Voglio sapere a riguardo di…

khammond on DSKJM1Z7X2PROD with RULES2

32608

Federal Register / Vol. 86, No. 116 / Monday, June 21, 2021 / Rules and Regulations
The COVID19 log required by the ETS differs from the OSHA 300 log that employers are required to maintain under the OSHA injury and illness recordkeeping regulation at 29 CFR part 1904. Most importantly, under 29 CFR
part 1904, employers are required to make several determinations regarding the recordability of specific injuries and illnesses before information is entered on the 300 log. For example, employers are not required to record non-workrelated illnesses and injuries on their OSHA 300 logs. Therefore, in order to determine whether to record COVID19
illness on the OSHA 300 log, employers must determine whether the illness is work-related. Under paragraph q2ii, employers are required to enter information on the COVID19 log regardless of whether an employees illness is the result of a work-related exposure. Also, under 29 CFR part 1904, employers must generally provide access to the 300 log to employees, former employees, and their representatives with the names of injured or ill employees included on the form. By contrast, employers must maintain the COVID19 log as though it is a confidential medical record and must not disclose it except when providing access as required by paragraph q3, or other federal law. As a result, while some COVID19 illnesses may qualify for entry on both logs, the OSHA 300 log may not be used as a substitute for the COVID19 log required by this section.
Finally, as explained in a Note to paragraph q, employers must continue to record all work-related confirmed cases of COVID19 on their OSHA
Forms 300, 300A, and 301, or on equivalent forms, if required to do so under 29 CFR part 1904. The recordkeeping regulation at 29 CFR part 1904 includes additional requirements for the recording of work-related COVID19 illness from this ETS. Under 29 CFR part 1904, COVID19 is a recordable illness and employers are responsible for recording cases of COVID19 if: 1 The case is a confirmed case of COVID19 as defined by the Centers for Disease Control and Prevention CDC; 2 the case is workrelated as defined by 29 CFR 1904.5;
and 3 the case involves one or more of the general recording criteria in set forth in 29 CFR 1904.7 e.g., medical treatment beyond first aid, days away from work.
Paragraph q2iiB also requires that the information in the COVID19
log be maintained as though it is a confidential medical record and must not be disclosed except as required by this ETS or other federal law. OSHA

VerDate Sep<11>2014

21:53 Jun 17, 2021

Jkt 253001

historically has recognized that occupational safety and health records maintained by employers may contain information of a sufficiently intimate and personal nature that a reasonable person would wish to remain confidential. While the entries of information on the COVID19 log may be brief, they may contain information that could result in a serious confidentiality or privacy concern if disclosed to other employees, former employees, or their representatives.
Accordingly, under this section, the disclosure of personal information entered on the COVID19 log is limited to the access provisions set forth in paragraph q3, or as required by other federal laws. Otherwise, employers must maintain the log as though it is a confidential medical record.140
One of the major federal regulations addressing the privacy of individuals health information is the U.S.
Department of Health and Human Services HHS regulations at 45 CFR
parts 160 and 164, known as the Health Insurance Portability and Accountability Act of 1996 HIPAA
Privacy Rule. The Privacy Rule protects the privacy of individually identifiable health information referred to as protected health information or PHI maintained or transmitted by HIPAA-covered entities 141 and their business associates. The Privacy Rule is also balanced to ensure that appropriate uses and disclosures of PHI can be made when necessary to treat a patient, to protect the nations public health, and for other important purposes. A covered entity may not use or disclose PHI
140 Please note that the employer is still required to enter work-related COVID19 cases on the 300
log pursuant to 29 CFR part 1904 and must provide access to them under 29 CFR part 1904.35b2iv.
However, employees do have the right to ask employers to record their injury or illness on the 300 log as a privacy concern case. In such a case, employers do not enter the employees name on the 300 log. Instead, the employer enters privacy case in the space normally used for the employees name. Per 29 CFR part 1904.29b6, the employer would then keep a separate, confidential list of the case numbers and employee names for their privacy concern cases so they can update the cases and provide the information to the government if asked to do so see 29 CFR part 1904.29b69. Also, 29 CFR part 1904.29b9 provides that, even after the employees name has been removed, if an employer has a reasonable basis to believe that the information describing a privacy concern case may identify the employee, the employer may use discretion in describing the case on the OSHA
recordkeeping forms to protect the identity of the employee while still accomplishing the purpose of keeping the record.
141 Covered entities are health plans, health care clearinghouses, and health care providers who conduct certain standard transactions electronically see 45 CFR 160.103.

PO 00000

Frm 00234

Fmt 4701

Sfmt 4700

except as permitted or required by the Privacy Rule see 45 CFR part 164.502.
The term covered entity includes health plans, health care clearing houses, and health care providers who transmit health information in electronic form. For OSHA purposes, this mainly refers to a health care provider, defined in the Privacy Rule as any person or organization that furnishes, bills, or is paid for health care in the normal course of business.
The HIPAA Privacy Rule excludes certain individually identifiable health information from the definition of PHI.
For example, employment records held by a covered entity in its role as an employer are not PHI and the HIPAA
Privacy Rule would not affect the disclosure of health information contained in employment records to OSHA see 45 CFR part 160.103.
With respect to disclosures of PHI
made by covered entities directly to OSHA, the agency notes that the Privacy Rule specifically permits disclosures of PHI without an individuals authorization for certain purposes. Of particular significance is 45 CFR part 164.512, Uses and disclosures for which an authorization or opportunity to agree or object is not required. These standards do not compel a covered entity to disclose PHI. Instead, they permit the covered entity to make the requested disclosure without obtaining authorization from the individuals who are the subjects of the PHI. Section 164.512a of the Privacy Rule permits covered entities to use and disclose PHI, without an individuals authorization, when they are required to do so by another law. HHS has made clear that this provision encompasses an array of binding legal authorities, including statutes, agency orders, regulations, or other federal, state, or local governmental actions having the effect of law see 65 FR 82668. As a result, the Privacy Rule, in and of itself, generally does not provide a justification for a covered entity to refuse to disclose PHI
to OSHA as required by an OSHA
standard or regulation. Based on its finding that the ETS is necessary to address the grave danger that the SARS
CoV2 virus presents to workers, OSHA
further finds that the COVID19 log is critical to convey the specified information in a timely manner that is critical for worker protection.
A covered entity may also disclose PHI without an individuals authorization to public health authorities and to health oversight agencies see 45 CFR parts 164.512b and d. The preamble to the Privacy Rule issued in 2000 specifically mentions OSHA as an example of both
E:FRFM21JNR2.SGM

21JNR2