[Federal Register Volume 85, Number 147 (Thursday, July 30, 2020)] [Rules and Regulations] [Pages 45780-45793] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2020-15562] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF LABOR Occupational Safety and Health Administration 29 CFR Part 1913 [Docket No. OSHA-2020-0005] RIN 1218-AC95 Rules of Agency Practice and Procedure Concerning Occupational Safety and Health Administration Access to Employee Medical Records AGENCY: Occupational Safety and Health Administration (OSHA); Labor. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: OSHA is issuing a final rule to amend the regulation addressing the rules of agency practice and procedure concerning OSHA access to employee medical records. The final rule transfers the approval of written medical access orders (MAO) from the Assistant Secretary for Occupational Safety and Health (Assistant Secretary) to the OSHA Medical Records Officer (MRO) and makes the MRO responsible for making determinations regarding inter- [[Page 45781]] agency transfer and public disclosure of personally identifiable medical information in OSHA's possession. DATES: This final rule is effective on July 30, 2020. ADDRESSES: In accordance with 29 U.S.C. 2112(a)(2), OSHA designates, Mr. Edmund C. Baird, Associate Solicitor of Labor for Occupational Safety and Health, Office of the Solicitor, Room S-4004, U.S. Department of Labor, 200 Constitution Avenue NW, Washington, DC 20210, to receive petitions for review of the final rule. FOR FURTHER INFORMATION CONTACT: Press inquiries: Mr. Frank Meilinger, OSHA, Office of Communications; telephone: (202) 693-1999; email: [email protected]. General and technical information: Dr. Michael Hodgson, Director, OSHA Office of Occupational Medicine and Nursing; telephone: (202) 693- 1768; email: [email protected]. SUPPLEMENTARY INFORMATION: The final rule also amends Sec. 1913.10 to clarify that a written MAO does not constitute an administrative subpoena, eliminates outdated requirements for the removal of direct personal identifiers when OSHA personnel review medical information away from a worksite, and establishes new procedures for the access and safeguarding of personally identifiable employee medical information in electronic form. The revisions to Sec. 1913.10 in the final rule will increase employee privacy and enhance OSHA's ability to safeguard personally identifiable medical information. Table of Contents I. Background II. Legal Authority III. Summary and Explanation of the Final Rule IV. State Plans V. Regulatory Flexibility Certification VI. Environmental Impact Analysis VII. Federalism VIII. Unfunded Mandates IX. Consultation and Coordination With Indian Tribal Governments X. Office of Management and Budget Review Under the Paperwork Reduction Act of 1995 I. Background A. Introduction In order to carry out its statutory obligations, OSHA often reviews employee medical records. For example, OSHA may need to review employee medical records during a compliance inspection to determine whether an employer is in compliance with OSHA standards and regulations, or to verify that an employer has taken steps to correct existing violations. Access to employee medical records may also be necessary during inspections to determine the effectiveness of voluntary employer safety and health programs. OSHA also reviews medical records when gathering information during agency rulemaking to develop or revise occupational safety and health standards. Several OSHA standards and regulations mandate medical records access, including 29 CFR 1910.1020, Access to Employee Exposure and Medical Records, which sets forth procedures by which exposure and medical records can be accessed by employees, their designated representatives, and OSHA. This regulation, which applies to employers with employees exposed to toxic substances and harmful physical agents, provides OSHA representatives with prompt access to employee exposure and medical records and to analysis thereof using exposure or medical records. See 29 CFR 1910.1020(e)(3). In addition, several of OSHA's substance-specific standards include provisions for OSHA access to employee medical records. (e.g., 29 CFR 1910.25(n)(4) (Lead), and 29 CFR 1910.1028(k) (Benzene)). In many instances, OSHA must examine and copy employee medical information in personally identifiable form. Personally identifiable employee medical information as defined by 29 CFR 1913.10(b)(2) means employee medical information accompanied by either direct identifiers (name, address, social security number, payroll number) or by information which could reasonably be used in particular circumstances indirectly to identify specific employees (e.g., date of birth, race, sex, date of initial employment, job title). An employee medical record may include individual health histories as well as medical opinions and evaluations generated during diagnosis, physical examinations, or medical treatment by a health care professional. Because of the substantial personal privacy interests involved, OSHA authority to access personally identifiable employee medical information is exercised only after the agency has made a careful determination of the need for the information, and only when appropriate safeguards are in place to prevent unauthorized access. Once this information is accessed, OSHA examination and use is limited to only that information needed to accomplish a relevant statutory purpose. Also, personally identifiable employee medical information is retained by OSHA only for so long as needed to accomplish the purpose for access, is kept secured while being used, and is not disclosed to other agencies or members of the public except in narrowly defined circumstances. In addition, the examination and use of personally identifiable employee medical information is limited to only OSHA personnel with a need to review such information. This rule is not an Executive Order (E.O.) 13771 regulatory action because this rule is not significant under E.O. 12866. Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule not a `major rule', as defined by 5 U.S.C. 804(2). B. OSHA's Regulation at 29 CFR 1913.10 On May 25, 1980, OSHA issued a final rule entitled Rules of Agency Practice and Procedure Concerning OSHA Access to Employee Medical Records (45 FR 35284). The final rule was developed and published in concert with the promulgation of 29 CFR 1910.1020, Access to Employee Exposure and Medical Records (45 FR 35212). During the rulemaking, there was universal agreement that if OSHA obtained access to employee medical records, the access should be accompanied by stringent internal agency procedures to preclude abuse of personally identifiable medical information. Provided these procedures were established, many participants in the rulemaking endorsed OSHA access to employee medical records without the consent of the employee for occupational safety and health purposes (see 45 FR 35218). Except as provided in 29 CFR 1913.10(b)(3) through (6), the rules of agency practice and procedure apply to all requests by OSHA personnel to obtain access to records to examine and copy personally identifiable employee medical information, whether or not access is mandated by 29 CFR 1910.1020. Among other things, the regulation at 29 CFR 1913.10 establishes certain responsibilities for specific OSHA officials when the agency accesses personally identifiable employee medical information. The regulation also includes provisions addressing the internal use of employee medical records by agency personnel, as well as requirements for inter-agency transfer and public disclosure of such records. The regulation includes security procedures for the use and storage of employee medical records while in the agency's possession. Finally, the regulation sets forth internal [[Page 45782]] agency requirements for the retention and destruction of records. A key provision set forth in Sec. 1913.10 is that, with few exceptions, each request by an OSHA representative to examine or copy personally identifiable employee medical information must be made pursuant to a written access order. The written access order is an authorization for specific OSHA personnel to examine or copy personally identifiable employee medical information contained in records held by an employer or other record holder. The rules of agency practice and procedure in Sec. 1913.10 make clear that each written access order must state the statutory purpose for which access is sought, a general description of the type of employee medical information that will be examined and why there is a need to examine personally identifiable information, whether the medical information will be examined on-site, what type of information will be copied and removed off-site, and the anticipated time during which OSHA expects to retain the employee medical information in personally identifiable form. In order to enhance employee privacy, and clarify certain provisions, OSHA has determined that it is necessary to revise its regulation at Sec. 1913.10. For example, OSHA's previous regulation at Sec. 1913.10 used the term ``written access order.'' However, this final rule revises the regulatory text to include the more commonly used term ``medical access order'' or ``MAO.'' The final rule also amends the regulation at 29 CFR 1913.10 to transfer certain responsibilities from the Assistant Secretary to the OSHA Medical Records Officer (MRO). Specifically, the MRO will now be responsible for the overall administration and implementation of the procedures contained in Sec. 1913.10. These new responsibilities include making determinations regarding (1) OSHA access to personally identifiable employee medical information pursuant to a MAO, and (2) inter-agency transfer and public disclosure of personally identifiable employee medical information. The final rule also transfers responsibility from the Assistant Secretary to the MRO for issuing written directives that authorize OSHA compliance personnel to review certain information without obtaining a MAO. The final rule clarifies that a MAO does not constitute an administrative subpoena, and eliminates requirements for the removal of direct personal identifiers when OSHA personnel review medical information away from a workplace. The deletion of requirements for the removal of direct personal identifiers will be offset by new provisions designed to strengthen employee privacy. Finally, the final rule establishes new internal OSHA requirements, based on existing agency policy, for the access and safeguarding of personally identifiable employee medical information maintained in electronic form. The procedures set forth in Sec. 1913.10 are internal agency procedures and do not affect employer compliance with OSHA requirements. Employers and employees will benefit from the revisions to Sec. 1913.10 in several ways. First, since the process for determining whether there is a need for OSHA to review employee medical information will be more efficient, employers will know sooner if such a review is authorized at their worksite. Second, the elimination of the outdated requirement to remove direct personal identifiers before taking medical information off-site for review will reduce the amount of an employer's time and physical space needed by OSHA personnel when they visit a specific workplace. Third, the revisions will benefit employees because the procedures in Sec. 1913.10 to protect the security and privacy of employee medical records will be strengthened, especially with regard to medical information in electronic form. Fourth, the elimination of the requirement to remove direct personal identifiers before taking medical information off-site will enhance employee privacy because the removal process always carries with it the possibility that medical information will be misidentified or mislabeled, which could result in unauthorized staff mistakenly reviewing that information. Finally, deletion of the time-consuming de- identification procedures will mean that authorized OSHA personnel can conduct follow-up consultations with employees about their health more quickly. The notice and comment rulemaking procedures of 5 U.S.C. 553 of the Administrative Procedure Act (APA) do not apply to ``interpretive rules, general statements of policy, or rules of agency organization, procedure, or practice.'' 5 U.S.C. 553(b)(A). The provisions in 29 CFR 1913.10 are rules of agency procedure and practice within the meaning of section 553(b)(A) of the APA. Therefore, publication in the Federal Register of a notice of proposed rulemaking and request for comments is not required. Furthermore, because this rule is procedural rather than substantive, the normal requirement of 5 U.S.C. 553(d) that a rule not be effective until at least 30 days after publication in the Federal Register is inapplicable. OSHA also finds good cause to provide an immediate effective date for this rule, because it imposes no obligations on parties outside the federal government and therefore no advance notice is required to enable employers or other private parties to come into compliance. II. Legal Authority The Occupational Safety and Health Act of 1970, 29 U.S.C. 651 et seq. (OSH Act) authorizes the Secretary to issue two types of occupational safety and health rules: Standards and regulations. Standards, which are authorized by section 6 of the Act, specify remedial measures to be taken to prevent and control employee exposure to identified occupational safety and health hazards, while regulations are the means to effectuate other statutory purposes, including the maintaining of records. For example, the OSHA requirements at 29 CFR 1910.95 are a ``standard'' because they include remedial measures to address the specific and already identified hazard of employee exposure to occupational noise. In contrast, a ``regulation'' is a purely administrative effort designed to uncover violations of the Act and discover unknown dangers. The procedural regulations in 29 CFR 1913.10 are necessary to enable the use of employee medical records by OSHA consistent with the employee's right of privacy. In section 2(b) of the OSH Act, Congress declared the overriding purpose of the Act is ``to assure so far as possible every working man and woman in the Nation safe and healthful working conditions.'' (29 U.S.C. 651.) Congress also explicitly declared that this must be accomplished, among other ways, ``by providing an effective enforcement program . . .'' (29 U.S.C. 651(b)(10)). For the Secretary of Labor to conduct an effective enforcement program, he or she must determine whether occupational safety and health hazards exist in the workplace. To that end, the OSH Act authorizes the Secretary to enter and inspect workplaces and to conduct reasonable investigations into working conditions. Section 8(a) of the OSH Act authorizes OSHA to enter, inspect, and investigate places of employment, and section 8(b) permits OSHA to subpoena both witnesses and evidence when conducting inspections and investigations. (29 U.S.C. 657(a) and (b)). As noted above, in some instances, it may be necessary for OSHA to examine personally identifiable employee medical information. Section [[Page 45783]] 8 of the OSH Act recognizes OSHA's right of access to medical records, and records access is mandated by OSHA standards and regulations, including 29 CFR 1910.1020(e)(3) (access to employee exposure and medical records). OSHA relies on administrative subpoenas to compel production of medical records by employers and other record holders. OSHA is issuing the final rule pursuant to authority expressly granted in section 8 of the OSH Act. Section 8(c)(1) requires each employer to ``make, keep, preserve, and make available to the Secretary [of Labor] or the Secretary of Health and Human Services, such records regarding his activities relating to this Act as the Secretary, in cooperation with the Secretary of Health and Human Services, may prescribe by regulation as necessary or appropriate for the enforcement of this Act or for developing information regarding the causes and prevention of occupational accidents and illnesses'' (29 U.S.C. 657(c)(1)). Employee medical records are included within the type of records addressed by this provision. Section 8(g)(1) of the OSH Act provides that the Secretary and Secretary of Health and Human Services are authorized to compile, analyze, and publish, either in summary or detailed from, all records or information obtained under this section (29 U.S.C. 657(g)(1)). Section 8(g)(2) is the general rulemaking authority of the OSH Act and provides that the Secretary and the Secretary of Health and Human Services shall prescribe such rules and regulations as he may deem necessary to carry out their responsibilities under this Act, including rules and regulations dealing with the inspection of an employer's establishment. III. Summary and Explanation of the Final Rule Section 1913.10(b)--Scope and Application OSHA's regulation at 29 CFR 1913.10(b), Scope and application, defines the circumstances under which the procedural regulations in Sec. 1913.10 will apply. Except as provided in paragraphs (b)(3) through (6), the policies and procedures in Sec. 1913.10 apply to all requests by OSHA personnel to access personally identifiable employee medical information. In general, 29 CFR 1913.10 requires OSHA personnel to obtain a MAO (previously ``written access order,'' but referred to in this section as ``MAO'' as it is in the final rule) when accessing personally identifiable employee medical information. However, under certain circumstances, the regulation states that OSHA access may be accomplished without obtaining a MAO. For example, Sec. 1913.10(d)(4)(i) provides that a MAO is not needed when an employee gives specific written consent for OSHA to access their medical records. Also, Sec. 1913.10(b)(3) through (5) include several categories of records that are not subject to Sec. 1913.10 and therefore may be accessed without obtaining a MAO. These categories of records include medical information that is not in personally identifiable form, injury and illness records required by 29 CFR part 1904, death certificates, employee exposure records, and medical information obtained in the course of litigation. In addition, previous Sec. 1913.10(b)(6) provided that the policies and procedures in Sec. 1913.10 do not apply when a written directive by the Assistant Secretary authorizes appropriately qualified personnel to conduct limited review of specific medical information mandated by an OSHA standard or of specific biological monitoring test results. This final rule amends Sec. 1913.10(b)(6) to state that the MRO is now responsible for issuing these written authorization directives. OSHA Directive CPL 02-02-072, Rules of agency practice and procedure concerning OSHA access to employee medical records, August 22, 2007, includes authorization for review of three categories of information based on the provisions in Sec. 1913.10(b)(6). The directive authorizes OSHA compliance personnel to review (1) medical opinions mandated by OSHA standards, (2) information required by a medical surveillance program, and (3) certain information used to verify compliance with the injury and illness recordkeeping requirements in 29 CFR part 1904. OSHA personnel do not need a MAO when they access the information at a workplace pursuant to a written directive under Sec. 1913.10(b)(6). Instead, OSHA personnel follow the procedures set forth in the written directive. The 2007 directive includes provisions on how OSHA personnel may access the specific types of information and how the information should be protected once in the agency's possession. OSHA believes the MRO is in the best position to make determinations regarding written authorization under Sec. 1913.10(b)(6). Section 1913.10(c)(2) already provides that the MRO must have experience or training in the evaluation, use, and privacy protection of medical records, and, as discussed below in this preamble, paragraph (c) of Sec. 1913.10 has been amended to provide that the MRO is now responsible for the overall administration of the policies and procedures in Sec. 1913.10. Also, as part of the final rule, paragraph (c) now states that the MRO is specifically responsible for making determinations regarding the approval of MAOs, inter-agency transfer, and public disclosure of identifiable employee medical records. Given all the new MRO responsibilities set forth in paragraph (c), as well as the existing duties in the other paragraphs of the regulation, it is appropriate to also make the MRO responsible for written authorization under paragraph (b)(6). Accordingly, final Sec. 1913.10(b)(6) states that the provisions of 29 CFR 1913.10 do not apply where a written directive by the MRO authorizes appropriately qualified personnel to conduct limited review of specific medical information mandated by an occupational safety and health standard or of specific biological monitoring test results. OSHA will also amend Directive CPL 02-02-072 to reflect the new regulatory text in paragraph (b)(6). Section 1913.10(c)--Responsible Persons OSHA's regulation at 29 CFR 1913.10(c) establishes certain responsibilities for OSHA personnel when the agency accesses personally identifiable employee medical information. Paragraph (c) is largely a summary of duties established by other paragraphs in Sec. 1913.10 and sets forth specific responsibilities for the Assistant Secretary, MRO, and Principal OSHA Investigator. The final rule amends several provisions in paragraph (c) to emphasize the responsibilities of the MRO. Under the previous regulation, paragraph (c)(1) provided that the OSHA Assistant Secretary was responsible for the overall administration and implementation of the policies and procedures in Sec. 1913.10. This responsibility included making determinations regarding (1) OSHA access to personally identifiable employee medical information and (2) interagency transfer or public disclosure of personally identifiable employee medical information. Also under the previous regulation, Sec. 1913.10(d)(1) provided that each request by an OSHA representative to access information through a written access order must be approved by the Assistant Secretary upon the recommendation of the MRO. Section 1913.10(c)(2) of the previous regulation provided that the Assistant Secretary was responsible for designating an OSHA official with experience or training in the evaluation, [[Page 45784]] use, and privacy protection of medical records to be the MRO. The MRO, who reported directly to the Assistant Secretary on matters related to Sec. 1913.10, was responsible for making recommendations to the Assistant Secretary on whether to approve or deny written access orders, and served as the central reviewer of the sufficiency and justification of these documents. The MRO was also responsible for responding to employee, collective bargaining agent, and employer objections to written access orders. In addition, Sec. 1913.10(c)(2) of the previous regulation stated that the MRO was responsible for controlling the use of direct personal identifiers; controlling internal agency use and security of personally identifiable employee medical information; assuring that the results of agency analysis of personally identifiable employee medical information are, where appropriate, communicated to employees; preparing an annual report for the Assistant Secretary on OSHA's experience with respect to Sec. 1913.10; and assuring that adequate notice is given of intended inter- agency transfers or public disclosures of personally identifiable employee medical information. The other OSHA official with important responsibilities when the agency accesses employee medical information is the Principal OSHA Investigator. Section 1913.10(c)(3) provides that the Principal OSHA Investigator is the OSHA employee designated on the MAO who is primarily responsible for ensuring that OSHA examination and use of employee medical information is in accordance with the provisions of the MAO and Sec. 1913.10. In most instances, the Principal OSHA Investigator named on a MAO is an employee from an OSHA Regional or Area Office and determines how and when employee medical information will be accessed during an OSHA inspection or investigation. In practice, the Principal OSHA Investigator is responsible for ensuring that the provisions of the MAO and Sec. 1913.10 are followed by OSHA personnel when medical information is accessed at a specific workplace. As provided in Sec. 1913.10(c)(3), the Principal OSHA Investigator must be professionally trained in medicine, public health, or similar fields (epidemiology, toxicology, industrial hygiene, biostatistics, environmental health) when access is made pursuant to a MAO. The provisions in Sec. 1913.10(c)(3) concerning the Principal OSHA Investigator are unchanged by the final rule. The final rule retains the Assistant Secretary's responsibility to designate an OSHA official as MRO. However, this responsibility is now set forth in Sec. 1913.10(c)(1). Like the previous regulation, Sec. 1913.10(c)(1) of the final rule states that the Assistant Secretary shall designate an OSHA official with experience or training in the evaluation, use, and privacy protection of medical records to be the OSHA Medical Records Officer. The final rule also states that the Assistant Secretary may change the designation of the MRO at will. The final rule includes several changes to paragraph (c)(2), OSHA Medical Records Officer. Some of these changes transfer specific responsibilities from the Assistant Secretary to the MRO while other responsibilities assigned to the MRO in Sec. 1913.10(c)(2) are carried over from the previous regulation. The final rule amends paragraph (c)(2) to provide that the MRO is now responsible for the overall administration and implementation of the procedures contained in Sec. 1913.10. OSHA believes there are two central principles that form the basis of the procedural requirements in Sec. 1913.10: (1) There should be a thorough review of all efforts to examine or copy personally identifiable employee medical information before the information is obtained and (2) personally identifiable information must be carefully protected once obtained. OSHA also believes the MRO is in the best position to ensure that the central principles of Sec. 1913.10 are carried out by the agency. As already noted, paragraph (c)(1) of the final rule, like the previous regulation, provides that the MRO must have experience and training in the evaluation, use, and privacy protection of medical records. Historically, a physician from OSHA's Office of Occupational Medicine and Nursing (OOMN) has been designated as MRO, and, in most cases, the person designated has been the Director of OOMN. As a result, the MRO has had an extensive background in both medicine and administration. Additionally, under the previous regulation, the MRO was already responsible for ensuring the sufficiency and justification of MAOs and making recommendations to the Assistant Secretary on whether to approve or deny such documents. The MRO also has several duties set forth throughout the other paragraphs in Sec. 1913.10 and therefore has a good understanding of the day-to-day implementation of the regulation. Under the final rule, the MRO will now be responsible for making determinations regarding whether to approve or deny MAOs, any inter- agency transfer, and public disclosures of personally identifiable employee medical information, as well as whether to issue written directives authorizing OSHA personnel to conduct limited review of certain medical information without an MAO. Accordingly, the extensive medical and administrative experience, the responsibilities under the previous regulation, and the new responsibilities assigned by this final rule make the MRO the logical OSHA official to have responsibility for the overall administration and implementation of the procedures in Sec. 1913.10. While the final rule limits the role of the Assistant Secretary in the day-to-day implementation of Sec. 1913.10, the Assistant Secretary still maintains an important oversight responsibility. As in the previous regulation, the Assistant Secretary retains the responsibility for naming an OSHA official as MRO, with the ability to replace the MRO at will, and the MRO must still report to the Assistant Secretary on matters related to Sec. 1913.10. In practice, the MRO will continue to consult with the Assistant Secretary on MAO approval, inter-agency transfers, and public disclosures of personally identifiable employee medical information. In addition, paragraph (l) requires the MRO to prepare an annual report for the Assistant Secretary on matters related to the approval and purpose of MAOs, objections to MAOs, and inter- agency transfers and public disclosures during the previous year. The responsibility to designate an OSHA official as MRO, continued consultation, and receiving reports from the MRO will keep the Assistant Secretary informed about OSHA's overall implementation of Sec. 1913.10. Accordingly, like the previous regulation, the final rule at paragraph (c)(2) provides that the MRO is responsible for reporting directly to the Assistant Secretary on matters concerning Sec. 1913.10. Under the final rule, the MRO is also now responsible for making determinations concerning (1) access to personally identifiable employee medical information and (2) interagency transfer or public disclosure of personally identifiable employee medical information. These two responsibilities had been assigned to the Assistant Secretary in previous Sec. 1913.10(c)(1). Section 1913.10(c)(2)(i) of the final rule states that the MRO is responsible for making determinations concerning [[Page 45785]] OSHA access to personally identifiable employee medical information under Sec. 1913.10(d). Paragraph (d) addresses OSHA access to personally identifiable employee medical information by MAO. With the exception of two circumstances described at the end of paragraph (d), each request by OSHA to examine or copy personally identifiable employee medical information is made pursuant to an MAO. Paragraph (d)(2) sets criteria the agency must follow when it seeks access to identifiable medical information, and paragraph (d)(3) sets forth the content to be included in the MAO. In order to be valid, an MAO must be approved by the MRO using the criteria in paragraph (d)(2). First, the MRO must consider whether the information to be examined or copied is relevant to a statutory purpose and whether there is a need to gain access to the information. The MRO has the responsibility, on a case-by-case basis, to ensure that access is sought only where there is a genuine need to do so. OSHA believes that a finding of relevance and need by the MRO is a significant safeguard against excessive use of the agency's authority to access personally identifiable employee medical information. Paragraph (d)(2) next states that consideration must be given to whether the personally identifiable employee medical information subject to the MAO is limited to only that information needed to accomplish the purpose for access. This provision is aimed at preventing OSHA access to extraneous medical information unrelated to the purpose for access. Lastly, paragraph (d)(2) states that the MRO must determine that the personnel authorized to review the medical information are limited to those who have a need for access and have appropriate professional qualifications. The limiting of personnel that can review and analyze information to only those who have a need for access and who have appropriate professional qualifications is important for maintaining the confidentiality of employee medical records. OSHA believes the MRO is in the best position to evaluate the criteria in paragraph (d) and make determinations on whether to approve or deny MAOs. Typically, the MRO has extensive subject-matter clinical experience and expertise in occupational medicine. This allows the MRO to evaluate whether, and to what extent, employee medical information needs to be accessed by OSHA. Accordingly, paragraph (d)(2) has been amended to state that, before approving an MAO, the MRO must determine that the documents meet the criteria in that paragraph. For similar reasons, the MRO is also now responsible for making determinations concerning inter-agency transfer and public disclosure of personally identifiable employee medical information. Section 1913.10(m) describes the circumstances under which personally identifiable employee medical information can be transferred to another agency or disclosed to the public. The requirements in paragraph (m) remain unchanged from the previous regulation. However, the provisions in paragraph (m), as well as paragraph (c)(2), are amended by the final rule to provide that the MRO, not the Assistant Secretary, is now responsible for making determinations regarding inter-agency transfer and public disclosure of personally identifiable employee medical information. The individual provisions in paragraph (m) are amended to cross reference with the new MRO responsibility established in Sec. 1913.10(c)(2)(vii). The following discussion of the individual provisions in paragraph (m) clarifies the MRO's new responsibility for making determinations concerning inter-agency transfer and public disclosure set forth in Sec. 1913.10(c)(2). The previous regulation at Sec. 1913.10(m)(1) stated that personally identifiable employee medical information shall not be transferred to another agency or office outside of OSHA (other than the Office of the Solicitor of Labor) or disclosed to the public (other than to the affected employee or the original recordholder) except when required by law or when approved by the Assistant Secretary. The final rule amends paragraph (c)(2)(vii) to make clear that the MRO is now responsible for making these determinations. The final rule also amends paragraph (m) to provide that the MRO must follow specific criteria when making determinations concerning inter- agency transfer and public disclosure of personally identifiable employee medical information. OSHA's longstanding position is that inter-agency transfer and public disclosure of personally identifiable employee medical information should be carefully considered, and paragraph (m) addresses these issues. Inter-agency transfer and public disclosure of personally identifiable employee medical information are not categorically prohibited by the regulation for two reasons. OSHA believes (1) it cannot legally make such a commitment and (2) situations arise where transfer or disclosure is appropriate. Under certain circumstances, as a matter of law, OSHA is compelled to transfer information to another agency or disclose it to a non-governmental individual. For example, OSHA might be required to provide the information in response to a lawful subpoena. In other circumstances, disclosure may also be appropriate. For example, in order to resolve a public health problem, OSHA may need to transfer employee medical information to another federal or state agency. In such situations, the transfer of employee medical information may be critical in identifying an emerging health issue, compiling data on worker fatalities from specific exposure, or evaluating the effectiveness of workplace controls designed to prevent occupational illness at manufacturing facilities. OSHA notes that inter-agency transfer and public disclosure of personally identifiable employee medical information is not a common occurrence. In the last five years, the agency has made only three inter-agency transfers of personally identifiable employee medical information to another federal or state agency. OSHA also notes that inter-agency transfer and public disclosure of employee medical information not in personally identifiable form is not subject to provisions in Sec. 1913.10. Paragraph (m) of Sec. 1913.10 includes strict limitations on inter-agency sharing and public disclosure of employee medical information. Except when required by law, all inter-agency transfer or public disclosure of personally identifiable employee medical information must be approved by the MRO in accordance with the criteria in paragraph (m). Paragraph (m)(2) states that, except as provided for in paragraph (m)(3), the MRO shall not approve a request for an inter-agency transfer, which has not been consented to by the affected employee, unless the request is by a public health agency. Under this provision, transfer of medical information is permitted only to a public health agency for a substantial public health purpose. The regulation goes on to state that the MRO can approve the transfer only if the public health agency (1) needs the information for substantial public health purposes, (2) will not use the information to make individual determinations concerning affected employees which could be to their detriment, (3) has regulations or written established procedures providing protection for personally identifiable medical information substantially equivalent to Sec. 1913.10, [[Page 45786]] and (4) satisfies an exemption to the Privacy Act to the extent the Privacy Act applies to the requested information. Because OSHA collects medical information only for a public health purpose, OSHA believes it is appropriate to restrict all subsequent discretionary transfers to those agencies with an equivalent public health purpose. The MRO must review each request for a transfer on a case-by-case basis by taking into account each of the listed criteria in paragraph (m)(2). Most importantly, in order to protect individual privacy, the MRO must be satisfied that the recipient agency's privacy protections are equivalent to OSHA's. Paragraph (m)(3) contains two exceptions to the requirements of paragraph (m)(2). First, upon the approval of the MRO, personally identifiable employee medical information can be shared with the National Institute for Occupational Safety and Health (NIOSH). Like OSHA, NIOSH is a public health agency and its research activities complement OSHA's regulatory responsibilities. OSHA's ability to analyze employee medical records is often improved by gaining NIOSH assistance, and medical information collected by OSHA may have major research value for NIOSH. Also, because of its frequent use of medical information, and sensitivity to individual privacy, NIOSH has procedures in place that provide for the protection of personally identifiable medical information that are substantially equivalent to Sec. 1913.10. As a result, employee medical information may be transferred to NIOSH if approved by the MRO without further inquiry into the sufficiency of its programs for protecting medical records. Paragraph (m)(3) also permits, upon the approval of the MRO, the inter-agency transfer of personally identifiable employee medical information to the U.S. Department of Justice when necessary with respect to a specific action under the OSH Act. For example, the Justice Department prosecutes criminal violations under the OSH Act, as well as civil penalty collection actions. The Justice Department also represents OSHA in Freedom of Information Act (FOIA) lawsuits. Personally identifiable employee medical information may be relevant in these legal actions, and OSHA must be able to share information in these circumstances. Paragraphs (m)(4) and (5) address public disclosure of personally identifiable employee medical information which has not been consented to by the affected employee. Paragraph (m)(4) provides that the MRO shall not approve a request for public disclosure of employee medical information containing personal identifiers unless there are compelling circumstances affecting the health or safety of an individual. Also, paragraph (m)(5) states that the MRO shall not approve a request for public disclosure of employee medical information which contains information which could reasonably be used indirectly to identify specific employees when the disclosure would constitute a clearly unwarranted invasion of personal privacy. Finally, paragraph (m)(6) retains the provision from the previous regulation that, except as to inter-agency transfer to NIOSH or the Department of Justice, the MRO shall ensure that advance notice is provided to any collective bargaining agent representing affected employees and to the employer on each occasion OSHA intends to transfer personally identifiable employee medical information to another agency or disclose it to a member of the public other than to an affected employee. When feasible, the MRO must take reasonable steps to assure that advance notice is provided to affected employees when the employees' medical information to be transferred or disclosed contains direct personal identifiers. Finally, the final rule at Sec. 1913.10(c)(2) retains several provisions from the previous regulation. Specifically, paragraph (c)(2)(iii) continues to provide that the MRO is responsible for responding to MAO objections, and paragraph (c)(2)(iv) continues to provide that the MRO is responsible for overseeing the internal use and security of personally identifiable employee medical information. Two other MRO responsibilities in paragraph (c)(2) have been retained from the previous regulation but have been renumbered under the final rule. Paragraph (c)(2)(v), formerly paragraph (c)(2)(vi), continues to provide that the MRO is responsible for assuring that the results of agency analyses of personally identifiable medical information are, where appropriate, communicated to employees. Paragraph (c)(2)(vi), formerly paragraph (c)(2)(vii), retains the provision that the MRO is responsible for preparing an annual report of OSHA's experience under Sec. 1913.10. Section 1913.10(d)(1)--Requirements for Medical Access Orders OSHA's previous regulation at Sec. 1913.10(d)(1) stated that, except as provided in paragraph (d)(4), each request by an OSHA representative to examine or copy personally identifiable employee medical information contained in a record held by an employer or other record holder shall be made pursuant to a written access order which has been approved by the Assistant Secretary upon the recommendation of the OSHA Medical Records Officer. Paragraph (d)(1) went on to state that, if deemed appropriate, a written access order may constitute, or be accompanied by, an administrative subpoena. As explained above, the MRO is now responsible for the approval or denial of MAOs, and paragraph (d)(1) has been revised to reflect this change. The final rule also amends paragraph (d)(1) to make clear that a MAO does not constitute an administrative subpoena. An administrative subpoena is a written order issued by OSHA to require an employer, or any other person, to produce listed records, documents, testimony and/or other supporting evidence relevant to an inspection or investigation under the OSH Act. If the person served with a subpoena refuses to honor (or only partially honors) the order, the subpoena is subject to judicial review and enforcement by a U.S. District Court. OSHA Regional Administrators have authority to issue administrative subpoenas and are also authorized to delegate to Area Directors the authority to issue routine administrative subpoenas. OSHA's policies and procedures for issuing an administrative subpoena are set forth in OSHA Instruction ADM 01-00-002, August 19, 1991. In contrast, a MAO is an authorization for specified OSHA personnel to examine or copy personally identifiable employee medical information contained in a record held by an employer or some other record holder. Since an MAO relates to internal OSHA procedures, it cannot be used to compel the production of records, nor be enforced in a U.S. District Court. Historically, OSHA has not treated an MAO as equivalent to an administrative subpoena. OSHA's longstanding practice has been to rely on an administrative subpoena to compel production of medical records by employers. See OSHA's August 22, 2007, Instruction CPL 02-02-072, Rules of agency practice and procedure concerning OSHA access to employee medical records. MAOs set forth internal OSHA procedure for assuring appropriate confidentiality of medical records is observed by OSHA personnel. As a result, except when reasonably certain that the employer will grant access to employee medical [[Page 45787]] information, OSHA personnel present an administrative subpoena to the employer concurrently with an MAO. The final rule amends Sec. 1913.10(d)(1) to state that except as provided in paragraph (d)(4), each request by an OSHA representative to examine or copy personally identifiable employee medical information contained in a record held by an employer or other recordholder shall be made pursuant to a written medical access order which has been approved by the OSHA Medical Records Officer. A medical access order does not constitute an administrative subpoena. Section 1913.10(g)--Removal of Direct Personal Identifiers OSHA's previous regulation at Sec. 1913.10(g) provided that all direct personal identifiers (e.g., name, address, Social Security Number, payroll number) must be removed by OSHA personnel whenever employee medical information obtained pursuant to a written access order is taken off-site, unless otherwise directed by the MRO. The regulation also required the Principal OSHA Investigator to code the medical information and the list of direct personal identifiers with a unique identifying number for each employee and then hand deliver or mail the list of identifiers to the MRO. The MRO thereafter controlled the use and distribution of the list of coded identifiers to those with a need to know its contents. In addition, the numerical coded medical information was to be used and kept secured as though still in a directly identifiable form. Paragraph (g) was originally promulgated by OSHA when the rules of agency practice and procedure were issued in 1980. At that time, electronic medical records did not exist, and the employee records that did exist were maintained almost entirely in paper form. Since 1980, the number of medical records maintained by employers and other record holders has substantially increased, and the majority of these records are now maintained in electronic form. The final rule revises Sec. 1913.10 by deleting the outdated procedures set forth in paragraph (g). OSHA is eliminating this internal requirement for several reasons. First, existing access and safeguarding requirements in Sec. 1913.10 already address privacy concerns when OSHA takes medical information away from a workplace for off-site review. Specifically, paragraph (h) of Sec. 1913.10 provides that only authorized personnel may examine or copy personally identifiable employee medical information. As explained below, OSHA experience is that this process can result in coding and re-coding errors in individual employee medical records. Likewise, it provides that, unless an exception applies, OSHA personnel and contractors are authorized to use information only for the purpose for which it was obtained. In addition, paragraph (h)(5) states that, whenever practicable, the examination of personally identifiable employee medical information shall be conducted on-site with a minimum of medical information taken off-site in a personally identifiable form. Additionally, paragraph (i) of Sec. 1913.10 includes security procedures for handling personally identifiable employee medical information. For example, paragraph (i)(1) provides that files containing personally identifiable employee medical information shall be segregated from other agency files and, when not in active use, must be kept in a locked cabinet or vault. In practice, the locking requirement extends to when medical information is transported from the workplace, as OSHA personnel place records in a locked trunk during transport by automobile. Second, paragraph (n) of this final rule establishes new requirements for the access and safeguarding of personally identifiable employee medical information in electronic form. As discussed more extensively below, paragraph (n) of the final rule provides that the Principal OSHA Investigator is responsible for preventing any careless, accidental, or unintentional disclosure of, modification to, or destruction of electronic medical records. Paragraph (n)(3) of the final rule provides that the transfer and/or duplication of medical records in electronic form must be kept to the minimum necessary to accomplish the purpose for which it was obtained. Also, paragraph (n)(4) states that electronic files containing personally identifiable employee medical information shall be downloaded only to a computer hard drive or laptop that is secured (e.g., password protected). Paragraph (n)(4) now includes the Government standards that address secure access to Government systems and the data they contain: Federal Information Processing Standards (FIPS) 201-2, ``Personal Identity Verification (PIV) of Federal Employees and Contractors''; and HSPD-12, ``Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD- 12).'' In addition, paragraph (n)(5) provides that electronic files containing personally identifiable employee medical information must be encrypted before transferred to authorized individuals. OSHA believes the safeguards for electronic medical records established by this final rule, which are based on existing OSHA practices and policy, enhance privacy protection and reduces the need to remove direct personal identifiers when OSHA personnel take personally identifiable employee medical information off-site. OSHA's experience is that de-identification increases the risk of mislabeling or misidentifying employee medical records and places a burden on agency resources by requiring additional OSHA staff time to accurately conduct de-identification and copying of employee medical records. In some cases, depending on the number of employees at a specific facility, OSHA employees may spend several hours finding and removing each direct personal identifier within each affected employee's medical record. The deletion of paragraph (g) will reduce the amount of time and physical space needed by OSHA personnel at a worksite. Finally, the deletion of de-identification procedures in paragraph (g) will simplify follow-up communication from authorized OSHA personnel with individual employees after evaluation of their medical information. For example, by not having to complete a potentially extensive de-identification process, critical medical information about an employee will be reviewed by an OSHA physician sooner, and this will allow the physician to conduct follow-up consultation with the employee in a timely manner. Also, because personally-identifiable information will remain in the medical records taken from a workplace for off-site review, it will make it easier for the OSHA physician to identify employees, compare associated records, and contact individual employees. For all of the above reasons, OSHA has concluded that the removal of direct personal identifier requirements in paragraph (g) should be deleted. Section 1913.10(n)--Medical Records Maintained in Electronic Form In many cases, employers and other record holders maintain personally identifiable employee medical information in electronic form. OSHA's regulation at 29 CFR 1910.1020 provides that a ``record'' includes any item, collection, or grouping of information regardless of the form or process by which it is maintained (e.g., paper, document, microfilm, X-ray film, or [[Page 45788]] automated data processing). Medical records may also be maintained on media such as magnetic tape, computer disks, USB storage devices (e.g., thumb drives), and online computer storage. Historically, OSHA personnel have followed the requirements in 29 CFR 1913.10 when accessing personally identifiable employee medical information maintained in electronic form. However, the regulation did not include provisions that specifically addressed electronic medical records. The final rule establishes new internal policies and procedures in paragraph (n) to Sec. 1913.10 that specifically address OSHA access, use, and safeguarding of personally identifiable employee medical information maintained in electronic form. Since the rules of agency practice and procedure were first issued in 1980, medical professionals have increasingly relied on the use and storage of medical records in electronic form. These records tend to improve the quality of health care and have several practical advantages over paper records. For example, electronic medical records can be accessed by health care professionals at any time from any given location. Legible records can also lead to more accurate diagnosis, treatment, and drug prescription. Electronic medical records are cost- effective because they take up less storage space and can be stored indefinitely. However, because they are in electronic form, these records also present unique challenges to security, privacy, and data integrity. OSHA believes the best way to protect the security and confidentiality of personally identifiable employee medical information in electronic form is to prevent unauthorized access to such information. Several effective administrative, technological, and physical measures can be taken to protect electronic medical information from unauthorized access, use, disclosure, disruption, modification, or destruction. These methods include establishing specific security roles and responsibilities for OSHA officials, technology safeguards such as encryption or firewalls to protect against electronic breaches, ID/password protection for devices and information systems, and the use of anti-virus and intrusion detection software. The establishment of new internal OSHA policies and procedures in paragraph (n) of this final rule will effectively protect the security, privacy, and data integrity of employee medical information in electronic form. Section 1913.10(n)(1) of the final rule provides that, in general, when accessing and/or copying personally identifiable employee medical information in electronic form, OSHA personnel shall follow the requirements set forth in 29 CFR 1913.10. As noted above, OSHA personnel have historically followed the rules of agency practice and procedure in Sec. 1913.10 when accessing employee medical information in electronic form, and many of the provisions in Sec. 1913.10 are applicable regardless of the format used to maintain information. As a result, unless specifically addressed in paragraph (n), OSHA personnel should continue to follow the rules of agency practice and procedure in paragraphs (a) through (m) when accessing and safeguarding electronic employee medical information. Section (n)(2) of the final rule includes responsibilities for the Principal OSHA Investigator when OSHA personnel access personally identifiable employee medical information in electronic form. Specifically, paragraph (n)(2) states that when personally identifiable employee medical information in electronic form is taken off-site, the Principal OSHA Investigator is primarily responsible for ensuring that such information is properly used and kept secured. This provision is based on the requirement in paragraph (h)(1) of Sec. 1913.10, which provides that the Principal OSHA Investigator is responsible for ensuring that medical information is used and kept secured in accordance with Sec. 1913.10. Other specific responsibilities assigned to the Principal OSHA Investigator in paragraph (n)(2) include preventing any accidental or unintentional disclosure of, modification to, or destruction of personally identifiable employee medical information in electronic form (paragraph (n)(2)(i)); controlling the flow of data into, through, and from agency computer operations (paragraph (n)(2)(ii)); and ensuring that distribution and review of medical information in electronic form is limited to only those OSHA personnel and contractors with a need for access (paragraph (n)(2)(iii)). The requirement in paragraph (n)(2)(iii) is derived from Sec. 1913.10(d)(2)(iii), which provides that, before approving a MAO, the MRO must determine that personnel authorized to review and analyze personally identifiable employee medical information are limited to those who have a need for access and have appropriate qualifications. As discussed above, the Principal OSHA Investigator is the OSHA employee in the field with primary responsibility for ensuring that the examination and use of employee medical information is in accordance with Sec. 1913.10. As such, the Principal OSHA Investigator is responsible for ensuring that the provisions in paragraph (n) are followed by OSHA personnel when electronic medical information is accessed from a specific workplace. For example, this would include ensuring that access to personally identifiable employee medical records in electronic form is limited to only authorized personnel with a need to review the information, ensuring that employee medical information is only downloaded to a secured device (e.g., password protected), and verifying that medical information is deleted or destroyed when no longer needed by the agency. Section 1913.10(n)(3) of the final rule provides that the transfer and/or duplication of medical information in electronic form shall be kept to the minimum necessary to accomplish the purpose for which it was obtained. This provision is similar to paragraph (i)(3) of Sec. 1913.10, which states that the photocopying or other duplication of personally identifiable employee medical information shall be kept to the minimum necessary to accomplish the purpose for which the information was obtained. In some cases, personally identifiable employee medical information in electronic form needs to be transferred or duplicated to facilitate internal OSHA review. For example, in order to conduct a proper workplace inspection or investigation, it may be necessary for OSHA personnel to transfer employee medical records to another OSHA employee with expertise on a specific occupational health hazard. Paragraph (n)(3) of the final rule permits the transfer and duplication of electronic medical information but only to authorized individuals with a need to review the information. Transfer and duplication are also limited to the minimum necessary to accomplish the purpose for which it was obtained. An example of this limitation might include the review of a medical record to determine whether an employee has sustained a work- related injury or illness. In such cases, review of a medical record would extend only to information about the employee's injury or illness. In this example, the transfer and/or duplication of electronic medical information unrelated to the injury or illness would not be permitted. Additionally, OSHA believes the likelihood that medical information in electronic form will be lost, altered, or destroyed increases during transfer or duplication. The duplication of electronic medical information can also [[Page 45789]] raise concern about data integrity. For example, the copying or deleting of employee medical information from one document to another raises concern about the accuracy of the information. Accordingly, personally identifiable electronic medical information should be transferred only to authorized individuals with a need to know the information and should be duplicated only to facilitate authorized internal agency review. Consistent with existing OSHA policy, Sec. 1913.10(n)(4) of the final rule states that electronic files containing personally identifiable employee medical information shall be downloaded only to a computer hard drive or laptop that is in accordance with Federal Information Processing Standard (FIPS) 201-2, ``Personal Identity Verification (PIV) of Federal Employees and Contractors,'' and ``Homeland Security Presidential Directive 12: Policy for Common Identification Standard for Federal Employees and Contractors (HSPD- 12).'' The use of secured technology when downloading medical records will help to ensure that information is (1) accessed only by authorized individuals with a need-to-know and (2) not modified or deleted. In accordance with current OSHA and Federal Government policy, the use of password protection is easy to implement, cost-effective, and a reliable method for securing electronic information. By downloading employee medical information to a secured hard drive or laptop, OSHA personnel will be able to ensure that only individuals that know the password can open a document and read its content. This practice also provides a level of protection that goes with the document no matter where it is stored or sent. Finally, because tampering with a secured device takes time and effort, providing this level of protection acts as a deterrent to accessing document content by unauthorized individuals. Additionally, it is important for OSHA personnel to follow proper security practices when using password protected devices containing personally identifiable employee medical information. Authorized individuals must not share their ID with others, should log-off when leaving a terminal, and use their own ID to access employee medical records. Also, authorized individuals should not keep written facsimiles of passwords or access codes. Other security measures, such as the use of firewalls, anti-virus software, and intrusion detection software should also be used to protect data integrity. Again, the Principal OSHA Investigator is responsible for ensuring that proper security measures are in place in the field to protect the confidentiality of personally identifiable employee medical records in electronic form. Moreover, it is critically important that mobile devices be encrypted or use password protection when used to download, transfer, or store electronic medical information. Mobile devices are for individual use, and are not designed for centralized IT management. These devices can easily be manipulated, damaged, or stolen. By encryption, OSHA means the process of changing plain text into cypher text for the purpose of security. The use of encryption results in the encoding of information in such a way so that only authorized individuals can access the information. Section 1913.10(n)(5) of the final rule states that electronic files containing personally identifiable employee medical information shall not be transferred to authorized personnel through email attachment unless appropriately encrypted. The transfer of employee medical information by email attachment increases the risk that such information will be sent to an unauthorized individual. The transfer of personally identifiable employee medical information in electronic form must be made through secured means. See Sec. 1913.10(n)(4), discussed above (``Electronic files containing personally identifiable employee medical information shall only be downloaded to a computer hard drive or laptop that is secured.''). Appropriate methods for the transfer of personally identifiable employee medical information in electronic form may include the use of password protected or encrypted files on a secured agency website designed for confidential information, the mailing of encrypted computer disks or USB drives, the emailing of password protected medical records (Adobe secured), and the printing and hand delivery of paper records. Paragraph (n)(6) provides that when an employer or other record holder(s) provides access to employee medical information through a properly encrypted email attachment, the attachment shall be downloaded to a secured hard drive or laptop. After the attachment is downloaded, the email shall be permanently deleted. In some cases, employers and other record holders provide OSHA with access to employee medical information through an encrypted email attachment. As noted above, the use of email attachments to transfer medical records makes it more likely that the information will be sent to unauthorized individuals. Paragraph (n)(6) ensures that medical information received in an encrypted email attachment is downloaded to a secured device. After downloading the attachment from the employer or other record holder, the email must be permanently deleted to prevent transfer to unauthorized individuals. By permanently deleted, OSHA means that the email should be deleted so that it cannot be retrieved. Some email programs automatically delete trashed emails after a certain amount of time. Other programs retain emails until the user runs out of space. However, the intent of this provision is that, once the attachment is downloaded, OSHA personnel should immediately and permanently delete the incoming email. Most email programs have a ``delete forever'' function that allows the user to select emails in the trash folder for permanent deletion. Section 1913.10(n)(7) of the final rule states that personally identifiable employee medical information in electronic form shall be secured when not in use. This provision is based on paragraph (i)(1) of Sec. 1913.10, which states that agency files containing personally identifiable employee medical information shall be segregated from other agency files, and when not in active use, files containing this information shall be kept secured in a locked cabinet or vault. Paragraph (n)(7) is intended to prevent unauthorized access or modification to employee medical information in electronic form. In addition to all of the procedures in paragraph (n) addressing the use of electronic information by OSHA personnel, when not in use, such information must be stored in a secured manner. For example, when not in use, personally identifiable employee medical information should be stored on a password protected hard drive or laptop. Another example might be the storing of information on a password protected agency website designed to store confidential information. Also, if employee medical records are kept on computer disk or other electronic storage media, when not in use, the disk or media should be stored under lock and key. Paragraph (n)(7)(i) of the final rule also emphasizes the importance of proper storage by specifically stating that medical information in electronic form shall only be maintained or stored where facilities and conditions are designed to prevent unauthorized access. Paragraph (n)(7)(ii) provides that personally identifiable employee medical information in electronic form shall be maintained only for so long as [[Page 45790]] needed to accomplish the purpose for access. This provision is derived from paragraph (j)(1) of Sec. 1913.10, which provides that consistent with OSHA records disposition programs, personally identifiable employee medical information shall be destroyed or returned to the original record holder when no longer needed for the purposes for which they were obtained. In OSHA's view, maintaining medical records only for so long as needed helps to ensure that such information will not be accessed by unauthorized individuals. In some cases, after its initial use by the agency, personally identifiable employee medical information may not be used again until sometime in the future. For example, medical information used as the basis for an OSHA citation may be used during the hearing stage of an enforcement case before the Occupational Safety and Health Review Commission. The medical information may not be used while the case is on appeal, but there may be a need for the information if the case is remanded for further judicial proceedings. Similarly, an investigation of an apparently new health hazard may produce uncertain results. Before completely closing out this investigation, it may be appropriate to await the outcome of an ongoing research study or parallel investigation elsewhere in the country. In these cases, Sec. 1913.10(j) provides that the medical information should be transferred to the MRO. Also, under Sec. 1913.10(l)(2), the MRO must conduct an annual review of all centrally-held information to determine which information is no longer needed for the purposes for which it was obtained. These requirements apply equally to personally identifiable employee medical information stored in electronic form. Paragraph (n)(7)(iii) of the final rules states that when no longer needed, the Principal OSHA Investigator shall ensure that all personally identifiable employee medical information on electric files has been deleted, destroyed, or returned to the original record holder. The requirement in paragraph (n)(7)(iii) is intended to ensure that the Principal OSHA Investigator is responsible for OSHA access and use of electronic medical information from beginning to end. When no longer needed, the Principal OSHA Investigator must make sure that authorized OSHA personnel follow proper procedures for the deletion, destruction and disposal of personally identifiable employee medical information. In practice, the Principal OSHA Investigator must ensure that media containing employee medical information is sanitized or destroyed before disposal or release for reuse in accordance with approved methods. In addition, if electronic medical records are returned to the original record holder, the Principal OSHA Investigator must ensure that all data is returned, and no data remains in the possession of OSHA personnel. Paragraph (n)(7)(iv) states that the disposal of personally identifiable employee medical information maintained in electronic form shall be accomplished in such a manner as to make the data unattainable by unauthorized personnel. When no longer needed, electronic media must be handled and sanitized appropriately to prevent unauthorized disclosure or modification of personally identifiable employee medical information. OSHA personnel use several types of electronic media to access, use, and maintain personally identifiable employee medical information, including hard drives, laptops, USB storage drives (e.g., thumb drives), CDs, DVDs, and digital storage cards such as camera cards. In order to meet the requirement in paragraph (n)(7)(iv), and depending on the type of electronic media used, OSHA personnel may need to re-use, recycle, or destroy the electronic media containing medical information. Also, when employee medical information in electronic form is no longer needed, it is important to ensure that deleted data is not easily recoverable. Residual data may allow unauthorized individuals to reconstruct data and thereby gain access to personally identifiable employee medical information. Sanitization is one method that can be used to ensure that deleted data cannot be reconstructed. Sanitization is the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. There are different types of sanitization for each type of media, including cleaning, purging, and destroying. Cleaning is the removal of data from devices in such a way that there is assurance that the data cannot be reconstructed using normal system functions or software file/data recovery utilities. For example, cleaning may include using software or hardware products to overwhelm media with non-sensitive data. Purging is generally done before releasing media beyond control, such as before discarding old media, and includes degaussing or exposing media to a strong magnetic field in order to disrupt recorded magnetic domains. Destruction of media is the ultimate form of sanitization. In some cases, OSHA personnel maintain employee medical information on media that may not be able to be reused such as computer disks and camera cards. In these situations, when no longer needed, electronic media containing personally identifiable employee medical information should be disposed of using approved secure data destruction. Several methods exist to dispose of electronic media containing medical information. For example, computer disks can be rendered unusable by shredding, incinerating, or pulverizing. Many OSHA Regional and Area Offices already have equipment that can shred or burn disks. Other offices contract with private companies to perform this task in a secure manner. As a reminder, in order to address security and privacy concerns, disposal operations should be conducted in accordance with approved DOL or OSHA methods. In addition, OSHA is responsible for the management of records pursuant to the Federal Records Act of 1950, as amended (44 U.S.C. Chapters 21, 29, 31, 33). The retention and destruction of Federal records must be conducted in accordance with the procedures described in the Federal Records Act. Finally, in the future, OSHA personnel will be using media types not specifically mentioned in this preamble. The processes mentioned in this document should guide media sanitization and disposal decisions regardless of the type of media in use. In the future, OSHA will issue guidance to agency staff as new technology is developed. IV. State Plans The 28 states and U.S. territories with their own OSHA-approved occupational safety and health plans are encouraged, but not required, to adopt these rules of agency practice and procedure concerning employee medical record access that Federal OSHA is promulgating to 29 CFR 1913.10 in this final rule. The states and U.S. territories with OSHA-approved occupational safety and health plans covering private employees and state and local government employees are Alaska, Arizona, California, Hawaii, Indiana, Iowa, Kentucky, Maryland, Michigan, Minnesota, Nevada, New Mexico, North Carolina, Oregon, Puerto Rico, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, and Wyoming. In addition, six states and U.S. territories have OSHA- approved state Plans that apply to state and local government employees only: Connecticut, Illinois, [[Page 45791]] Maine, New Jersey, New York, and the Virgin Islands. This final rule describes a Federal program change for which State Plan adoption is not required. However, State Plans are required to have standards, and an enforcement program, that are ``at least as effective in providing safe and healthful employment'' as those of Federal OSHA. In order to be ``at least as effective'' as Federal OSHA, a State Plan must appropriately utilize its authority for access to medical records, and must have effective procedures to assure that the privacy of those records is protected in a manner consistent with applicable state and federal privacy laws. Therefore, although adoption of this rule is not required, State Plans must have procedures covering this issue that are at least as effective as those of Federal OSHA and are encouraged to adopt requirements comparable to those in 29 CFR 1913.10. Within 60 days of the effective date of this final rule, a State Plan must submit a notice of intent indicating whether they already have a similar policy in place, intend to adopt new policies and procedures, or do not intend to adopt this final rule. If a State Plan does not adopt at first, but at some later point decides to adopt this final rule or an at least as effective version of this final rule, the State Plan must notify OSHA of this change in intent. Within 60 days of adoption, the State Plan must provide an electronic copy of the regulation or policy, or a link to where their policy is posted on the State Plan's website. The State Plan must also provide the date of adoption and identify differences, if any, between their policy and this final rule. OSHA will provide summary information on the State Plan responses to this instruction on its website at: www.osha.gov/dcsp/osp/index.html. V. Regulatory Flexibility Certification The notice and comment procedures of section 553 of the APA do not apply ``to interpretative rules, general statements of policy, or rules of agency organization, procedure, or practice.'' 5 U.S.C. 553(b)(A). Rules that are exempt from APA notice and comment requirements are also exempt from the Regulatory Flexibility Act (RFA). See SBA Office of Advocacy, A Guide for Government Agencies: How to Comply with the Regulatory Flexibility Act (August 2017); also found at http://www.sba.gov/sites/default/files/rfaguide5F05125F0.pdf. This is a rule of agency procedure, practice, and interpretation within the meaning of that section; and therefore, is exempt from both the notice and comment rulemaking procedures of the APA and the requirements of the RFA. VI. Environmental Impact Analysis In accordance with the requirements of the National Environmental Policy Act (NEPA) (42 U.S.C. 4231 et seq.), Council on Environmental Quality NEPA regulations (40 CFR parts 1500 through 1518), and the Department of Labor NEPA regulations (29 CFR part 11), OSHA has determined that this final rule will not have a significant impact on the external environment. VII. Federalism OSHA reviewed this final rule in accordance with the most recent Executive order on federalism (Executive Order 13132, 64 FR 43255, August 10, 1999). This Executive order requires Federal agencies, to the extent possible, to refrain from limiting state policy options, consult with states prior to taking any action that would restrict state policy options, and take such actions only when clear constitutional authority exists and the problem is national in scope. This rule does not have ``federalism implications.'' The rule does not have ``substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government'' and therefore is not subject to Executive Order 13132 (Federalism). VIII. Unfunded Mandates The Department has concluded that this rule is not a ``significant regulatory action'' within the meaning of Executive Order 12866, reaffirmed by Executive Order 13563, because it is not likely to (1) have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or Tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in Executive Order 12866. Therefore, no economic impact analysis under section 6(a)(3)(C) of Executive Order 12866 has been prepared. For the same reason, and because no notice of proposed rulemaking was published, no statement is required under section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532. In any event, this rulemaking is procedural and interpretive in nature and is thus not expected to have a significant economic impact. IX. Consultation and Coordination With Indian Tribal Governments OSHA reviewed this rule in accordance with Executive Order 13175 (65 FR 67249, November 6, 2000) and determined that it does not have ``tribal implications'' as defined in that order. The rule does not have substantial direct effects on one or more Indian tribes, on the relationship between the Federal Government and Indian tribes, or on the distribution of power and responsibilities between the Federal Government and Indian tribes. X. Office of Management and Budget Review Under the Paperwork Reduction Act of 1995 The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) and OMB regulations (5 CFR part 1320) require agencies to obtain approval from OMB before conducting any collection of information. The PRA defines a ``collection of information'' as ``the obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public of facts or opinions by or for an agency regardless of form or format'' (44 U.S.C. 3502(3)(A)). The PRA does not apply to this final rule because it amends existing internal agency procedures and does not impose any new recordkeeping or information collection requirements that require OMB approval. Authority and Signature This document was prepared under the direction of Loren Sweatt, Principal Deputy Assistant Secretary for Occupational Safety and Health. It is issued under Section 8 of the Occupational Safety and Health Act (29 U.S.C. 657), 5 U.S.C. 553, 5 U.S.C. 552a(e), 5 U.S.C. 301, and Secretary of Labor's Order No. 5-2012 (77 FR 3912). Signed at Washington, DC, on July 14, 2020. Loren Sweatt, Principal Deputy Assistant Secretary of Labor for Occupational Safety and Health. Final Rule Part 1913 of title 29 of the Code of Federal Regulations is hereby amended as follows: [[Page 45792]] PART 1913--[AMENDED] 0 1. The authority citation for part 1913 is revised to read as follows: Authority: 29 U.S.C. 657; 5 U.S.C. 553; 5 U.S.C. 301; Secretary of Labor's Order No. 8-76 (41 FR 25059), 5-2002 (67 FR 65008), or 1- 2012 (77 FR 3912) as applicable. 0 2. Amend Sec. 1913.10 by: 0 a. Revising paragraphs (b)(6), (c)(1) and (2), and (d)(1) and (2); 0 b. Removing and reserving paragraph (g); 0 c. Revising paragraph (m); and 0 d. Adding paragraph (n). The revisions and addition read as follows: Sec. 1913.10 Rules of agency practice and procedure concerning OSHA access to employee medical records. * * * * * (b) * * * (6) This section does not apply where a written directive by the OSHA Medical Records Officer authorizes appropriately qualified personnel to conduct limited reviews of specific medical information mandated by an occupational safety and health standard, or of specific biological monitoring test results. * * * * * (c) * * * (1) Assistant Secretary. The Assistant Secretary of Labor for Occupational Safety and Health (Assistant Secretary) shall designate an OSHA official with experience or training in the evaluation, use, and privacy protection of medical records to be the OSHA Medical Records Officer. The Assistant Secretary may change the designation of the OSHA Medical Records Officer at will. (2) OSHA Medical Records Officer. The OSHA Medical Records Officer shall be responsible for the overall administration and implementation of the procedures contained in this section. The OSHA Medical Records Officer shall report directly to the Assistant Secretary on matters concerning this section and be responsible for: (i) Making final determinations concerning the approval or denial of medical access orders (paragraph (d) of this section); (ii) Assuring that medical access orders meet the requirements of paragraphs (d)(2) and (3) of this section; (iii) Responding to objections concerning medical access orders (paragraph (f) of this section); (iv) Overseeing internal agency use and security of personally identifiable employee medical information (paragraphs (g) through (j) of this section); (v) Assuring that the results of agency analyses of personally identifiable medical information are, where appropriate, communicated to employees (paragraph (k) of this section); (vi) Preparing an annual report of OSHA's experience under this section (paragraph (l) of this section); and (vii) Making final determinations concerning inter-agency transfer or public disclosure of personally identifiable employee medical information (paragraph (m) of this section). The Medical Records Officer shall also assure that advance notice is given of intended inter-agency transfers or public disclosures. * * * * * (d) * * * (1) Requirement for medical access order. Except as provided in paragraph (d)(4) of this section, each request by an OSHA representative to examine or copy personally identifiable employee medical information contained in a record held by an employer or other recordholder shall be made pursuant to a written medical access order which has been approved by the OSHA Medical Records Officer. A medical access order does not constitute an administrative subpoena. (2) Approval criteria for medical access order. Before approving a medical access order, the OSHA Medical Records Officer shall determine that: (i) The medical information to be examined or copied is relevant to a statutory purpose and there is a need to gain access to this personally identifiable information; (ii) The personally identifiable medical information to be examined or copied is limited to only that information needed to accomplish the purpose for access; and (iii) The personnel authorized to review and analyze the personally identifiable medical information are limited to those who have a need for access and have appropriate professional qualifications. * * * * * (m) Inter-agency transfer and public disclosure. (1) Personally identifiable employee medical information shall not be transferred to another agency or office outside of OSHA (other than to the Office of the Solicitor of Labor) or disclosed to the public (other than to the affected employee or the original recordholder) except when required by law or when approved by the OSHA Medical Records Officer. (2) Except as provided in paragraph (m)(3) of this section, the OSHA Medical Records Officer shall not approve a request for an inter- agency transfer of personally identifiable employee medical information, which has not been consented to by the affected employees, unless the request is by a public health agency which: (i) Needs the requested information in a personally identifiable form for a substantial public health purpose; (ii) Will not use the requested information to make individual determinations concerning affected employees which could be to their detriment; (iii) Has regulations or established written procedures providing protection for personally identifiable medical information substantially equivalent to that of this section; and (iv) Satisfies an exemption to the Privacy Act to the extent that the Privacy Act applies to the requested information (see 5 U.S.C. 552a(b); 29 CFR 70a.3). (3) Upon the approval of the OSHA Medical Records Officer, personally identifiable employee medical information may be transferred to: (i) The National Institute for Occupational Safety and Health (NIOSH); and (ii) The Department of Justice when necessary with respect to a specific action under the Occupational Safety and Health Act. (4) The OSHA Medical Records Officer shall not approve a request for public disclosure of employee medical information containing direct personal identifiers unless there are compelling circumstances affecting the health or safety of an individual. (5) The OSHA Medical Records Officer shall not approve a request for public disclosure of employee medical information which contains information which could reasonably be used indirectly to identify specific employees when the disclosure would constitute a clearly unwarranted invasion of personal privacy (see 5 U.S.C. 552(b)(6); 29 CFR 70.26). (6) Except as to inter-agency transfers to NIOSH or the Department of Justice, the OSHA Medical Records Officer shall ensure that advance notice is provided to any collective bargaining agent representing affected employees and to the employer on each occasion that OSHA intends to either transfer personally identifiable employee medical information to another agency or disclose it to a member of the public other than to an affected employee. When feasible, the OSHA Medical Records Officer shall take reasonable steps to assure that advance notice is provided to affected employees when [[Page 45793]] the employee medical information to be transferred or disclosed contains direct personal identifiers. (n) Medical records maintained in electronic form. (1) In general, when accessing and/or copying personally identifiable employee medical information in electronic form, OSHA personnel shall follow all of the requirements set forth in this section. (2) When personally identifiable employee medical information in electronic form is taken off-site, the Principal OSHA Investigator is primarily responsible for ensuring that such information is properly used and kept secured. (i) The Principal OSHA Investigator is responsible for preventing any accidental or unintentional disclosure of, modification to, or destruction of personally identifiable employee medical information in electronic form. (ii) The Principal OSHA Investigator is responsible for controlling the flow of data into, through, and from agency computer operations. (iii) The Principal OSHA Investigator shall ensure the distribution and review of medical information in electronic form is limited to only those OSHA personnel and contractors with a need for access. (3) The transfer and/or duplication of medical information in electronic form shall be kept to the minimum necessary to accomplish the purpose for which it was obtained. (4) Electronic files containing personally identifiable employee medical information shall be downloaded only to a computer hard drive or laptop that is secured in accordance with Federal Information Processing Standard (FIPS) 201-2 ``Personal Identity Verification (PIV) of Federal Employees and Contractors'' and ``Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12).'' (5) Electronic files containing personally identifiable employee medical information shall not be transferred to authorized personnel through email attachment unless appropriately encrypted. (6) When an employer or other record holder(s) provides access to employee medical information through a properly encrypted email attachment, the attachment shall be downloaded to a secured hard drive or laptop. After the attachment is downloaded, the email shall be permanently deleted. (7) Personally identifiable employee medical information in electronic form shall be secured when not in use. (i) Medical information in electronic form shall only be maintained or stored where facilities and conditions are designed to prevent unauthorized access. (ii) Personally identifiable employee medical information in electronic form shall be maintained only for so long as needed to accomplish the purpose for access. (iii) When no longer needed, the Principal OSHA Investigator shall ensure that all personally identifiable employee medical information on electronic files has been deleted, destroyed, or returned to the original record holder. (iv) The disposal of personally identifiable employee medical information maintained in electronic form shall be accomplished in such a manner as to make the data unattainable by unauthorized personnel. [FR Doc. 2020-15562 Filed 7-29-20; 8:45 am] BILLING CODE 4510-26-P