Medical Records – Who Gets What?

Donna Lee Gardner

The rules regarding ownership and sharing of medical records for situations such as pre-employment screenings, fitness assessments, and others are often among the most complex scenarios occupational health providers face.

During times like these, it can be difficult to maintain a balance between all of the different entities that an occupational health provider serves.

As noted by the American Health Information Management Association, occupational health providers face the challenge of serving multiple simultaneous clients:

  • Employer
  • Employee/patient
  • Employer’s insurance carrier, self-insured administrator, or workers’ compensation carrier
  • Employee’s health care provider

The provider may need to continuously adjust to understand their responsibility for each role performed, depending on the client they are serving at the time. Remaining in compliance with regulations outlined by the Health Insurance Portability and Accountability Act (HIPAA) is tricky given that the different entities served by occupational health professionals are privy to different aspects of sensitive patient data. It’s important to be absolutely clear on what your organization can share with whom.

A recent NAOHP town hall session brought to light several key questions shared by occupational health professionals from all over the country. We’ve compiled them for you here, along with suggestions as to what your organization should do if you encounter them. Take a look.

What Permission Is Required?

In order to provide clients (the employer) with their requested employee medical and fitness results, the employee must sign consent before the exam allowing occupational health providers to share that information with the employer. Depending on the content of the release form and how it is worded, information shared with employers can go much deeper than a simple “passed” or “did not pass” testing expectations and may or may not include the full details of the examination. Some occupational health firms use additional release forms to make a point of informing the employee more thoroughly.

How HIPAA Applies

There has, historically, been some confusion in occupational medicine about how HIPAA rules apply when dealing with workers’ comp cases. The short answer is the rules still apply very closely. Occupational health providers are only allowed to provide medical information to employers as it pertains to that specific injury, not a complete medical history of the patient.

How Do We Orient Our Clients to Pre-Employment Issues?

The health provider reviews the compliance needs of the employer and makes recommendations for exam components to meet regulations. A formalized orientation package should be prepared for all employer clients detailing the need for information at the workplace to meet all regulatory compliance issues from OSHA, DOT, DOPH, and other regulatory governing bodies overseeing the place of employment for safety and health compliance.

What Screenings Can We Share with the Client?

Generally, only items included in the written authorization required by the regulatory agencies are allowed to be shared with employers, for example, things like hearing screening, respiratory screening, immunizations, substance abuse testing, and lab work required for HAZARD screenings. It all depends on what the employee agreed to in the record of consent. If they agree that their entire medical history can be sent to their employer, then it can be sent. Once again, it’s important the employee is fully informed about what they’re signing.

What Can We Provide the Employee Candidate?

The candidate employee can have their results. The employer can’t refuse the request, even though they paid for the exam.

Who Owns Medical Records?

OSHA describes two specific entities in medical record ownership, which depend on where the testing was conducted. If the testing was done in a clinic operated by an occupational health provider, then the records belong to that provider and are still subject to HIPAA. Copies are provided to the employer only with authorization.

If testing was done in an employee health clinic at an employer’s site, the employer maintains copies in their human resource departments as part of an employee health record. In this scenario, the employer owns the record and is subject to OSHA and other state regulations governing employee health records.

What’s an Occupational Medical Record?

OSHA defines an “occupational medical record” as an occupation-related, chronological, cumulative record, regardless of the form or process by which it is maintained (i.e., paper document, microfiche, microfilm, or automatic data processing media).

The occupational medical record includes information about health status documented on an employee, including personal and occupational health histories as well as the opinions and written evaluations generated in the course of diagnosis, employment-related treatment, and examination by healthcare professionals and technicians. The definition includes employee exposure records, occupational illness, accident, or injury records.

Who Gets the DOT Physical Exam Form and Who Has The Rights to It?

The employer has a right to the forms because they’re paying for them. The employee would have signed an authorization releasing this information to their employer. In other cases, federal entities such as the FBI, the Postal Service, and others have access to the full record of pre-employment testing results for their applicants – much more than a simple “pass or fail.”

Workplace Surveillance

A healthcare provider who provides healthcare service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s protected health information to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent the employer needs information to comply with OSHA, the Mine Safety and Health Administration (MSHA), or the requirements of state laws. Information disclosed must be limited to the provider’s findings regarding medical surveillance or work-related illness or injury.

The covered health care provider must provide the individual with written notice that the information will be disclosed to the employer, or the notice may be posted at the worksite if that is where the service is provided.

OSHA Requirements

OSHA’s regulation, “Access to Employee Exposure and Medical Records,” requires retention of occupational medical records for 30 years after termination of a worker for the purpose of providing access to the records for employees and their representatives. Employee medical and exposure records must be retained. Employees must be given access to these records at no cost by the employer within 15 days of the request.

For more information, see the OSHA publication Access to Medical and Exposure Records.

More Info

If you have questions not contained in this article, contact the experts at NAOHP to learn more or simply visit
