§ 1913.10 Rules of agency practice and procedure concerning OSHA access to employee medical records.
(a) General policy. OSHA access to employee medical records will in certain circumstances be important to the agency's performance of its statutory functions. Medical records, however, contain personal details concerning the lives of employees. Due to the substantial personal privacy interests involved, OSHA authority to gain access to personally identifiable employee medical information will be exercised only after the agency has made a careful determination of its need for this information, and only with appropriate safeguards to protect individual privacy. Once this information is obtained, OSHA examination and use of it will be limited to only that information needed to accomplish the purpose for access. Personally identifiable employee medical information will be retained by OSHA only for so long as needed to accomplish the purpose for access, will be kept secure while being used, and will not be disclosed to other agencies or members of the public except in narrowly defined circumstances. This section establishes procedures to implement these policies.
(b) Scope and application. (1) Except as provided in paragraphs (b)(3) through (6) below, this section applies to all requests by OSHA personnel to obtain access to records in order to examine or copy personally identifiable employee medical information, whether or not pursuant to the access provisions of 29 CFR 1910.1020(e).
(2) For the purposes of this section, “personally identifiable employee medical information” means employee medical information accompanied by either direct identifiers (name, address, social security number, payroll number, etc.) or by information which could reasonably be used in the particular circumstances indirectly to identify specific employees (e.g., exact age, height, weight, race, sex, date of initial employment, job title, etc.).
(3) This section does not apply to OSHA access to, or the use of, aggregate employee medical information or medical records on individual employees which is not in a personally identifiable form. This section does not apply to records required by 29 CFR part 1904, to death certificates, or to employee exposure records, including biological monitoring records treated by 29 CFR 1910.1020(c)(5) or by specific occupational safety and health standards as exposure records.
(4) This section does not apply where OSHA compliance personnel conduct an examination of employee medical records solely to verify employer compliance with the medical surveillance recordkeeping requirements of an occupational safety and health standard, or with 29 CFR 1910.1020. An examination of this nature shall be conducted on-site and, if requested, shall be conducted under the observation of the recordholder. The OSHA compliance personnel shall not record and take off-site any information from medical records other than documentation of the fact of compliance or non-compliance.
(5) This section does not apply to agency access to, or the use of, personally identifiable employee medical information obtained in the course of litigation.
(6) This section does not apply where a written directive by the OSHA Medical Records Officer authorizes appropriately qualified personnel to conduct limited reviews of specific medical information mandated by an occupational safety and health standard, or of specific biological monitoring test results.
(7) Even if not covered by the terms of this section, all medically related information reported in a personally identifiable form shall be handled with appropriate discretion and care befitting all information concerning specific employees. There may, for example, be personal privacy interests involved which militate against disclosure of this kind of information to the public (See, 29 CFR 70.26 and 70a.3).
(c) Responsible persons—(1) Assistant Secretary. The Assistant Secretary of Labor for Occupational Safety and Health (Assistant Secretary) shall designate an OSHA official with experience or training in the evaluation, use, and privacy protection of medical records to be the OSHA Medical Records Officer. The Assistant Secretary may change the designation of the OSHA Medical Records Officer at will.
(2) OSHA Medical Records Officer. The OSHA Medical Records Officer shall be responsible for the overall administration and implementation of the procedures contained in this section. The OSHA Medical Records Officer shall report directly to the Assistant Secretary on matters concerning this section and be responsible for:
(i) Making final determinations concerning the approval or denial of medical access orders (paragraph (d) of this section);
(ii) Assuring that medical access orders meet the requirements of paragraphs (d)(2) and (3) of this section;