational injury and illness, and to provide data analysis results and analytical tools that should enhance OSHA’s targeting. (Document ID 2003-A2, p. 3). NIOSH noted that it has already developed auto-coding methods for categorizing occupation and industry based on free text data and has successfully utilized similar free text data collected from workers’ compensation claims. (Document ID 2003-A2, p. 5). While NIOSH acknowledged that the data collected from Forms 300 and 301 would pose a greater analysis challenge because of the amount of data, NIOSH stated that the large data set would be useful to identify patterns and prevent workplace injuries. (Document ID 2003-A2, p. 6).
OSHA appreciates the value of inter-agency efforts to achieve shared goals of preventing occupational injuries and illnesses and looks forward to continued coordination with NIOSH and other agencies where appropriate. However, OSHA has determined that NIOSH’s ability to analyze data collected from Forms 300 and 301 does not reduce the burden on OSHA to collect the data. Even if NIOSH could make the data useful for OSHA’s enforcement targeting and outreach efforts, which NIOSH itself has suggested would present analytical challenges due to the volume of the data, OSHA and employers would be left covering the expense of collection, not to mention additional expense associated with the need to process and otherwise manually review data from the forms – costs that would detract from OSHA’s priorities of enforcement and compliance assistance to reduce workforce hazards.
After reviewing commenters’ submissions related to OSHA’s capacity to use the large volume of data that would be generated by the submission of Forms 300 and 301, the agency remains concerned about the costs of collecting and processing this large volume of data. OSHA has considered the comments about the benefits of electronically collecting the data and, as explained more fully below, has determined that the incremental benefits of electronic collection of these data to OSHA’s enforcement targeting and compliance assistance activities remain uncertain. In OSHA’s judgment, those uncertain benefits are outweighed by the cost of developing a system to manage that volume of data, particularly when making use of the data would divert resources away from OSHA’s current priority of fully utilizing Form 300A and severe injury data for targeting and outreach.
Uncertain Extent of Benefits from Collecting the Data from Forms 300 and 301
In the proposed rule, OSHA preliminarily determined that the extent of the incremental benefits of electronically collecting data from Forms 300 and 301 is uncertain. (E.g., 83 FR at 36498-99). OSHA explained that the collection of data from the summary Form 300A provides the agency with the information it needs to identify and target establishments with high rates of work-related injuries and illnesses. (83 FR at 36498). For example, OSHA noted that it had collected summary 300A data for 2016 from 214,574 establishments. (83 FR at 36498). OSHA further explained that it was able to use those data to design a targeted enforcement mechanism for establishments experiencing higher rates of injuries and illnesses. (E.g., 83 FR at 36498). OSHA noted its plans to further refine this approach by using the greater volume of 2017 summary data. (83 FR at 36498).
The proposed rule also discussed OSHA’s long-time use of summary data in enforcement. (83 FR at 36498). Before the 2016 rule, OSHA had collected these data for 17 years under its OSHA Data Initiative (ODI) and used those data to identify and target high-rate establishments through the Site-Specific Targeting (SST) Program. (83 FR at 36498). OSHA stopped the ODI in 2013 and the SST in 2014 while it developed the 2016 final rule, but the agency noted that those prior programs have still given it considerable experience with using 300A data for targeting. (83 FR at 36498).
Conversely, OSHA explained that it has no prior experience with using the case-specific data from Forms 300 and 301 to identify and target establishments for enforcement or outreach purposes. (83 FR at 36498). For example, OSHA is unsure how much benefit such data would have for these purposes, but has determined that considerable effort and resources would be required to realize those uncertain benefits. (83 FR at 36498-99). The agency estimated that establishments with 250 employees or more would report data from approximately 775,210 Form 301s annually, a total volume three times the number of Form 300As from which data were uploaded for 2016, while also presenting more complicated information than that captured by Form 300A. (83 FR at 36498). To gain enforcement value from the case-specific 300 and 301 data, OSHA explained that it would need to divert resources from other priorities, such as the utilization of Form 300A data, which OSHA’s long experience has shown to be useful. (83 FR at 36498-99).
OSHA asked stakeholders to submit comments on the benefits and disadvantages of the proposed removal of the requirement for employers with 250 or more employees to submit the data from OSHA Forms 300 and 301 to OSHA electronically on an annual basis, including the usefulness of the data for enforcement targeting (83 FR at 36499), and received a number of comments in response. Many of the commenters agreed that the enforcement benefits stemming from electronically collecting the Form 300 and 301 data are uncertain. (E.g., Document ID 2034-A1, pp. 2-3; 2036-A1, pp. 7-8). One commenter also suggested that OSHA has not shown that it is fully and effectively using currently-available data (Document ID 2019-A1, p. 3), and another indicated that OSHA has not demonstrated that there are significant gaps in the current data that compromise OSHA’s execution of its mission, that electronically collecting the Form 300 and 301 data will address those gaps, or that the protocols described by the 2016 final rule will efficiently and effectively compile necessary information to lead to significant improvements in achieving OSHA’s goals (Document ID 2003-A2, p. 3). Commenters further noted that OSHA did not explain in 2016 how it would effectively use the Form 300 and 301 data to the benefit of its enforcement and compliance assistance programs. (E.g., Document ID 2019-A1, p. 3; 2044-A1, p. 6). Other commenters concluded that collecting Form 300A data is sufficient for OSHA’s targeting and enforcement purposes and electronically collecting the Form 300 and 301 data has no clear benefit. (E.g., Document ID 1970-A1; 2034-A1, pp. 2-3).
Commenters also asserted that Form 300 and 301 data do not predict current hazards or take into account any corrective actions by the employer, nor do they show if OSHA should have issued a citation in response to a recorded occurrence. (E.g., Document ID 2057-A1, p. 3; 2075-A1, p. 3). Put another way, the fact that an employer records an incident does not necessarily correlate to workplace hazards or compliance inadequacy or otherwise indicate that the reporting employer is responsible for the incident. (E.g., Document ID 2075-A1, p. 3). For example, the E-Recordkeeping Coalition stated that, “[b]ased on a qualitative analysis of [its] members’ 300 and 301 data, only a small percentage of that data would indicate any regulatory compliance insufficiency.” (Document ID 2076-A1, p. 3). Relatedly, one commenter posited that collecting the Forms 300 and 301 data does not serve the purpose of a “no-fault” recordkeeping system. (Document ID 2057-A1, p. 3).
According to some commenters, maintaining Form 300 and 301 data electronically would not aid OSHA in identifying, and engaging in enforcement, at high-risk workplaces, (e.g., Document ID 2042-A1, p. 2), or otherwise provide any real value to the agency’s enforcement targeting strategies or decisions (e.g., Document ID 2075-A1, p. 3; 2076-A1, p. 3). A comment in the record concerning OSHA’s 2013 NPRM, from a commenter that generally supported OSHA’s collection of Form 300 and 301 data, noted that use of the Form 301 narratives can be cumbersome. (Document ID 2085-A8, p. 31). The Phylmar Regulatory Roundtable pointed out that OSHA can still collect the Form 300 and 301 data after it has determined to inspect an establishment, using the data to target specific areas of the workplace during the inspection, and stated that doing so results in a fair, objective process, rather than injecting unfairness and subjectivity into OSHA’s targeting decisions. (Document ID 2070-A1, p. 8). OSHA agrees that the best use of the Form 300 and 301 data is for identifying hazards during onsite inspections, and OSHA will continue using the data in this manner.
OSHA disagrees with commenters asserting that OSHA now ignores many key benefits it previously asserted would be derived from electronically collecting and publishing the Form 300 and 301 data. (E.g., Document ID 2028-A1, p. 3; 2054-A1, p. 6). Rather, OSHA is now re-assessing the uncertain incremental benefits to OSHA enforcement and compliance assistance activities and re-balancing those benefits against worker privacy concerns and OSHA’s current resource priorities. That balancing takes into account, as is appropriate, how OSHA can and will continue to collect and use data from Forms 300 and 301 as needed, as well as data from severe injury reports, for on-site inspections and specific enforcement.
OSHA’s position in this final rule on the uncertain benefits of collecting data from Forms 300 and 301 outside the context of an onsite inspection is not inconsistent with its position in the Mar-Jac Poultry case (see U.S. v. Mar-Jac Poultry, Inc., 153 Fed. Appx. 562 (11th Cir. Oct. 9, 2018) (unpublished)), as some commenters suggested. (E.g., Document ID 2015-A1, pp. 8-11; 2054-A1, pp. 8-9). In that case, OSHA took the position that the 300 logs had value for identifying potential violations during an onsite inspection, and OSHA maintains that belief. Indeed, OSHA intends to continue using the data from Forms 300 and 301 for that purpose. OSHA notes that case involved the use of 300A data from an establishment OSHA is inspecting to expand the scope of the inspection; it did not address the usefulness, for enforcement purposes, of collecting a high volume of Form 300 and 301 data.
One commenter disagreed with rescinding the requirement to submit data from Forms 300 and 301 to OSHA without taking certain steps identified in the 2016 final rule – including “looking at examples of electronic data collection efforts by other federal agencies” and “form[ing] a working group with BLS to assess data quality, timeliness, accuracy, and public use of the collected data.” (Document ID 2012-A1, p. 15). OSHA did not, however, bind itself to take such actions in order to reconsider the decision whether to collect the data was justified in light of the risk to worker privacy and the agency’s best use of its resources. Furthermore, other agencies’ experiences are not directly relevant to OSHA’s resource priorities and unique mission. OSHA routinely consults with other agencies as part of its rulemaking process and did so for this rule. Because OSHA issues this final rule as a result of its re-balancing of the risk to worker privacy with the rule’s uncertain benefits and the agency’s resource priorities, OSHA has determined that further consultation with other agencies is neither necessary nor appropriate.
OSHA agrees, as some commenters noted, that public health principles dictate data-based approaches. (E.g., Document ID 2006-A1, p. 2; 2014-A1, p. 2). OSHA disagrees, however, that collecting the data from Forms 300 and 301 is therefore necessary; OSHA is already collecting the 300A data and using those data to inform its enforcement targeting. OSHA is uncertain how much additional value the data from Forms 300 and 301 would provide for enforcement and compliance assistance at this time and has therefore determined that fully utilizing the 300A data and severe injury report data is the best use of OSHA’s resources. OSHA will continue to obtain the data from Forms 300 and 301 from employers, as needed, for on-site inspections and specific enforcement actions, and OSHA will likewise continue to assess and utilize data from the severe injury reports it receives and that have proven useful in identifying and addressing areas of need.
According to some commenters, having a comprehensive batch of data from Forms 300 and 301 would allow OSHA to understand employer misconduct more broadly, and this dataset could make up for OSHA’s inability to visit all of the worksites within its jurisdiction. (E.g., Document ID 2015-A1, p. 7; 2056-A1, p. 2; 2082-A2, p. 5). Others asserted that the data can serve as a guide for agency inspections, providing compliance officers with the number, type, severity, and distribution of injuries at a particular workplace. (Document ID 2012-A1, p. 2; 1965-A1, p. 179 (NAS Report)).5 OSHA has determined that the 300A data are sufficient for enforcement targeting and compliance assistance, and notes again that it can still use Forms 300 and 301 to guide inspections by collecting the data onsite, without the need to divert resources to creating a Web portal never built during or after the 2016 rule’s development.
Some commenters indicated that having electronic access to the data would facilitate OSHA’s effective use of the data (e.g., Document ID 2056-A1, p. 2) by, for example, providing timely, searchable, sortable information with which OSHA could identify and understand trends, and that reducing the amount of information available to the agency would make it less effective. (E.g., Document ID 1974; 1994; 2020-A1, p. 11; 2082-A2, p. 5; 2085-A1, pp. 5-7). Others, assuming the data would be published, suggested that employees would use publicly available information to analyze whether their employers are underreporting, to identify hazards and prevent injuries, and to determine where they may want to work (e.g., Document ID 2012-A1, pp. 5, 13; 2022-A1, pp. 1, 2; 2047-A1, pp. 3-4; 2050-A1, p. 1; 2083-A1, p. 2; 2085-A1, pp. 19-20 (quoting Document ID 2085-A10, pp. 13, 178 (NAS report)), and that employers would use the data to benchmark effectively, and to identify injury trends in the industry to prevent incidents before they occur (e.g, Document ID 2007-A1, p. 5; 2011-A3, p. 8; 2012-A1, p. 6; 2022-A1, p. 2). One commenter suggested that employers could use the data to assess the safety record of contractors before hiring them. (Document ID 2085-A1, p. 18). Commenters also argued that electronic access to the data would eliminate delays and obstacles to accessing the data for employees and their representatives. (E.g., Document ID 2020-A1, p. 11; 2086-A1, p. 3). Other commenters opined that requiring employers to report their Forms 300 and 301 electronically could improve the consistency and quality of what employers report, providing employers and employees with an opportunity to decrease injuries and illnesses both at particular establishments and company-wide. (E.g., Document ID 2010-A2, p. 1; 2082-A2, pp. 2-3; 2085-A1, p. 11).
OSHA begins by noting that many of the benefits discussed by commenters would not materialize. Because OSHA has determined publishing the data would do more harm than good for reasons described more fully below and in the privacy discussion above, OSHA would not make the data public even if collected. In addition, as noted above, OSHA has already taken the position that data from Form 300A is exempt from disclosure under FOIA and that OSHA will not make such data public for at least the approximately four years after its receipt that OSHA intends to use the data for enforcement purposes. Therefore, the benefits some commenters ascribed to publication of the data would not be realized. Without publication, the research benefits claimed by many commenters (e.g., Document ID 1965-A1, p. 1; 2004-A1, p. 1; 2011-A1, pp. 2-3 (quoting the NAS report), 6-11; 2012-A1, pp. 3-4, 6-7; 2015-A1, pp. 2-6; 2082-A2, pp. 2-3; 2088-A1, pp. 2, 7-8) also fall away. To the extent case-specific data are crucial in conducting root-cause analyses, which can reduce and prevent workplace illnesses and injuries (Document ID 2000-A1, p. 1), employers can still use their own data, or share it with researchers voluntarily, for this purpose. OSHA acknowledges that the 300 and 301 data would have benefits for occupational safety and health research, but notes that researchers already have access to BLS data and severe injury data. OSHA has determined that the best use of the agency’s resources at this time is full utilization of 300A and severe injury data, not providing 300 and 301 data to researchers despite the uncertain incremental benefits of the data to OSHA and especially when OSHA itself will continue to protect workers by accessing Forms 300 and 301 through on-site inspections and for specific enforcement actions as needed.
With respect to the remaining potential benefits for enforcement identified by the commenters, OSHA simply notes that those benefits are uncertain, and collecting and utilizing these data would be costly. OSHA cannot justify diverting resources from fully utilizing 300A data and severe injury data, which OSHA’s experience has shown to be useful for enforcement and compliance assistance, to collect data with uncertain benefits to OSHA’s core mission.
NIOSH and other commenters stated that the data from Forms 300 and 301 could be used for future research to identify patterns and trends across workplaces that could be masked by aggregated, summary data from Form 300A. (Document ID 2003-A2, pp. 6-7; 2007-A1, p. 4). In addition, the NAS report echoed a number of the benefits of collection identified by some commenters, including research for surveillance and prevention purposes, employer benchmarking, employee assessment of safety and health conditions at various workplaces, and intervention and education by public health agencies. (Document ID 1965-A1, pp. 177-179). The NAS report suggests that electronic collection of Form 300 and 301 data would supplement BLS Survey of Occupational Injuries and Illnesses (SOII) data, letting OSHA focus its interventions and prevention efforts on hazardous industries, workplaces, exposures, and high-risk groups. (Document ID 1965-A1, p. 179). According to the report, collecting the Form 300 and 301 data would allow for expanding and targeting outreach to employers, particularly smaller employers, to improve hazard identification and prevention efforts, and would give OSHA the opportunity to advise employers on how their rates of injury and illness compare with the rest of their industry. (Document ID 1965-A1, p. 178).
OSHA will continue to work with NIOSH, other government agencies, and interested stakeholders to share information and leverage efficiencies to reduce workplace injuries and illnesses as appropriate. And while OSHA appreciates the findings and recommendations of the NAS Report that commenters identified, the approaches suggested by NAS would require substantial investment of time and money to develop. OSHA has determined that at this juncture, the protection of worker safety and health will best be furthered by allocating its resources in more concrete ways in which OSHA can more fully draw on its existing experience, such as utilizing the 300A and severe injury data it is already collecting and analyzing for enforcement and compliance assistance activities.
Several commenters pointed out ways in which OSHA has used Forms 300 and 301 and similar data in the past to further its mission of ensuring safe and healthy workplaces. (E.g., Document ID 2003-A2, pp. 6-7; 2012-A1, pp. 3-4). For example, commenters asserted that OSHA has previously analyzed Form 300 and 301 data from multiple workplaces to identify frequently-recurring injuries and to better protect workers’ safety and health, and used information from severe injury reports to understand injury causation and to inform the agency’s compliance assistance and outreach efforts. (Document ID 2012-A1, pp. 3-4; 2003-A2, pp. 6-7). Employers have had to submit severe injury reports, containing information similar to what is included on Form 301, to OSHA since 2015. (Document ID 2003-A2, p. 6). To the extent OSHA has evaluated small batches of similar data in the past to further its mission of protecting worker safety and health, commenters suggest that a broader collection could be similarly useful.
OSHA agrees that data from Forms 300 and 301 and similar data can be helpful, but disagrees that its past experience justifies the broad collection envisioned in 2016. As NIOSH acknowledged in its comment, the volume of Form 300 and 301 data employers were required to submit under the 2016 final rule would far exceed the number of severe injury reports OSHA receives. (Document ID 2003-A2, p. 6). Collecting and using a high volume of data – without the relevancy filters imposed by severe injury reports or on-site inspections – would require substantial resources to process and analyze. OSHA has determined that, at the current time, the resources OSHA would need to devote to developing that capacity and determining best how use the data would better achieve the mission of the agency by being allocated to full utilization of the 300A and severe injury data. OSHA will thus continue to obtain and use data from Forms 300 and 301 from employers as needed for on-site inspections and specific enforcement actions, as has proven helpful in the past.
Moreover, as OSHA notes elsewhere in this preamble, before making 300 and 301 records requested on an ad hoc basis or severe injury reports public, the agency manually screens all of those records for PII and data that could re-identify workers. But the sheer volume of the data, which is expected to come from over 775,000 reports, would make the costs to manually screen all of the 300 and 301 data enormous; OSHA believes those resources are better allocated to activities closer to OSHA’s core enforcement mission. One commenter suggested that collecting the data from Forms 300 and 301 electronically would benefit workers by allowing them access to these records without fear of retaliation for requesting the records from their employers. (Document ID 2083-A1, p. 2). But OSHA notes that workers have a right under 29 CFR 1904.35 to access to their own employers’ 300 and 301 data, and Section 11(c) of the OSH Act, 29 U.S.C. 660(c), prohibits employers from retaliating against workers for exercising that right. Another commenter asserted that a worker’s medical provider could benefit from OSHA’s electronic collection and publication of 300 and 301 data and using the data to assess conditions at the relevant workplace. (Document ID 2010-A2, p. 4) (commenting on the 2013 NPRM). But OSHA again notes that workers retain the right to access 300 and 301 data from their own employers and share it with their medical providers.
After considering these comments, OSHA has determined that because it already has systems in place to use the 300A data for enforcement targeting and compliance assistance without impacting worker privacy, and because the Form 300 and 301 data would provide uncertain additional value, the Form 300A data are sufficient for enforcement targeting and compliance assistance at this time. OSHA will continue to request copies of Forms 300 and 301 during its inspections, and make use of data from severe injury reports, as appropriate.
Collecting and Processing the 300 and 301 Data would Divert Agency Resources from Higher Priority Initiatives
As OSHA stated in the NPRM, electronically collecting and taking steps necessary to try to use Form 300 and 301 data would require the agency to divert resources from other priorities, including the analysis of Form 300A data. As explained above, OSHA has already collected summary 300A data from 214,574 establishments, and expects that volume to increase. OSHA is seeking to fully utilize these data, and has designed and implemented a targeted enforcement mechanism for industries experiencing higher rates of injuries and illnesses. OSHA likewise evaluates severe injury reports, which it receives shortly after accidents, to target its enforcement and compliance-assistance efforts.
Many commenters agreed that OSHA would need to significantly increase or divert its resources from other priorities to collect, process and analyze the electronically submitted Form 300 and 301 data. (E.g., Document ID 2008-A1, p. 2; 2019-A1, pp. 2, 6-7, 9-10; 2044-A1, p. 6 (citing 83 FR at 36496)). Some noted that, without diverting resources from other priorities, OSHA might not be able to analyze and use the data as it intended when it finalized the 2016 final rule (Document ID 2070-A1, p. 9), and that OSHA already has access to other data sources it can analyze and more potential violators than it can investigate with its resource constraints (Document ID 2055-A1, p. 2). By rescinding the requirement to collect electronically Form 300 and 301 data, OSHA will better focus on pre-existing, successful enforcement efforts. (E.g., Document ID 2044-A1, p. 6; 2075-A1, p. 4). Commenters also agreed with OSHA that the uncertain benefits of requiring employers to electronically submit Forms 300 and 301 do not outweigh the costs and burdens to OSHA and employers and the risk to worker privacy. (E.g., Document ID 1985-A1, p. 1; 2008-A1, p. 2; 2024-A1, p. 1).
Other commenters suggested that requiring electronic submission of the Form 300 and 301 data would help OSHA allocate its resources and identify injury trends, their causes, and emerging hazards to improve its enforcement and outreach efforts beyond what OSHA can accomplish with the 300A data. (E.g., Document ID 1929; 1961-A1, pp. 1-2; 2007-A1, pp. 1-5; 2011-A1, p. 6; 2054-A1, pp. 1, 6-7, 8-9). One commenter theorized that having access to the detailed information contained in Forms 300 and 301, rather than simply the summary data from Form 300A, can improve OSHA’s use of its enforcement resources to target the highest priority issues. (Document ID 2007-A1, p. 5). But these commenters provide no evidence to support their claims, and OSHA finds none in the record. OSHA’s own experience with using Form 300 and 301 data is insufficient to support these theories. These commenters’ speculation therefore does not alter OSHA’s view that diverting OSHA’s focus from longstanding and successful agency priorities is not justified to achieve the uncertain benefits of electronically collecting data from Forms 300 and 301.
Commenters pointed to OSHA’s statements in the 2016 final rule that collecting data from Forms 300 and 301 would allow the agency to leverage its resources to execute its mission by helping its compliance assistance programs, encouraging employers and workers to identify and address workplace hazards to avoid the perception of being an unsafe place to work, and providing data to employers, workers, unions and academics that would assist them in researching and innovating to improve workplace safety and health. (Document ID 2007-A1, p. 3; 2017-A1, p. 2). Although OSHA identified these potential benefits, OSHA never quantified them. This final rule does not ignore those prior statements or the possibility that benefits could result from collecting the data, but concludes that the scope of any such benefits is uncertain. OSHA does not believe that these uncertain benefits justify the diversion of OSHA’s resources from other agency initiatives with a proven record of effectiveness.
Some commenters asserted that a recent Office of the Inspector General (OIG) report auditing OSHA’s fatality and severe injury reporting program (OIG, Dep’t of Labor, OSHA Needs to Improve the Guidance for Its Fatality and Severe Injury Reporting Program to Better Protect Workers, 02-18-203-10-105 (OIG report), available at: https://www.oig.dol.gov/public/reports/oa/viewpdf.php?r=02-18-203-10-105&y=2018) demonstrates a need for improved reporting, noting that the OIG report concluded employers underreport fatalities and severe injuries by as much as 50 percent (E.g., Document ID 2017-A1, p. 2; 2051-A1, p. 3). Commenters noted that the OIG report found that OSHA cannot effectively target compliance and enforcement efforts without complete information on work-related fatalities and severe injuries. (E.g., Document ID 2051-A1, p. 3; 2089-A1, p. 2). Another commenter suggested that the collection and publication of data from Forms 300 and 301 would create “publicly available checks” and increased accountability for employers. (Document ID 2062-A1, p. 2).
OSHA disagrees that the OIG report indicated a need to collect more injury and illness data. Rather, the report recommends that OSHA take steps to better enforce and implement the severe injury reporting requirements. (OIG report, p. 1). Specifically, the OIG recommended that OSHA (1) develop and provide guidance to staff to detect and prevent underreporting; (2) consistently issue citations for underreporting; (3) clarify guidance for documentation of OSHA’s essential decisions, evidence required to demonstrate abatement by the employer, and requirements for monitoring employer-conducted investigations; and (4) emphasize the importance of conducting inspections for incidents that resulted in a fatality, two or more in-patient hospitalizations, emphasis programs, or imminent danger. (OIG report, p. 15). OSHA is committed to implementing these recommendations as indicated in OSHA’s formal response to the report, (OIG report, pp. 21-23), and OSHA has determined such implementation is more likely to address OIG concerns than electronically collecting Forms 300 and 301.
OSHA will use the OIG report’s findings to shape and improve its severe injury reporting objectives. Indeed, this rulemaking seeks to improve OSHA’s capacity to direct its resources to current initiatives such as implementing the severe injury reporting requirements, rather than collecting new data with uncertain benefits. OSHA’s current priorities include fully utilizing the data from the Form 300As and severe injury reports it is already collecting to improve its enforcement and outreach objectives to ensure compliance with the OSH Act. Again, investing in a program to collect, process, and analyze data from hundreds of thousands of Forms 300 and 301 would constrain OSHA’s ability to achieve these and other priority enforcement goals.
Regarding the suggestion that collection and publication of data from Forms 300 and 301 might increase compliance with electronic reporting requirements (Document ID 2062-A1, p. 2), OSHA finds it can better hold employers accountable through the appropriate allocation of resources to enforcement efforts and compliance assistance, rather than collecting data with uncertain benefits. This commenter provides no evidence for the speculative suggestion that publication of the data would create an incentive for employers to report fatalities and severe injuries. (Document ID 2062-A1, p. 2).
Collecting 300/301 Data Could Lead to Less Accurate Records
Commenters expressed concern that requiring employers to report electronically the data from Forms 300 and 301 could have a negative impact on accurate recordkeeping. For example, some employers may not prepare Forms 300 and 301 accurately for fear that the information would become public and cause reputational harm or subject them to targeted OSHA inspections. (Document ID 2019-A1, p. 7; 2044-A1, p. 34 (commenting on 2013 NPRM); 2055-A1, p. 2). Commenters also indicated that employers fear that publishing Form 300 and 301 data will expose confidential and proprietary information to their competitors and adversaries. (Document ID 2070-A1, pp. 9-10; 2076-A1, pp. 6-7). For example, public disclosure of location information may allow competitors to determine confidential business locations or acquisitions that have not been publicized, or publication of the substances or chemicals that were involved in injuries and illnesses may identify products, inventions, or proprietary technologies that are in research and development. (Document ID 2070-A1, pp. 9-10). The collection’s focus on lagging indicators, which measure past safety performance, also may not be representative of a company’s current safety efforts. (Document ID 2044-A1, p. 30) (commenting on 2013 NPRM). One commenter explained that Forms 300 and 301 are most useful to the employer when they contain robust information about the details of workplace injuries and illnesses, but that employers will have incentives to sanitize their reports if they believe they will become public, and be mischaracterized, as a result of electronic submission to OSHA. (Document ID 2019-A1, p. 7).
Commenters also noted that workers may be reluctant to report accurately their data for Forms 300 and 301 for fear that the details of their reports will become public and reveal their private information. (Document ID 2030; 2085-A8, p. 8 (commenting on 2013 NPRM)). One commenter noted that the Confidential Information Protection and Statistical Efficiency Act of 2002 requires BLS to keep this kind of data confidential. (Document ID 2053-A1, p. 2). In enacting the CIPSEA, Congress found that ensuring the confidentiality of sensitive information submitted to the government “is essential in continuing public cooperation in statistical programs.” (Pub. L. 107-347 sec. 511(a)(5)). While the CIPSEA applies to BLS, not OSHA, OSHA shares Congress’s concern that fear of sensitive information becoming public could undermine accurate reporting.
Other commenters expressed concern that employers will hide workplace injuries if they are not required to file Forms 300 and 301 electronically. (Document ID 1976-A1, p. 1; 1996-A1, p. 1; 1999-A1, p. 1; 2002-A1, p. 1). OSHA finds these comments to be speculative and unsupported by its experience reviewing Forms 300 and 301 through on-site inspections. OSHA also does not find that requiring employers to submit their 300 and 301 data electronically would motivate them to report injuries and illnesses they otherwise would not have recorded. One commenter noted that the cost to large employers of submitting their 300 and 301 data was not burdensome because compliance would have cost approximately $258.34 per establishment per year, which would be an average of less than one dollar per employee per year. (Document ID 2012-A1, p. 12). Although OSHA acknowledges that the requirement to submit data from Forms 300 and 301 to OSHA would have been economically feasible for large employers, OSHA’s central rationale for rescinding these requirements is not to reduce employer costs but rather to protect worker privacy and to direct agency resources towards fully utilizing the data it is already collecting to advance improvements to health and safety for workers.
OSHA has determined that publishing the data could also cause more harm than good. Workers would know in advance that some details of their injuries would be public and on the internet. Deterring worker reporting through fear of publication could make the records less accurate. And, because employers are required to report workplace injuries and illnesses regardless of fault, OSHA no longer considers collection of employers’ injury and illness records likely to “nudge” them to make their workplaces safer, which OSHA identified in 2016 as a benefit of publishing the 300 and 301 data. (See 81 FR 29629; Document ID 2007-A1, pp. 4-5). OSHA finds that the final rule may ensure more accurate records on Forms 300 and 301 by alleviating employers’ and workers’ fears about the consequences of the records becoming public, and will allow employers to devote more of their resources towards compliance with safety and health standards.
State Plan Issues
In the NPRM, OSHA noted that, pursuant to section 18 of the OSH Act (29 U.S.C. 667) and the requirements of 29 CFR 1904.37 and 1902.7, within 6 months after publication of the final OSHA rule, state-plan states must promulgate occupational injury and illness recording and reporting requirements substantially identical to those in 29 CFR part 1904. (83 FR at 36505). All other injury and illness recording and reporting requirements (for example, industry exemptions, reporting of fatalities and hospitalizations, record retention, or employee involvement) that are promulgated by state-plan states may be more stringent than, or supplemental to, the federal requirements, but, because of the unique nature of the national recordkeeping program, states must consult with OSHA and obtain approval of such additional or more stringent reporting and recording requirements to ensure that they will not interfere with uniform reporting objectives under 29 CFR 1904.37 and 1902.7. (See 83 FR at 36505).
Some commenters responded to this section of the NPRM with concerns that centralized, federal collection is the most efficient and cost-effective way to compile detailed data for enforcement and prevention, and that the analysis of small, discrete quantities of data from multiple state databases will make important trends less apparent. (Document ID 2062-A1. p. 1; 2028-A1, pp. 5-6; 1965-A1, pp. 6-7). Commenters theorized that the detailed reporting requirements of the prior final rule would have enabled both federal OSHA and state plans to target their prevention and enforcement measures at particular employers and industries. (Document ID 2028-A1, p. 3; 2046-A1, p. 2).
Commenters also asserted that, as a result of this final rule, some states would have to set up separate reporting systems at significant cost to maintain reporting requirements consistent with the prior final rule. (Document ID 2028-A1, p. 5; 2088-A1, p. 13). The California Department of Industrial Relations is in favor of the reporting requirements of the prior final rule because national collection would be more efficient than state-by-state collection, among other reasons. (Document ID 2062-A1, p. 3). Commenters also pointed out that some state-level agencies, such as the Washington State Department of Labor and Industries (“WA L&I”), have gathered detailed data through their workers’ compensation system and collaborated with NIOSH in analyzing the data to inform targeted enforcement strategies. (Document ID 1993-A1, p. 1; 1965-A1, pp. 57-59). One commenter pointed to the NAS Report, which noted that “only 20 percent of states reported having substantial epidemiologic and surveillance capacity in occupational health” and concluded that this lack of surveillance capacity “results . . . in . . . missed opportunities for collaboration across public health domains to address convergent public health concerns that affect workers as well as the general public.” (Document ID 1965-A1, p. 122 (NAS Report)). One group of commenters expressed concern that OSHA’s consultation requirement would make it harder for states to implement such systems and noted that states without state plans or with state plans limited to public sector workers will not have the opportunity to have access to detailed data like that required by the prior rule. (Document ID 2028-A1, pp. 5-6).
As OSHA noted in the NPRM, the effectiveness of the Form 300 and 301 data as an enforcement and prevention tool in advancing worker safety is unclear. The suggestion that the data would be useful to states without state plans (Document ID 2028-A1, pp. 5-6), is speculative, as OSHA has determined that the benefits of collecting such data on a national scale are uncertain and do not outweigh the collection’s burdens and costs. (83 FR at 36498). OSHA finds that the Form 300A collection adequately serves its enforcement purposes at this time without jeopardizing worker privacy, and OSHA is committed to sharing these data with state-plan states, including those covering only public sector workers. OSHA cannot justify collecting Form 300 and 301 data where the data’s usefulness is unclear. (83 FR at 36498).
OSHA disagrees that this final rule would necessarily hinder states in implementing their own requirements for collection of Form 300 and 301 data. As OSHA explained in the NPRM, the rule does not preempt state law. (83 FR at 36505). The consultation requirement is not intended to limit state plans to strict conformity with the rule but rather to aid states in avoiding interference with OSHA’s unique recordkeeping program. There is no evidence in the record that individual state collection of Form 300 and 301 data would cause such interference. To the extent some state agencies, such as WA L&I, have already collected similar data, this shows that some states have mechanisms to collect the data they need without OSHA’s collecting electronically the Form 300 and 301 data. If state agencies determine that a detailed data collection system is best for their states, then they may pursue such a system in consultation with OSHA.
OSHA acknowledges that systems to collect this volume of data would be costly for states to implement. Centralized collection might be more efficient and cost-effective than state-by-state collection, but OSHA has doubts about the usefulness of the data and concerns about the costs of collection as noted elsewhere in this preamble. States are empowered to do as OSHA has and weigh the substantial costs of collection against the likely utility of the data. OSHA also notes, in response to a comment that some states have more limited surveillance capacity than others (Document ID 1965-A1, p. 57), that those states will have access to the summary data collected by OSHA, and that OSHA itself must appropriately allocate its resources for surveillance to best serve OSHA’s mission of protecting all workers. States are empowered to share the data gathered at the state level at their discretion and consistent with any applicable laws. In promulgating this rule, OSHA erects no barrier to communication among state agencies.
B. New Requirement to Include Employer Identification Number with Injury and Illness Data Submitted to OSHA Electronically Under 29 CFR 1904.41
The NPRM included a provision that would require covered employers to submit their Employer Identification Number (EIN) electronically along with their injury and illness data submission in the proposed rule. (83 FR at 36494). OSHA explained that it had limited the proposed data collection in its 2013 NPRM (78 FR 67254) to Improve Tracking of Workplace Injuries and Illnesses to records that employers were already required to collect under part 1904. Accordingly, the May 2016 final rule only required the electronic submission of such records. These records do not include the employer’s EIN.
After collecting and analyzing the first year of data (i.e., Calendar Year 2016 Form 300A data), however, OSHA and BLS realized that collecting EINs could help the agencies make full use of the data collected. The proposed EIN submission requirement grew out of that realization. As the agency explained in the proposal, this change could have a number of benefits. (83 FR at 36499-500). For example, OSHA posited that collecting EINs would increase the likelihood that BLS would be able to match data collected by OSHA under the electronic reporting requirements in 29 CFR part 1904 to data collected by BLS for the Survey of Occupational Injury and Illnesses (SOII). The ability to accurately match the data is critical for evaluating how BLS might use OSHA-collected data to supplement the SOII, which in turn would enhance the ability of OSHA and other users of the SOII data to identify occupational injury and illness trends and emerging issues. Furthermore, the ability of BLS to match the OSHA-collected data also has the potential to reduce the burden on employers who are required to report injury and illness data both to OSHA (for the electronic recordkeeping requirements in part 1904) and to BLS (for the SOII).6
OSHA also noted in the proposal that without the EIN, there is no methodological approach to match completely the establishments that submit data through both OSHA’s collection of injury and illness data under § 1904.41 and the BLS data collection for the SOII. BLS cannot provide its collected data to OSHA because the Confidential Information Protection and Statistical Efficiency Act of 2002 (Pub. L. 107-347, 116 Stat. 2899 (2002)) prohibits BLS from releasing establishment-specific data to either OSHA or the general public. (83 FR at 36500). Although OSHA can provide the data it collects to BLS, without the EIN it is very difficult to match the establishments in OSHA’s data collection to the establishments in BLS’s data collection. Not having the EIN increases the resources necessary to match the data and reduces the accuracy of the match.
OSHA further explained its preliminary determination that including the EIN in the electronic reporting to OSHA would improve BLS’s ability to match accurately the OSHA-collected data with the SOII data. (83 FR at 36500). OSHA suggested that, after evaluation of the accuracy of the data matching, it might be possible for BLS to use the OSHA-collected data to generate occupational injuries and illnesses estimates, reducing burden on employers by decreasing duplicative reporting. If the EIN is not collected and the data from the two sources cannot be accurately matched, reducing this burden becomes nearly impossible.
Finally, OSHA suggested that including the EIN as part of electronic reporting could improve the quality and utility of the collected data. (83 FR at 36500). For example, OSHA noted that it could use the EIN to identify errors such as multiple submissions of data from the same establishment and to link multiple years of data submissions from the same establishment. (83 FR at 36500). The agency also observed that the EIN could be used to match against other databases that contain this identifier to add additional characteristics to the data. (83 FR at 36500). For example, OSHA routinely collects the employer’s EIN during an inspection and enters the EIN into the OSHA Information System (OIS). OSHA noted in the proposal that Form 300A submissions with an EIN could be linked to the OIS to identify the previous enforcement history of the establishment when the inspection records contain the EIN. (83 FR at 36500).
In the proposal, OSHA also noted that EINs do not have the same level of protection as Social Security numbers. (83 FR at 36500). In fact, many employers’ EINs are available in a variety of public sources, including filings with the U.S. Securities and Exchange Commission, the Federal Communications Commission’s Commission Registration System, and the DOL‘s Employee Benefits Security Administration. (83 FR at 36500). Businesses also have to share EINs with contractors and clients for tax reporting, such as filing an IRS Form 1099. (83 FR at 36500). As a result, OSHA explained, the Department has not generally withheld EINs from disclosure. (83 FR at 36500).
OSHA asked stakeholders to comment on its proposal to add the EIN submission requirement generally. (83 FR at 36499). The agency also specifically invited public comment on the advantages and disadvantages of requiring employer submission of EINs and on whether employers required to electronically report information to OSHA under part 1904 would consider the EIN to be exempt from disclosure, either as confidential business information or for another reason. (83 FR at 36500). In addition, OSHA asked if there were any circumstances where the EIN would be considered PII and whether there were privacy concerns that might arise from employers submitting their EIN. (83 FR at 36500).
Commenters submitted a number of comments in response to OSHA’s request. These comments generally fall into three categories: (1) comments related to the benefits of collecting EINs, (2) comments focusing on whether an employer’s EIN is commercially confidential or sensitive, and (3) comments suggesting alternatives to the agency’s proposal that might achieve the agency’s goal of reducing respondent burden and increasing the utility of the data collected, without the submission of EINs. Each of these issues, commenters’ submissions, and the agency’s final determinations are laid out in more detail below.
Benefits of Collecting the EIN
As discussed above, OSHA preliminarily determined that collecting EINs would have a number of benefits, including streamlining reporting for employers who are required to report injury and illness data both to OSHA and BLS, improving the agencies’ ability to match their data, and improving the quality and utility of the collected data. (83 FR at 36499-500). OSHA received many comments on the benefits of collecting the EIN.
Many commenters agreed with OSHA that collection of the EIN would enhance the utility of the data and therefore improve worker safety and health. (E.g., Document ID 2012-A1, p. 15). Several commenters provided specific examples of how the EIN can be used by OSHA for research purposes, such as identifying employers with patterns of injuries (E.g., Document ID 2015-A1, p. 7) and matching against other databases that contain the EIN to add characteristics to the data. (E.g., Document ID 2003-A2, p. 7). Several commenters also noted that using the EIN to enhance research is consistent with recommendations from the NAS Report. (E.g., Document ID 2003-A2, p. 7). Still other commenters observed that collecting EINs would allow OSHA to improve the quality and utility of the data collected, and provided many examples of the benefits associated with having this data element. (E.g., Document ID 2088-A1, p. 14; 2012-A1, p. 15; 2003-A2, p. 7). For example, some commenters noted that adding the EIN would enhance the value of the data for enforcement and compliance assistance by allowing OSHA to identify the relationship between establishments rather than having to rely on company names that can be similar across different businesses. (E.g., Document ID 2007-A1, pp. 8-9; 2012-A1, p. 15; 2074-A1, p. 5).
Many commenters also agreed with OSHA that collecting the EIN along with data submissions under part 1904 could potentially reduce duplicative reporting for employers that are also required to submit data both to BLS under the SOII. (E.g., Document ID 2088-A1, p. 14; 2036-A1, p. 8). Several commenters noted that using the EIN to reduce duplication of burden is consistent with the NAS report. (E.g., Document ID 2085-A1, p. 20).
Other commenters, however, disagreed, observing that there “appears to be little value to OSHA gained in collecting the EIN.” (Document ID 2084-A2, p. 5).
After carefully reviewing all the comments submitted on this subject, OSHA finds that collection of the EIN will result in the benefits detailed by commenters. Having this common identifier will help OSHA understand exactly which establishment the Form 300A data represents, link establishments between databases, and track data over time. The difficulties involved in matching and tracking establishments by name and address introduce uncertainty which in turn reduces the utility of the data collected. A numerical identifier that is common over time and between databases eliminates these uncertainties. Collecting the EIN is also an essential first step towards eliminating duplicative reporting to OSHA and BLS in the future. In short, collection and use of the EIN presents the most practical and efficient solution for matching and linking the BLS and OSHA data sets and at the same time increases the utility and accuracy of the data within OSHA’s data set.
Sensitivity of the EIN
Although nearly all of the commenters who opined on the potential benefits of collecting the EIN agreed with OSHA that the collection would be beneficial, a number of commenters argued that any benefits to OSHA in collecting the EIN were outweighed by the risks if the EIN is publicly disclosed. (Document ID 2064-A1, p. 2). For example, some commenters expressed concern about the commercial sensitivity of the EIN and the potential for fraud. (E.g., Document ID 2057-A1, p. 5). Some commenters maintained that the EIN was confidential business information comparable to a Social Security number. (E.g., Document ID 2041-A1, p. 2; 2066-A1, p. 2). One commenter stated that it did not object to OSHA’s proposal to include EINs with Form 300A filings, provided that OSHA maintains this information as confidential. (Document ID 2049-A1, p. 2).
Others, though not claiming that the EIN was confidential commercial information, nonetheless asserted that collecting the EIN could harm businesses and that such harm outweighed any benefits of collection. (E.g., Document ID 2084-A2, p. 5; 2039-A1, p. 3). For example, one commenter asserted that employers are concerned about making EINs more widely available through FOIA requests “given the high potential for fraud. For example, a 2013 audit by the U.S. Department of the Treasury identified 767,071 corporate tax returns with potentially fraudulent refunds totaling almost $2.3 billion due to stolen and falsely obtained EINs.” (Document ID 2057-A1, p. 5). Commenters also stated that the risk of bad actors causing “irreparable harm” through malicious use of the EIN “far outweighs the issues involved in duplicative reporting.” (Document ID 2039-A1, p. 3; see also Document ID 2084-A2, p. 5; 2064-A1, p. 2).
Other commenters conceded that the EIN was not commercially confidential and did not oppose OSHA’s proposal to collect the EIN with injury and illness data. (E.g., Document ID 2036-A1, p. 8; 2070-A1, p. 17). For example, Mark Dreux of the Corn Refiners Association (CRA) stated: “Because employers are required to disclose their EINs in many different contexts . . . CRA’s members do not consider it to be confidential or proprietary business information.” (Document ID 2036-A1, p. 8). Consequently, CRA indicated that its members did not have any concerns with the proposed requirement to submit EINs in conjunction with injury and illness data to facilitate the exchange of data between OSHA and BLS. (Document ID 2036-A1, p. 8). In fact, CRA’s members agreed with OSHA that “the submission of employers’ EINs will simplify and avoid duplicative reporting of information between the two agencies.” (Document ID 2036-A1, p. 8; see also Document ID 2070-A1, p. 17). Other employers simply noted that they did not object to collection of EINs. (E.g., Document ID 1930-A1, p. 5). There were no comments that claimed the EIN is Personally Identifiable Information (PII). Several commenters specifically stated that it is not PII. (E.g., Document ID 1969; 2070-A1, p. 17).
After reviewing these comments, OSHA concludes that the EIN is not confidential commercial information, nor is it too sensitive to collect with injury and illness data. The EIN is a government-issued number (thus, not commercial), and as discussed above, many commenters conceded that EINs are routinely made public (thus, not confidential). Many companies must include their EINs on public filings or in filings that are later disclosed in response to FOIA requests. (See 83 FR at 36500). For these reasons, OSHA has determined the EIN is not too sensitive to collect given the possibility of release to the public under FOIA.
OSHA also reviewed the Treasury Inspector General for Tax Administration’s 2013 report, Stolen and Falsely Obtained Employer Identification Numbers Are Used to Report False Income and Withholding, referenced in a comment (see Document ID 2057-A1, p. 5). The report does not indicate any harm done to the legitimate business owners of the stolen EINs. While the report shows that tax fraud involving misused EINs exists, it does not provide any indication that collection of the EIN by OSHA would put employers at increased risk or exacerbate the problem of false tax returns. OSHA does not agree that the findings of this report are relevant to the agency’s collection of the EIN with injury and illness data.
Alternative Proposals and Miscellaneous Issues
Several commenters encouraged OSHA to seek and use alternative methods to achieve the goal of reducing respondent burden and increasing the utility of the data collected without collecting the EIN, such as exploring technological approaches to resolve the duplication issue (Document ID 2039-A1, p. 3), and others suggested that OSHA should not need the EIN “to determine whether it has correct information when comparing it with [BLS].” (Document ID 2073-A1, p. 2). One commenters suggested that OSHA should delay collection of the EIN “unless there is relative certainty that the data can and will be used for its intended purpose.” (Document ID 2019-A1, p. 8).
OSHA agrees that further collaboration with BLS to identify methods for reducing respondent burden is vital. Collection and use of the EIN presents the most practical and efficient solution for matching and linking the two agencies’ separate data sets at this time. OSHA does not agree that a delay in the collection is warranted. The benefits of having these data are clear, as discussed above. Any delay in the collection of the EIN would delay the reduction in respondent burden and increased utility of the Form 300A data collected.
The final rule requires employers to provide the EIN of their establishments when submitting their injury and illness data. As discussed above, evidence in the docket shows the EIN is a widely available public record. Employers routinely made their EIN available to both government and private entities, and OSHA already collects and stores EINs in its inspection records. OSHA concludes the collection and storage of the EINs through the ITA will pose minimal adverse effects to establishments that provide these data. At the same time, OSHA concludes the benefits of collecting these data are substantial. Having the EIN will increase the utility of the data by both BLS and OSHA and may reduce the burden on employers that are required to respond to both the BLS and OSHA data collections. OSHA will continue to collaborate with BLS to identify technological approaches to reduce respondent burden, including exploring changes to both data collection systems and real-time sharing of OSHA data with BLS.
Compliance Dates
The requirement to include the EIN for each establishment submitting injury and illness data under 29 CFR 1904.41 will become effective on [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. The compliance date for this provision is March 2, 2020. The EIN will therefore be required for covered establishments submitting their 300A data from 2019, but not for covered establishments submitting their 300A data from 2018, which have to be submitted by March 2, 2019.
III. Final Economic Analysis and Regulatory Flexibility Certification
A. Introduction
Executive Orders 12866 and 13563 require that OSHA estimate the benefits, costs, and net benefits of proposed and final regulations. Executive Orders 12866 and 13563, the Regulatory Flexibility Act (5 U.S.C. 601 – 612) and the Unfunded Mandates Reform Act (UMRA) (2 U.S.C. 1501 – 1571) also require OSHA to estimate the costs, assess the benefits, and analyze the impacts of certain rules that the agency promulgates. Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other effects; distributive impacts; and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility.
In its preliminary economic analysis (PEA) in the proposal, OSHA estimated that this rule would have net cost savings of $8.28 million per year at a 3 percent discount rate, including $8.23 million per year for the private sector and $52,754 per year for the government. Annualized at a 7 percent discount rate, OSHA estimated that the proposed rule would have net cost savings of $8.25 million per year, including $8.18 million per year for the private sector and $64,070 per year for the government. Annualized at a perpetual 7 percent discount rate, the estimate rose to net cost savings of $8.35 million per year. The agency stated its belief that the electronic collection of information in the Forms 300 and 301 poses risks to worker privacy and additional cost to employers and OSHA that outweigh the uncertain enforcement benefits of collecting that information. (83 FR at 36501).
In this final economic analysis, OSHA estimates that the rule would have net cost savings of $15.9 million per year at a 3 percent discount rate, including $8.4 million per year for the private sector and $7.5 million per year for the government. Annualized at a 7 percent discount rate, the rule would have net cost savings of $15.86 million per year, including $8.37 million per year for the private sector and $7.5 million per year for the government. Annualized at a perpetual 7 percent discount rate, the rule would have net cost savings of $16million per year. The agency has determined that the rescission of the requirement to submit electronically the Forms 300 and 301 data will benefit worker privacy by preventing routine government collection of information that may be quite sensitive, including descriptions of workers’ injuries and the body parts affected. OSHA has determined that, at this time, avoiding this risk to worker privacy outweighs the uncertain incremental benefits to enforcement gained from electronically collecting the data. In addition, the rule will allow OSHA to focus its resources on the collection of 300A data and the data provided through the new serious injury and illness reporting system.
OSHA finds that the new requirement for establishments to submit their EIN will help both OSHA and BLS make full use of the data the agencies collect. Collecting the EIN is helpful to understanding exactly which establishment the Form 300A data represents, linking establishments between databases, and tracking data over time. The difficulties involved in matching and tracking establishments by name and address introduce uncertainty, which in turn reduces the utility of the data collected. A numerical identifier that is common over time and between databases eliminates these uncertainties. Collecting the EIN is also a positive first step towards eliminating duplicative reporting to OSHA and BLS in the future. In short, OSHA concludes that collection of the EIN presents the most practical and efficient solution for matching and linking the BLS and OSHA data sets and at the same time increases the quality and utility of the collected data.
The final rule is not an “economically significant regulatory action” under EO 12866 or UMRA (2 U.S.C. 1532(a)), and it is not a “major rule” under the Congressional Review Act (CRA) (5 U.S.C. 801 et seq.). The agency estimates that the rulemaking imposes far less than $100 million in annual economic costs. In addition, it does not meet any of the other criteria specified by UMRA or CRA for a significant regulatory action or major rule. The final rule is a deregulatory action under Executive Order 13771 (82 FR 9339 (January 30, 2017)).
The final rule will make two changes to the existing recording and reporting requirements in part 1904. First, OSHA will eliminate the requirement for establishments that are required to keep injury and illness records under part 1904, and that had 250 or more employees in the previous year, to electronically submit information from OSHA recordkeeping Forms 300 and 301 to OSHA or OSHA’s designee, on an annual basis. Second, OSHA will require covered employers to submit their EIN electronically along with other injury and illness data they are required to submit to OSHA. These changes in existing requirements are identical to those included in the proposal. The final rule does not make any other changes to an employer's obligations regarding injury and illness records.
In the subsections below, OSHA will first examine the cost savings, costs, net cost savings, and benefits of the activities outlined above, including a discussion of the comments submitted on these topics. The agency will then turn to its economic feasibility finding and its certification under the Regulatory Flexibility Act.
B. Cost Savings
As discussed in more detail below, OSHA preliminarily estimated that the proposed elimination of the requirement that establishments with 250 or more employees submit information electronically from their OSHA Forms 300 and 301 would result in cost savings to employers and to the government. (See 83 FR at 36501-02). Numerous commenters responded that businesses are already required to keep these data and that reporting the data to OSHA was not a costly additional requirement. (E.g., Document ID 1943; 1945; 1947; 2077-A1, p. 2). One commenter stated that making the data from Forms 300 and 301 available “is a reasonable cost of doing business.” (Document ID 1942). None of these comments challenged OSHA’s specific cost estimates; rather, they simply asserted that the costs were not substantial. OSHA’s estimate of the cost savings to employers from eliminating the requirement to submit the data from Forms 300 and 301 is consistent with OSHA’s finding in 2016 regarding the incremental cost of submitting these data. And, as detailed earlier in this preamble, even though any related costs may be minor for larger employers, OSHA has decided to rescind the requirement to submit the data from Forms 300 and 301 primarily to protect sensitive worker information from the risk of public disclosure, and to focus its resources on fully utilizing the 300A data and severe injury reports OSHA already collects rather than diverting resources from those efforts given the uncertain extent of any incremental benefits the 300 and 301 data would have for OSHA’s enforcement and outreach activities.
For the PEA, OSHA relied on the Final Economic Analysis (FEA) in the May 2016 final rule (see 81 FR at 29674-87), updated to include more recent data and some modifications in OSHA’s methodology. OSHA obtained the estimated cost of electronic data submission by multiplying the compensation per hour of the person expected to perform the task of electronic data submission by the time required to submit the data. (83 FR at 36501).
In the PEA, as in the 2016 FEA, OSHA selected an employee in the occupation of Industrial Health and Safety Specialist as being at the appropriate salary level. The agency stated that the mean hourly wage for Standard Occupational Classification (SOC) code 29-9011, Industrial Health and Safety Specialists, in the May 2016 data from the BLS Occupational Employment Survey (OES), was $34.85. However, OSHA recognized that not all firms assign the responsibility for recordkeeping to an Industrial Health and Safety Specialist. For example, a smaller firm may use a bookkeeper or a plant manager, while a larger firm may use a higher-level specialist. Therefore, OSHA asked for comment on whether Industrial Health and Safety Specialist is the appropriate salary level for the employee performing this task. (83 FR at 36501).
OSHA did not receive any comments on this question; nor did commenters object to the mean hourly rate used in the PEA. Therefore, OSHA finds that Industrial Health and Safety Specialist is the appropriate salary level. The updated mean hourly rate for this position, per the May 2017 OES data, is $35.38.7 OSHA notes that this is the raw wage and does not include the other fringe benefits that make up full hourly compensation or overhead costs calculated in this analysis.
In the PEA, OSHA multiplied the mean hourly wage for Industrial Health and Safety Specialist ($34.85) by the applicable mean fringe benefit factor for workers in private industry as reported in the June 2017 data from the BLS National Compensation Survey (1.44) to obtain the estimated total compensation (wages and benefits) of $50.18 per hour. (83 FR at 36501).
OSHA did not receive any comments on this point. Therefore, OSHA is retaining the estimate, with updates based on the June 2018 data from the BLS National Compensation Survey.8 The Survey again reported a mean fringe benefit factor of 1.44 for workers in private industry. Multiplying the mean fringe benefit factor by the updated hourly wage of $35.38 produces an estimated total compensation of $50.95 (an increase of 1.5 percent from the PEA, due to the increase in the mean hourly wage). OSHA believes that the calculated cost of $50.95 per hour is a reasonable estimated total hourly compensation for a typical record keeper.
As noted in the PEA, overhead costs are indirect expenses that cannot be tied to producing a specific product or service. Common examples include rent, utilities, and office equipment. Unfortunately, there is no general consensus on the cost elements that fit this definition. The lack of a common definition has led to a wide range of overhead estimates. Consequently, the treatment of overhead costs needs to be case-specific. For the PEA, OSHA adopted an overhead rate of 17 percent of base wages. OSHA explained that the 17 percent rate was consistent with the overhead rate used for sensitivity analyses in the FEA in support of the 2017 final rule delaying the deadline for submission of 300A data (82 FR 55761) and the FEA in support of OSHA’s 2016 final standard on Occupational Exposure to Respirable Crystalline Silica.9 (83 FR at 36501).
To calculate the total labor cost for an Industrial Health and Safety Specialist, Standard Occupational Classification (SOC) code 29-9011 for the PEA, OSHA added three components together: base wage ($34.85) + fringe benefits ($15.33, derived as 44% of $34.85) + applicable overhead costs ($5.92, derived as 17% of $34.85). This increased the labor cost of the fully-loaded hourly wage for an Industrial Health and Safety Specialist to $56.10. (83 FR at 36501).
OSHA did not receive any comments concerning its use of overhead or the calculations to add an overhead charge to the loaded wage rate. Therefore, for the FEA, OSHA has calculated the total labor cost for an Industrial Health and Safety Specialist, Standard Occupational Classification (SOC) code 29-9011, using the same method. The three components are added together: base wage ($35.38) + fringe benefits ($15.57, derived as 44% of $35.38) + applicable overhead costs ($6.01, derived as 17% of $35.38). This increases the labor cost of the fully-loaded hourly wage for an Industrial Health and Safety Specialist to $56.96. OSHA considers this to be a reasonable estimate of total labor costs.
To estimate the time required for the data submission in the PEA, OSHA used the same estimated unit time requirements as reported by BLS in its paperwork burden analysis for the Survey of Occupational Injuries and Illnesses (SOII) (OMB Control Number 1220-0045). BLS estimated 10 minutes per recordable injury/illness case for electronic submission of the information on Form 300 (Log of Work-Related Injuries and Illnesses) and Form 301 (Injury and Illness Incident Report). OSHA also noted that, in the 2016 FEA, the agency estimated 2 minutes more time than the BLS paperwork burden, for a total of 12 minutes per recordable case (10 minutes per case for Form 301 entries plus 2 minutes per case for entry of Form 300 log entries), to account for the differences between BLS and OSHA submission requirements. (83 FR at 36501-02).
OSHA received two comments about its preliminary time and burden hour calculations. (Document ID 2012-A1, p. 12). The first commenter argued that OSHA’s estimated establishment-specific costs of the electronic submission of data to OSHA are likely to be far higher than the actual costs to employers, since the PEA assumed that all the data will be entered manually for electronic submission. (Document ID 2012-A1, p. 12). The commenter wrote that OSHA noted in the 2016 rule that establishments that already keep their records electronically may have lower submission times if they can export or transmit the required information rather than entering it into the web form. (Document ID 2012-A1, p. 12) (quoting 81 FR 29690)). The commenter asserted that OSHA ignored this potential decrease in burden hours in the PEA. (Document ID 2012-A1, p. 12).
OSHA recognizes that many large establishments will already be keeping their records electronically and would likely have submitted their data electronically through a batch upload or other bulk electronic transmission, thus reducing the time that would have been needed to comply with the electronic reporting requirement and the corresponding cost estimate. The agency does not have precise information regarding the percentage of employers that fall into that category. Even if the percentage of those large employers is substantial, OSHA does not have, and commenters did not provide, data on the ease with which those employers could package this information and transmit it in the format required.10 Therefore, as in the 2016 final rule, OSHA is retaining the time estimate that assumed manual data entry for electronic submission.
In addition, to the extent that the commenter is arguing that the agency’s omission of this fact from the PEA was an attempt to obscure a potential decrease in the proposal’s estimated cost savings, OSHA notes that the statement regarding potential time savings was made in response to a comment submitted during the 2016 rulemaking—a comment that did not cause the agency to change its time estimate. Moreover, the agency was clear in the PEA that its methodology was based on the numbers in the 2016 rule. (See 83 FR 36501).
The second commenter on this issue similarly argued that OSHA’s cost estimate of 12 minutes per recordable case is based on the wrong data point. The commenter maintained that OSHA’s preliminary cost analysis failed to disaggregate the time spent preparing Forms 300, 300A, and 301 (which an employer must incur regardless of whether the form must be submitted to OSHA electronically) from the time spent electronically submitting Forms 300 and 301 to OSHA. The commenter argues that OSHA’s cost estimate should be based only on the marginal time of electronic reporting itself. (Document ID 2033-A1, p. 6).
OSHA agrees that the time estimate (and, thus, the cost savings estimate) should account only for the incremental time spent on each data submission—that is precisely why the agency calculated cost savings in that manner in the PEA and continues to do so in this FEA. (See 83 FR at 36501-02; see also 81 FR at 29676 (discussing the time needed to submit the Forms 300 and 301 data electronically). The cost of keeping records, including Forms 301, 301 and 300A were accounted for in previous OSHA final rules and ICRs. The 2016 rule imposed additional costs for electronic submission, and those were reported in that FEA. (See 81 FR at 29676). This current final rule removes only those newly imposed costs.
Therefore, having considered all the comments in the record on this issue, OSHA continues to rely the time estimates from the PEA. OSHA believes that the original estimate of 12 minutes per recordable case is a reasonable average.
In the proposal, OSHA estimated the number of injuries and illnesses that would have been reported by covered establishments with 250 or more employees under the 2016 final rule (and, thus, the number that would no longer be required to be reported under the proposal). To do so, OSHA assumed that the total number of recordable cases in establishments with 250 or more employees was proportional to the establishments’ share of employment within each industry.11 OSHA then used the most recent SOII data to estimate that, without the final rule, covered establishments with 250 or more employees would report 775,210 injury and illness cases per year. The PEA thus estimated that cost per case at $11.22 (12/60 x $56.10), and the total cost at $8,699,173 ($11.22 per case x 775,210 cases).12 (83 FR at 36502).
OSHA did not receive any comments on these estimates. OSHA continues to find the above methodology and estimates to be reasonable and has used them in the final rule, with updates based on the new wage rate and establishment totals.13 The final cost per case to report the information from Forms 300 and 301 is estimated at $11.39 (12/60 x $56.96), and the total cost is $8,829,642 ($11.39 per case x 775,210 cases).14 Therefore, removing the requirement to submit the information from OSHA Forms 300 and 301 to OSHA electronically would result in a total cost savings to the private sector of $8,829,642.15
As noted in the PEA, the 2016 FEA included government costs for the rule because creating a reporting and data collection system was a significant fraction of the total costs of the regulation. OSHA estimated that not collecting the case-specific data from OSHA Forms 300 and 301 would generate a small additional cost savings for the government because that portion of the reporting and data collection system has not yet been created and would not have to be created under this final rule. OSHA estimated a lump sum savings from not creating the software to collect the data from Forms 300 and 301 to be $450,000. OSHA did not receive any comments about the cost to the government of creating software to collect the data from Forms 300 and 301 and finds that the original estimates are reasonable in light of overall costs expected, so in the FEA OSHA will retain the estimate of $450,000. Annualized at 3 percent over 10 years, this would represent a savings to the government of $52,754 per year; annualized at 7 percent over 10 years, the cost savings would be slightly higher: $64,070. This estimate underestimates costs to the government of having a system for collection of this data. It includes the costs of software development, but it does not include other administrative costs, or the analysis that would be needed in order to use the data received by the system for enforcement purposes.
A significant source of costs that was identified during the preparation of this economic analysis is the anticipated costs of attempting to remove PII and information that enables re-identification of individuals from data that would have been collected under the 2016 final rule. This cost was not considered in the rulemaking preceding the 2016 final rule because OSHA anticipated using software for this purpose. As explained above, a court could require OSHA to release the data as a result of a FOIA request. This risk is not insignificant—in a recent decision, subsequent to publication of the NPRM for this rule, in a lawsuit seeking to order OSHA to enforce the requirement for covered employers to submit their Form 300 and 301 data from 2017 to OSHA electronically, the court concluded that OSHA would likely be required to release a significant portion of the data to the plaintiffs under FOIA despite OSHA’s concerns about employee privacy. See Public Citizen Health Research Group v. Acosta, No. 18-1729, slip op. at 9 (D.D.C. Dec. 12, 2018). The court reasoned that, if some records present a meaningful possibility of re-identification, OSHA could redact any sensitive information “on a case by case basis.” Id. If the Form 300 and 301 data were to be released, OSHA would need to manually review the data to be released—from approximately 775,000 cases annually—to remove PII and other information that could allow re-identification of ill or injured workers. This review would be necessary because, as noted above, software cannot guarantee full scrubbing of PII and has no ability to judge re-identifiable information. OSHA has therefore added annual costs for case-by-case review.
As noted above, OSHA estimates, based on the time it has taken OSHA staff to review and remove personal information from other OSHA data, that case-by-case review would require two levels of review. OSHA anticipates that the first level review would be done by a GS-12, Step 5 Analyst (on the Washington, DC locality GS pay scale) and that analyst’s work would be reviewed by a GS-14, Step 5 Supervisor (also on the Washington, DC locality pay scale).
The government hourly labor costs for the work of these employees were calculated in the following manner. Federal GS-12, Step 5 Analysts would conduct most of the review work. The fully-loaded hourly wage of a GS-12, Step 5 Analyst is calculated by taking the annual salary, dividing by the requisite 2087 hours worked per year, adding a fringe benefit factor of 1.6, and finally adding a 17 percent overhead charge. Using that formula, the fully-loaded hourly wage rate of a GS-12, Step 5 Analyst is $78.38 (annual salary of $92,421/2087 hours = base wage of $44.28 x 1.6 + $44.28 x .17 = $78.38). A GS-14, Step 5 Supervisor would review the review work. Using the same formula, the fully-loaded hourly wage rate of the supervisor is $110.14 (annual salary of $129,869/2087 hours = base wage of $62.23 x 1.6 + $62.23 x .17 =$110.14).
The cost calculation for manually reviewing Form 300 and 301 data, and removing any PII and other information that could allow re-identification of ill or injured workers, is as follows. OSHA is estimating that the first level review by the GS-12, Step 5 Analyst would take, on average, six minutes per record to review the record and redact any PII and other information that could allow re-identification of ill or injured workers. The agency is also estimating that all records would need to be reviewed. The first level review would have an estimated total annual cost of $6,076,323 (775,210 records x 6 minutes per record x 1 hour per 60 minutes x $78.38 per hour). The second level review completed by the GS-14, Step 5 Supervisor is estimated to take, on average, one minute per record and, again, all records would need to undergo this second level review. The supervisor review of the first-level review has an estimated total annual cost of $1,423,064 (775,210 records x 1 minute per record x 1 hour per 60 minutes x $110.14). The total labor cost to review and remove PII by examination of each record is estimated to be $7,499,387 ($6,076,323 + $1,423,064) annually.
OSHA notes that these numbers are broadly consistent with the annual costs of MSHA’s data collection and publication program (from the MSHA ICR Supporting Statement, https://www.reginfo.gov/public/do/DownloadDocument?objectID=76285301).
C. New Costs (from the EIN Collection)
In the PEA, OSHA also estimated the potential new costs of amending the recordkeeping regulation to require covered employers to submit their EINs electronically along with their injury and illness data submission. The agency anticipated that some employees given this task would already know their employer’s EIN from their other duties, but others would need to spend some time finding out this information. OSHA estimated an average of 5 minutes for an employee to find out his or her employer’s EIN and to enter it on the submission form. Therefore, OSHA estimated that the unit cost for a submission would be the loaded wage of the employee who submitted the information multiplied by his or her time plus overhead, or $4.68 [(5/60) x $56.10]. (83 FR at 36502).
OSHA did not receive any comments on this estimate, and the agency has determined that the preliminary estimate was reasonable. Therefore, OSHA has retained the 5 minute estimate in this FEA. The updated unit cost for a submission would be the wage of the employee who submitted the information multiplied by his or her time plus overhead, or $4.75 [(5/60) x $56.96].
In the PEA, OSHA explained that the currently-implemented electronic reporting system is already designed to retain information about each establishment based on the login information, including the EIN. Therefore, employers would only have to provide OSHA their EIN once, so this would not be a recurring cost. However, it would be an additional one-time cost for employers who are newly reporting data because, for example, the establishment is new or the employer newly reached the reporting threshold for employment size. OSHA estimated that each year there will be about 10.15 percent more establishments that will be required to report their EIN. OSHA derived the 10.15 percent figure from the U.S. Census Bureau’s Statistics of U.S. Businesses (SUSB), specifically the employment change data set,16 which shows the increase in U.S. business establishments from 2014 to 2015. In 2015, there were 689,819 new establishments, out of a total of 6,795,201 establishments. Dividing the first figure by the second gives a change of about 10.15 percent. (83 FR at 36502). There were no comments criticizing OSHA’s use of the SUSB data or the methodology to estimate the number of new reporting establishments each year, and OSHA continues to find the above methodology and estimates to be reasonable. Therefore, OSHA is retaining these estimates for the FEA.
In the PEA, OSHA estimated costs for covered establishments to provide their EINs, using establishment and employment data from the U.S. Census County Business Patterns (CBP).17 The three categories of included establishments included in the CBP data are: (1) all establishments with 250 or more employees in industries that are required to routinely keep OSHA injury and illness records, (2) establishments with 20-249 employees in certain high-hazard industries, as defined in the Appendix to the May 2016 final rule, and (3) farms and ranches with 20 or more employees. CBP data do not include numbers of farms and ranches with 20 or more employees, so in the May 2016 final rule, OSHA used data from the 2012 Census of Agriculture. Updated data from the 2017 Census of Agriculture were not available for the PEA, so the PEA used the 2012 count of 20,623 farms with 20 or more employees. CBP data also showed that there were 36,903 establishments with 250 or more employees in industries required to routinely keep records and 405,666 establishments with 20-249 employees in the designated high-hazard industries. Combining these figures with 20,623 farms and ranches results in a total of 463,192 establishments that would be required to submit an EIN under the proposed rule. With a cost per establishment of $4.68, the total first year cost of providing EINs would be $2,165,751 (463,192 x $4.68). The annualized cost over ten years at a 3 percent discount rate was $253,892, and at a 7 percent discount rate the cost was $308,354. (83 FR at 36502).
OSHA did not receive any comments on these estimates, and the agency has determined that the preliminary estimates were reasonable. Therefore, OSHA is retaining them (with the available updates) in the FEA. Because updated establishment data were not available, OSHA has retained the PEA estimate of 463,192 establishments that would be required to submit and EIN under the final rule. With a cost per establishment of $4.75, the updated total first year cost of providing EINs would be $2,200,162 (463,192 x $4.75).18 When this cost is annualized over ten years, the annualized cost at a 3 percent discount rate is $257,926 and at a 7 percent discount rate the cost is $313,254.
As noted above, OSHA estimates that 463,192 establishments (including establishments with more than 250 employees, those with 20-249 employees in certain NAICS codes, and farms with more than 20 employees) will be subject to reporting their EIN in the first year under this rule. In the PEA, the agency explained that with 10.15 percent new establishments each year, there would be an additional 47,012 establishments each year that would newly need to report their EIN, resulting in an additional cost of $4.68 x 47,012 or $219,858. (83 FR at 36502). OSHA did not receive any comments on the estimated additional costs for new establishments each year, and the agency has determined that this is a reasonable estimate. Therefore, the agency has retained these estimates in the final rule. The final cost for those establishments, using the updated unit cost for a submission ($4.75), will be $4.75 x 47,012 or $223,307. As explained in the PEA, the cost for new establishments each year does not occur in the first year. (83 FR at 36502). Therefore, OSHA annualized 9 years of new establishment costs over ten years, which results in annualized costs of $216,608 at a discount rate of 3 percent and $207,676 at a 7 percent discount rate.
OSHA noted in the PEA that the EIN data field is already included in the reporting system design, so the agency did not anticipate any additional government costs associated with submittal of the EIN. (83 FR at 36502). Commenters did not object to this determination, and the agency has no reason to believe that any such costs will be incurred by the government. Therefore, OSHA is not accounting for any additional government costs associated with EIN submittal in the final rule.
* * * *
G. Regulatory Flexibility Certification
In the PEA, OSHA explained that the current requirement for annual electronic submission of information from OSHA Forms 300 and 301 affects only a very small minority of small firms. In many industry sectors, there are no small firms with at least 250 employees. Even in those industry sectors where the definition of small firm includes some firms with at least 250 employees, the overwhelming majority of small firms have fewer than 250 employees. There will, however, be some small firms affected in some industries. OSHA estimated that removing this requirement as proposed would result in a cost savings of, on average, $236 per establishment for each establishment with 250 or more employees affected by the 2016 final rule.19 OSHA preliminarily determined that such a small amount of cost savings would not have a significant impact on a firm with 250 or more employees. (83 FR at 36503). Commenters did not object to these determinations. OSHA reaffirms its preliminary finding and also finds that the updated cost savings of $239 per establishment for each establishment with 250 or more employees affected by the 2016 final rule will not have a significant impact on a firm with 250 or more employees.20
The PEA also included a certification that the proposed rule would not have a significant economic impact on a substantial number of small entities. (83 FR at 36503). OSHA did not receive any comments on this certification. As with the proposal, the final rule will result in an overall reduction of costs. Removing the requirement for establishments with 250 or more employees to submit the information from OSHA Forms 300 and 301 annually to OSHA would reduce costs, and the estimated cost of the EIN requirement is $4.75 per establishment, a negligible amount. Hence, per sec. 605 of the Regulatory Flexibility Act, OSHA certifies that this final rule will not have a significant economic impact on a substantial number of small entities.
______________________________________________________________________________
Additional Comment Considered by OSHA, But Not Discussed in the Preamble to the Final Rule
One commenter requested that OSHA reassess the industries covered by the reporting requirement list in Appendix A to 1904.41 to reduce the paperwork burdens on small employers. (Document ID 2009-A1, p. 4). In the NPRM, OSHA did not propose any changes to the requirement that employers electronically submit Form 300A data. And, in its request for comments, the Agency made clear that it was only seeking comment on the proposed changes to § 1904.41, and not on any other aspects of part 1904. (83 FR 36497). Therefore, OSHA has determined that this comment is outside the scope of this rulemaking, and the Agency will not address it.
1 In the NPRM and in the final rule, OSHA has offered reasoned analysis for its preliminary and now final determination to rescind the requirement for covered employees to submit their 300 and 301 data to OSHA electronically. OSHA has likewise considered and discussed the comments raised by those who also argue that OSHA’s decision runs afoul of the APA, (e.g., Document ID 2012-A1, pp. 9, 15; 2028-A1, pp. 1-3, 6, 8), as well as other comments in the record. In short, this rule is a product of reasoned decision-making, has the support of substantial evidence in the record as a whole, and is appropriate based on policy concerns and OSHA’s obligations under the Act.
2 Of these, 1,641 were nearly identical form letters.
3 MSHA has been subject to cyber attack in the past, however. See Ted Hesson, “Morning Shift: DOL Takes Stock After Hack,” POLITICO (Apr. 25, 2018) (detailing successful hack), https://www.politico.com/newsletters/morning-shift/2018/04/25/travel-ban-at-scotus-182935.
4 See the Final Economic Analysis for details on this calculation.
5 The National Academies of Science, Engineering, and Medicine (NAS) report, titled A Smarter National Surveillance System for Occupational Safety and Health in the 21st Century (Document ID 1965-A1) was the result of a joint request from NIOSH, BLS, and OSHA to NAS, asking NAS to conduct a study in response to the need for a more coordinated, cost-effective set of approaches for occupational safety and health surveillance in the United States. (See Document ID 1965-A1, p. x). Commenters submitted copies of the report to the record. (See Document ID 1965-A1; 2085-A10). Where those commenters and others have specifically referenced findings, recommendations, or other statements contained in the report in their comments, OSHA has responded to them in this preamble. However, because the report is not, and was not intended to be, commentary on this rulemaking, the agency does not find it is appropriate or necessary to respond to statements contained therein where those statements were not referenced by commenters in their submissions to the record.
6 As OSHA explained in the NPRM, the SOII is an establishment survey and is a comprehensive source of national estimates of nonfatal injuries and illnesses that occur in the workplace. (83 FR at 36499). The survey collects data on non-fatal injuries and illnesses for each calendar year from a sample of employers based on recordable injuries and illnesses as defined by OSHA in 29 CFR part 1904. (83 FR at 36499). Using data from the survey, BLS estimates annual counts and rates by industry and state for workers in private industry and state and local government. (83 FR at 36499-500). In addition, the SOII provides details about the most severe injuries and illnesses (those involving days away from work), including characteristics of the workers involved and details of the circumstances surrounding the incident, using data collected on Forms 300A and 301 from the sampled establishments. (83 FR at 36500 (citing BLS Handbook of Methods: https://www.bls.gov/opub/hom/soii/home.htm)).
7 See https://www.bls.gov/oes/current/oes299011.htm.
8 See https://www.bls.gov/news.release/ecec.nr0.htm.
9 See the sensitivity analyses in the Improved Tracking FEA (https://www.gpo.gov/fdsys/pkg/FR-2017-11-24/pdf/2017-25392.pdf, page 55765) and the FEA in support of OSHA’s 2016 final standard on Occupational Exposure to Respirable Crystalline Silica (81 FR 16285) (https://www.gpo.gov/fdsys/pkg/FR-2016-03-25/pdf/2016-04800.pdf pp.16488-16492.). The methodology was modeled after an approach used by the Environmental Protection Agency. More information on this approach can be found at: U.S. Environmental Protection Agency, "Wage Rates for Economic Analyses of the Toxics Release Inventory Program," June 10, 2002 (Ex. 2066). This analysis itself was based on a survey of several large chemical manufacturing plants: Heiden Associates, Final Report: A Study of Industry Compliance Costs Under the Final Comprehensive Assessment Information Rule, Prepared for the Chemical Manufacturers Association, December 14, 1989, Ex. 2065.
10 To the extent some establishments may not have an internet connection on site, that could also increase the time burden and thus raise the cost estimate.
11 OSHA solicited comment on this assumption in the PEA but received none and so has retained this method for estimating total recordable cases for this FEA.
12 Note that totals summarized in the text may not precisely sum from underlying elements due to rounding. The precise calculation of the numbers in the FEA appears in the spreadsheet in the rulemaking docket titled “FEA calculations.”
13 This cost estimate was developed prior to the NPRM, and is subject to change based on subsequent developments to OSHA’s ITA.
14 In addition, note that the totals in Table 1 of this section of the preamble and the totals summarized in the text may not precisely sum from underlying elements due to rounding. The precise calculation of the numbers in the FEA appears in the spreadsheet in the rulemaking docket titled “FEA calculations.”
15 Overall, the estimated cost savings to private industry of removing the requirement for electronic reporting of case data is 25 percent greater than the 2016 estimated cost of promulgating the provision ($6,948,487). There are three reasons for this 25 percent increase: the number of establishments with more than 250 employees has grown, the mean hourly wage has increased, and OSHA is now including a 17 percent overhead estimate in the cost estimates.
16 See https://www2.census.gov/programssurveys/susb/datasets/2015/us_state_emplchange_2014-2015.txt.
17 For the CBP, see https://www.census.gov/programs-surveys/cbp.html.
18 In addition, note that the totals in Table 1 of this section of the preamble, as well as totals summarized in the text, may not precisely sum from underlying elements due to rounding. The precise calculation of the numbers in the FEA appears in the rulemaking docket in the spreadsheet titled “FEA calculations.”
19 This number was derived by dividing the total estimated cost savings to private industry of $8,699,173 from the proposal by 36,903 affected establishments with 250 or more employees. (83 FR at 36503).
20 This number is derived by dividing the total final cost savings to private industry of $8,831,000 by 36,903 affected establishments with 250 or more employees.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 0000-00-00 |