The Bloodborne Pathogen Report That Triggered a HIPAA Investigation
A mid-sized hospital in the Midwest filed an OSHA incident report after a needle stick injury. Routine stuff — until someone in HR emailed the injured nurse's hepatitis B status, full name, and treatment plan to a department-wide distribution list of forty-seven people. The hospital thought it was handling its occupational health and safety obligations. Instead, it created a HIPAA breach that affected a single employee but drew the attention of the Office for Civil Rights.
This is the collision point most healthcare organizations never see coming. OHS compliance — the policies and procedures your facility maintains under OSHA regulations to protect workers from hazards — regularly generates and transmits protected health information. And when your OHS processes aren't designed with HIPAA guardrails, you're one careless email away from an enforcement action.
I've spent years watching organizations treat occupational health and HIPAA as separate silos. They shouldn't be. Here's why the intersection matters, where the real risks hide, and what you can do about it starting this week.
What OHS Compliance Actually Means in a Healthcare Setting
Beyond Hard Hats and Fire Exits
When people hear "OHS compliance," they picture construction sites. In healthcare, occupational health and safety covers a sprawling landscape: bloodborne pathogen exposure, ergonomic injuries, workplace violence prevention, chemical hazard communication, respiratory protection, and tuberculosis screening programs.
The OSHA standards that bear most on healthcare employers require them to keep a sharps injury log and provide a confidential post-exposure medical evaluation under the Bloodborne Pathogens standard (29 CFR 1910.1030), and to track workplace injuries and illnesses on the OSHA 300 Log under the recordkeeping rule (29 CFR Part 1904). Each of these activities generates employee health data, and that's where the HIPAA overlap begins.
The Regulatory Framework You're Juggling
Healthcare employers answer to multiple regulators simultaneously. OSHA enforces workplace safety under the OSH Act. HHS enforces HIPAA through the Office for Civil Rights. State health departments layer on additional requirements. Your OHS compliance program has to satisfy all of them without violating any of them.
That's harder than it sounds. OSHA sometimes requires an employer to receive health information that HIPAA would otherwise restrict. The Privacy Rule anticipates this: 45 CFR 164.512(b)(1)(v) lets a covered health care provider disclose findings about a work-related injury or workplace medical surveillance to the employer when the employer needs them to meet its OSHA obligations, provided the provider gives the individual written notice that such disclosures occur. Most safety officers I've worked with have never read that provision.
Where OHS Compliance Collides with HIPAA
Employee Health Records Are PHI — Sometimes
Here's the distinction that trips up almost everyone. When your covered entity provides healthcare to its own employees — through an employee health clinic, onsite screenings, or post-exposure treatment — those records are protected health information under HIPAA. When a separate employer (not a covered entity) maintains employment records that happen to include health data, HIPAA generally doesn't apply to those specific records.
But you're reading this blog, which means you likely work for a covered entity. Your hospital's employee health clinic generates PHI. Your occupational health nurse creates PHI. The hepatitis B vaccination records your infection control team maintains? PHI.
The HHS Privacy Rule guidance makes clear that covered entities wearing two hats — as employer and as healthcare provider — must separate these functions with appropriate safeguards.
The OSHA 300 Log Trap
OSHA requires employers to record certain workplace injuries and illnesses. The OSHA 300 Log includes the employee's name, job title, and a description of the injury. Employers must make this log available to current and former employees upon request.
Here's the trap: if your log includes diagnostic information or treatment details that qualify as PHI, you may have a dual obligation. OSHA says make it available. HIPAA says protect it. Two things help. The OSHA 300A annual summary, the form you actually post, carries no names. And the recordkeeping rule itself (29 CFR 1904.29(b)(7)) designates certain entries as "privacy concern cases," including needlestick and sharps injuries involving another person's blood, hepatitis, HIV, and tuberculosis: for those you enter "privacy case" in place of the employee's name and keep a separate confidential list linking case numbers to names. Everything else in the detailed 300 Log still requires careful handling.
In my experience, most safety managers don't coordinate with their privacy officers on this. They should.
Post-Exposure Evaluations and Minimum Necessary
After a bloodborne pathogen exposure, OSHA's standard at 29 CFR 1910.1030 requires the employer to provide the exposed employee with a confidential medical evaluation. The evaluating healthcare provider sends a written opinion back to the employer, but the standard limits that opinion to whether the hepatitis B vaccine is indicated and whether the employee received it, confirmation that the employee was informed of the evaluation results, and confirmation that the employee was told about any conditions resulting from the exposure that require further evaluation or treatment. All other findings and diagnoses must stay confidential and out of the written report.
That's a textbook application of HIPAA's minimum necessary standard: the employer gets only what it needs. The problem? I've seen employers demand full lab results, diagnosis details, and treatment plans from the evaluating provider. That violates the OSHA standard's own confidentiality limit as well as HIPAA's minimum necessary rule.
The $3 Million Mistake: When Employee Health Data Leaks
OCR has pursued enforcement actions where employee health information was improperly disclosed. While most high-profile settlements involve patient data, the principle applies equally to workforce PHI held by covered entities.
Consider the broader pattern. OCR's enforcement page documents cases where organizations failed to implement basic access controls, allowed PHI to be shared with unauthorized recipients, and neglected to train their workforce. These same failures show up in OHS compliance contexts — safety teams accessing employee health portals without authorization, supervisors receiving diagnosis information they don't need, and incident reports circulated without redaction.
The penalties are real. OCR settled with the University of Rochester Medical Center for $3 million in 2019 after an unencrypted flash drive and an unencrypted laptop containing ePHI went missing; OCR cited the absence of an adequate risk analysis and of device and encryption controls. The root cause wasn't exotic. It was a lack of training and policy enforcement, the same gap I see in OHS programs every month.
How Do You Align OHS Compliance with HIPAA?
This is the question I hear most from safety directors and compliance officers. Here's a practical framework.
Step 1: Map Your Employee Health Data Flows
Identify every point where your organization collects, stores, or transmits employee health data as part of OHS compliance activities. This includes:
- Pre-employment physicals and drug screenings
- Bloodborne pathogen exposure incident reports
- TB screening and fit-testing records
- Workers' compensation claim files
- Return-to-work evaluations
- Employee assistance program referrals
For each data flow, determine whether the information qualifies as PHI under HIPAA. If your organization is a covered entity and it created or received the data in a healthcare capacity, it almost certainly does.
Step 2: Separate Employment Records from Health Records
HIPAA's definition of protected health information at 45 CFR 160.103 excludes employment records held by a covered entity in its role as employer. The same record held in the covered entity's role as health care provider is PHI. The key is documentation. Your policies must clearly delineate which records belong to which function.
Keep employee health clinic records in a separate system from HR personnel files. Restrict access based on role. Your safety officer doesn't need the same access as your occupational health nurse.
Step 3: Train Both Teams — Together
Your safety team needs HIPAA training. Your privacy team needs to understand OHS workflows. I've watched organizations train these groups in isolation for years, and the result is always the same: gaps at the intersection.
A strong foundation starts with HIPAA Introduction Training for 2026, which covers the Privacy Rule basics every safety professional needs. For deeper policy development, the HIPAA Fundamentals course walks through minimum necessary, access controls, and breach notification — all directly relevant to OHS compliance.
Step 4: Build Redaction and Disclosure Protocols
Create standard operating procedures for every OHS disclosure scenario. When your safety officer needs to report an incident to OSHA, what gets included? When a supervisor asks about an employee's fitness for duty, what can you share?
Document these protocols. Train your staff on them. Audit them quarterly.
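One way to turn the "what gets included" questions above into an enforced control rather than a memo, and to make the role-based restriction from Step 2 concrete: an allowlist per recipient, a fail-closed projection, a pre-send gate, and an audit entry that records field names rather than values. This is an added example written for this post, not code from it. The role names, field names, sample record and the non-OSHA allowlists are assumptions for illustration; only the written-opinion field list follows the limits described above for 29 CFR 1910.1030.

```python
"""Minimum-necessary disclosure of an exposure-incident record, by recipient.
Added example, not code from the post. Role names, field names and the sample
record are assumptions; the written-opinion allowlist follows 29 CFR 1910.1030
as described above, the other allowlists are a hypothetical policy.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# What the employer may receive in the evaluating provider's written opinion.
# An allowlist: anything not named here is withheld, including fields that
# someone adds to the record later.
WRITTEN_OPINION_FIELDS: frozenset[str] = frozenset({
    "incident_id",
    "hbv_vaccine_indicated",
    "hbv_vaccine_received",
    "employee_informed_of_results",
    "employee_told_of_followup_conditions",
})

# Hypothetical per-recipient policy (assumption, not from the post).
DISCLOSURE_POLICY: dict[str, frozenset[str]] = {
    # Safety officer needs the exposure facts for the sharps log and the
    # root-cause review, not the serology.
    "safety_officer": frozenset({
        "incident_id", "incident_date", "department", "device_type",
        "procedure", "employee_informed_of_results",
    }),
    # A supervisor gets a fitness determination, never a diagnosis.
    "supervisor": frozenset({"incident_id", "fit_for_duty", "restrictions_until"}),
    # The employer's copy is the OSHA written opinion and nothing more.
    "employer_written_opinion": WRITTEN_OPINION_FIELDS,
}


def disclose(record: dict[str, Any], recipient_role: str) -> dict[str, Any]:
    """Project `record` down to the fields `recipient_role` may see.

    Fails closed: a role with no policy raises instead of defaulting to
    "everything". Fields the record lacks are simply absent.
    """
    if recipient_role not in DISCLOSURE_POLICY:
        raise PermissionError(f"no disclosure policy for role {recipient_role!r}")
    allowed = DISCLOSURE_POLICY[recipient_role]
    return {k: v for k, v in record.items() if k in allowed}


def overshared_fields(payload: dict[str, Any], recipient_role: str) -> set[str]:
    """Pre-send gate for an outbound payload (an email body, a form, an export).

    Returns the fields that exceed the recipient's allowlist. An unknown role
    has an empty allowlist, so every field is flagged. Non-empty means the
    disclosure does not go out.
    """
    allowed = DISCLOSURE_POLICY.get(recipient_role, frozenset())
    return {k for k in payload if k not in allowed}


def audit_entry(
    record: dict[str, Any], recipient_role: str, disclosed: dict[str, Any]
) -> dict[str, Any]:
    """Record which fields went to whom, without copying their values.

    Storing names rather than values keeps the audit log from becoming a
    second, less protected copy of the PHI.
    """
    return {
        "incident_id": record.get("incident_id"),
        "recipient_role": recipient_role,
        "fields": sorted(disclosed),
        "at": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample record for illustration; no real person or event.
SAMPLE_RECORD: dict[str, Any] = {
    "incident_id": "EXP-0001",
    "incident_date": "2026-02-03",
    "department": "Emergency",
    "device_type": "hollow-bore needle",
    "procedure": "IV placement",
    "employee_name": "J. Doe",
    "hbv_status": "immune (anti-HBs positive)",
    "treatment_plan": "no PEP indicated; repeat serology at 6 weeks",
    "hbv_vaccine_indicated": False,
    "hbv_vaccine_received": True,
    "employee_informed_of_results": True,
    "employee_told_of_followup_conditions": True,
    "fit_for_duty": True,
    "restrictions_until": None,
}

if __name__ == "__main__":
    for role in DISCLOSURE_POLICY:
        view = disclose(SAMPLE_RECORD, role)
        print(role, view)
        print("  audit:", audit_entry(SAMPLE_RECORD, role, view))
    # The opening story's department-wide email, checked before it goes out:
    print("overshared:", sorted(overshared_fields(SAMPLE_RECORD, "supervisor")))
```

The design choice worth copying is the direction of the list: an allowlist of what may leave the record, never a denylist of what must be stripped. A denylist silently passes any field someone adds to the record later; an allowlist withholds it until a policy owner adds it. Run the block directly to see each role's view and its audit entry; the last line shows which fields the opening story's email would have been blocked on.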
Remote Workers Make OHS Compliance Even Harder
The rise of remote healthcare roles — telehealth providers, remote coders, virtual case managers — adds a layer of complexity. These workers face ergonomic risks, isolation-related mental health concerns, and home-office safety hazards. When your organization addresses those risks, you may collect health information electronically.
ePHI transmitted over home networks, stored on personal devices, or discussed over unsecured platforms creates HIPAA exposure. If you're managing OHS compliance for a distributed workforce, your teams need targeted guidance. Our HIPAA Training for Remote Healthcare Workers addresses exactly these scenarios — securing ePHI in non-traditional work environments while maintaining compliance across multiple regulatory frameworks.
Five Red Flags Your OHS Program Has a HIPAA Problem
- Your OSHA incident reports include diagnostic codes or treatment details. They shouldn't. Limit reports to what OSHA actually requires.
- Supervisors receive medical clearance letters with specific diagnoses. They need a yes-or-no fitness determination, not a medical chart.
- Employee health records live in the same system as HR files with no access segregation. This violates the separation principle.
- Your safety team has never received HIPAA workforce training. Under the Privacy Rule, every member of your workforce who handles PHI must be trained.
- You have no breach notification protocol for employee health data. If an employee's PHI is improperly disclosed during an OHS process, the Breach Notification Rule applies just as it would for patient data.
The Bottom Line for 2026
OHS compliance and HIPAA compliance aren't competing obligations. They're overlapping ones. Every time your organization investigates a workplace injury, conducts a health screening, or files an OSHA report, it potentially touches protected health information governed by federal privacy law.
The organizations that get this right don't treat safety and privacy as separate departments. They build integrated compliance programs where safety officers understand minimum necessary, privacy officers understand OSHA reporting requirements, and everyone receives consistent, current workforce training.
The organizations that get it wrong end up explaining to OCR why forty-seven people received an email with a nurse's hepatitis status. Don't be that organization. Start by auditing your OHS data flows this quarter, and make sure every person who touches employee health data has completed current HIPAA training.