Under HAZWOPER and related OSHA standards, supervisors, coworkers, managers, and most other personnel at a company should not have direct access to an employee’s medical records. These records are tightly restricted, and only a small number of people can view them, each under specific conditions. The core rule comes from OSHA’s standard on access to employee exposure and medical records (29 CFR 1910.1020), which governs how medical surveillance data from hazardous waste operations must be stored, shared, and protected.
Who Can Access HAZWOPER Medical Records
The list of people with legitimate access is short. The employee has the strongest right to examine and copy their own medical records. Beyond the employee, access is limited to the physician or other healthcare professional who maintains the records, a designated representative the employee has authorized in writing, and OSHA, which requests medical records during inspections only under the procedures in 29 CFR 1913.10. NIOSH can also obtain records in connection with its research and in the record-transfer situations described below.
A “designated representative” is someone the employee specifically names through written consent. This could be a personal physician, an attorney, or a union representative. The key point is that for medical records the employee must actively authorize this access. No one becomes a designated representative for medical records by default, not even a union steward or a spouse. One caveat worth knowing: 1910.1020 treats a recognized or certified collective bargaining agent as an automatic designated representative for exposure records and for analyses based on exposure or medical records, but that automatic status does not extend to an individual employee’s medical records, which still require that employee’s specific written consent.
Who Is Excluded From Access
Direct supervisors, site managers, HR staff, and coworkers have no right to view an employee’s full medical records. This is true even if the supervisor oversees a HAZWOPER site and feels they need the information to make staffing decisions. The employer’s role is to receive a fitness-for-duty determination from the examining physician, not to review exam results, diagnoses, or treatment details.
In practice, this means a site safety officer might learn that a worker has been cleared (or not cleared) for respirator use or hazardous waste work, but they should never see the underlying medical data that led to that determination. The physician can share a summary statement about whether the employee is fit for duty. That is the boundary.
Third-party contractors, insurance adjusters, and other companies working at the same HAZWOPER site are also excluded unless the employee provides specific written authorization. Even OSHA itself follows defined procedures when requesting medical records during an inspection.
What Employers Actually Receive
When a physician conducts medical surveillance for HAZWOPER workers, the employer typically receives only the physician’s written opinion. This opinion covers whether the employee can perform their assigned duties, any recommended limitations on the worker’s exposure or use of protective equipment, and confirmation that the employee was informed of the exam results. It does not include specific diagnoses, lab values, or details about the worker’s overall health.
This is an important distinction that often causes confusion on job sites. Employers sometimes assume that because they pay for the medical exam, they are entitled to the results. They are not. The employer is responsible under 1910.1020 for ensuring the records are preserved and that the employee can get access to them, but that is a custodial duty, not a right to read the contents. The content of the records is available to the employee, the employee’s designated representative, and OSHA; the employer itself is entitled only to the physician’s written opinion, which is the narrow fitness-for-duty information it needs to comply with HAZWOPER.
Special Restrictions on Sensitive Diagnoses
OSHA adds an extra layer of protection for particularly sensitive medical information. If a physician representing the employer believes that giving an employee direct access to their own records regarding a terminal illness or psychiatric condition could be harmful to the employee, the employer can route that information through a designated representative instead. This is the only situation where even the employee’s own access can be limited, and it requires the employee to provide written consent naming someone to receive the information on their behalf.
Healthcare personnel maintaining the records can also remove the identities of family members, friends, or coworkers who provided confidential information about the employee’s health. This protects people who may have reported concerns about a worker’s condition in good faith.
How HIPAA and OSHA Overlap
HIPAA’s Privacy Rule and OSHA’s record access standard operate in parallel, and both apply in most HAZWOPER situations. HIPAA generally prohibits covered healthcare providers from disclosing protected health information without the patient’s authorization. However, it includes a specific exception (45 CFR 164.512(b)(1)(v)) allowing a provider that performs workplace medical surveillance or evaluates work-related illness or injury to share findings with the employer when the employer needs them to comply with OSHA, MSHA, or a similar state law, provided the provider gives the worker written notice that this information is being disclosed to the employer.
This exception is narrow. It permits sharing the information the employer needs to comply with OSHA regulations, not blanket access to the worker’s medical history. Records that a company maintains in its capacity as an employer, such as the physician’s written opinion in the employer’s personnel file, fall outside HIPAA’s definition of protected health information, and the employer itself is usually not a HIPAA covered entity at all; those records are nonetheless still governed by OSHA’s access and confidentiality rules. The medical surveillance records held by the physician remain protected under both regimes.
How Long Records Must Be Protected
Employers must preserve HAZWOPER medical records for the duration of the employee’s employment plus 30 years. Exposure records carry a separate 30-year retention requirement. These timelines mean that confidentiality obligations extend well beyond the time someone works at a site. If an employer wants to dispose of records after the retention period ends, it must notify the Director of NIOSH in writing at least three months before disposal, giving the agency a chance to take possession of the records.
If a business closes or changes ownership, the obligation follows the records. An employer ceasing to do business must transfer the records to its successor, and the successor inherits the responsibility to preserve them and to honor the same access restrictions. If there is no successor employer, the departing employer must notify the Director of NIOSH in writing at least three months before the business closes and transfer the records to NIOSH if the agency requests them.
Consequences of Unauthorized Access
Violations of OSHA’s medical record confidentiality requirements carry real penalties. Under the figures written into Section 17 of the OSH Act, a serious violation can result in a fine of up to $7,000 per violation, and willful or repeated violations carry penalties between $5,000 and $70,000 per violation. Anyone who knowingly makes a false statement or falsifies a record or report required under the Act faces a fine of up to $10,000, up to six months in prison, or both. Those are the statutory base amounts; OSHA now adjusts its civil penalty maximums for inflation each year, and the current adjusted figures are considerably higher.
Beyond OSHA fines, unauthorized disclosure of employee medical information can trigger liability under state privacy laws and, where HIPAA applies, federal enforcement by the Department of Health and Human Services. For employers operating HAZWOPER sites, the practical takeaway is straightforward: lock medical records down, limit access to the examining physician and the employee, and share only fitness-for-duty determinations with management.
Responding to Record Requests
When an employee or their designated representative requests access to medical records, the employer must provide it in a reasonable time, place, and manner. If access cannot reasonably be provided within 15 working days, the employer must tell the requester the reason for the delay and the earliest date the records will be available. The physician may recommend that the employee consult with the physician to review and discuss the records, accept a summary of the material facts and opinions instead of the full file, or agree to release the records only to another physician or designated representative. These are recommendations, not requirements. The employee retains the right to the full records unless the narrow terminal illness or psychiatric condition exception applies.
Employers must also inform workers about their right to access these records. OSHA requires that employees covered by the standard, including those in HAZWOPER medical surveillance programs, be told at the time of initial employment and at least annually afterward that the records exist, where they are kept, who is responsible for maintaining them and providing access, and what rights of access the employee has. The employer must also keep a copy of 29 CFR 1910.1020 available for employees to read.

