OSHA Releases ‘new’ Electronic Recordkeeping Regulation: Everything Old Is New Again

Morgan Lewis

Morgan Lewis

The Occupational Safety and Health Administration (OSHA) released its revised electronic recordkeeping regulation, “Improve Tracking of Workplace Injuries and Illnesses,” on July 17. Most significantly, the revised regulation reinstates the requirement for many employers to submit certain injury and illness information electronically directly to OSHA every year.

OSHA states in its preamble to the rule that it intends to post the collected information online where it will become publicly available. OSHA’s new” recordkeeping regulation reverts to a prior regulation it published during the waning days of the Obama administration, which the agency soon after withdrew under the Trump administration.

Although challenges in court seem likely, the regulation generally will become effective January 1, 2024, with data submission requirements beginning on March 2, 2024.


For employers, the most significant part of the regulation is its reinstated online electronic reporting requirement. In the past, employers covered by OSHA’s recordkeeping regulations collected and maintained information regarding covered work-related injuries and illnesses. Generally, OSHA only gained access to those records as part of an onsite inspection, or on occasion as part of specific written requests.

Under the revised regulation, however, employers in “high risk” industries with 100 or more employees at one establishment must now electronically provide certain information on their OSHA 300 and 301 forms to OSHA annually. Perhaps most importantly, OSHA will require establishments to include their company name when making electronic submissions to OSHA and then intends to make the data publicly available in a searchable online database.

OSHA published the list of “high-risk” industries subject to this new requirement, which will become “Appendix B to subpart E.” Those industries include food production, manufacturing, healthcare, retail, warehousing, transportation, and the performing arts, among others.

OSHA determined which industries were “high risk” by examining industries’ total recordable cases (TRC), Days Away, Restricted, or Transferred (DART) rates, and the number of fatalities that occurred in each industry. OSHA concluded that those industries with a TRC of 3.5, a DART rate of 2.25 per 100 employees, or a fatality rate of 5.7 deaths per 100,000 full-time-or-equivalent employees were “high risk.”

OSHA’s rationale for gathering and publishing this information harkens back to what it said in the prior rescinded version of the rule. Specifically, OSHA contends that “expanded public access to establishment-specific, case specific injury and illness data” will allow various stakeholders, including the general public, to “make more informed decisions about workplace safety and health at a given establishment.”

The agency also suggests that public posting of the data is necessary because employees fear that their employer will retaliate against them if they request 300 logs for their establishment— a right that employees already had prior to this revised rule. OSHA goes so far as to predict that “this increased accessibility will result in the reduction of occupational injuries and illnesses.” However, rates of occupational injury and illness have remained mostly constant for years, with the national average TRC ranging from 2.8 in 2018 to 2.7 in 2021, the last year for which relevant BLS data is available.

OSHA claims in the preamble to the regulation that this new requirement will not infringe on employers’ or employees’ privacy rights. To that end, OSHA will not collect or publish certain information on the OSHA 300 and 301 forms, specifically employee and healthcare provider names and addresses.

Further, OSHA indicates that it will scrub the data that it does collect with “automated information technology to detect and remove any remaining information that could reasonably be expected to identify individuals directly.” OSHA believes these measures, coupled with reminders to employers not to submit personal information, will adequately protect employees’ privacy.


OSHA has also updated the list of industries that are required to submit data from annual 300A logs:

  • OSHA continues to require all establishments with 250 or more employees at any time during the previous calendar year—that are already required to keep records under OSHA’s injury and illness regulation (i.e., they are not exempt from OSHA recordkeeping regulations)—to submit this data.
  • OSHA revised the list of industries required to submit electronic 300A data for establishments with 20 to 249 employees. OSHA’s industry list is based on the 2017 North American Classification System (NAICS) codes—and not the newest NAICS codes published in 2022 because the illness and injury data for the 2022 codes had not yet been published. As a result, OSHA noted that it may continue to update the list of smaller establishments required to submit 300A data to align with the new NAICS codes once that data becomes available.

OSHA used similar reasoning for these submissions as with the 300 and 301 data, noting that the requirement “provides a good deal of useful data” for it to help further the agency’s objectives.


The implications of OSHA’s return to the Obama administration’s reporting requirements are significant, as the regulation creates various concerns due to the public disclosure of employer safety data. For one, the OSHA recordkeeping process has always allowed employers the continuing opportunity to revise injury and illness records with new changes. But once the injury and illness data are initially reported and disclosed, it may be difficult for employers to revise this public information. The records can also reveal proprietary information, such as the number of workers at a facility, and their publication may create a chilling effect because the data may be misinterpreted or misrepresented by the media or competitors.

Further, employee privacy is a concern. OSHA has historically acknowledged the privacy concerns regarding sensitive and personal employee medical information, but in the final rule, OSHA argues that there is little or no expectation of privacy in records that are required by law to be kept and made available and that the information submission requirements in this final rule are reasonable. Although OSHA states that it will use software to remove private employee information from the disclosures before posting, the effectiveness of this software remains to be seen.

In addition, smaller establishments may be negatively impacted by the expansion of the regulation to establishments with 100 or more employees, as information could be used to identify injuries and illnesses for specific workers, and thereby the specific workers’ medical information, violating their privacy.

Finally, the cost and resources necessary to implement electronic data collection and maintenance will be significant. OSHA’s financial estimates may not account for the time and effort required to bring an employer into compliance, especially ones without any electronic collection procedures currently in place.

In summary, the new rule has serious implications for employers and creates new burdens. Legal challenges by employers and employer groups are expected.


Employers subject to OSHA’s recordkeeping regulations can take certain steps now to comply with the new requirements and limit citation liability. Specifically, those in industries labeled “high risk” should begin to develop a process for collecting the information detailed in the 300 and 301 forms electronically, to the extent that this is not already being done, to assist in meeting the electronic submission deadline.

Employers should also review their injury and illness reporting procedures to ensure that such programs are reasonable and do not discourage injury and illness reporting.

Finally, employers should develop procedures so that if an establishment reaches the 100 or 250 employee thresholds in the regulation, the employer receives notification so that it can be in a position to comply with the new electronic submission requirements.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide