In 1980 OSHA promulgated rules governing access to and maintenance of
employee medical records (29 C.F.R. sec. 1910.20, Access to employee
exposure and medical records). (The following discussion omits citations to
specific statutory language.) Although directed at managing medical
information, these regulations define the scope of occupational medicine
practice through their expansive definition of workplace-related medical
information. These rules were written for records maintained in a company-
based occupational medicine department, but they specifically include
nonemployee physicians and clinics that provide occupational medical services.
Any physician who treats workplace-related injuries or illnesses or does
preplacement or work fitness evaluations is subject to these regulations.
OSHA promulgated the rules to:
1. Ensure employees, their representatives, and OSHA access to the employees’
2. Require employers to supply medical care providers sufficient information
about toxic exposures to allow the treatment and long- term evaluation of
3. Create a way for medical care providers to report potential hazardous
exposures to OSHA without violating the employer’s trade secrets.
4. Ensure that employee medical records are maintained for a sufficient period
(30 years after the termination of employment) to allow the monitoring of
conditions with long latency.
These rules are directed at employers rather than medical care providers. The
employer is expected to see that the medical care personnel follow the rules,
and it is the employer that is subject to administrative sanctions if the rules
are not followed. Physicians employed in a company occupational medicine
department that does not comply with the rules may be subject to sanctions as
company representatives. Nonemployee physicians may be subject to
sanctions if they contractually accept the responsibility for maintaining
employee medical information. This can become a problem if the employer
goes out of business without arranging for an orderly transition in responsibility
for the employees’ medical information. An abrupt termination of business may
leave the physician with the duty and financial responsibility to maintain the
records or transfer them properly.
OSHA clearly intended these rules to supplement, rather than replace,
traditional practices: “Except as expressly provided, the rules do not affect
existing legal and ethical obligations concerning the maintenance and
confidentiality of employee medical information, the duty to disclose
information to a patient/employee or any other aspect of the medical-care
relationship, or affect existing legal obligations concerning the protection of
trade secret information.” The rules do not pose any ethical problems beyond
those already inherent in occupational medicine practice. In the case of
providing access to trade secret information, they help resolve an existing