What are the OSHA Regulations for Hospitals?

The OSHA regulations for hospitals consist of all applicable common workplace safety and health standards and any that apply to the nature of services provided by the hospital or its operations. For example:

Common Workplace Safety and Health Standards may include:

  • 1910.22 General Requirements
  • 1910.25 Stairways
  • 1910.35 Means of Egress
  • 1910.38 Emergency Action Plan

Specific Healthcare Safety and Health Standards may include:

  • 1910.1096 Ionizing Radiation
  • 1910.1030 Bloodborne Pathogens
  • 1910 Subpart I Personal Protective Equipment
  • 1910 Subpart Z Toxic and Hazardous Substances

Healthcare Operations Safety and Health Standards may include:

  • 1910.95 Noise Exposure
  • 1910.303 General Electrical Requirements
  • 1910 Subpart J General Environmental Controls
  • 1910 Subpart O Machinery and Machine Guarding

In addition, the OSHA regulations for hospitals include all applicable administrative and recordkeeping standards promulgated by the Occupational Safety and Health Administration or state OSHA Plan.

Which OSHA Regulations for Hospitals are Applicable?

The challenge of OSHA compliance for hospitals is working out which OSHA regulations are applicable. For example, there will be more threats to safety and health attributable to workplace violence in hospitals with ER departments than there will be in maternity hospitals.

With regard to healthcare operations, hospitals with in-house laundry facilities will have to be more conscious of the OSHA regulations for hospitals relating to heat stress and machine guarding than hospitals that outsource laundry services or that only provide out-patient facilities.

How OSHA’s E-Tool for Healthcare can Help

To help determine which OSHA regulations for hospitals are applicable, the Administration has created an online e-tool that covers fourteen focus points of hospital activities. It is important to be aware that the hazards, requirements, and controls discussed in each module may not be the only hazards, requirements, or controls applicable to each focus point.

OSHA reminds employers and safety officers using the e-tool that it is still necessary to conduct a thorough worksite hazard analysis to determine the full range of hazards to which members of the workforce are exposed and the full range of controls needed to protect them from those hazards. In this respect, the CDC’s “Pocket Guide to Chemical Hazards” can also be a valuable resource.

Complying with the OSHA General Duty Clause

The OSHA General Duty clause requires that, in addition to complying with hazard-specific standards, employers must provide a work environment “free from recognized hazards that are causing or are likely to cause death or serious physical harm.” Workplace violence is a recognized hazard in the healthcare industry and as such, employers have the responsibility via the Act to abate the hazard.

Complying with the OSHA General Duty clause can also be a challenge for hospitals due to the issue of work-related Musculoskeletal Disorders (MSDs) caused by manually lifting, moving, and repositioning patients. MSDs are also covered by the OSHA General Duty clause, and OSHA has published guidance on preventing MSDs in the workplace to help avoid injuries of this type.

Complying with OSHA Recordkeeping Requirements

With the exception of partially exempt outpatient care centers, most healthcare organizations have to comply with OSHA recordkeeping requirements. These apply to all recordable work-related injuries and illnesses suffered by employed members of the workforce, and fatalities, amputations, hospitalizations, or eye loss injuries affecting any member of the workforce.

Some OSHA regulations for hospitals have special recordkeeping requirements. For example, when recording needlestick and sharps injuries (OSHA standard §1904.8), employers must not enter the employee’s name on the OSHA 300 log. There are also privacy requirements for other types of injury recordkeeping. These can be found in OSHA standard §1904.29(b)(6) through §1904.29(b)(9).

Complying with OSHA Training Requirements

The OSHA training requirements vary by standard. Some standards (e.g., the “Personal Protective Equipment” standard) require that employees are trained in how to use the equipment the first time it is provided to them. Other standards (e.g., the “Bloodborne Pathogens” standard) require annual training. Note: annual training on some standards may be required by other agencies. For example, annual emergency action plan training is a condition of participation in Medicare.

As with the HIPAA training requirements, all members of the workforce will require general safety and health training (e.g., cleaning up spills safely), while some members of the workforce will require further OSHA training specific to their roles (e.g., using ethylene oxide safely). Similarly, healthcare organizations need to train all members of the workforce on the meaning of hazard warning signs, but only some on the permissible exposure limits for the hazards they are exposed to.

Penalties for Non-Compliance with the OSHA Regulations for Hospitals

Unlike HIPAA, in which penalties are most often issued for violations attributable to willful neglect, OSHA issues financial penalties when employers “should have known” about the OSHA compliance requirements. In the year to September 2023, OSHA issued financial penalties for non-compliance with the following OSHA regulations for hospitals:

  • The bloodborne pathogen standard
  • The hazard communication standard
  • The respiratory protection standard
  • The control of hazardous energy standard
  • OSHA’s form filling requirements
  • The formaldehyde standard
  • OSHA’s general requirements
  • The asbestos standard
  • The wiring methods, components, and equipment standard
  • The exit route standard (maintenance, safeguards, and features)

The failure to train employees is a common factor in OSHA enforcement action. In 2013, the Atlanta Health Careers Institute in Georgia was fined $62,000 for violations of the bloodborne pathogen standard, with $60,000 of the total being attributable to the employer failing to train workforce members on the hazards and precautions.

Previously, the New York Hospital of Queens was fined $112,500 for violations of the formaldehyde standard – a large part of which was attributable to the failure of the hospital to provide employees with appropriate training – while in the last year, two hospitals have been fined for just the failure to provide training to members of the workforce.

Help to Comply with OSHA Healthcare Regulations

If you have a responsibility for safety and health in a hospital, and you are not sure about which regulations apply to your organization, you can get help from multiple sources. You can download our OSHA compliance checklist, seek advice from an OSHA compliance expert, or contact OSHA directly on 800-321-6742 (OSHA). In some circumstances, you may qualify for a free on-site OSHA consultation or a grant towards developing a workplace training program.


Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida

Dozens of lawsuits that were filed in response to the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have recently been consolidated into a single lawsuit that will be heard in the Southern District of Florida.

The lawsuits stem from the mass exploitation of a vulnerability by the Clop group. The Clop group, aka Cl0p, is a financially motivated threat actor known for ransomware and extortion-only attacks, which has a history of exploiting vulnerabilities in file transfer solutions. Clop exploited flaws in the Accellion File Transfer Appliance in December 2020, SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP software in November 2021, and Fortra’s GoAnywhere MFT solution between January and February 2023. Later in the year, Clop went on to exploit a zero-day vulnerability in Progress Software’s MOVEit Transfer solution.

More than 2,700 users of MOVEit software suffered attacks, the Fortra GoAnywhere vulnerability was exploited to attack around 130 organizations, and Accellion attacks affected more than two dozen organizations. In these attacks, Clop opted for data theft and extortion and chose not to encrypt files, even though the group claimed that it could have done so. Without encryption, attacks are faster and more efficient and there were no apparent attempts at wider compromises. The attacks have certainly proven to be profitable for Clop, which has raked in over $100 million in ransom payments this year from its mass exploitation attacks.

While these mass hacking incidents were similar and the subsequent lawsuits in each made similar claims, the U.S. Judicial Panel on Multidistrict Litigation opted not to consolidate the lawsuits against Accellion and its customers but did consolidate the lawsuits related to the GoAnywhere and MOVEit hacking incidents. Organizations that opposed consolidation in the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should rule against consolidation as it had with the Accellion actions.

The decision to deny centralization in the Accellion actions, of which there were 26, was reached for two reasons: most of the parties opposing centralization had already organized the litigation and preferred to cooperate informally, and the allegations were likely to be specific to each defendant’s role in the breach of plaintiffs’ data, since the vulnerability was present in a legacy file transfer solution that Accellion had been encouraging customers to migrate away from. The Fortra GoAnywhere solution is actively used by more than 100 organizations and is not a legacy product; therefore, there are likely to be significant questions about Fortra’s role in the ultimate exploitation of the vulnerability.

All of the GoAnywhere lawsuits are expected to share common and complex factual questions surrounding how the vulnerability occurred, the unauthorized access and data exfiltration, Fortra’s role in the vulnerability and the response to it, and the plaintiffs bringing largely overlapping putative nationwide class actions. Centralization of the actions offers substantial opportunities to streamline pretrial proceedings, reduce duplicative discovery and conflicting pretrial obligations, prevent inconsistent rulings on common evidentiary challenges and summary judgment motions, and conserve the resources of the parties, their counsel, and the judiciary.

The decision to centralize 46 actions across seven districts was supported by several of the organizations named in the lawsuits, including Aetna, Community Health Systems, Brightline, and Fortra. Anthem Insurance Companies Inc. was named in a single action and opposed centralization, and plaintiffs in the District of Minnesota took no position on consolidation, although they favored Minnesota as the venue if the actions were consolidated. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to hear the case because 18 of the lawsuits were filed there, more than in any other appropriate transferee district.

The consolidated data breach litigation includes 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, 7 against Intellihartx in the Northern District of Ohio, 4 against Brightline Inc. in the Northern District of California, 4 against Aetna Inc./Aetna International and 3 against NationBenefits LLC in the District of Connecticut, 1 against Anthem Insurance Companies Inc. in the Southern District of Indiana, and 1 against Fortra LLC in the District of Minnesota.
