What are the OSHA Emergency Action Plan Requirements?

The OSHA Emergency Action Plan requirements are that every qualifying employer must develop a Plan that meets minimum elements and must provide training on the Plan to key personnel. Qualifying employers must also implement and maintain an employee alarm system to alert employees to emergencies.

The OSHA Emergency Action Plan Requirements

The OSHA Emergency Action Plan requirements (as per §1910.38) are that qualifying employers must develop a plan that includes the following minimum elements:

  • The procedures for reporting a fire or other emergency.
  • The procedures for emergency evacuation, including type of evacuation and exit route assignments.
  • The procedures to be followed by employees who remain to operate critical plant operations before they evacuate.
  • The procedures to account for all employees after evacuation.
  • The procedures to be followed by employees performing rescue or medical duties.
  • The name or job title of every employee who may be contacted by employees who need more information about the plan or an explanation of their duties under the plan.

The Plan must be written and kept in the workplace for employees to review unless an employer has 10 or fewer employees, in which case the plan can be communicated verbally. Employers must also “review” the Plan with each employee at the start of their employment, whenever the employee’s responsibilities change, or whenever the plan is changed.

What are “Qualifying Employers”?

“Qualifying employers” are those required to have an Emergency Action Plan “whenever an OSHA standard in this part [OSHA Part 1910] requires one”. To save businesses scrolling through every applicable standard to see if they meet the criteria for a “Qualifying Employer”, guidance provided for compliance with the OSHA standard relating to portable fire extinguishers states:

“If fire extinguishers are required or provided in the workplace, and if anyone will be evacuating during a fire or other emergency, then OSHA requires you to have an Emergency Action Plan”

There are exceptions to this Standard – for example, if a business has systems in place to extinguish fires before an evacuation is necessary. Businesses unsure about whether they are required to comply with the OSHA Emergency Action Plan requirements can check whether or not they meet the criteria for a “Qualifying Employer” using this OSHA e-tool.

Who Should be Trained on the Contents of an Emergency Action Plan?

According to the OSHA Emergency Action Plan standard, only personnel involved in assisting a safe and orderly evacuation of the premises must receive OSHA training. However, it is important to be aware of other federal, state, or local regulations that may have more stringent emergency requirements than OSHA and that therefore preempt the OSHA EAP training requirements.

An example of a federal regulation with training requirements that preempt OSHA is CMS’ Emergency Preparedness Rule. This Rule requires all organizations that participate in the Medicare program to provide training on emergency preparedness policies and procedures to all members of the workforce on commencement of their employment and annually thereafter.

How Do the OSHA EAP Requirements Align with CMS’ Emergency Preparedness Rule?

The OSHA EAP requirements align with CMS’ Emergency Preparedness Rule in that an organization in compliance with the CMS Rule will have covered the minimum elements required by the OSHA Emergency Action Plan standard. However, complying with CMS’ Emergency Preparedness Rule does not absolve organizations from other OSHA compliance obligations.

For example, whereas CMS’ Emergency Preparedness Rule requires organizations to have communication plans for contacting emergency services, OSHA §1926.50 stipulates that phones used to call 911 must have caller ID capabilities activated, must provide the latitude and longitude of the emergency to 911 dispatchers, or must have some other location identifying measure.

Where to Find Help for Complying with the OSHA EAP Requirements

There is a great deal of help available for complying with the OSHA EAP requirements. Businesses can take advantage of the OSHA Evacuation Plans and Procedures e-tool or review the non-mandatory guidance in the Appendix to Part 1910 Subpart E – “Exit Routes, Emergency Action Plans, and Fire Prevention Plans”. Alternatively, businesses can speak with their local OSHA office directly to see if they qualify for a free onsite consultation about the OSHA Emergency Action Plan requirements.

The post What are the OSHA Emergency Action Plan Requirements? appeared first on HIPAA Journal.

Investigation Highlights Ease at Which Police Can Access Pharmacy Records

On Monday, three Democratic Senators wrote to the Secretary of the Department of Health and Human Services (HHS) Xavier Becerra to express their concern about pharmacies disclosing prescription records to the police without a warrant.

Sen. Ron Wyden (D-OR) and Reps. Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) launched an investigation following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to an abortion and left it to individual states to set their own laws on abortion. Many states have implemented bans or severe restrictions on abortions, which has resulted in women, and in some cases, children, traveling to more permissive states to receive the reproductive care they need, and there are growing fears that individuals who seek legal reproductive health care out of state may face prosecution in their home state.

The HHS issued guidance on HIPAA and reproductive healthcare following the overturning of Roe v Wade, stressing that while the HIPAA Privacy Rule permits disclosures of PHI to law enforcement, the disclosures are not required by the HIPAA Privacy Rule. It is up to each HIPAA-covered entity to decide whether they provide records to the police.

One of the easiest places to obtain patient records to check who has been prescribed abortion medications is national pharmacy chains, which maintain records for patients no matter which location they visit. The records of the prescriptions of each patient can be accessed from any pharmacy, which means that if a patient in a state where abortion is illegal (e.g. Idaho) crosses the border to get abortion medication legally in a more permissive state (e.g. Oregon), police in the home state can obtain the prescription records because a digital trail is maintained.

But how easy is it to access those records? According to the Senators’ investigation, CVS Health, Kroger, and Rite Aid allow their staff to hand over pharmacy records in-store. Each of the pharmacy chains confirmed that their staff face extreme pressure to comply with law enforcement requests and they have been instructed to process them on the spot.

The Senators found that the top 8 pharmacy chains, Walgreens Boots Alliance, Amazon Pharmacy, Kroger, Walmart, CVS, Cigna, and Optum Rx, only require a subpoena to provide the records and not a warrant. A subpoena can be issued without a sign-off from a judge, whereas a warrant requires approval from a judge, which means the police must convince the judge that the medical records are essential to the investigation of a crime.

What is not clear is how many requests for medical records have been issued in relation to investigations of individuals seeking abortions. The pharmacy chains confirmed they receive tens of thousands of requests every year to provide medical records to law enforcement, although most are related to civil lawsuits. Only one pharmacy chain, Amazon Pharmacy, said its policy was to notify individuals if there has been a law enforcement request for their medical records and does so unless that action is prevented by law. Most requests for medical records include a gag order, which prevents pharmacies from alerting individuals about disclosures to law enforcement.

The Senators have called for the HHS to make an urgent update to HIPAA to require law enforcement to obtain a warrant or a judge-issued subpoena in order to access medical records and also request that pharmacies proactively notify customers if their records have been requested by law enforcement.

The post Investigation Highlights Ease at Which Police Can Access Pharmacy Records appeared first on HIPAA Journal.

AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures

The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.

Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.

The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”

While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and make funding available to help hospitals with low resources cover the initial cost of cybersecurity improvements, it maintains that punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.