OSHA requirements are set by statute, standards and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at http://www.osha.gov.January 12, 2018Mr. Tom Binner & Ms. Dawn KrizVirginia Ship Repair Association150 Boush St., Suite 802Norfolk, VA 23510Dear Mr. Binner and Ms. Kriz:Thank you for your letter to the Occupational Safety and Health Administration (OSHA) regarding the recordkeeping regulation contained in 29 CFR Part 1904 - Recording and Reporting Occupational Injuries and Illnesses.Your letter requests clarification of OSHA's injury and illness recordkeeping requirements pertaining to an employer that supervises temporary workers on a day-to-day basis, but has limited access to their medical records when an injury or illness occurs. You indicate that some temporary staffing agencies refuse to provide the host employer with supporting medical information that would enable the host firm to determine whether or how to record a case. Your letter includes an example where a temporary agency refuses to give access to an employee's medical records due to the privacy requirements in the Health Insurance Portability and Accountability Act of 1970 (HIPAA).Recording Injuries and Illnesses of Temporary WorkersOSHA's injury and illness recordkeeping regulation at 29 CFR 1904.31(a) requires employers to record the recordable injuries and illnesses of employees they supervise on a day-to-day basis, even if these workers are not carried on the employer's payroll. The requirements in Section 1904.31 are based on the consideration that the supervising employer is in the best position to obtain the necessary injury and illness information due to its control over the workplace and its familiarity with the work tasks and the work environment. Day-to-day supervision occurs when "in addition to specifying the output, product or result to be accomplished by the person's work, the employer supervises the details, means, methods and processes by which the work is to be accomplished." See, OSHA's Frequently Asked Question (FAQ) 31-1 at www.osha.gov/recordkeeping/entryfaq.html.Section 1904.31(b)(4) provides that companies and their subcontractors should coordinate their efforts to ensure that each injury and illness is recorded only once - by the employer who provides day-to-day supervision at the worksite. This means that the employer who actually provides day-to-day supervision is responsible for recording cases on their OSHA Log regardless of the wording of the parties' contract.Under OSHA's recordkeeping regulation, the employer that provides day-to-day supervision must make reasonable efforts to acquire the necessary information to satisfy their Part 1904 recording responsibilities. However, in situations where the controlling employer is not able to obtain medical information from the employer of a leased or temporary employee, the controlling employer should record injuries or illnesses based on the information that is available. Please know that, in order to produce accurate records, it is OSHA's expectation that employers will share information about work-related injuries and illnesses. See, the January 19, 2001 preamble to OSHA's final rule revising the Part 1904 recordkeeping regulation (66 Federal Register 5916 at 6041).HIPAA Privacy RuleThe HIPAA privacy rule, issued by the U.S. Department of Health and Human Services (HHS), 45 CFR 160 and 164, provides extensive safeguards and procedures for assuring the confidentiality of individually identifiable health information. As required by HIPAA, the provisions of the privacy rule only apply to "covered entities." The term "covered entity" includes health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. See, 45 CFR 160.103. As a result, the requirements of the HIPAA privacy rule would only apply to a temporary staffing agency if it meets the definition of a "covered entity."The fundamental requirement of the HIPAA privacy rule is that covered entities may not use or disclose protected health information (PHI) without the written authorization of the person who is the subject of the information. However, the privacy rule includes several exceptions for disclosing PHI without individual authorization. See, 45 CFR 164.512, Uses and disclosures for which an authorization or opportunity to agree or object is not required. The exception at Section 164.512(b) provides that a covered entity may use or disclose PHI for public health activities. Most importantly, Section 164.512(b)(1)(v)C) specifically permits a covered entity to use or disclose PHI in order to comply with obligations under Part 1904.(b) Standard: Uses and disclosures for public health activities - (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: (v) An employer, about an individual who is a member of the workforce of the employer, if:(C) The employer, needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; andAccordingly, in situations where a temporary staffing agency meets the definition of a covered entity, Section 164.512(b)(1)(v)(C) would permit them to disclose PHI to the controlling employer for purposes of compliance with Part 1904.The following Letters of Interpretation posted on OSHA's web site may also provide you with further useful information:06/23/2003 - "Recording criteria for cases involving workers from a temporary help service, employee leasing service, or personnel supply service": https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=INTERPRETATIONS&p_id=2451808/02/2004 - "OSHA 300 Log requirements versus HIPAA privacy requirements": https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=INTERPRETATIONS&p_id=24898We hope you find this information helpful. OSHA requirements are set by statute, standards, and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in responses to new information. To keep appraised of such developments, you can consult OSHA's website at http://www.osha.gov.Sincerely,Amanda L. Edens, DirectorDirectorate of Technical Support and Emergency Management