Medical Access Order
Overview
OSHA published a Final Rule to amend its internal procedures to transfer certain responsibilities from the Assistant Secretary to the OSHA Medical Records Officer. The amended rule also improves internal efficiency, establishes new internal requirements for the access and safeguarding of personally identifiable employee medical information maintained in electronic form, and simplifies procedures for the removal of medical records from a worksite without degradation of privacy protections. The revised procedures are internal agency procedures and do not affect employer compliance with OSHA requirements.
OSHA standard 29 CFR 1913.10(a) states: OSHA access to employee medical records will, in certain circumstances, be important to the agency's performance of its statutory functions. Medical records, however, contain personal details concerning the lives of employees. Due to the substantial personal privacy interests involved, OSHA authority to gain access to personally identifiable employee medical information will be exercised only after the agency has made a careful determination of its need for this information, and only with appropriate safeguards to protect individual privacy.
Once this information is obtained, OSHA examination and the use of it will be limited to only that information needed to accomplish the purpose (or access). Personal identifiable employee medical information will be retained by OSHA only for so long as needed to accomplish the purpose for access. This will be kept secure while being used and will not be disclosed to other agencies or members of the public except in narrowly defined circumstances.