Standard Interpretations - Table of Contents
• Standard Number: 1904; 1904.35(b)(2)(iv)

This letter constitutes OSHA's interpretation only of the requirements discussed and may not be applicable to any situation not delineated within the original correspondence.

August 2, 2004

Mr. Bill Kojola
Industrial Hygienist
Department of Safety and Health
815 Sixteenth St., NW
Washington, DC 20006

Dear Mr. Kojola:

Thank you for your February 27, 2004 letter to the Occupational Safety and Health Administration (OSHA) regarding the Injury and Illness Recording and Reporting Requirements contained in 29 CFR Part 1904. Your letter was forwarded to my office by Richard Fairfax, Director, Directorate of Enforcement Programs. The Division of Recordkeeping Requirements, within my Directorate, is responsible for the administration of the OSHA injury and illness recordkeeping system nationwide. Please excuse the delay in responding to your request.

You state that employers are claiming they must remove all the names from the OSHA 300 Log before providing access in order to comply with the privacy requirements contained in the Health Insurance Portability and Accountability Act (HIPAA). Specifically, you ask OSHA to clarify the recordkeeping requirements contained in 29 CFR Part 1904 vs. the HIPAA requirements.

We do not believe that HIPAA provides a basis for employers to remove employees' names from the Log before providing access. Even if HIPAA is implicated by the employer's disclosure of the OSHA Log, the statue and implementing regulation expressly permit the disclosure of protected health information to the extent required by law. See 45 CFR 164.512(a). This exception for disclosures required by law applies here because the Recordkeeping rule requires that employees, former employees, and employee