NELP Final Comments on Proposed Rule for Injury and Illness Tracking

The National Employment Law Project (NELP) submits these comments in strong opposition to the provisions in the Occupational Safety and Health Administration’s (OSHA) new proposed rule, Tracking of Workplace Injuries and Illnesses, that will repeal injury reporting requirements for large employers (83 FR 36494-36507). This roll back of worker protections will allow dangerous employers to hide workplace injuries and will seriously hinder OSHA’s efforts, as well as the efforts of state agencies, the public health community, workers and employers to identify and prevent workplace injuries.

NELP is a non-profit research and policy organization that for more than 45 years has sought to ensure that America upholds the promise of opportunity and economic security for all workers.

This new DOL proposal repeals provisions of OSHA’s 2016 rule, “Improve Tracking of Workplace Injuries and Illnesses,” which required large employers (those with 250 or more workers in an establishment) to electronically submit to the agency important detailed information on injuries at their workplaces (some information from the Forms 300 and 301). The agency is proposing to strike this requirement, even though this information would significantly assist the agency in allocating its scarce resources, including compliance assistance and enforcement, to prevent the almost 3 million serious workplace injuries and over 5,000 work related fatalities that occur every year (  Further, the central collection of and access to this data would help the efforts of state agencies, researchers, workers, employers and worker representatives to identify and prevent workplace hazards.  Instead, the proposed rule will allow large employers in dangerous industries to continue to hide their records of workplace injuries.

Without reference to any supporting evidence or facts, the agency claims that it is rescinding these reporting requirements for large employers in order to protect a worker’s privacy.  Such an assertion ignores the abundance of evidence contained in the 2016 rule that Personally Identifiable Information (PII) would be protected.  In addition, the agency now claims it has reevaluated the utility of the Form 300 and 301 data for agency enforcement efforts and preliminarily determined that its enforcement value does not justify the reporting burden on employers. Again, relying on no new information, the agency arbitrarily

reverses the conclusions of the 2016 final rule that found enormous benefits—not just in agency enforcement but in providing compliance assistance and overall injury prevention efforts.  The following information addresses the dubious claims made in this proposal and the questions asked in the preamble.

  • Are there risks to worker privacy posed by the 2016 requirements to electronically collect information from the Forms 300 and 301 from establishments with 250 or more workers?

The agency makes two claims regarding worker privacy in this new proposed rule: 1) electronically collecting the information required under the 2016 rule from large employers would pose a potential privacy risk under FOIA; and 2) much of this information may be sensitive for workers, including descriptions of their injuries and body parts affected.  Both claims are unsupported by any evidence.

First, claims of concern for worker privacy are spurious.  The record of the 2016 rule clearly demonstrates that workers and their representatives supported the collection of the 300 and 301 forms (e.g. AFL-CIO; UFCW; UAW; IBT; SEIU; CTW at Ex. 1350, 1345, 1384, 1381, 1387, 1380) and it was industry representatives that opposed the collection, claiming privacy concerns.  The agency is not reacting to concerns voiced by workers and their representatives, rather they are reacting to the concerns of large corporations and their lobbyists who do not want to report any of this information to the agency.

More importantly, the 2016 rule did not require the reporting of PII. In fact, OSHA made it clear that not only does it not want PII, but the computer program it would build to electronically receive the information will not accept fields with that information.  In the final rule OSHA stated:

OSHA believes it has effective safeguards in place to prevent the disclosure of personal or confidential information contained in the recordkeeping forms and submitted to OSHA. Specifically, as discussed above, OSHA will neither collect nor publish the following information:

  • Log of Work-Related Injuries and Illnesses (OSHA Form 300): Employee name (column B).
  • Injury and Illness Incident Report (OSHA Form 301): Employee name (field 1), employee address (field 2), name of physician or other health care professional (field 6), facility name and address if treatment was given away from the worksite (field 7).

Also, OSHA’s recordkeeping regulation at § 1904.29(b)(10) prohibits the release of employees’ names and personal identifiers related to ‘‘privacy concern cases.’’ OSHA will also withhold from publication all of the information on the left-hand side of the OSHA 301 Incident Report that is submitted to OSHA (employee date of birth (Field 3), employee date hired (Field 4), and employee gender (Field 5). 81 FR 29661-29662

Further, OSHA was clear in the 2016 final rule that if PII were accidentally submitted to OSHA –for example in a field describing an injury– OSHA would neither release nor publish this information:

For example, in some cases, information entered in Column F (Describe injury or illness, parts of body affected, and object/substance that directly injured or made person ill) of the 300 Log contains personally-identifiable information, such as an employee’s name or Social Security Number. As a result, OSHA plans to review the information submitted by employers for personally identifiable information. As part of this review, the Agency will use software that will search for and de-identify personally identifiable information before OSHA posts the data. 81 CFR 29632

The current proposal is also silent on OSHA’s long history of effectively protecting PII under the FOIA process. The 2016 final rule, by contrast, did contain a robust defense of OSHA’s ability to keep PII private.  For example, in the 2016 rule, OSHA stated:

Currently, when OSHA receives a FOIA request for employer recordkeeping forms, the Agency releases all data fields on the OSHA 300A annual summary, including the annual average number of employees and total hours worked by employees during the year. With respect to the OSHA 300 Log, because OSHA currently obtains part 1904 records during onsite inspections, the Agency applies Exemption 7(c) of FOIA to withhold from disclosure information in Column B (the employee’s name). (Note that OSHA will not collect or publish Column B under this final rule.) FOIA Exemption 7(c) provides protection for personal information in law enforcement records. [5 U.S.C. 552(b)(7)(c)]. OSHA currently uses Exemption 7(c) to withhold personal information included in Column B as well as other columns of the 300 Log. For example, OSHA would not disclose the information in Column C (Job Title), if such information could be used to identify the injured or ill employee. Similarly, OSHA uses FOIA exemptions to withhold from disclosure Fields 1 through 9 on the OSHA 301 Incident Report. Fields 1 through 9 (the left side of the 301) includes personal information about the injured or ill employee as well as the physician or other health care professional. (Note that under this final rule, OSHA will not collect or publish Field 1 (employee name), Field 2 (employee address), Field 6 (name of treating physician or health care provider), or Field 7 (name and address of non-workplace treating facility). All fields on the right side of the 301 (Fields 10 through 18) are generally released by OSHA in response to a FOIA request. OSHA generally uses FOIA Exemption 7(c) to withhold from disclosure any personally identifiable information included anywhere on the three OSHA recordkeeping forms. For example, although information in Field 15 of the 301 incident report (Tell us how the injury occurred) is generally released in response to a FOIA request, if that data field includes any personally-identifiable information, such as a name or Social Security number, OSHA will apply Exemption 6 or 7(c) and not release that information. FOIA Exemption 6 protects information about individuals in ‘‘personnel and medical and similar files’’ when the disclosure of such information ‘‘would constitute a clearly unwarranted invasion of personal privacy.’’ [5 U.S.C. 552(b)(6)]. Additionally, OSHA currently uses FOIA Exemption 4 to withhold from disclosure information on the three recordkeeping forms regarding trade secrets or privileged or confidential commercial or financial information. [5 U.S.C. 552(b)(4)]. 81 FR 29658

Yet, with no new information, evidence or case law cited since the 2016 final rule, in this proposed rule, the agency has revised its assessment of its ability to protect PII.  OSHA is now stating that its previously substantiated claims that its practices of 40 years protecting PII are effective is now suspect. The only justification that OSHA provides to support its revised assessment of its ability to protect PII (should it be accidentally submitted), is that in the future, a court may disagree with the FOIA laws and OSHA’s current practice, and “require disclosure.”   But even the two cases OSHA cites undermine the statements that a future court might one day require disclosure.

The first case is a pending law suit that is compelling disclosure of electronic information from the form 300 A (summary form) that OSHA began collecting again for the first time last year—after a five-year hiatus. 81 FR 36398.   However, there is no PII on the form 300 A. As OSHA noted in its 2016 rule, “[t]he 300A annual summary does not contain any personally identifiable information.”  81 FR 29632   Further, OSHA has released this information in response to FOIA requests since 1996 and there are close to 20 years of OSHA 300 A logs on OSHA’s website.   Clearly, this pending lawsuit is no harbinger of reversals in any court’s decisions on PII.

The second case OSHA cites (Finkel v. U.S. Department of Labor No.05-5525, 2007 WL 1963163) is a case in which the “Department was ordered to disclose OSHA records collecting its individual inspector’s exposures to beryllium.” Again in this case, no PII was requested nor was any released.

OSHA also justifies its proposed revision of the 2016 rule on the basis that a “description of an injury” may be regarded as particularly sensitive and therefore should not be disclosed. This too is unsupported.  OSHA, as well as sister agencies such as state plan OSHAs and the Mine Safety and Health Administration, have been describing injuries on their web site for decades—including descriptions in press releases, and the data bases of all Federal and State OSHA inspections ( and ).  OSHA has for over 40 years publicized and released information on the description of injuries without any PII being published or released in publicly available OSHA citations and in the OSHA inspection data base.  Further, OSHA has demonstrated its ability to post a great deal of information on injury descriptions on its website and protect all PII. For example, the website on the new severe injury reports has tens of thousands of descriptions of severe injuries in one database. The agency does not cite a single complaint from an individual worker about these descriptions or others contained in the inspection database.

In this new proposal, OSHA is also completely silent about the other injury reporting requirements that sister agencies in the Department of Labor have in place. MSHA, for example, requires all of the nation’s mining operations to submit an incident report (Form 7000-1) within ten working days of all injuries and illnesses (30 CFR Part 50).  In addition, the mine employment and production information data are reported on MSHA Form 7000-2.  There is a great deal of PII collected by MSHA on the form 7000-1 and this information is accessible to the public in a downloadable format. MSHA keeps and has kept for decades the PII on this form protected and OSHA provides not one incident of MSHA’s experience of PII data breaches. Clearly, MSHA’s system demonstrates that the Department of Labor has systems in place to effectively protect worker privacy.

Moreover, as stated by one of OSHA’s State Plan Agencies in 2016, “[t]he Department of Workplace Standards, Kentucky Labor Cabinet commented that they do ‘not foresee misuse of the information; other agencies require electronic submission of similar data and have accomplished the requirement without misuse of personal identifiers’” (Ex. 0208). 81 FR 29660.

Though OSHA clearly and in a reasoned way described their ability to protect PII in the 2016 final rule, it is important for the agency to remember that many agencies collect PII information and make some of it public—with no opposition from workers:

It should also be noted that other federal agencies post establishment specific health and safety data with personal identifiers, including names. For example, the Mine Safety and Health Administration (MSHA) publishes information gathered during the agency’s investigations of fatal accidents (as we stated above, they do not publish any PII for non-fatal injuries/illnesses). MSHA’s Preliminary Report of Accident, Form 7000–13, provides information on fatal accidents including the employee’s name, age, and a description of the accident. MSHA also publishes the written Accident Investigation Report, which details the nature and causes of the accident and includes the names of other employees involved in the fatal incident. The Federal Railroad Administration (FRA) posts Accident Investigation Reports filed by railroad carriers under 49 U.S.C. 20901 or made by the Secretary of Transportation under 49 U.S.C. 20902; in the case of highway-rail grade crossing incidents, these reports include personally identifiable information (age and gender of the person(s) in the struck vehicle). Finally, the Federal Aviation Administration (FAA) posts National Transportation Safety Board (NTSB) reports about aviation accidents. These reports include personally identifiable information about employees, including job history and medical information. “ 81 CFR 29632

In summary, OSHA may legally revise a prior rule if it provides a reasoned explanation for the change. OSHA has failed to do that here.  Instead, it has relied on invented problems and case law that does not buttress their claims, rendering this proposal arbitrary and capricious.

  • What are the benefits of electronically collecting information from the 300 and 301 forms from establishments with 250 or more employees?

Though the 2016 rulemaking contained a robust discussion of the significant benefits to the agency and to others from the collection of the information from the 300 and 301 forms from establishments with 250 or more employees, the current proposal states that the benefits to the agency now “uncertain.”

The 2016 proposal concluded, after a great deal of discussion, that there are significant benefits to the agency of collecting the information from the 300 and 301 forms from larger establishments. The 2016 rulemaking discussed that such information will significant increase the agency’s ability to improve workplace safety and health and prevent occupational injuries and illnesses through more effective outreach, compliance assistance and enforcement. Yet the agency now, with no new evidence or discussion, just ignores any benefits to agency efforts in preventing occupational injuries, illnesses and fatalities through compliance assistance and outreach. In addition, the agency ignores almost all the benefits to enforcement.

The agency provides only two flimsy excuses for this new revised assessment.  First, it claims that the receipt in 2017 of the 300 A summary forms that “gives OSHA the information it needs to identify and target establishments with high rates of work related injuries and illnesses,” 83 FR 36498.  Second, it states that “OSHA has no prior experience with using case specific Form 300 and 301 data to identify and target establishments and is unsure how much benefit such data would have for targeting.” Neither of these rationales counters the fact that the additional information in the 300 and 301 forms would have significant benefits to the agency in achieving its mission.

As the agency stated in the 2016 rule:

The final rule’s provisions requiring regular electronic submission of injury and illness data will allow OSHA to obtain a much larger data set of more timely, establishment-specific information about injuries and illnesses in the workplace. This information will help OSHA use its enforcement and compliance assistance resources more effectively by enabling OSHA to the workplaces where workers are at greatest risk. For example, OSHA will be better able to identify small and medium-sized employers who report high overall injury/illness rates for referral to OSHA’s free on-site consultation program. OSHA could also send hazard specific educational materials to employers who report high rates of injuries or illnesses related to those hazards, or letters notifying employers that their reported injury/illness rates were higher than the industry-wide rates. A recent evaluation by Abt Associates of OSHA’s practice of sending referral letters to high-hazard employers identified by OSHA through the ODI confirmed the value of these letters in increasing the number of workplaces requesting a consultation visit (Ex. 1833). OSHA has also found that such high-rate notification letters were associated with a 5 percent decrease in lost workday injuries and illnesses in the following three years. In addition, OSHA will be able to use the information to identify emerging hazards, support an Agency response, and reach out to employers whose workplaces might include those hazards. The final rule will also allow OSHA to more effectively target its enforcement resources to establishments with high rates or numbers of workplaces injuries and illnesses, and better evaluate its interventions. Prior to 1997, OSHA randomly selected establishments in hazardous industries for inspection. This targeting system was based on aggregated industry data. Relatively safe workplaces in high-rate industries were selected for inspection as well as workplaces that were experiencing high rates of injuries and illnesses. In 1997, OSHA changed its method of targeting general-industry establishments for programmed inspections. The Agency began using establishment-specific injury and illness data collected through the OSHA Data Initiative (ODI) to identify and target for inspection individual establishments that were experiencing high rates of injury and illness. OSHA’s Site-Specific Targeting (SST) program has been OSHA’s main programmed inspection plan for non-construction workplaces from 1997 through 2014. OSHA intends to use the data collected under this final rule in the same manner for targeting inspections. This rule greatly expands the number and scope of establishments that will provide the Agency with their injury and illness data. As a result, the Agency will be able to focus its inspection resources on a wider population of establishments.

The data collection will also enable the Agency to focus its Emphasis Program inspections on establishments with high injury and illness rates, as it did for the National Emphasis Program (NEP) addressing hazards in Nursing Homes (see CPL 03– 00–016, April 5, 2012). The new collection will provide establishment-specific injury and illness data for analyses that are not currently possible with the data sets from inspections, the ODI, and reporting of fatalities and severe injuries. For example, OSHA could analyze the data collected under this system to answer the following questions: 1. Within a given industry, what are the characteristics of establishments with the highest injury or illness rates (for example, size or geographic location)? 2. Within a given industry, what are the relationships between an establishment’s injury and illness data and data from other agencies or departments, such as the Wage and Hour Division, the Environmental Protection Agency, or the Equal Employment Opportunities Commission?   3. Within a given industry, what are the characteristics of establishments with the lowest injury or illness rates? 4. What are the changes in types and rates of injuries and illnesses in a particular industry over time? Furthermore, without access to establishment-specific injury and illness data, OSHA has had great difficulty evaluating the effectiveness of its enforcement and compliance assistance activities. Having these data will enable OSHA to conduct rigorous evaluations of different types of programs, initiatives, and interventions in different industries and geographic areas, enabling the agency to become more effective and efficient. For example, OSHA believes that some employers who have not been inspected, but who learn about the results (include monetary penalties) of certain OSHA’s inspections in the same industry or geographic area, may voluntarily abate hazards out of concern that they will be the target of a future inspection. Access to these data will allow OSHA to compare injuries and illnesses at non-inspected establishments in the same industry or geographic areas as the inspected ones. (81 FR 29629-29630).

There were many detailed comments to the 2016 rule about the benefits to others outside of OSHA in collecting information from the 300 and 300 A forms (AIHA, APHA, AFL CIO, CSTE at Ex. 1126, 1354, 1350, 1106). From the comments of the Council of State and Territorial Epidemiologists, submitted to OSHA as part of the 2016 rule making:

As public health practitioners, we underscore the critical importance of collection, analysis and dissemination of health data to those who need to know for purposes of prevention [Halperin and Baker, 1992; Lee and Thacker, 2011]. Surveillance is an essential component to any comprehensive approach to prevention work-related injuries and illnesses, whether it is at the federal, state, local or establishment level.  OSHA’s proposal to electronically collect and make available the data employers already record on work-related injuries and illnesses would substantially enhance occupational health surveillance capacity in the United States. These establishment specific data would increase OSHA’s ability to target is limited enforcement and compliance assistance resources more effectively.  Access to these data would also facilitate public health agency efforts to reduce work-related injuries and illnesses in the states, and significantly increase the potential for more timely identification of emerging hazards.   Additionally, we believe that the electronic collection of these data provides OSHA with a valuable opportunity not only to improve the standardization and quality of the data recorded and reported by employers but also to promote use of data by employers and workers to reduce work-related injuries and illness at the establishment and company-wide levels.

In 2000, Massachusetts enacted legislation requiring hospitals licensed by the Massachusetts

Department of Public Health (MDPH) to develop sharps injury prevention control programs [MGL Chapter 111 sec 53D].  This law echoed the specific requirements of the OSHA bloodborne pathogen standard [29CFR 1910.1030] and added a requirement that hospitals report select data from the OSHA required log of sharps injuries annually to MDPH.  MDPH hospitals and hospital workers collaborated in developing a system for reporting standardized data electronically. Each year since 2001, 100% of the MDPH licensed hospitals (n= 99) have submitted data on sharps injuries annually to the MDPH.  In recent years, data from all hospitals, which range in size from less than 150 to over 20,000 employees, have submitted electronically through a secure electronic transmission.   Annual hospital specific data and statewide reports prepared by MDPH provide information on patterns of sharps injury and sharps injury rates for use by hospitals and hospital workers as well as MDPH. (Findings indicate sharps injury rates have declined and use of devices without engineered safety features has increased, but that more remains to be done to reduce sharps injuries [Laramie, et al., 2012].) This experience in Massachusetts indicates that electronic reporting of case level occupational injury data to OSHA by employers is feasible and can provide useful information for targeting prevention efforts at multiple levels. ( Ex. 1106).

Moreover, while the proposal states that the benefits of these logs to the agency is unclear, OSHA is vigorously defending in court its use of the logs as an important enforcement tool. In United States of America, v. Mar-Jac Poultry, Inc., No. 2:16-CV-192 (11th Circuit), OSHA attempted to obtain an administrative search warrant based on its examination of OSHA 300 logs. The district court denied the warrant and OSHA appealed. In its opening brief in the 11th Circuit, the government explained that “[e]experienced OSHA personnel analyzed the illness and injury data in Mar-Jac’s OSHA 300 logs, and concluded that the data suggested violations of the Occupational Safety and Health Act and related regulations in at least six other areas. . . . In light of these analyses, OSHA sought an administrative warrant authorizing the agency to inspect Mar-Jac’s poultry-processing plant with respect to these six hazards implicated by the OSHA 300 logs.” Government Brief p.6-7

Further, the government explained “[o]f particular importance with respect to the five hazards at issue on appeal, OSHA adduced evidence contained in Mar-Jac’s OSHA 300 logs, analyzed by experienced agency officials capable of contextualizing the information in the logs and drawing reasonable inferences based on a totality of the circumstances.” Government Brief p. 17

In its reply brief, the government summarized the benefit of the logs to OSHA’s enforcement efforts: “Mar-Jac’s logs may not establish conclusively the causes of the recorded injuries and illnesses, but they allow OSHA officials to draw reasonable inferences about the likely causes of the reported injuries and amply demonstrate the reasonable suspicion required for an administrative warrant.” Government Reply Brief p. 8.

Thus, the evidence is clear that maintaining the 2016 reporting requirements for large employers for information from the 300 and 301 forms would reap substantial benefits to the government, researchers, employers, workers and their representatives in preventing work related injuries and illnesses and fatalities.

As we have laid out in these comments, the provisions in this proposal to rescind reporting requirements for establishments with over 250 employees to electronically submit information (they are already required to keep) from OSHA Forms 300 and 301 is completely flawed, not supported by evidence or reasons, contrary to legal authority, and thus should be completely disregarded. However, we do support the addition of a requirement for all employers to report their EIN along with their injury and illness data. This will lead to great efficiencies.

Related to

About the Author

Christine L. Owens