Why Privacy Designation Exists
The OSHA 300 Log is a workplace document that current and former employees, employee representatives, and authorized agency officials may request and review. Several categories of injury and illness carry an inherent risk that disclosure would expose sensitive medical or personal information unrelated to safety improvement.
29 CFR 1904.29(b)(7) lists the categories that the employer must treat as privacy concern cases. For these cases, the employer enters “privacy concern case” in the name column rather than the employee's name, while still recording the case as required.
- Injury or illness to an intimate body part or the reproductive system. Includes burns, abrasions, lacerations, or other injury affecting genitalia, breasts, or anogenital area.
- Injury or illness resulting from a sexual assault. Any work-related sexual assault that results in a recordable case.
- Mental illnesses. Recordable mental illness cases — most often work-related post-traumatic stress disorder, anxiety disorder, or major depressive episode tied to a defined work event or chronic exposure.
- HIV infection, hepatitis, or tuberculosis. Whether by direct exposure, seroconversion after a needlestick, or recognized occupational acquisition.
- Needlestick injuries and cuts from sharp objects contaminated with another person's blood or OPIM. Cross-references the 1904.8 recording trigger. Every contaminated sharps injury is by definition a privacy concern case.
- Other illnesses, if the employee independently and voluntarily requests that the name not appear. Applies only to illnesses, not injuries. The request must be unprompted and documented.
Mental Illness — A Closer Look
Mental illness is recordable when it is work-related, meets the 1904.7 thresholds, and either a physician or other licensed health care professional has diagnosed it or the employee voluntarily provides a diagnosis. For mental illnesses, OSHA also requires that the employee voluntarily provide the case to be recorded, although the privacy designation applies regardless.
Work-relatedness for mental illness usually traces to:
- A discrete traumatic event at work (assault, witnessed fatality, severe near-miss).
- A defined harassment or hostile work environment with clinical manifestation.
- Chronic high-stress occupations with documented psychiatric injury (first responders, healthcare workers, certain heavy industry roles).
When recordable, the case enters the 300 Log under all other illnesses, with the name field reading “privacy concern case.”
The Confidential Cross-Reference List
Privacy designation does not erase the requirement to identify the employee in the employer's internal records. The employer must keep a separate, confidential list that links each privacy concern case number on the 300 Log to the employee's name. This list is retained for the same five-year period as the 300 Log under 29 CFR 1904.33.
The cross-reference list is not for general distribution. It is provided to OSHA on request during inspection or audit and is otherwise restricted to the personnel who maintain recordkeeping. Storing it with the 300 Log defeats the privacy purpose. Keep it separate, with access logged.
Releasing Logs Without Identifying Privacy Cases
Under 29 CFR 1904.35, employees, former employees, their personal representatives, and authorized employee representatives may obtain copies of the 300 Log. The privacy designation continues into these copies — the name field remains “privacy concern case” in the released version.
29 CFR 1904.29(b)(9) further allows the employer to withhold descriptive details from the 300 Log if the description itself would reasonably allow identification of the employee. In a small workforce, even an “all other illness” entry with a date can identify someone. The employer can enter only the minimum description necessary, while still ensuring the case is on the log.
When releasing the 301 Incident Report, the same protection applies. Identifying details, narrative descriptions, and witness names that would expose the employee can be redacted from copies provided to representatives, while the original record retained by the employer is unredacted.
Year-End Posting and 300A
The annual summary (Form 300A) does not include any individual employee names. It is summary statistics only. Privacy concern cases are counted in the totals like any other case but are not separately identifiable on the 300A. The standard Feb 1 – Apr 30 posting requirement applies.
Electronic submission to OSHA's Injury Tracking Application also follows the privacy rules. Establishments required to submit 300 Log and 301 Incident Report data electronically must omit names and other personally identifiable information for privacy concern cases. See the article on electronic submission to the ITA for the field-level rules.
Common Mistakes
Treating “privacy” as optional. For the listed categories, name omission is required, not at the employer's discretion.
Storing the cross-reference list with the log. The two must be separated to preserve the protection.
Adding “privacy concern case” to non-qualifying cases. Only the six listed categories qualify. Routine musculoskeletal cases or generic injuries are not privacy cases unless the employee independently and voluntarily requests it under category six (which applies only to illnesses, not injuries).
Forgetting category six is illness-only. A worker cannot request privacy on a routine injury case — only on an illness.
Distributing unredacted descriptions. In small workforces, the description can be as identifying as the name. Apply 1904.29(b)(9) to limit the description if needed.