It’s Your Call November 2019

OSHA: Some offices are partially exempt from maintaining OSHA injury and illness records. How can I find out if our office is exempt?

A list of partially exempt industries can be found at: https://www.osha.gov/laws-regs/regulations/standardnumber/1904/1904SubpartBAppA. These employers are required to keep a record ONLY if they are asked in writing by OSHA, the Bureau of Labor Statistics (BLS), or a state agency operating under the authority of OSHA or the BLS. Typically, the OSHA 300 form is sent to the appropriate agency in this case and is due by a certain deadline. If there is an employee fatality, in-patient hospitalization, amputation, or loss of an eye, it MUST be reported to OSHA.


HIPAA: When should a Business Associate Agreement (BAA) be executed and what are the fines if the BAA is not available?

The Business Associate Agreement must be executed prior to services being rendered because HIPAA covered entities cannot disclose protected health information (PHI) to unauthorized persons. When the BAA is lacking, the covered entity is negligent in its duty to protect sensitive health information, and this may lead to misuse or improper disclosure of PHI.

Historically, undocumented BAAs have resulted in monetary fines from $31K to $1.5 million, so Business Associate Agreements are critical. It is also important to review them and the accompanying service contracts periodically to determine whether updates are needed.