Who is Not Covered by OSHA?
There are several categories of workers not covered by OSHA. Additionally, some members of a workforce are only covered in specific roles, while others are only covered in specific states or industries. This article looks at when workers are not covered by OSHA, specifically those in the following areas:
- Volunteers & Temporary Workers
- Self-Employed Workers
- Family Members of Farm Employers
- Industries Regulated by Another Agency
- State and Local Government Employees
Volunteers & Temporary Workers
Volunteers are generally not covered by OSHA – but there are exceptions. Volunteer firefighters may be covered by OSHA if they are remunerated for time spent serving the community, covered by workers’ compensation, or regarded as public employees by the state or local government with jurisdiction over the location they volunteer in.
There are also some special cases in which an agency has adopted an OSHA standard as one of its own and included volunteers in the coverage. For example, when the Environmental Protection Agency adopted OSHA’s Hazardous Waste and Emergency Response standard, the Agency applied the standard to both paid and uncompensated workers.
Temporary workers that are paid by either an employer or a staffing agency are classified as employees and covered by OSHA. It is important to note that, regardless of who the payer is, if a temporary worker is assigned a job by a staffing agency, both the employer and staffing agency are accountable for the safety and health of the employee.
One final comment about volunteers and temporary workers not covered by OSHA is that if a workforce consists of both paid employees and volunteers, the workplace must comply with OSHA standards. Therefore, if a volunteer suffers an injury in a workplace accident that could have happened to a paid employee, the employer could still be cited and fined by OSHA.
Self-Employed Workers
One significant category of workers not covered by OSHA includes the self-employed – independent contractors, freelancers, or anyone else who works for themselves. Self-employed individuals are, by definition, their own employers and do not have employees of their own. As such, OSHA’s standards, which were designed to protect employees from unsafe working conditions, do not usually apply.
However, there are exceptions. In the same way as an employer has to provide a safe working environment for volunteers when other members of the workforce are paid employees, employers must provide a safe working environment to self-employed individuals when self-employed individuals work on the premises.
Complications can arise when one self-employed individual subcontracts another self-employed individual to work with them or on their premises. In such cases, OSHA standards should not apply because both individuals are self-employed. However, depending on the nature of the work and state regulations, some OSHA standards may be applicable.
Family Members of Farm Employees
The applicability of OSHA standards to farms is a nuanced issue, particularly where family members of farm employees are concerned. Generally, farms with fewer than eleven employees are not covered by OSHA, and OSHA considers immediate family – parents and their children, stepchildren, foster children, and spouses – to be excluded from the count of employees.
However, this doesn’t mean that farms are devoid of all responsibility for the safety of their family members working there. Farms are encouraged to follow best practices in agricultural safety and health, and OSHA provides resources and guidelines to aid in this. Furthermore, certain regulations, such as those pertaining to labor camps, accidents, and hazardous substances, may still apply.
Again, there are exceptions to this category of workers not covered by OSHA. If a temporary labor camp is set up on a farm, or an employee (including family members of farm employees) has a fatal accident or sustains an injury that results in hospitalization, amputation, or the loss of an eye, temporary compliance with OSHA’s standards and reporting requirements applies.
Industries Regulated by Another Agency
Some specific industries and workplaces are regulated by other federal agencies. In such cases, businesses in these industries and their workplaces are not covered by OSHA. Examples of this group include:
- Most mining and milling operations fall under the Mine Safety and Health Administration (MSHA). However, OSHA standards may apply for some product types and post-mining processes (see Appendix B of the MSHA and OSHA Memorandum).
- The working conditions of flight crews when an aircraft is in flight. These are overseen by the Federal Aviation Administration (FAA). However, FAA oversight does not apply to cabin crews in respect of noise, hazard communication, and bloodborne pathogens.
- The safety and health of seamen aboard vessels is regulated by the Department of Transportation’s Coast Guard agency. However, OSHA has the authority to enforce standards relating to discrimination and whistleblowing according to a 1983 Memorandum.
- Workers in the publicly owned energy sector that may be exposed to ionizing radiation are covered by safety standards regulated by the Nuclear Regulatory Commission and the Department of Energy. All privately owned businesses in the energy sector are subject to OSHA standards.
State and Local Government Employees
While federal government employees are protected by OSHA, the situation differs for state and local government employees – including those in public schools and universities. OSHA only covers these employees in certain states with an OSHA-approved state plan. In other states, the safety and health of public sector employees fall under the jurisdiction of the state’s health and safety agencies.
In 28 states and territories, the safety and health standards for state and local government employees are overseen by OSHA-approved state plans. Where state plans only apply to state and local government employees, federal OSHA standards apply to private employment activities. State plans are required to have standards and enforcement programs at least as effective as OSHA’s.
| How OSHA Applies | States |
|---|---|
| State Plan Covering Private, State, Local Government | Alaska, Arizona, California, Hawaii, Indiana, Iowa, Kentucky, Nevada, Maryland, Michigan, Minnesota, New Mexico, North Carolina, Oregon, Puerto Rico, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, and Wyoming |
| State Plan Covering State/Local Government Only | Connecticut, Illinois, Maine, New Jersey, New York, and the U.S. Virgin Islands |
| Federal OSHA States | Alabama, American Samoa, Arkansas, Colorado, Delaware, District of Columbia, Florida, Georgia, Guam, Idaho, Kansas, Louisiana, Massachusetts, Mississippi, Montana, Nebraska, New Hampshire, Northern Mariana Islands, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Texas, West Virginia, and Wisconsin |
Who is Not Covered by OSHA? Conclusion
While it may seem like a large number of workers are not covered by OSHA, it is important to note the agency’s influence is vast, covering most private sector workers and federal employees throughout the United States. Additionally, many workers not directly covered by OSHA are protected indirectly by OSHA, by other health and safety agencies, or by a state plan.
Consequently, most private and public employers need to understand their compliance requirements and ensure measures are implemented to comply with applicable OSHA standards. Employers who are unsure of their compliance requirements should review our OSHA compliance checklist and speak with a compliance expert or seek advice directly from the nearest OSHA office.
The post Who is Not Covered by OSHA? appeared first on HIPAA Journal.
LockBit Ransomware Group Threatens to Publish Stolen Cancer Patient Data
The LockBit ransomware group has added Varian Medical Systems to its data leak site and has threatened to publish the data of cancer patients if the ransom is not paid. Varian Medical Systems is a Palo Alto, CA-based provider of radiation oncology treatments and software for oncology departments and a subsidiary of Siemens Healthineers. Varian Medical Systems has not yet confirmed the data breach, and the LockBit group has not yet disclosed how much data was stolen in the attack but said Varian has been given until August 17, 2023, to enter into negotiations; otherwise, all stolen databases and patient data will be released on its dark web data leak site.
Karakurt Threat Group Says Data Stolen from McAlester Regional Health Center
The Karakurt ransomware group has recently added McAlester Regional Health Center to its data leak site and claims to have stolen more than 1,175 GB of data from the Oklahoma hospital, including 5 GB of SQL data on medical staff and medical reports containing sensitive patient information, including DNA data. According to the listing, the stolen employee data includes Social Security numbers and bank account information. The group has threatened to sell the data if the ransom is not paid. McAlester Regional Health Center has not verified the claim and has yet to announce a data breach on its website or report the incident to the HHS’ Office for Civil Rights.
Precision Anesthesia Billing LLC Reports Breach of the PHI of 209,200 Individuals
The Tampa, FL-based HIPAA business associate, Precision Anesthesia Billing LLC (PAB), reported a breach of the protected health information of 209,200 individuals to the HHS’ Office for Civil Rights on July 7, 2023. While no public notice about the data breach appears to have been published to date, the medical group, Athens Anesthesia Associates (AAA), has confirmed that it was one of the entities affected by the breach.
AAA said it was informed by PAB on May 11, 2023, that the data of some of its patients had potentially been compromised. PAB said a well-known cyber threat actor that has conducted many successful cyberattacks was responsible but did not name the group. PAB was able to successfully stop the attack and secure its systems but said it was likely that files containing patient data were accessed and exfiltrated from its systems between May 4 and May 7, 2023. The information compromised in the incident included names, addresses, phone numbers, email addresses, dates of birth, ages, Social Security numbers, bank account numbers, insurance policy numbers, diagnoses, treatment information and dates, ultrasound images, medical record numbers, and hospital account numbers. AAA said it has offered affected patients two years of complimentary credit monitoring services.
Life Management Center of Northwest Florida Cyberattack Impacts 19,107 Individuals
Life Management Center of Northwest Florida, a provider of mental health, behavioral health, and family counseling services, discovered a security breach on March 31, 2023. Steps were immediately taken to secure its network and third-party forensics experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor accessed files that contained patient data. A comprehensive review of the affected files concluded on May 26, 2023, that the protected health information of 19,107 individuals had been compromised, including names, Social Security numbers, driver’s license numbers, medical treatment and/or diagnosis information, and health insurance information. Affected individuals were notified on July 25, 2023, and have been offered complimentary credit monitoring services.
Discovery at Home Falls Victim to Phishing Attack
Discovery at Home, a provider of home healthcare services to seniors in Florida and Texas, fell victim to a phishing attack on or around June 1, 2023, that saw the email account of an employee accessed by an unauthorized individual. Discovery at Home said the incident, “resulted in the inadvertent transmittal of personal health information via unencrypted e-mail to an unauthorized third-party sender.”
The compromised information included names, addresses, dates of birth, dates of service, treatment-related information, and health insurance information, including insurance beneficiary number, claim number, and policy number. At the time of issuing notification letters, Discovery at Home was unaware of any misuse of the compromised data. Discovery at Home said the email account was immediately secured when the breach was detected, steps have been taken to improve email security, and the employee in question has received further security awareness training. Affected individuals were notified by mail on July 31, 2023.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Bi-Bett Corporation Suffers Email Account Breach
Bi-Bett Corporation, a Californian provider of substance use disorder treatment services, has recently notified 4,722 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized third party. Suspicious activity was identified in the email account on February 17, 2023, and the email account was immediately secured and a third-party cybersecurity firm was engaged to investigate. On April 14, 2023, the cybersecurity firm confirmed that patient information may have been accessed or acquired.
The email account was reviewed to identify the affected individuals and the information that had been compromised, and that process was completed on May 22, 2023. The information compromised included first and last names, addresses, Social Security Numbers, driver’s license numbers, Medicaid numbers, and/or medical reference numbers. Bi-Bett said it is working with third-party security experts to strengthen its security posture further. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.