With abundant compliance restrictions from governing bodies such as the Occupational Safety and Health Administration (OSHA) and the U.S. Department of Health & Human Services (HHS) and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), it is imperative to be sure your healthcare organization is protected from legal risks.

This whitepaper serves to begin conversations for employee health departments and occupational medicine clinics specifically around the necessity of segregating an Occupational Health Record or Employee Health Record from personal health information that is stored in a General Medical Record or Private Health Record.

Where does the information belong?

Occupational Health Record (employee data, governed by OSHA and not covered by HIPAA):

  • Independent medical evaluations
  • Immunization records (as appropriate)
  • Employee exposure records
  • Accident or injury records
  • Other work-related medical history

General Medical Record (governed by HIPAA):

  • Personal health care
  • Preventative care
  • Acute + chronic diagnosis/treatment plans
  • Immunization records
  • Past medical/social histories

What are the implications?

OSHA mandates keeping occupational health records, which are controlled by employers, independent and distinct from non-occupational health records controlled by patients (American Health Information Management Association (AHIMA), “The Privacy and Security of Occupational Health Records”). Additionally, according to OSHA’s “Access to Employee Exposure and Medical Records” regulation (29 CFR 1910.1020), occupational health records must be retained 30 years after termination of an employee, while minimum general medical record retention varies by state.

Navigating these record keeping obligations can become increasingly difficult in hospital employee health departments, where an employee may also be a hospital patient. Not storing information properly and poorly monitoring security settings could lead to personal health information being inadvertently available to hospital staff who have access to patient medical records.

Because of these stipulations, the American Health Information Management Association highlights the critical importance of “designing an electronic health record system that is able to manage and segregate different types of health record systems with differing rules of access, use, and disclosure as needed” (AHIMA, “The Privacy and Security of Occupational Health Records”). 

These scenarios are practical examples that could be applicable to employee health or occupational medicine: 

During an annual flu shot, an employee discloses she is pregnant. While that information may be documented in her general medical record, the employer should have no way to access that information but should only be informed that she has received her immunization. 

An employee attends a fitness exam required by his employer and discloses on a medical history form that he has diabetes and is allergic to iodine. If his diabetes doesn’t affect his ability to perform his job functions, it shouldn’t be documented in his occupational health record (with the exception of it being required by law or if there is a threat to public safety). However, his allergy to iodine could be added to both records. 

How might providers currently be managing this? 

  1. Documenting in separate systems that never interface, which forces duplicate documentation in cases where information could rightfully be documented in both records, such as immunizations, medications, or allergies. 
  2. Documenting with paper or generic spreadsheets, leading to extra manual work, especially when providing reports for employers or managers. Auditing access to the records is an additional challenge. 
  3. Documenting in a single software system. Note that this approach only works with complete segregation of the general medical record from the occupational health record; if that is not the case, this method may be a breach of law. 

What is the ideal solution? 

The ideal solution is a software solution built specifically to keep occupational health records separate while also interfacing the appropriate information, such as medications, allergies, and immunizations, into the general medical record when applicable. 

Additionally, role-based access, individual permission settings, enforcing unique user login with strong passwords, and user access audit reports are crucial tactics to effectively manage records based on mandated policies. 

A compliant solution should also maintain workers’ compensation cases separately and independently of any other record and be able to provide Work Status Reports for employers that only include relevant work restrictions and no other confidential information. 
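The following is an added illustration, not code from the whitepaper or any vendor product, of the segregation and role-based access model described above: two record stores, a short list of fields that may be mirrored into both, role checks on every read, and an audit trail of every attempt. Role names, employee ids and actor names are constructed for the example; it walks through the flu-shot and fitness-exam scenarios given earlier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

Record = Dict[str, Dict[str, List[str]]]  # employee -> field -> entries

# Fields the whitepaper says may rightfully be documented in both records.
SHARED_FIELDS = {"immunizations", "medications", "allergies"}

# Which record each role may read (constructed role names). Nothing on the
# employer side can reach the general medical record.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "employer": {"occupational"},
    "occ_health_clinician": {"occupational"},
    "treating_clinician": {"general"},
}

@dataclass
class SegregatedRecords:
    general: Record = field(default_factory=dict)
    occupational: Record = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)  # (actor, employee, record, action, field)

    def _store(self, kind: str) -> Record:
        if kind not in ("general", "occupational"):
            raise ValueError(f"unknown record type {kind!r}")
        return self.general if kind == "general" else self.occupational

    def document(self, actor: str, employee: str, kind: str, fld: str, value: str) -> None:
        """Write one entry; a shared field is mirrored into the other record, anything else stays put."""
        targets = ("general", "occupational") if fld in SHARED_FIELDS else (kind,)
        for t in targets:
            self._store(t).setdefault(employee, {}).setdefault(fld, []).append(value)
            self.audit.append((actor, employee, t, "write", fld))

    def read(self, actor: str, role: str, employee: str, kind: str) -> Dict[str, List[str]]:
        """Role-based read; every attempt, allowed or denied, lands in the audit trail."""
        allowed = kind in ROLE_ACCESS.get(role, set())
        self.audit.append((actor, employee, kind, "read" if allowed else "DENIED", None))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read the {kind} record")
        return {k: list(v) for k, v in self._store(kind).get(employee, {}).items()}

def whitepaper_scenarios() -> SegregatedRecords:
    """The flu-shot and fitness-exam scenarios, with constructed employee ids and actors."""
    r = SegregatedRecords()
    r.document("nurse1", "emp42", "occupational", "immunizations", "influenza vaccine")
    r.document("nurse1", "emp42", "general", "conditions", "pregnant")       # general record only
    r.document("md2", "emp7", "general", "conditions", "diabetes")           # not job-relevant
    r.document("md2", "emp7", "occupational", "allergies", "iodine")         # mirrored to both
    return r
```

An employer-role read of the occupational record returns only the immunization or allergy entry, and an employer-role read of the general record is refused and recorded as DENIED in the audit list.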

What should I do next? 

Consult your health information management department and/or compliance departments to ensure you are in compliance with federal and state privacy and security regulations to mitigate potential legal risk. 

To further research if gaps exist between current practices and industry best practices, the resources referenced below are recommended for additional discovery. 

American Health Information Management Association (AHIMA). “The Privacy and Security of Occupational Health Records.” Journal of AHIMA 84, no. 4 (April 2013): 52-56. Web. 4 Aug. 2016. http://library.ahima.org/doc?oid=106321#.V5DYG_mANBc.

HHS.gov. “Minimum Necessary Requirement.” U.S. Department of Health and Human Services, n.d. Web. 4 Aug. 2016. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html.

HHS.gov. “Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?” U.S. Department of Health and Human Services, n.d. Web. 4 Aug. 2016. http://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html.

Occupational Safety & Health Administration. “Clinicians.” United States Department of Labor, n.d. Web. 4 Aug. 2016. https://www.osha.gov/dts/oom/clinicians/.

Occupational Safety & Health Administration. “Regulations (Standards – 29 CFR 1910.1020).” United States Department of Labor, n.d. Web. 15 Aug. 2016. https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=STANDARDS&p_id=10027.