What Does OSHA Do?

The Occupational Safety and Health Administration (OSHA) is a federal agency within the U.S. Department of Labor that is responsible for the regulation and enforcement of workplace safety and health standards. Additionally, OSHA provides training and outreach to educate workers and employers on best safety and health practices. This article answers the question of what OSHA does in each of the following areas:

  • Developing Safety Standards
  • Requiring Hazard Communications
  • Recordkeeping and Reporting
  • Training and Outreach
  • Enforcing OSHA Standards
  • Emergency Preparedness and Response
  • Protecting Whistleblowers from Retaliation

What Does OSHA Do about Developing Safety Standards

When OSHA was first established in 1971, it was instructed to adopt standards for workplace safety and health within two years. Due to the tight timeframe, the agency started by adopting existing standards from sources such as the American National Standards Institute and the National Fire Protection Administration, and states that had existing safety and health programs.

Once a base of standards had been adopted, OSHA set about developing new standards – originally tackling well-known threats to workplace safety in populated industries such as construction (e.g., asbestos exposure), and then threats to workplace safety in less populated industries such as commercial diving and helicopter flying.

With regards to how OSHA develops safety standards, the process for developing and adopting a standard is that the agency publishes a Notice of Provisional Rule Making (NPRM) and invites stakeholders to submit their comments. An amended version of the NPRM is published as a Provisional Rule; and, subject to further feedback, the standard is published as a Final Rule.

The Requirements for Hazard Communication

OSHA’s Hazard Communication Standard is a regulatory requirement designed to ensure that information about the identities and hazards of chemicals in the workplace is accessible to workers. It is often referred to as the “right to know” law and was revised in 2012 to align with the Globally Harmonized System of Classification and Labelling of Chemicals.

According to OSHA’s requirements for hazard communication, employers must establish a written hazard communication program for the workplace. This program should include labels on containers of hazardous chemicals, safety data sheets (SDSs) provided by the chemical manufacturer, and training programs for employees who potentially face exposure to these chemicals.

Labels on hazardous chemicals are a key element of OSHA compliance. The labels must include signal words, pictograms, hazard statements, precautionary statements, and product identifiers. The purpose of the label is to communicate the primary hazards and precautionary measures quickly and effectively when handling substances recognized as a hazard to safety or health.

What are OSHA’s Recordkeeping and Reporting Requirements?

Under OSHA’s recordkeeping regulations, employers with workforces above a certain size (which varies according to industry) are required to prepare and maintain records of serious occupational injuries and illnesses using the OSHA 300 Log. This includes any work-related injury or illness that results in loss of consciousness, days away from work, restricted work, or transfer to another job.

In addition to the 300 Log, employers are required to maintain a 301 Incident Report for each recordable injury or illness, providing more detail on the specific incident. An annual summary of the 300 Log (Form 300A) must be completed annually and submitted electronically to OSHA. A paper version of the report must also be posted in a prominent location in the workplace.

With regards to reporting serious workplace injuries, the requirements are that employers (of all sizes and regardless of industry) report workplace fatalities to OSHA within eight hours of knowledge of the event. An accident that results in an inpatient admission, amputation, or the loss of an eye must be reported to OSHA within 24 hours of the accident occurring.

What Does OSHA Do about Training and Outreach

OSHA plays a significant role in promoting workplace safety and health through its extensive training and outreach programs. The agency’s commitment to training is based on the principle that workers equipped with the knowledge about their rights – and the hazards they might face in the workplace – are more likely to contribute to a safer work environment.

The OSHA Training Institute (OTI) and its Education Centers offer advanced courses for safety and health officers and OSHA staff. These centers provide specialized training on a range of topics from construction safety to machine guarding and can help in creating a range of professionals skilled in OSHA standards and their implementation so that they can share their knowledge with others.

In addition to the training and outreach programs, OSHA has a range of other training initiatives. One particularly important initiative is the Susan Harwood Training Grant Program – named in honor of a former director of the Office of Risk Assessment – which provides funding for nonprofit organizations to deliver training on workplace safety and health to members of their workforces.

Enforcement, Emergency Preparedness, and Protection for Whistleblowers

OSHA most often learns about potential non-compliance with its safety and health standards via mandatory accident reports, complaints from workers, and referrals from state and federal agencies. The agency prioritizes enforcement inspections depending on the nature of the non-compliance; and, if a violation is identified, OSHA has the authority to issue citations and fines.

As well as working with individual businesses to promote workplace safety and health, OSHA has an active role in the National Contingency Plan to help prepare for and respond to emergencies such as wildfires, extreme weather events, and other natural disasters. OSHA’s role includes coordination, support, and technical assistance to accelerate regional and national responses.

OSHA’s protection for whistleblowers also extends beyond its perceived role as a safety and health regulator. OSHA’s Whistleblower Protection Program enforces whistleblower provisions in more than 20 statutes – protecting employees who report violations in industries as diverse as health insurance, motor vehicle production, food safety, and environmental protection.

What Does OSHA Do? Conclusion

OSHA does a lot more than many individuals give the agency credit for. As well as fulfilling its responsibilities to promote workplace safety and health (and penalize violators), the agency helps communities better prepare for adverse natural and environmental events, helps coordinate response efforts when these events occur, and protects whistleblowers from retaliation.

For most private sector businesses, OSHA is best known for conducting unannounced safety and health inspections; and, if you have concerns that your business may have gaps in its compliance efforts, you should review our OSHA compliance checklist. If gaps are confirmed, you should seek advice on how to fill them from your nearest OSHA office or a compliance expert.

The post What Does OSHA Do? appeared first on HIPAA Journal.

What the US Healthcare IT Industry Can Learn from the EU Digital Services Act

The EU Digital Services Act is due to come into force for most “intermediary” service providers that offer a service to EU citizens from February 17, 2024. The Act will impact a number of US-based healthcare IT companies and may influence future federal and state legislation in the United States.

The Digital Services Act is a new EU law that updates the existing EU Electronic Commerce Directive. Among its objectives, the Act aims to address illegal and misleading online content, better protect Internet users from fraud, and provide more control over what personal data is collected and how it is used. The Act also includes new legal requirements for Very Large Online Platforms (VLOPs – e.g., Amazon and eBay), and Very Large Online Search Engines (VLOSEs – e.g., Bing and Google).

The Act applies to all conduit, caching, and hosting services accessible by EU citizens regardless of where the service provider is based (similar to the General Data Protection Regulation). Therefore, US-based social media companies, e-commerce platforms, collaboration tools, content sharing platforms, messaging apps, and advertising networks (among others) will have to comply with the EU Digital Services Act if they provide a service to or for EU citizens.

The Issue of Provider Liability

Chapter 2 of the EU Digital Services Act is similar to §230 of the Communications Decency Act inasmuch as it provides immunity for online service providers with respect to third party content generated by their users. However, unlike §230, if a service provider becomes aware of illegal activity or illegal content (Article 6) or is ordered to act against such activity or content (Article 9) and fails to remove or disable access to the activity or content, they are in violation of the Act.

With regards to the scope of provider liability, there is a question about whether a website that hosts chatrooms and forums, or allows users to add public comments, is covered by the Act. Strictly speaking, such a website fulfils the definition of an online platform because users can interact with it. However, in the definitions section of the Act (Article 3), an online platform is defined as:

“a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation”.

Because it is unclear how EU regulators will interpret “minor” and “ancillary”, it is advisable for US-based websites that support user interaction to comply with Chapter 2 of the Act and Article 18 of Chapter 3 – which requires providers that suspect criminal activity to report their suspicions to EU law enforcement authorities. It may also be necessary to comply with Chapter 3, Article 23, which requires providers to suspend users who frequently post illegal or misleading information.

Other Relevant Articles in the EU Digital Services Act

The EU Digital Services Act has a scale of compliance obligations depending on the nature of each organization’s qualifying activities. VLOPs and VLOSEs have to comply with all applicable Articles, while organizations that only provide (for example) an online platform do not have to comply with the risk management, audit, and data access requirements. In the context of what the US healthcare IT industry can learn from the EU Digital Services Act, the following Articles are the most relevant:

Point of Contact

Similar to the requirements of HIPAA and the FTC Act, healthcare IT companies in the US that provide any form of intermediary service for EU citizens must appoint a “point of contact”, a role comparable to a Data Protection Officer under the General Data Protection Regulation. This is a requirement of the EU Digital Services Act even if the company does not qualify as a covered entity under GDPR because it does not collect, process, or store personal information relating to an EU citizen.

The “point of contact” must be contactable in a user-friendly manner (Article 12) and how the appointed individual can be contacted must be publicly available (i.e., not an automated service) so they can be contacted by users of the service and by regulatory authorities. Additionally, the point of contact must be located in the EU; so, if a company does not have a physical presence in the EU, it must appoint a “legal representative” (Article 13).

Transparency Reporting Obligations

The transparency reporting obligations of the EU Digital Services Act cover everything from how the service has moderated content and what algorithms have been used to moderate content, to what complaints have been received and what content has been removed from the service as a result. Providers of intermediary services that do not qualify as a small or micro enterprise will be required to produce a report at least annually (Article 15).

Complaint and Redress Mechanisms

Each organization is required to develop and publicize complaint and redress mechanisms (Article 17). These not only apply to handling complaints from users about illegal and misleading content but also complaints from users who have had content removed by a provider. Member states have the authority to produce their own guidelines on how to deal with malicious, unfounded, or repeated complaints, and this will likely involve the documentation of such (unactioned) complaints.

Restrictions on Deceptive Designs

Article 25 of the EU Digital Services Act prohibits the design or operation of online interfaces that deceive users or manipulate them into making a decision. Examples of such practices include giving more prominence to one option over another and repeatedly requesting that a user make a decision via a pop-up that interferes with the user experience. Additionally, the procedure for terminating a service or subscription must be just as easy as signing up for the service or subscription.

Profiling and Targeted Advertising

Several Articles have restrictions or requirements for advertising. Article 26 includes rules for ensuring users are aware an advertisement is an advertisement (or a commercial communication of any sort) and prohibits user profiling and targeted advertising using certain categories of personal data. Article 28 further extends the prohibition of profiling and targeted advertising to all websites and online platforms that are accessible to minors.

The Traceability of Traders

To mitigate the risk of EU citizens being scammed by anonymous vendors, any website or online platform that offers goods or services supplied by a third party trader must obtain the trader’s name, physical address, phone number, email address, and a copy of their registration documents before advertising their goods or services (Article 30). Additionally, third party traders will only be allowed to advertise goods or services that comply with EU laws.

How Might the EU DSA Impact the US Healthcare IT Industry?

The EU DSA is designed to modernize the digital space, create a safer online environment, and rein in the influence of large search engines, e-commerce websites, and social media platforms. The fundamental principles of accountability, transparency, and user protection will impact the US healthcare IT industry inasmuch as US healthcare IT companies provide services to European healthcare systems in the following areas:

  • Electronic Health Records Systems
  • Telehealth Solutions
  • Data Analytics
  • Interoperability Solutions
  • Medical Imaging Software
  • Cybersecurity Services
  • Cloud-Based Services
  • Billing and Revenue Cycle Management
  • Population Health Management

While many of these services may not be subject to the EU DSA because the service provider is not an “intermediary” between the healthcare system and the end user, any other services that qualify as “covered services” will have to comply with the regulations for data transparency and governance, algorithmic accountability, and vendor traceability. Additionally, companies will have to implement mechanisms for complaint handling and redress where required.

The penalties for violations of the EU DSA will be “proportionate to the nature and gravity of the infringement, yet dissuasive to ensure compliance”. Initially, the Digital Services Coordinator is likely to pursue a path similar to how the HHS Office for Civil Rights approaches HIPAA violations – technical assistance and corrective action plans. However, the Coordinator has the authority to fine companies up to 6% of their global turnover and suspend the service until it is compliant.

What the US Healthcare IT Industry Can Learn from EU DSA

EU data privacy legislation is often an influencing factor on federal and state legislation in the United States. California’s Consumer Privacy Act was the first of many state laws modeled on the EU’s General Data Protection Regulation, and the proposed American Data Protection and Privacy Act (ADPPA) further extends individuals’ rights and the data governance requirements of most state laws, plus provides for a conditional private right of action.

Some states have also borrowed from the EU Digital Services Act before the EU law becomes effective. The Indiana Data Privacy Law and the Montana Consumer Data Privacy Act (both passed this year) require covered organizations to conduct data impact assessments before using data for profiling or targeted advertising, while New York’s proposed Privacy Law gives Internet users the right to opt out of both profiling (for any reason) and targeted advertising.

Other Articles in the EU DSA have made appearances in federal legislation. The INFORM Consumers Act requires online marketplaces to collect, verify, and disclose (when required) the identities of certain vendors similar to the EU DSA’s Traceability of Traders Article, while the proposed American Innovation and Choice Online Act places similar restrictions on VLOPs and VLOSEs with regards to the order in which products or search results are displayed to users.

Possibly the most important thing the US healthcare IT industry can learn from EU DSA is the likelihood of §230 of the Communications Decency Act being amended or repealed and interactive online platforms becoming liable for user content posted on them. In 2020, the Department of Justice made four recommendations to Congress ranging from carving out exemptions for specific content to removing all protections for lawsuits brought by the federal government.

Although Congress has not yet acted on the recommendations, numerous legislative proposals (for example, the “Social Media NUDGE Act”) may make it necessary for healthcare IT companies to build content monitoring into interactive apps and – if necessary – develop complaint and redress mechanisms to explain removal decisions and resolve disputes. Due to the volume of legislation that proposes amendments to §230, this is likely to become a requirement sooner rather than later.

Why it is Important to Consider Future Changes Now

There is a great deal of legislative and regulatory activity in the healthcare sector at the moment. In addition to the proposed changes to HIPAA and the cyber incident reporting requirements of the 2022 Critical Infrastructure Act, healthcare IT companies may have to redesign apps and services to comply with the EU Digital Services Act as well as new domestic laws determining how personal health data is collected, retained, and used (e.g., the “My Body, My Data Act”).

Because of the number of laws and regulations that may soon require priority attention, it is recommended that compliance teams and engineering teams communicate about what changes may be required to existing apps and services, and how they can be planned for now in order to avoid future penalties for non-compliance. Any companies unsure of their compliance obligations under the EU Digital Services Act – or any domestic legislation – should seek professional compliance advice.

The post What the US Healthcare IT Industry Can Learn from the EU Digital Services Act appeared first on HIPAA Journal.