July 27, 2018

Eric Weinberger
133 Norwood Ave
Asheville, NC 28804

Dear Mr. Weinberger:

Thank you for your letter to the Occupational Safety and Health Administration (OSHA) regarding the recordkeeping regulation contained in 29 CFR Part 1904 - Recording and Reporting Occupational Injuries and Illnesses. In an effort to provide the public with prompt and accurate responses, we developed and continue to refine a set of Frequently Asked Questions (FAQ), in addition to maintaining a log of Letters of Interpretation (LOI) on the OSHA Recordkeeping web site at www.osha.gov/recordkeeping.

In your letter, you state that your company is considering developing a software application that would make it easier for employers to comply with OSHA's recordkeeping regulation. Your letter requests clarification on who should have access to information entered on the recordkeeping forms, including information related to privacy concern cases. You also ask whether OSHA certifies software that claims to help companies meet OSHA's recording and reporting regulation. Your paraphrased questions, followed by OSHA's responses, are below.

OSHA's recordkeeping regulation provides access to the injury and illness recordkeeping forms to certain individuals. Section 1904.35 provides a right of access to employees, former employees, and employee representatives. Under section 1904.40, employers must provide a complete copy of any records required by 29 CFR 1904 to an authorized government representative within four (4) business hours. For example, employers must provide access to the recordkeeping forms to compliance officers from OSHA when they conduct workplace safety and health inspections or investigations under the Occupational Safety and Health Act of 1970 (OSH Act).

Question 1: Do government representatives have access to the list of employee names involved in privacy concern cases?

Response: Yes. Section 1904.29(b)(6) requires the employer to withhold the injured or ill employee's name from the OSHA 300 log for injuries and illnesses involving privacy concern cases. Instead of entering the employee's name, the employer must enter "privacy concern case" in the space where the employee's name would normally be entered. This approach allows employers to provide access to information from the 300 log to another employee, a former employee, or an authorized employee representative as required by section 1904.35 while at the same time protecting the privacy of workers who have sustained a recordable injury or illness that raises privacy concerns.

The recordkeeping regulation also provides that the employer must keep a separate confidential list of privacy concern cases, and the list must include the employee's name and the case number from the OSHA 300 log. This separate list is intended to allow a government representative to obtain the employee's name during a workplace inspection in case further investigation is warranted and to assist employers to keep track of such cases in the event that further revisions to the entry become necessary. See, the January 19, 2001 preamble to OSHA's final rule revising the recordkeeping regulation, 66 Federal Register 5916 at 6024. Accordingly, the employer must provide the confidential list of case numbers and employee names involved in privacy concern cases to government representatives upon request.

Question 2: In addition to government representatives, does anyone else have access to the confidential list of employee names involved in privacy concern cases?

Response: Yes. Section 1904.29(b)(10) includes requirements for the protection of employee privacy when the employer decides to voluntarily disclose information from the OSHA 300 and 301 forms to persons other than those with a mandatory right of access under the recordkeeping regulation. In addition to the authorized government representatives listed in section 1904.40, those persons listed in section 1904.29(b)(10) may have access to the confidential list of employee names involving privacy concern cases. The employer may disclose the complete forms, with personally identifying information only:

• (i) to an auditor or consultant hired by the employer to evaluate its safety and health program;
• (ii) to the extent necessary for processing a claim for workers' compensation or other insurance benefits; or
• (iii) to a public health authority or law enforcement agency for uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required under 45 CFR § 164.512 of the final rule on Standards for Privacy of Individually Identifiable Health Information.

Section 1904.29(b)(10) further requires the employer to remove or hide employee names or other personally identifying information before disclosing the forms to persons other than government representatives, employees, former employees or authorized representatives, as required by sections 1904.40 and 1904.35. When disclosing the forms to an employee, former employee, or employee representative, section 1904.35(b)(2)(iv) indicates that the employer cannot remove from the OSHA 300 log the names of the employees or any other information, but the employer may not record employee names on the OSHA 300 log, in the first instance, for the "privacy concern cases" described by section 1904.29(b)(6)-(9).

Question 3: Can a company comply with the access to records requirements by providing government representatives and other authorized persons with permanent login access to an online database application containing the records?

Response: Nothing in OSHA's recordkeeping regulation prevents employers from providing online access to recordkeeping information. However, individuals with a right of access under the recordkeeping regulation have the option to request, and the employer must provide, copies of recordkeeping information in paper form. See, 66 Fed. Reg. at 6023 and 6096-97. Further, online access would still need to meet the specific access requirements in the regulation. For example, while government representatives have complete access to the recordkeeping forms, including the confidential list of employee names involved in privacy concern cases, individual employees only have complete access to their own 301 incident reports, and not to the list of employee names involved in privacy concern cases. As a result, the system would need to be designed in a way so that certain individuals could only access the specific information they are entitled to view.

Question 4: Does software that claims to meet the OSHA recording and reporting requirements in 29 CFR 1904 need to be certified?

Response: No. OSHA does not approve, endorse, recommend, or certify any product or process. It has been OSHA's longstanding policy and practice not to endorse any commercial products, so OSHA will not certify software purporting to help employers meet OSHA recording and reporting requirements.

We hope you find this information helpful. OSHA requirements are set by statute, standards, and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in responses to new information. To keep appraised of such developments, you can consult OSHA's website at http://www.osha.gov.

Sincerely,

Amanda L. Edens, Director
Directorate of Technical Support and Emergency Management