The Doctor's Office That Got Hit From Both Sides

A medical practice in the Southeast thought they had compliance covered. OSHA posters on the wall, bloodborne pathogen kits in the breakroom, and a dusty HIPAA manual on a shelf somewhere. Then an employee filed a complaint about unsafe needle disposal — and the investigation uncovered that employee medical records were stored in unlocked filing cabinets right next to personnel files. Two agencies. Two sets of violations. One very expensive month.

I've seen this pattern more times than I can count. Organizations focus on OSHA compliance or on HIPAA compliance, but rarely think about where the two frameworks collide. And that gap — the space between workplace safety and health information privacy — is exactly where regulators love to dig.

If you manage a covered entity, a dental practice, a hospital, or any organization where employees handle both hazardous materials and protected health information, this post is for you.

Why OSHA Compliance and HIPAA Aren't Separate Conversations

Most people think of OSHA and HIPAA as living in different universes. OSHA handles workplace safety — chemical exposure, ergonomics, bloodborne pathogens. HIPAA guards protected health information (PHI). Clean lines, right?

Not even close.

The moment an employee gets a needlestick injury, you're in both worlds simultaneously. OSHA requires you to document the incident, track the exposure, and maintain medical records related to the event. HIPAA requires you to protect the health information generated during post-exposure evaluation and follow-up. Store that medical record wrong, share it with the wrong person, or fail to restrict access — and now you've got an HHS problem on top of your Department of Labor problem.

Employee Medical Records: The Overlap Everyone Ignores

OSHA's Recordkeeping Standard (29 CFR 1904) and its Access to Employee Exposure and Medical Records Standard (29 CFR 1910.1020) require employers to maintain certain health-related records. These include results of medical surveillance exams, hepatitis B vaccination records, and exposure incident documentation.

Here's where it gets tricky. If your organization is also a covered entity under HIPAA — a healthcare provider, health plan, or healthcare clearinghouse — those same employee medical records may qualify as PHI. That means they're subject to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

I've watched compliance officers realize this mid-audit and go pale. They had OSHA logs perfectly maintained but stored in shared drives with no access controls. That's a potential HIPAA violation — specifically, a failure to implement technical safeguards for ePHI under 45 CFR Part 164, Subpart C.

Three Scenarios Where OSHA and HIPAA Collide

1. Bloodborne Pathogen Exposure Incidents

When an employee is exposed to blood or other potentially infectious materials, OSHA mandates a confidential medical evaluation. The results of that evaluation — HIV test results, hepatitis panels, physician recommendations — are PHI if your organization is a covered entity. You must store them separately from general personnel files, restrict access, and ensure proper disposal.

OSHA says you need to keep these records for the duration of employment plus 30 years. HIPAA says you need to protect them every single day of that retention period. That's a long time to maintain both physical and technical safeguards.

2. Workers' Compensation and Disclosure Requests

Workers' comp claims often require disclosure of employee health information. HIPAA permits disclosure for workers' compensation purposes under the Privacy Rule (§164.512(l)), but only the minimum necessary information. I've seen clinics fax entire medical charts to insurance adjusters because "they asked for everything." That's not how minimum necessary works. Your staff needs to understand that an OSHA-related injury claim doesn't waive HIPAA protections.

3. Workplace Wellness Programs and Health Screenings

If your organization runs health screenings — blood pressure checks, flu shot clinics, biometric testing — you're generating PHI. OSHA doesn't require these, but many employers offer them as part of a safety culture. The data collected falls squarely under HIPAA if a covered entity administers the program. I've audited wellness programs that stored screening results in spreadsheets emailed between HR staff with zero encryption. That's a breach waiting to happen.

What Exactly Does OSHA Require vs. HIPAA?

This is the question I get asked most often in consulting engagements, and it's a common search query too. Here's the direct answer:

OSHA requires employers to maintain a safe workplace, document injuries and illnesses (OSHA 300 Log), provide access to employee medical and exposure records, and train workers on hazards including bloodborne pathogens. OSHA is enforced by the Department of Labor.

HIPAA requires covered entities and their business associates to protect the privacy, security, and integrity of PHI and ePHI. It mandates administrative, physical, and technical safeguards, workforce training, risk assessments, and breach notification. HIPAA is enforced by the Office for Civil Rights (OCR) within HHS.

The overlap: when health-related records created for OSHA compliance purposes also meet the definition of PHI, both frameworks apply simultaneously. You don't get to pick one.

The $2.2 Million Mistake: When Employee Records Aren't Protected

OCR has repeatedly penalized organizations for failing to protect employee health information. In 2017, Memorial Healthcare System paid $5.5 million to settle with OCR after employees accessed patient PHI without authorization — a failure of workforce access controls that applies equally to employee medical records.

While that case centered on patient records, the lesson translates directly. If your workforce can access employee OSHA-related medical records without proper authorization, you have the same vulnerability. OCR doesn't distinguish between patient PHI and employee PHI when it comes to enforcement. PHI is PHI.

Five Steps to Close the OSHA-HIPAA Gap

Step 1: Audit Where Employee Health Records Live

Walk through your organization and find every place employee medical records are stored — paper files, shared drives, email inboxes, HR software. If any of those records contain PHI and your organization is a covered entity, HIPAA applies.

Step 2: Separate OSHA Logs From Medical Records

OSHA 300 Logs are not considered confidential medical records — they document injuries and illnesses in a summary format. But the underlying medical documentation (physician notes, lab results, treatment records) absolutely qualifies as PHI. Keep them in separate, access-controlled locations.

Step 3: Train Your Workforce on Both Frameworks

Your staff can't comply with rules they don't understand. OSHA requires bloodborne pathogen training annually. HIPAA requires workforce training on privacy and security policies. Do both — and make sure your training addresses the overlap. Our HIPAA Introduction Training for 2026 covers the fundamentals of PHI protection that every employee needs, regardless of their role.

Step 4: Apply Minimum Necessary to Every Disclosure

When OSHA compliance, workers' comp, or any other process requires sharing employee health information, apply the minimum necessary standard. Train your HR team and compliance officers to ask: "What is the least amount of PHI I need to disclose to accomplish this purpose?"

Step 5: Address AI and Technology Risks

In 2026, many organizations use AI-powered tools for incident reporting, safety analytics, and HR workflows. If those tools process employee health information — even in a summarization or analytics capacity — you need to ensure HIPAA compliance. Our course on Using AI Tools and PHI walks through the specific risks and safeguards required when technology touches protected health information.

The OSHA Whistleblower Angle You Haven't Considered

Here's a scenario I've seen blindside healthcare organizations. An employee files an OSHA complaint about unsafe conditions. During the investigation, the employer retaliates — maybe by accessing the employee's medical records to build a case for termination. Now you've triggered OSHA's whistleblower protections and a HIPAA privacy violation.

Section 11(c) of the OSH Act prohibits retaliation. HIPAA's Privacy Rule prohibits using PHI for employment decisions unless a specific exception applies. Two violations from one bad decision. I've seen it destroy small practices.

Stop Treating These as Separate Checklists

The organizations that get OSHA and HIPAA compliance right are the ones that stop treating them as separate checklists taped to different walls. They build integrated compliance programs where the safety officer talks to the privacy officer, where training covers both bloodborne pathogens and PHI handling, and where employee health records get the same protection as patient records.

If you're starting from scratch or need to rebuild your compliance program, explore our full training catalog to find courses that fit your workforce's needs.

Your organization doesn't get to choose which regulator shows up first. Make sure you're ready for both.