Employees have the right to view their employer’s OSHA 300 log (29 CFR Part 1904), but since the enactment of the Health Insurance Portability and Accountability Act (HIPAA), some employers have insisted that they must remove all employee names from the log before providing access.
Responding to a question from Bill Kojola of the AFL-CIO’s Department of Safety and Health, Keith Goddard, OSHA Director, Directorate of Evaluation and Analysis, wrote in an August 2, 2004 letter that employers may not remove names before providing access.
Goddard cited the statute and implementing regulation (45 CFR 164.512(a)) which expressly permit the disclosure of protected health information to the extent required to implement OSHA requirements. He wrote, “[T]he Recordkeeping rule requires that employees, former employees and employee representatives have access to the complete log, including employee names, except for privacy concern cases.” He referred readers to 29 CRF 1904.35(b)(2)(iv).
Part 1904.29 lists a limited number of specific illnesses or injuries that are considered “privacy concern cases” in which an employer is not permitted to enter an employee’s name on the 300 log. Aside from these cases, employers should make the log available with all employee names included.