[Federal Register Volume 84, Number 17 (Friday, January 25, 2019)]
[Rules and Regulations]
[Pages 380-406]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-00101]
[[Page 379]]
Vol. 84
Friday,
No. 17
January 25, 2019
Part II
Department of Labor
-----------------------------------------------------------------------
Occupational Safety and Health Administration
-----------------------------------------------------------------------
29 CFR Part 1904
Tracking of Workplace Injuries and Illnesses; Final Rule
��Federal Register / Vol. 84, No. 17 / Friday, January 25, 2019 / Rules
and Regulations��
[[Page 380]]
-----------------------------------------------------------------------
DEPARTMENT OF LABOR
Occupational Safety and Health Administration
29 CFR Part 1904
[Docket No. OSHA-2013-0023]
RIN 1218-AD17
Tracking of Workplace Injuries and Illnesses
AGENCY: Occupational Safety and Health Administration (OSHA), Labor.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: To protect worker privacy, the Occupational Safety and Health
Administration (OSHA) is amending the recordkeeping regulation by
rescinding the requirement for establishments with 250 or more
employees to electronically submit information from OSHA Forms 300 and
301. These establishments will continue to be required to maintain
those records on-site, and OSHA will continue to obtain them as needed
through inspections and enforcement actions. In addition to reporting
required after severe injuries, establishments will continue to submit
information from their Form 300A. Such submissions provide OSHA with
ample data that it will continue seeking to fully utilize. In addition,
OSHA is amending the recordkeeping regulation to require covered
employers to submit their Employer Identification Number (EIN)
electronically along with their injury and illness data submission,
which will facilitate use of the data and may help reduce duplicative
employer reporting. Nothing in the final rule revokes an employer's
duty to maintain OSHA Forms 300 and 301 for OSHA inspection. These
actions together will allow OSHA to improve enforcement targeting and
compliance assistance, decrease burden on employers, and protect worker
privacy and safety.
DATES: This final rule becomes effective on February 25, 2019.
Collections of information: There are collections of information
contained in this final rule. (See Section XI, Paperwork Reduction
Act). Notwithstanding the general date of applicability that applies to
all other requirements contained in the final rule, affected parties do
not have to comply with the collections of information until the
Department of Labor publishes a separate document in the Federal
Register announcing that the Office of Management and Budget has
approved them under the Paperwork Reduction Act.
ADDRESSES: In accordance with 28 U.S.C. 2112(a)(2), OSHA designates
Edmund Baird, Acting Associate Solicitor of Labor for Occupational
Safety and Health, Office of the Solicitor, Room S-4004, U.S.
Department of Labor, 200 Constitution Avenue NW, Washington, DC 20210,
to receive petitions for review of the final rule.
FOR FURTHER INFORMATION CONTACT:
For press inquiries: Frank Meilinger, OSHA Office of
Communications, telephone: (202) 693-1999; email:
[email protected].
For general and technical information: Amanda Edens, Director,
Directorate of Technical Support and Emergency Management, telephone:
(202) 693-2300; email: [email protected].
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
A. Introduction
B. Regulatory History
II. Legal Authority
III. Summary and Explanation of the Final Rule
A. Rescission of Requirement for Certain Establishments To
Submit Data From OSHA Forms 300 and 301 to OSHA Electronically
B. New Requirement To Include Employer Identification Number
With Injury and Illness Data Submitted to OSHA Electronically Under
29 CFR 1904.41
IV. Final Economic Analysis and Regulatory Flexibility Analysis
A. Introduction
B. Cost Savings
C. New Costs (From the EIN Collection)
D. Net Cost Savings
E. Benefits
F. Economic Feasibility
G. Regulatory Flexibility Certification
H. Executive Order 13771: Reducing Regulation and Controlling
Regulatory Costs
V. Unfunded Mandates
VI. Federalism
VII. State-Plan States
VIII. Environmental Impact Assessment
IX. Paperwork Reduction Act
X. Consultation and Coordination With Indian Tribal Governments
Citation Method
In the docket for this rulemaking found at http://www.regulations.gov, every submission was assigned a document
identification (ID) number that consists of the docket number (OSHA-
2013-0023) followed by an additional four-digit number. For example,
the document ID number for the proposed rule is OSHA-2013-0023-1922.
Some document ID numbers include one or more attachments, such as one
of the submissions by the National Institute for Occupational Safety
and Health (NIOSH). (See Document ID OSHA-2013-0023-2003).
When citing exhibits in the docket in this preamble, OSHA includes
the term ``Document ID'' followed by the last four digits of the
document number; the attachment number or other attachment identifier,
if applicable (designated as ``A,'' followed by the number of the
attachment); page numbers, if applicable; and, in a limited number of
cases, a footnote number (designated as ``Fn''). In a citation that
contains two or more document ID numbers, the document ID numbers are
separated by semi-colons. For example, a citation referring to an
attachment to the National Association of Home Builders' comments and
the second attachment to the United Steelworkers' comments would be
indicated as follows: (Document ID 2044-A1, pp. X-X; 2086-A2, p. X).
The exhibits in the docket, including public comments, supporting
materials, meeting transcripts, and other documents, are listed on
http://www.regulations.gov. All exhibits are listed in the docket index
on http://www.regulations.gov, but some exhibits (e.g., copyrighted
material) are not available to read or download from that website. All
materials in the docket are available for inspection at the OSHA Docket
Office, Room N-3508, U.S. Department of Labor, 200 Constitution Avenue
NW, Washington, DC 20210; telephone (202) 693-2350.
I. Background
A. Introduction
OSHA's regulation at 29 CFR part 1904 requires employers with more
than 10 employees in most industries to keep records of occupational
injuries and illnesses at their establishments. Employers covered by
these rules must record each recordable employee injury and illness on
an OSHA Form 300, which is the ``Log of Work-Related Injuries and
Illnesses,'' or equivalent. Employers must also prepare a supplementary
OSHA Form 301 ``Injury and Illness Incident Report'' or equivalent that
provides additional details about each case recorded on the OSHA Form
300. At the end of each year, employers are required to prepare a
summary report of all injuries and illnesses on the OSHA Form 300A,
which is the ``Summary of Work-Related Injuries and Illnesses,'' and
post the form in a visible location in the workplace.
The recordkeeping regulation also requires establishments with 250
or more employees that are currently
[[Page 381]]
required to keep OSHA injury and illness records to electronically
submit information from the OSHA Forms 300, 300A, and 301 to OSHA
annually.\1\ Establishments with 20-249 employees in certain designated
industries are required to electronically submit information only from
the OSHA Form 300A--the summary form. To protect worker privacy, this
final rule eliminates the requirement that establishments with 250 or
more employees that are currently required to keep OSHA injury and
illness records submit information electronically from their OSHA Forms
300 and 301. These establishments, as well as establishments with 20 or
more employees, but fewer than 250 employees, in certain designated
industries, must continue to submit information electronically from
their part 1904 annual summary (Form 300A) to OSHA or OSHA's designee
on an annual basis. The final rule also requires all establishments
that must submit information electronically from their part 1904 annual
summary (Form 300A) to submit their Employer Identification Number
(EIN).
---------------------------------------------------------------------------
\1\ Although the initial deadline for electronic submission of
information from OSHA Forms 300 and 301 by covered establishments
with 250 or more employees was July 1, 2018, OSHA indicated in the
proposed rule that it would not enforce that deadline without
further notice while this rulemaking was underway. (83 FR at 36496).
Furthermore, no secure Web portal for collecting data from Forms 300
and 301 was built while the 2016 rule was being developed or after
it was finalized. As a result, while OSHA already has extensive 300A
data from 214,574 establishments that have proven useful and which
it is seeking to fully utilize, OSHA has never received the data
submissions from Forms 300 and 301 that the 2016 rule anticipated.
---------------------------------------------------------------------------
Elimination of the requirement that establishments with 250 or more
employees submit information electronically from their OSHA Forms 300
and 301--a requirement that has not yet been enforced--does not change
any employer's obligation to complete and retain injury and illness
records under OSHA's regulations for recording and reporting
occupational injuries and illnesses. The final rule also does not add
to or change the recording criteria or definitions for these records.
OSHA's collection and use of the summary data from form 300A, and
information concerning severe injuries it also receives, give OSHA the
information it needs to identify and target for potential enforcement
actions those establishments with high rates of work-related injuries
and illnesses. For example, OSHA has collected summary 300A data for
2016 from 214,574 establishments, and expects to collect a greater
volume of 2017 summary data. With the data, OSHA has already designed a
targeted enforcement mechanism for industries experiencing higher rates
of injuries and illnesses. OSHA plans to further refine its approach as
it seeks to fully utilize these data from form 300A, and it will
likewise continue to use information received from severe injury
reports.
In light of this backdrop, OSHA has determined that the rule will
benefit worker privacy by preventing routine government collection of
information that may be quite sensitive, including descriptions of
workers' injuries and the body parts affected, and thereby avoiding the
risk that such information might be publicly disclosed under the
Freedom of Information Act (FOIA) or through the Injury Tracking
Application. OSHA has also concluded that the extent of any incremental
benefits of collecting the data from Forms 300 and 301 for OSHA
enforcement and compliance assistance activities is uncertain. OSHA has
determined that avoiding this risk to worker privacy outweighs the
data's uncertain incremental benefits to enforcement. The rule will
allow OSHA to focus agency resources on the collection and use of 300A
data described above, and severe injury reports, as well as data from
other initiatives that its past experience has proven useful--instead
of diverting those resources toward developing a Web portal for, and
then collecting, manually reviewing, and analyzing data from Forms 300
and 301.
This rule is a deregulatory action under Executive Order 13771 (82
FR 9339 (January 30, 2017)). It has annualized net cost savings
estimated at $16 million. The savings from elimination of the
requirement that establishments with 250 or more employees submit
information electronically from their OSHA Forms 300 and 301 will be
$8.9 million per year. New costs not included in the 2016 final rule
are estimates of cost savings to the government from avoiding a manual
review of all data from Forms 300 and 301 to identify and remove PII
and other information that could be re-identified with individuals.
This cost will be $7.5 million per year. The total cost of providing
EINs will be $2.2 million the first year these data are submitted, and
will be $223,000 per year every year after that. A detailed discussion
of OSHA's estimates of the rule's benefits, costs, and cost savings is
included in section IV, Final Economic Analysis and Regulatory
Flexibility Certification.
B. Regulatory History
OSHA's regulations on recording and reporting occupational injuries
and illnesses (29 CFR part 1904) were first issued in 1971 (36 FR 12612
(July 2, 1971)). These regulations require the recording of work-
related injuries and illnesses that involve death, loss of
consciousness, days away from work, restriction of work, transfer to
another job, medical treatment other than first aid, or diagnosis of a
significant injury or illness by a physician or other licensed health
care professional. (29 CFR 1904.7).
On July 29, 1977, OSHA amended these regulations to partially
exempt businesses having ten or fewer employees during the previous
calendar year from the requirement to record occupational injuries and
illnesses. (42 FR 38568). Then, on December 28, 1982, OSHA amended the
regulations again to partially exempt establishments in certain lower-
hazard industries from the requirement to record occupational injuries
and illnesses. (47 FR 57699). OSHA also amended the recordkeeping
regulations in 1994 (Reporting of Fatality or Multiple Hospitalization
Incidents, 59 FR 15594) and 1997 (Reporting Occupational Injury and
Illness Data to OSHA, 62 FR 6434). Under the version of Sec. 1904.41
added by the 1997 final rule, OSHA began requiring certain employers to
submit their 300A data to OSHA annually through the OSHA Data
Initiative (ODI). Through the ODI, OSHA collected data on injuries and
acute illnesses attributable to work-related activities in the private
sector from approximately 80,000 establishments in selected high-hazard
industries. The agency used these data to calculate establishment-
specific injury and illness rates, and in combination with other data
sources, to target enforcement and compliance assistance activities.
On January 19, 2001, OSHA issued a final rule amending its
requirements for the recording and reporting of occupational injuries
and illnesses (29 CFR parts 1904 and 1952), along with the forms
employers use to record those injuries and illnesses. (66 FR 5916). The
final rule also updated the list of industries that are partially
exempt from recording occupational injuries and illnesses.
On September 18, 2014, OSHA again amended the regulations to
require employers to report work-related fatalities and severe
injuries--in-patient hospitalizations, amputations, and losses of an
eye--to OSHA and to allow electronic reporting of these events. (79 FR
56130). The final rule also revised
[[Page 382]]
the list of industries that are partially exempt from recording
occupational injuries and illnesses.
On May 12, 2016, OSHA amended the regulations on recording and
reporting occupational injuries and illnesses to require employers, on
an annual basis, to submit electronically to OSHA injury and illness
information that employers are already required to keep under part
1904. (81 FR 29624). Under the 2016 revisions, establishments with 250
or more employees that are routinely required to keep records are also
required to electronically submit information from their OSHA Forms
300, 300A, and 301 to OSHA or OSHA's designee once a year, and
establishments with 20 to 249 employees in certain designated
industries are required to electronically submit information from their
OSHA annual summary (Form 300A) to OSHA or OSHA's designee once a year.
In addition, that final rule required employers, upon notification, to
electronically submit information from part 1904 recordkeeping forms to
OSHA or OSHA's designee. These provisions became effective on January
1, 2017, with an initial submission deadline of July 1, 2017, for 2016
Form 300A data described in 29 CFR 1904.41(c)(1). That submission
deadline was subsequently extended to December 15, 2017. (82 FR 55761).
The deadline for electronic submission of information from OSHA Forms
300 and 301 was July 1, 2018. OSHA announced that it would not enforce
this requirement without notice during this rulemaking, (83 FR at
36496), and OSHA has never received the data submissions from Forms 300
and 301 that the 2016 rule anticipated.
On July 30, 2018, OSHA issued a notice of proposed rulemaking (NPRM
or proposed rule) proposing to amend its recordkeeping regulations to
remove the requirement for establishments with 250 or more employees
that are routinely required to keep records to electronically submit
information from their OSHA Forms 300 and 301 to OSHA or OSHA's
designee once a year and to add a requirement for electronic submission
of the EIN. (83 FR 36494). OSHA received 1,880 comments on the proposed
rule. The issues raised in those comments are addressed herein.
II. Legal Authority
OSHA is issuing this final rule pursuant to authority expressly
granted by sections 8 and 24 of the Occupational Safety and Health Act
(the ``OSH Act'' or ``Act''). (29 U.S.C. 657, 673). Section 8(c)(1) of
the Act requires each employer to ``make, keep and preserve, and make
available to the Secretary [of Labor] or the Secretary of Health and
Human Services, such records regarding his activities relating to this
chapter as the Secretary [of Labor] . . . may prescribe by regulation
as necessary or appropriate for the enforcement of this chapter or for
developing information regarding the causes and prevention of
occupational accidents and illnesses.'' (29 U.S.C. 657(c)(1)). Section
8(c)(2) directs the Secretary to prescribe regulations ``requiring
employers to maintain accurate records of, and to make periodic reports
on, work-related deaths, injuries and illnesses other than minor
injuries requiring only first aid treatment and which do not involve
medical treatment, loss of consciousness, restriction of work or
motion, or transfer to another job.'' (29 U.S.C. 657(c)(2)). Finally,
section 8(g)(2) of the OSH Act broadly empowers the Secretary to
``prescribe such rules and regulations as he may deem necessary to
carry out [his] responsibilities under this chapter.'' (29 U.S.C.
657(g)(2)).
Section 24 of the OSH Act (29 U.S.C. 673) contains a similar grant
of authority. This section requires the Secretary to ``develop and
maintain an effective program of collection, compilation, and analysis
of occupational safety and health statistics'' and ``compile accurate
statistics on work injuries and illnesses which shall include all
disabling, serious, or significant injuries and illnesses.'' (29 U.S.C.
673(a)). Section 24 also requires employers to ``file such reports with
the Secretary as he shall prescribe by regulation.'' (29 U.S.C.
673(e)). These reports are to be based on ``the records made and kept
pursuant to'' section 8(c) of the OSH Act. (29 U.S.C. 673(e)).
The OSH Act requires cooperation with the Secretary of Health and
Human Services concerning regulations that address reporting and
recordkeeping, and consultation concerning the development and
maintenance of a program for occupational safety and health statistics.
OSHA has a lengthy history of cooperation and consultation with the
Department of Health and Human Services in this regard, particularly
with its sub-agency, the National Institute for Occupational Safety and
Health. With respect to this rule, OSHA informally received feedback
from NIOSH on its proposal, including reviewing a draft of NIOSH's
comment, and provided NIOSH, and HHS more generally, with opportunities
to provide comment on both the proposed and this final rule before
publication.
Further support for the Secretary's authority to require employers
to keep and submit records of work-related illnesses and injuries is in
the Congressional Findings and Purpose at the beginning of the OSH Act.
(See 29 U.S.C. 651). In that section, Congress declares the overarching
purpose of the Act is ``to assure so far as possible every working man
and woman in the Nation safe and healthful working conditions.'' (29
U.S.C. 651(b)). One of the ways in which the Act is meant to achieve
this goal is ``by providing for appropriate reporting procedures . . .
[that] will help achieve the objectives of this chapter and accurately
describe the nature of the occupational safety and health problem.''
(29 U.S.C. 651(b)(12)). Notably, the statute does not require this
information to be transmitted to OSHA. And, section 8(d) of the Act
provides that any information the Secretary collects under the Act
``shall be obtained with a minimum burden upon employers.'' (29 U.S.C.
657(d)).
The OSH Act authorizes the Secretary of Labor to issue two types of
occupational safety and health rules: Standards and regulations.
Standards aim to correct particular identified workplace hazards, while
regulations further the general enforcement and detection purposes of
the OSH Act. (See Workplace Health & Safety Council v. Reich, 56 F.3d
1465, 1468 (D.C. Cir. 1995) (citing La. Chem. Ass'n v. Bingham, 657
F.2d 777, 781-82 (5th Cir. 1981)); United Steelworkers of Am. v.
Auchter, 763 F.2d 728, 735 (3d Cir. 1985)). Recordkeeping requirements
promulgated under the Act are characterized as regulations. (See 29
U.S.C. 657 (using the term ``regulations'' to describe recordkeeping
requirements)). An agency may revise a prior rule if it provides a
reasoned explanation for the change. (See Motor Vehicle Mfrs. Ass'n v.
State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 42 (1983)).\2\
---------------------------------------------------------------------------
\2\ In the NPRM and in the final rule, OSHA has offered reasoned
analysis for its preliminary and now final determination to rescind
the requirement for covered employees to submit their 300 and 301
data to OSHA electronically. OSHA has likewise considered and
discussed the comments raised by those who also argue that OSHA's
decision runs afoul of the APA, (e.g., Document ID 2012-A1, pp. 9,
15; 2028-A1, pp. 1-3, 6, 8), as well as other comments in the
record. In short, this rule is a product of reasoned decision-
making, has the support of substantial evidence in the record as a
whole, and is appropriate based on policy concerns and OSHA's
obligations under the Act.
---------------------------------------------------------------------------
When promulgating regulations pursuant to sections 8 and 24 of the
OSH Act, OSHA must comply with the Administrative Procedure Act (APA)
(5 U.S.C. 553), which requires the agency to publish notice of a
proposed rule in the Federal Register and to provide an opportunity for
interested persons to
[[Page 383]]
comment on the rulemaking. In the NPRM, OSHA invited comment on ``all
aspects of the proposed rule'' (83 FR at 36505), and specifically
encouraged comment on four questions regarding: (1) The risks and
benefits of electronically collecting the information; (2) other
agencies or organizations that use automated coding systems for text
data in data collections; (3) other agencies or organizations that use
automated de-identification systems to remove personal identifying
information (PII) from text data before making the data available to
the public; and (4) privacy issues regarding the submission of EINs.
(83 FR at 36500).
OSHA received 1,880 comments on the proposed rule.\3\ Pursuant to
the APA, 5 U.S.C. 553, OSHA has reviewed these comments and responded
to the material issues commenters raised. (See Genuine Parts Co. v.
Envtl. Prot. Agency, 890 F.3d 304, 313 (D.C. Cir. 2018) (although an
agency ``is not required to discuss every item of fact or opinion
included in the submissions it receives in response to a Notice of
Proposed Rulemaking, it must respond to those comments which, if true,
would require a change in the proposed rule.'') (quoting La. Fed. Land
Bank Ass'n v. Farm Credit Admin., 336 F.3d 1075, 1080 (D.C. Cir.
2003))).
---------------------------------------------------------------------------
\3\ Of these, 1,641 were nearly identical form letters.
---------------------------------------------------------------------------
Some commenters raised issues such as the requirement for certain
employers to submit their 300A data to OSHA (e.g., Document ID 2057-A1,
pp. 2-3; 2053, p. 3) and the employee protection provisions added by
the 2016 final rule (e.g., Document ID 2006-A1, p. 4; 2009-A1, p. 4;
2023-A1). These comments were beyond the scope of this rulemaking, and
this final rule does not make any changes to the relevant provisions.
Nevertheless, OSHA acknowledges and shares some of the concerns these
comments suggest. First, in relation to concerns raised about possible
publication of data submitted electronically to OSHA from Form 300A--
and as identified in the NPRM and later in this final rule--the agency
takes the position that these data are exempt from public disclosure
under FOIA. It should likewise be noted that OSHA uses and will
continue to use 300A data to prioritize its inspections and enforcement
actions. Among other considerations, disclosure of 300A data through
FOIA may jeopardize OSHA's enforcement efforts by enabling employers to
identify industry trends and anticipate the inspection of their
particular workplaces. As OSHA has explained elsewhere, OSHA is
strongly opposed to disclosure of 300A data, has not made such data
public, and does not intend to make any such data public for at least
the approximately four years after its receipt that OSHA intends to use
the data for enforcement purposes.
In response to concerns about the application of the 2016 final
rule to employee drug testing and incident-based incentive programs,
OSHA notes that the employee protection provisions promulgated by that
final rule and codified at 29 CFR 1904.35 neither ban drug testing
employees involved in workplace injury or illnesses, nor prohibit
incident-based incentive programs. Rather, Sec. 1904.35(b)(1)(iv)
merely prohibits employers from implementing these programs to penalize
workers ``for reporting a work-related injury or illness.'' Id.
(emphasis added). On October 11, 2018, OSHA issued a memorandum that
explained this regulatory text and OSHA's position on workplace
incentive programs and post-incident drug testing. See U.S. Dep't of
Labor, Clarification of OSHA's Position on Workplace Safety Incentive
Programs and Post-Incident Drug Testing Under 29 CFR Sec.
1904.35(b)(1)(iv) (Oct. 11, 2018). That memorandum--which referred to
the 2016 final rule and its preamble--reiterated the rule's limited
scope and expressed how it ``does not prohibit workplace safety
incentive programs or post-incident drug testing.'' Id. To the extent
the 2016 preamble suggested otherwise, it has been superseded. While
not the focus of this particular rulemaking, that memorandum accurately
reflects OSHA's position and addresses the commenters' concerns.
III. Summary and Explanation of Final Rule
A. Rescission of Requirement for Certain Establishments To Submit Data
From OSHA Forms 300 and 301 to OSHA Electronically
As discussed in detail below, OSHA has determined that collecting
the data from Forms 300 and 301, as was recently required under the
2016 final rule, would subject sensitive worker information to a
meaningful risk of public disclosure. OSHA has also concluded that the
extent of the incremental benefits of collecting the data for OSHA's
enforcement targeting and compliance assistance activities remains
uncertain. Finally, OSHA has found that collecting the data and
analyzing them for use would require OSHA to divert significant
resources from agency priorities such as fully utilizing the 300A data
and severe injury reports OSHA already collects electronically and that
have proven useful in its experience for targeting areas of concern.
After considering all of the comments in the record and balancing
the risk to worker privacy against the uncertain extent of the benefits
of collecting the data and OSHA's resource priorities, OSHA has
determined that the final rule is necessary to preserve sensitive
worker information and conserve agency resources for initiatives with
more concrete benefits to OSHA's mission of assuring safe and healthful
workplaces.
Concerns About the Potential Release of Sensitive Worker Information
A central reason OSHA proposed rescinding the requirement for
certain employers to electronically submit information from Forms 300
and 301 to OSHA was ``to protect sensitive worker information from
potential disclosure under the Freedom of Information Act (FOIA).'' (83
FR at 36494). As explained in greater detail below, although OSHA
believes data from Forms 300 and 301 would be exempt from disclosure
under FOIA exemptions, OSHA is concerned that it still could be
required by a court to release the data. Many commenters echoed this
concern.
OSHA's position in this final rule is consistent with the
principles articulated in the Privacy Act, OMB Circular A-130, and the
Department's position on the sensitive nature of worker injury and
illness records before 2016. (See Document ID 1930-A1, pp. 2-3; 66 FR
5916, 6055-57 (Jan. 19, 2001)). In 2001, for example, OSHA noted that
it ``historically has recognized that the Log and Incident Report
(Forms 300 and 301, respectively) may contain information of a
sufficiently intimate and personal nature that a reasonable person
would wish it to remain confidential.'' (66 FR at 6055). OSHA further
explained that access to Forms 300 and 301 should be limited to workers
and their representatives--in other words, those with a ``need to
know.'' (66 FR at 6057). OSHA explained in 2001:
OSHA agrees that confidentiality of injury and illness records
should be maintained except for those persons with a legitimate need
to know the information. This is a logical extension of the agency's
position that a balancing test is appropriate in determining the
scope of access to be granted employees and their representatives.
Under this test, ``the fact that protected information must be
disclosed to a party who has [a particular] need for it . . . does
not strip the information of its protection against disclosure to
those who have no similar need.''
(66 FR at 6057 (quoting Fraternal Order of Police Lodge No. 5. v. City
of
[[Page 384]]
Philadelphia, 812 F.2d 105, 118 (10th Cir. 1987))). Commenters agreed
with OSHA that access to 300 and 301 data should be limited to those
with a ``need to know'' (i.e., workers, their representatives, and OSHA
upon request) (Document ID 2070-A1, p. 8; 2084-A2). Thus, OSHA has
always applied a balancing test to weigh the value of worker privacy
against the usefulness of releasing the data. The 2016 final rule
represented a departure from the balance OSHA has historically struck
in favor of achieving uncertain incremental benefits for OSHA
enforcement and outreach. This final rule restores OSHA's historical
emphasis on protecting the privacy of workers and its longstanding
practice of releasing sensitive data on a case-by-case basis only to
those with a ``need to know.''
Multiple commenters commented that the proposed rule is consistent
with the privacy protections in the Privacy Act of 1974 (Pub. L. 93-
579) and Section 4(g) of OMB Circular A-130. (E.g., Document ID 1930-
A1, p. 2; 1981-A1, p. 3; 2041-A1, p. 2; see also Document ID 2036-A1,
p. 4) (``[C]ompelled disclosure of the incredibly private, personally
identifiable information required by OSHA Forms 300 and 301 is contrary
to the well-established principle that an individual's right to privacy
regarding medical conditions and treatment is of paramount
importance.''). Although the Privacy Act does not apply to Forms 300
and 301, the statute's articulation that privacy is ``a personal and
fundamental right'' highlights the importance of this issue. (Document
ID 1981-A1, p. 3 (quoting Pub. L. 93-579, Section 2(a)(4))).
Furthermore, Section 4(g) of OMB Circular A-130 stresses that
``[p]rotecting an individual's privacy is of utmost importance.''
(Document ID 1981-A1, p. 3 (quoting OMB Circular A-130 (2016),
available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf)). To that end, Section 4(g) also
states that ``[t]he Federal Government shall consider and protect an
individual's privacy throughout the information life cycle.'' (OMB
Circular A-130). This final rule complies with this instruction by
limiting the potential disclosure of PII and other sensitive worker
information.
Many commenters agreed with OSHA's privacy concerns, pointing to
the Department's ``special responsibility to protect PII from loss and
misuse,'' and arguing that OSHA should not collect the data from Forms
300 and 301 because it cannot guarantee the protection of PII that may
be submitted with the data. (Document ID 2045-A1, p. 3) (quoting
Department of Labor, Guidance on the Protection of Personal
Identifiable Information, available at: https://www.dol.gov/general/ppii). Commenters agreed with OSHA that the information reported on
Forms 300 and 301 is sensitive, and that the risk of disclosing this
sensitive worker information is not worth the uncertain incremental
benefits of collecting the data. (E.g., Document ID 1985-A1, pp. 1-2;
2045-A1, pp. 2-3). Other comments agreed with OSHA that collecting Form
300A provides concrete enforcement benefits without putting private
worker information at risk of disclosure. (E.g., Document ID 2008, pp.
2-3).
Some commenters cautioned that the 300 and 301 data could include
PII, which the Department defines as ``any representation of
information that permits the identity of an individual to whom the
information applies to be reasonably inferred by either direct or
indirect means[,]'' such as ``name, address, social security number or
other identifying number or code, telephone number, email address,
etc.'' (E.g., Document ID 2045, pp. 2-3) (quoting Department of Labor,
Guidance on the Protection of Personal Identifiable Information,
available at: https://www.dol.gov/general/ppii)). Although some of
these commenters are under the mistaken impression that employers would
be required to submit PII such as name, address, or the name of the
treating physician under the prior final rule (compare e.g., Document
ID 2041-A1, pp. 1-2 with 81 FR at 29660-61), OSHA shares these
commenters' concern that collection of data from Forms 300 and 301
poses a risk of the release of PII.
It is foreseeable that, despite instructions not to include such
information, some employers would submit PII inadvertently in Forms 300
and 301, for example in the narrative description of the incident in
Column F of the 300 Log. (See 81 FR at 29662; Document ID 2019-A1, pp.
2-3). Although one commenter's experience demonstrated employers'
capability of fully redacting PII from a small dataset (Document ID
2077-A1, pp. 1, 2), ``[i]t has been OSHA's experience that information
entered in Column F of the 300 Log may contain personally-identifiable
information. For example, when describing an injury or illness,
employers sometimes include names of employees.'' (81 FR at 29662).
Whereas in the past, OSHA has manually screened smaller datasets
for PII, the dataset at issue in this rulemaking would be far too large
to screen manually for employer compliance with an instruction not to
include PII, and OSHA is concerned that alternative approaches would
not sufficiently alleviate the risk of disclosure. For example, OSHA
stated in the 2016 final rule that it would ``review'' the data for PII
using software--and some commenters urged a similar review (e.g.,
Document ID 1989-A1, p. 1; 2004-A1, p. 1)--but this software is
imperfect. As discussed in the NPRM, ``it is not possible to guarantee
the non-release of PII.'' (83 FR at 36498 (citing ``De-Identification
of Personal Information,'' p. 5, Simson L. Garfinkel, NISTIR 8053,
October 2015, Document ID 2060)). No commenters provided evidence to
the contrary. Therefore, OSHA finds that it would not be able to
guarantee that all PII inadvertently submitted to OSHA would be
protected from disclosure. (83 FR at 36498).
Moreover, even if PII could be completely removed from the data,
concerns about re-identification would remain. As many commenters
noted, several data points on Forms 300 and 301 could be combined to
reveal the identity of workers who reported work-related injuries or
illnesses, particularly in a small town. (E.g., Document ID 2032-A1;
2044-A1, p. 5 (quoting prior comment); 2045-A1, pp. 2-3, 5; 2070-A1,
pp. 3, 11, 15-16). As the Phylmar Regulatory Roundtable (PRR)
explained:
For example, even with the employee's name removed, PRR members
believe it would be easy to determine a worker's identity when
reviewing the information in the remaining fields on Form 300: Job
title (field C), where the event occurred (E), and details on the
injury and body parts affected (F). On the 301 Report, combining
multiple data points, for example, the date of the injury or illness
(11), what time the employee began work (12), time of event (13),
what was the employee doing just before the incident occurred (14),
what happened (15), and what was the injury or illness (16), could
also result in identifying the worker. While individual fields,
standing alone, would not be considered traditional ``PII,'' (e.g.,
name, address), once linked, there is a substantial risk that
employees may be identified, thus violating their privacy.
(Document ID 2070-A1, p. 3). Thus, even with PII removed from the data,
in many circumstances it may be possible to combine data points to
identify specific workers who reported injuries or illnesses along with
personal details about their conditions.
These privacy concerns are real and important. As OSHA stated in
the NPRM, some of the information collected on Forms 300 and 301 may be
sensitive for workers. (E.g., 83 FR at 36495). For example, many of the
questions on Form 301 seek answers
[[Page 385]]
that could contain sensitive information about workers, including:
Was the employee treated in an emergency room?
Was the employee hospitalized overnight or as an in-
patient?
Date of birth.
Date of injury.
What was the employee doing just before the incident
occurred? Describe the activity, as well as the tools, equipment, or
material the employee was using. Be specific. Examples: ``climbing a
ladder while carrying roofing materials''; ``spraying chlorine from
hand sprayer''; ``daily computer key-entry.''
What happened? Tell us how the injury occurred. Examples:
``When ladder slipped on wet floor, worker fell 20 feet''; ``Worker was
sprayed with chlorine when gasket broke during replacement''; ``Worker
developed soreness in wrist over time.''
What was the injury or illness? Tell us the part of the
body that was affected and how it was affected; be more specific than
``hurt,'' ``pain,'' or ``sore.'' Examples: ``strained back'';
``chemical burn, hand''; ``carpal tunnel syndrome.''
What object or substance directly harmed the employee?
Examples: ``concrete floor''; ``chlorine''; ``radial arm saw.''
(83 FR at 36495-96). Some commenters disagreed that injury descriptions
like those above are sensitive (e.g., Document ID 2048-A1, p. 2; 1978-
A1, p. 2; 2048-A1, p. 2), but other commenters provided additional
examples of sensitive information that could appear on Form 300 or 301,
such as contracting an infectious disease from a patient, being
assaulted in the workplace, or being diagnosed with depression or post-
traumatic stress disorder. (E.g., Document ID 2044-A1, pp. 5-6 (quoting
prior comment); 2070-A1, pp. 15-16). A commenter also noted that some
records could implicate the privacy of non-employees, such as patients
involved in the occurrence of a workplace injury or illness. (Document
ID 1960-A1).
Other commenters disagreed with OSHA's preliminary determination
that the data from Forms 300 and 301 are sensitive. (E.g., Document ID
1961-A1, p. 2; 2081-A2, p. 1; 1984-A1, p. 2; 1978-A1, p. 2; 2017-A1, p.
3). For example, one commenter maintained that information such as a
description of an injury is integral to OSHA's investigation and is not
private or privileged, like medical advice or other communication
between a patient and doctor. (Document ID 2017-A1, p. 3). OSHA agrees
that not all of the 300 and 301 data are always sensitive, but
maintains that some of the data are sensitive and remain sensitive even
if not legally privileged and even though OSHA intends to continue to
use these data during onsite inspections.
Commenters asserting that OSHA's privacy concerns are disingenuous
(e.g., Document ID 1976-A1, pp. 2-3; 1984-A1, pp. 1-2; 2022-A1, p. 3;
2038-A1, p. 2; Document ID 1978-A1, p. 2; 2088-A1, p. 3) fail to
appreciate the real possibility of the disclosure of sensitive worker
information. The comment (and others like it) that ``[t]he risk to
worker privacy is very minimal and unlikely to materialize'' (Document
ID 2011-A1, p. 5) discounts the risk to worker privacy that OSHA's
experience--of having to remove PII and other information that could
re-identify the ill or injured worker during manual screening of forms
prior to release--has shown. Although many advocacy groups submitted
similarly-worded comments stating that the data from Forms 300 and 301
are not sensitive (e.g., Document ID 1976-A1, p. 3; 2058-A1, p. 2;
2059-A1, p .2; 1976-A1, p. 3), private citizens and health advocacy
organizations expressed concern about the sensitive nature of the data
and emphasized the importance of keeping sensitive worker information
out of the public eye. (E.g., Document ID 1938; 1975; 1979; 2006-A1, p.
2). OSHA agrees with the latter commenters that sensitive information
can be included in the data on these Forms and should be protected
against public disclosure.
Moreover, many of those taking the view that privacy concerns about
the data were overstated expressed their confidence that OSHA could
guarantee the protection of any PII contained in the data, a confidence
that OSHA does not share. (E.g., Document ID 2031 (``The 2016
provisions clearly stated that no information that would identify
individual workers was to be reported. If such information was
accidentally submitted, OSHA made it clear it would never be released
to the public.''); 2038-A1, p. 2 (``The 2016 provisions clearly state
that no information tied to any individual worker(s) was to be
reported. If such information was inadvertently submitted, OSHA ensured
[sic] us it would never be released to the public.'')).
It is true, as some commenters noted, that OSHA considered the
issue of worker privacy in the 2016 final rule and included protections
to reduce the likelihood of sensitive information being made public,
(Document ID 2028-A1, p. 6), but OSHA no longer views such protections
as sufficient. OSHA noted in 2016, for example, that ``consistent with
FOIA, the agency does not intend to post personally identifiable
information on the website.'' (81 FR at 29659 (emphasis added)). Yet
OSHA did not--and cannot--guarantee non-release of PII. In fact, OSHA
acknowledged in 2016 that Forms 300 and 301 could contain PII in the
fields that employers were required to submit. (See 81 FR at 29662
(``It has been OSHA's experience that information entered in Column F
of the 300 Log may contain personally-identifiable information. For
example, when describing an injury or illness, employers sometimes
include names of employees.'')). Although OSHA previously thought to
address this issue with software, de-identification software is not
100% effective, and OSHA believes that some PII could be released even
after being processed through the software. (83 FR at 36498).
Moreover, even if software could guarantee full scrubbing of PII,
the possibility still remains that the data could be re-identified with
the worker who reported the injury or illness. (83 FR at 36498). When
discussing the agency's past experience of withholding private worker
information from disclosure under FOIA, OSHA referred to the practice
of manually redacting Forms 300 and 301 on a case by case basis. (81 FR
at 29658). For example, OSHA noted that it ``would not disclose the
information in Column C [of Form 300] (Job Title), if such information
could be used to identify the injured or ill employee.'' (81 FR at
29658). OSHA thus acknowledged even in the 2016 final rule that the
worker's job title could be used to identify the injured or ill worker
in some situations and that OSHA had protected that information in the
past through manual review of the file and invocation of FOIA Exemption
7(c). (81 FR at 29658). The 2016 rule's proposed use of de-
identification software would not address this issue.
Commenters argued that data similar to those on Forms 300 and 301
have been available to workers and their representatives since the
passage of the Act (i.e., those with a ``need to know'') (E.g.,
Document ID 1984-A1, p. 2; 2088-A3, p. 5 (comments dated March 10,
2014)), but those data have always been screened manually for PII. Such
screening may have been possible before the 2016 final rule for
individual files requested on a case by case basis, but OSHA could not
possibly review each individual form that would be submitted
electronically under the 2016 final rule to determine whether a
worker's job title could be used to identify the worker.
[[Page 386]]
The same principle distinguishes OSHA's practice of posting
information about severe injuries and fatalities on its website, which
some commenters cited as proof that the information on Forms 300 and
301 is not too sensitive to publish. (E.g., Document ID 1961-A1, p. 2;
1976-A1, p. 3; 2038-A1, p. 2; 2054-A1, p. 4). Although OSHA has not
identified specific worker complaints about OSHA's posting of severe
injury data in the past, as asserted by one commenter (Document ID
2054-A1, p. 4; see also Document ID 2015-A1, p. 1), OSHA receives only
approximately 800 severe injury reports per month, and manually screens
each severe injury report for PII or other sensitive worker information
before posting. OSHA's past practice of manually redacting these data
before releasing them has no application to the mass collection of
Forms 300 and 301 data from 36,903 establishments--data drawn from what
OSHA estimates would be more than 775,000 forms--which could only be
screened using software with limitations delineated elsewhere in this
preamble and in the 2018 NPRM.
Although OSHA believes the 300 and 301 data would be exempt from
disclosure under FOIA Exemptions 6 and 7(c), OSHA still could be
required by a court to release the data, as discussed in the NPRM and
echoed by many commenters. (83 FR at 36498; see also Document ID 1930-
A1, pp. 3-4; 1979; 1981-A1, pp. 2-3; 2075-A1, p. 5; 2084-A1, p. 3). The
risk of disclosure of sensitive information is not speculative, as some
commenters claimed (e.g., Document ID 2056-A1, pp. 1-2). One FOIA
requester has already sued the Department in multiple lawsuits seeking
injury and illness data: One lawsuit seeks the 300A data collected
through the Injury Tracking Application, and one lawsuit seeks to force
OSHA to collect the 2017 data from Forms 300 and 301 for the
requestor's use in research. See Public Citizen v. U.S. Dep't of Labor,
Civ. No. 18-cv-117 (D.D.C. filed Jan. 19, 2018); Public Citizen Health
Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C. filed July 25,
2018). In a decision denying the government's motion to dismiss in
Public Citizen Health Research Group v. Acosta, the court concluded
that the plaintiffs would likely be entitled to a significant portion
of the 300 and 301 data if collected by OSHA, despite OSHA's conclusion
that the data would be exempt from disclosure under FOIA. Public
Citizen Health Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C.
December 12, 2018) (order denying motion to dismiss and preliminary
injunction). In addition, in New York Times Co. v. U.S. Dep't of Labor,
340 F. Supp. 2d 394 (S.D.N.Y 2004) and Finkel v. U.S. Dep't of Labor,
No. 05-5525, 2007 WL 1963163 (D.N.J. June 29, 2007), two separate
courts ordered OSHA to release injury and illness data that OSHA argued
were exempt from disclosure under FOIA Exemption 4. (See Document ID
2019-A1, p. 7; 2070-A1, p. 4).
OSHA disagrees with comments arguing that OSHA mischaracterized the
Finkel and Public Citizen lawsuits and the risk of the disclosure of
sensitive information under FOIA. (See Document ID 2048-A1, pp. 2-3;
2012-A1, p. 11; 2022-A1, p. 2). OSHA agrees with Mr. Finkel and other
commenters that the Finkel lawsuit did not result in a court ordering
disclosure of PII (see, e.g., Document ID 2048-A1, p. 1; Finkel v. U.S.
Dep't of Labor, No. 05-5525, 2007 WL 1963163 (D.N.J. June 29, 2007)).
The Public Citizen Health Research Group, Finkel and New York Times
lawsuits do, however, demonstrate the power of courts to order OSHA to
release injury and illness data that OSHA considers sensitive
information exempt from disclosure, over OSHA's objections. In another
case, the Sixth Circuit Court of Appeals ordered the release of data
the Federal Aviation Administration tried to protect from disclosure,
despite the possibility that multiple data points could be combined to
re-identify particular individuals who had participated in a strike.
(Norwood v. FAA, 993 F.2d 570, 574-75 (6th Cir. 1993)). OSHA is
concerned a similar outcome could result if it collects the data from
Forms 300 and 301 and then attempts to withhold the data in response to
FOIA requests on the ground that the data could well contain sensitive
information that OSHA cannot guarantee would be removed. ``[O]nce the
information is disclosed [under FOIA], it can never be made private.''
(See Document ID 2075-A1, p. 5).
Some commenters asserted that OSHA should collect the 300 and 301
data but limit its release in various ways (Document ID 2006-A1, pp. 2-
3), or that OSHA could never be required to disclose sensitive worker
information under FOIA (e.g., Document ID 2006-A1, p. 3; 2012-A1, p.
11; 2022-A1, p. 2; 2028-A1, pp. 2, 7). These comments ignore the
reality reflected in these lawsuits that the Department would not
retain complete control over the data once they are collected. And,
given that OSHA cannot guarantee complete removal of PII or data that
could be re-identified with a particular worker from such a large
dataset, court-ordered publication of the data from Forms 300 and 301
could well result in the disclosure of sensitive worker information.
Other commenters presented alternatives to fully rescinding the
requirement to collect the data from Forms 300 and 301, such as
excluding job title and precise date of injury to reduce the likelihood
of re-identification. (Document ID 1993-A1, p. 2; 2028-A1, p. 7). OSHA
notes that even without the job title and precise date fields, however,
employers could include sensitive information, such as worker and
patient names, in the narrative description of the injury and how it
occurred. (Document ID 1960-A1; 81 FR at 39662). OSHA has had to redact
this kind of information during manual screening in the past prior to
release. (81 FR at 39662).
The American Nurses Association (ANA) expressed concern about
potential disclosure of sensitive worker information under FOIA but
believes that the case-level data are important for performing root-
cause analyses to prevent incidents of workplace injuries and
illnesses. (Document ID 2000-A1, pp. 1-2). The ANA notes that 29 CFR
1904.8 requires employers to record on the OSHA Form 300 all work-
related needlestick injuries and cuts from sharp objects that are
contaminated with another person's blood or other potentially-
infectious material, but that employers are prohibited from recording
an injured worker's name. (Document ID 2000-A1, pp. 2-3). Given the
protections afforded these cases under Sec. 1904.29(b)(6) through (9),
the ANA asks whether it would be viable for OSHA to continue to require
electronic submission of OSHA 300 Log for needlestick and sharps
injuries to help inform the future prevention of needlestick and sharps
injuries. (Document ID 2000-A1, p. 3).
OSHA notes the importance of the OSHA 300 Log for needlestick
injuries and cuts from sharp objects for identifying hazards in
healthcare settings, and encourages employers to use their own data
from Forms 300 and 301 to identify workplace hazards, as OSHA does
during onsite inspections. Like any other OSHA 300 Log, however, the
possibility of personal information being reported to OSHA
inadvertently remains despite the prohibition against recording names,
as does the risk of re-identification through job title or another
reported field. These data might then be subject to release under FOIA.
Therefore, OSHA declines the invitation to retain the reporting
requirements for case-characteristic data for the OSHA
[[Page 387]]
300 Log for needlestick injuries and cuts from sharp objects.
After reviewing all of the comments on this issue, OSHA has
determined collecting the data would expose sensitive worker
information to a meaningful risk of disclosure. OSHA cannot justify
that risk given its resource allocation concerns and the uncertain
incremental benefits to OSHA of collecting the data, as discussed
elsewhere in this preamble. OSHA has determined that the best use of
its resources is to focus on data it already receives--including a
large set of data from Form 300A, as well as discrete data about urgent
issues from severe injury reports--and has found useful in its past
experience.
Experience of the Mine Safety and Health Administration (MSHA) and
Other Federal and State Agencies
The experience of MSHA and other federal and state agencies with
collecting and publishing similar data, as many commenters noted (e.g.,
Document ID 2007, p. 8; 2011-A1, p. 6; 2012-A1, p. 6; 2028-A1, p. 2),
does not mean OSHA is required to collect the data from Forms 300 and
301. As explained below, other federal and state agencies may weigh
worker privacy concerns differently based on their missions,
priorities, and budgets.
OSHA acknowledges, for example, comments that MSHA has been
collecting similar data--albeit from a much small number of
establishments--for many years (e.g., Document ID 2011-A1, p. 7) and
has posted data on the web for more than fifteen years (Document ID
2012-A1, pp. 6, 10). MSHA maintains the data in a comprehensive
database that it makes available to the public. (E.g., Document ID
1965-A1, p. 52). Commenters noted that MSHA has not experienced any
security breaches or complaints or controversy about employee privacy,
despite the fact that MSHA's database includes small employers.\4\
(E.g., Document ID 2012-A1, p. 10). Commenters further noted that
``MSHA has a robust system in place to protect [PII] from inappropriate
disclosure.'' (E.g., Document ID 2011-A1, pp. 7-8).
---------------------------------------------------------------------------
\4\ MSHA has been subject to cyber attack in the past, however.
See Ted Hesson, ``Morning Shift: DOL Takes Stock After Hack,''
POLITICO (Apr. 25, 2018) (detailing successful hack), https://www.politico.com/newsletters/morning-shift/2018/04/25/travel-ban-at-scotus-182935.
There are security controls in place to prevent database
contamination should nefarious acts be taken against the front-end
website. The information has to be reviewed by at least three
approving authorities prior to it being introduced and or uploaded
into the appropriate database for further analysis and data
manipulation. Data extracts are redacted of the PII prior to being
---------------------------------------------------------------------------
released for public consumption.
(Document ID 2088-A1, p. 12) (quoting MSHA, Privacy Impact Assessment
Questionnaire, MSHA Standardized Information System (MSIS)--FY2017,
available at: https://www.dol.gov/oasam/ocio/programs/pia/msha/MSHA-MSIS.htm).
Although three layers of review might make sense given MSHA's
budget and the much smaller number of employers under the agency's
jurisdiction, it would require OSHA to commit an unwarranted level of
resources to provide three layers of review for the volume of records
it would receive. Under the 2016 final rule, OSHA would collect between
38 and 77 times more injury reports than MSHA--that is, approximately
775,000 reports, versus MSHA's 10,000-20,000. OSHA estimates, based on
the time it has taken OSHA staff to review and remove personal
information from other OSHA data, that it would take two levels of
review and 7 minutes per record, on average, to assess the record and
remove personal information. Such review would cost OSHA approximately
$7.5 million each year.\5\
---------------------------------------------------------------------------
\5\ See the Final Economic Analysis for details on this
calculation.
---------------------------------------------------------------------------
Other commenters pointed out that ``[t]he Federal Railroad
Administration (FRA) posts accident investigation reports filed by
railroad carriers or made by the Secretary of Transportation, and the
Federal Aviation Administration (FAA) posts National Transportation
Safety Board reports about aviation accidents.'' (Document ID 2012-A1,
p. 10; see also 2028-A1, p. 7). Some of these commenters noted that the
information posted by these agencies includes personally identifiable
information, such as age, gender, job history, medical information, or
information about the accident. (Document ID 2028-A1, p. 7). In
addition, some state workers' compensation systems have online search
capacity for data including the claimant's name and the description of
the injury. (Document ID 1993-A1, p. 2).
Again, OSHA acknowledges that other federal and state agencies have
collected somewhat similar data for a number of years, but notes that
each of these agencies has a unique mission, varying priorities, and
different resource constraints. In this final rule, OSHA is balancing
the issues of worker privacy and OSHA's resource priorities against the
uncertain incremental benefits of collecting the data from Forms 300
and 301. Because OSHA has determined that the extent of the incremental
benefits to OSHA of collecting the data is uncertain--and because OSHA
can still obtain the data from employers if needed for specific
enforcement actions--the agency is choosing to protect worker privacy
and commit the agency's resources to fully utilizing 300A and severe
injury report data that its experience has already demonstrated are
useful. Other federal and state agencies may weigh worker privacy
concerns differently based on their missions, priorities, and budgets.
The Health Information Portability and Accountability Act (HIPAA) and
Americans With Disabilities Act (ADA)
One commenter indicated that PII should never be included in
published data because such action would conflict with HIPAA and could
require employees in healthcare settings to violate patients' privacy
rights, subjecting those employees to legal and licensing problems.
(Document ID 1936). Another commenter noted that--like HIPAA--the ADA
protects medical information from unnecessary disclosure and limits who
can access an employee's medical records (including only providing them
to government personnel investigating compliance upon request).
(Document ID 2036-A1, p. 5). OSHA disagrees that HIPAA and the ADA
would apply to its electronic collection of Forms 300 and 301 for the
reasons set forth in the 2016 final rule, (see 81 FR at 29665-66), but
agrees that privacy-related policy concerns reflected in these laws
buttress its determination that these data should not be collected in
this way.
Technological Limitations of De-Identification Software
In the NPRM, OSHA proposed to amend the recordkeeping regulations
to protect worker privacy by no longer requiring employers to submit
electronically detailed injury and accident information. (E.g., 83 FR
at 36494). Specifically, OSHA explained the concern about potential
disclosure of sensitive worker information under the Freedom of
Information Act (FOIA). (E.g., 83 FR at 36494). Although software is
available to scrub identifying information from electronic data, the
software cannot eliminate the risk of disclosure of PII. (83 FR at
36498). Even if all PII were removed from the data, a risk remains that
some data could still be re-identified with a particular individual.
(83 FR at 36498).
Many commenters echoed OSHA's concerns that, under the prior final
rule,
[[Page 388]]
PII or data that could be re-identified with a particular individual
could be released under FOIA. (Document ID 2070-A1, pp. 3, 4-5; 2055-
A1, p. 2). These commenters stated that OSHA's plan to de-identify PII
through software is insufficient to protect worker privacy. (Document
ID 2070-A1, p. 5; 2055-A1, p. 2). For example, one commenter stated
that in the case of a unique injury occurring in a small town, the
sensitive details of an injury might easily be associated with a
specific individual even without naming that individual. (Document ID
2032-A1).
Although OSHA stated in the 2016 final rule that ``the [a]gency
will use software that will search for, and de-identify, personally
identifiable information before the submitted data are posted'' (81 FR
at 29662), OSHA did not guarantee complete removal of PII through de-
identification software as some commenters claimed. (See Document ID
2031 (``OSHA made it clear [information that would identify individual
workers] would never be released to the public.''); 2038-A1, p. 2
(``OSHA ensured [sic] us [information tied to individual workers] would
never be released to the public.'')). In fact, OSHA stated that it
intended to protect sensitive information from release, (81 FR at
29659), but that is not a guarantee. Commenters noting that OSHA has
not cited any concrete evidence of problems or errors in de-
identification since promulgating the 2016 final rule, nor any evidence
that the information on Forms 300 and 301 would be particularly
vulnerable to disclosure (Document ID 2020-A1, pp. 3-5; 2033-A1, p. 4),
fail to give due weight to the possibility that sensitive worker
information could be released despite OSHA's best efforts. Claims that
the concerns about disclosure after de-identification are
``speculative'' and raise only a ``remote'' risk of disclosure
(Document ID 2020-A1, p. 4) likewise ignore OSHA's past experience of
needing to remove PII and other sensitive information from Forms 300
and 301 on a case-by-case basis prior to release to prevent re-
identification, as discussed above in more detail.
After carefully considering commenters' submissions on this issue,
OSHA finds that there is a meaningful risk to worker privacy if OSHA
requires employers to electronically file detailed injury and illness
data on Forms 300 and 301 because de-identification software cannot
fully eliminate the risk of disclosure of PII or re-identification of a
specific individual and manual review of the data would not be
feasible. OSHA's past experience with case-by-case release of 300 and
301 data and severe injury reports reveals that these concerns are far
from speculative. These risks weigh in favor of the rescinding
requirements to submit the data from Forms 300 and 301 to OSHA
electronically.
Risk of Cyber Attack
In the NPRM, OSHA stated that electronically-stored data might
incentivize cyber-attacks on the Department's IT system. OSHA noted
that there was a potential compromise of user information for OSHA's
Injury Tracking Application (ITA) in 2017, demonstrating that such a
large data collection will inevitably encounter malware. (83 FR at
36498, Fn. 2).
Several commenters agreed with OSHA that worker privacy could be
compromised by a data breach, cyber-attack, or malware, and that
collecting such a large amount of data electronically could incentivize
cyber-attacks on the Department. (E.g., Document ID 2076-A1, p. 5).
Some of these commenters noted the 2017 potential compromise of OSHA's
ITA as a basis for these concerns. (Document ID 2034-A1, p. 2; 2076-A1,
p. 5). Commenters also included examples of large scale breaches of
government data systems in other agencies. (Document ID 2034-A1, pp. 1-
2; 2042-A1, p. 2). In addition, commenters cited a 2016 report by the
House Oversight Committee finding that the federal government was
vulnerable to cyber-attacks (Document ID 2034-A1, p. 1), and a Federal
Information Security Modernization Act (FISMA) Report to Congress for
Fiscal Year 2017 finding that the Occupational Safety and Health Review
Commission had an overall rating of ``At Risk'' (Document ID 2070-A1,
p. 8).
One commenter asserted that OSHA should be just as capable as MSHA
of safeguarding the data since the Department consolidated Information
Technology (IT) services in 2014. (Document ID 2082-A2, p. 5; see also
Document ID 2088-A1, p. 12 (noting that MSHA has strong information
security controls in place)).
OSHA notes that the ITA data meet the security requirements for
government data, and after reconsidering this issue, OSHA does not find
that collecting the data from Forms 300 and 301 would increase the risk
of a successful cyber-attack. Some risk remains, however, that a cyber-
attack could occur and result in the release of data. Moreover, OSHA
shares the concerns of some commenters about how having thousands of
businesses upload a large volume of additional data could generally
increase risk for cyber-security issues. (See, e.g., Document ID 2045-
A1, p. 3; 2075-A1, pp. 4-5).
Limitations on OSHA's Capacity To Collect and Use the Data From Forms
300 and 301
In the NPRM, OSHA expressed doubt about the necessity for and
ability to use the large volume of data that would be generated by
Forms 300 and 301, given its resources and competing priorities. As
explained below, OSHA has prior experience with using the 300A data
successfully and believes that it is the best resource for enforcement
targeting and compliance assistance. OSHA also receives and effectively
uses data concerning the most severe injuries and illnesses. In
contrast, the agency has no prior experience using the case-specific
data collected on Forms 300 and 301 for enforcement targeting or
compliance assistance and is unsure how much benefit such data would
have for these purposes or the level of resources needed to attain any
benefit. (83 FR at 36498). OSHA noted that the agency's efforts to
realize these uncertain benefits by collecting, processing, analyzing,
distributing, and programmatically applying the data would be costly.
(83 FR at 36498-99).
Several commenters agreed that OSHA may not be able to make
beneficial use of the large volume of data it would receive under the
2016 Rule. (Document ID 2034-A1, p. 2; 2070-A1, p. 9). The United
States Postal Service also expressed concern that any technical
complications OSHA experienced due to the large volume of data being
submitted could hinder timely reporting, leading to steep monetary
penalties for employers. (Document ID 2034-A1, p. 2).
Other commenters claimed that OSHA has the capacity to collect and
code this volume of data. (Document ID 2011-A5, p. 1 (commenting on
2013 NPRM); 2026-A1, p. 3; 2029). The Attorneys General of NJ, MA, MD,
NY, PA, RI, and WA jointly commented that OSHA's lack of experience
with this volume of data is unsurprising because OSHA has not tried to
collect the Form 300 and 301 data yet. (Document ID 2028-A1, p. 3).
They noted that for this reason it is also unsurprising that the
benefits are uncertain at this point. (Document ID 2028-A1, p. 3).
Another commenter observed that OSHA does have experience evaluating
Form 300 Logs and Form 301 Incident Reports while conducting workplace
investigations, so OSHA should be able to make use of such information
collected through electronic submissions. (Document ID 2063-A1, pp. 1-
2).
[[Page 389]]
Although OSHA is technically capable of collecting the 300 and 301
data through a secure Web portal similar to the one used for 300A data
collection, no such portal was built when the 2016 rule was being
developed or after it was finalized. Diverting resources now to build
such a portal would take away from OSHA's enforcement efforts.
Likewise, the cost of collecting the additional 300 and 301 data in
that manner would be substantial (see Section IV, Final Economic
Analysis and Regulatory Flexibility Certification). OSHA has
accordingly concluded that worker privacy concerns and OSHA's resource
priorities--including fully utilizing the 300A data that it already has
collected from 214,574 establishments--outweigh the uncertain benefits
of seeking to collect and process the data from Forms 300 and 301.
Several commenters observed that other agencies, as well as other
divisions within the Department of Labor, collect, track, and utilize
similar data. (E.g., Document ID 2026, pp. 2-3). Some of these
commenters encouraged consultation with other agencies who collect this
type of data, including NIOSH, MSHA, Bureau of Labor Statistics (BLS),
FRA, and FAA, to learn about database design and best practices for
collecting this kind of data. (Document ID 1965-A1, pp. 179-80; 2012-
A1, p. 9; 2085-A1, p. 16 (quoting comments on 2013 NPRM)). Given OSHA's
successful use of summary data from Form 300A and severe injury reports
to target its enforcement and outreach efforts, and given its privacy
concerns and its current resources and priorities, OSHA has determined
to continue to invest its time and money in an approach that is known
to be effective, while continuing its use of 300 and 301 data in onsite
inspections.
OSHA also received a comment from NIOSH, offering to help with data
analysis. Specifically, NIOSH commented that it is well-positioned to
play a leading role in helping OSHA use data collected in Forms 300 and
301 to prevent occupational injuries and illnesses. (Document ID 2003-
A2, p. 3). NIOSH explained that it has the experience and capacity to
analyze the data, as well as interest in using the data to provide
guidance to employers for the prevention of occupational injury and
illness, and to provide data analysis results and analytical tools that
should enhance OSHA's targeting. (Document ID 2003-A2, p. 3). NIOSH
noted that it has already developed auto-coding methods for
categorizing occupation and industry based on free text data and has
successfully utilized similar free text data collected from workers'
compensation claims. (Document ID 2003-A2, p. 5). While NIOSH
acknowledged that the data collected from Forms 300 and 301 would pose
a greater analysis challenge because of the amount of data, NIOSH
stated that the large data set would be useful to identify patterns and
prevent workplace injuries. (Document ID 2003-A2, p. 6).
OSHA appreciates the value of inter-agency efforts to achieve
shared goals of preventing occupational injuries and illnesses and
looks forward to continued coordination with NIOSH and other agencies
where appropriate. However, OSHA has determined that NIOSH's ability to
analyze data collected from Forms 300 and 301 does not reduce the
burden on OSHA to collect the data. Even if NIOSH could make the data
useful for OSHA's enforcement targeting and outreach efforts, which
NIOSH itself has suggested would present analytical challenges due to
the volume of the data, OSHA and employers would be left covering the
expense of collection, not to mention additional expense associated
with the need to process and otherwise manually review data from the
forms--costs that would detract from OSHA's priorities of enforcement
and compliance assistance to reduce workforce hazards.
After reviewing commenters' submissions related to OSHA's capacity
to use the large volume of data that would be generated by the
submission of Forms 300 and 301, the agency remains concerned about the
costs of collecting and processing this large volume of data. OSHA has
considered the comments about the benefits of electronically collecting
the data and, as explained more fully below, has determined that the
incremental benefits of electronic collection of these data to OSHA's
enforcement targeting and compliance assistance activities remain
uncertain. In OSHA's judgment, those uncertain benefits are outweighed
by the cost of developing a system to manage that volume of data,
particularly when making use of the data would divert resources away
from OSHA's current priority of fully utilizing Form 300A and severe
injury data for targeting and outreach.
Uncertain Extent of Benefits From Collecting the Data From Forms 300
and 301
In the proposed rule, OSHA preliminarily determined that the extent
of the incremental benefits of electronically collecting data from
Forms 300 and 301 is uncertain. (E.g., 83 FR at 36498-99). OSHA
explained that the collection of data from the summary Form 300A
provides the agency with the information it needs to identify and
target establishments with high rates of work-related injuries and
illnesses. (83 FR at 36498). For example, OSHA noted that it had
collected summary 300A data for 2016 from 214,574 establishments. (83
FR at 36498). OSHA further explained that it was able to use those data
to design a targeted enforcement mechanism for establishments
experiencing higher rates of injuries and illnesses. (E.g., 83 FR at
36498). OSHA noted its plans to further refine this approach by using
the greater volume of 2017 summary data. (83 FR at 36498).
The proposed rule also discussed OSHA's long-time use of summary
data in enforcement. (83 FR at 36498). Before the 2016 rule, OSHA had
collected these data for 17 years under its OSHA Data Initiative (ODI)
and used those data to identify and target high-rate establishments
through the Site-Specific Targeting (SST) Program. (83 FR at 36498).
OSHA stopped the ODI in 2013 and the SST in 2014 while it developed the
2016 final rule, but the agency noted that those prior programs have
still given it considerable experience with using 300A data for
targeting. (83 FR at 36498).
Conversely, OSHA explained that it has no prior experience with
using the case-specific data from Forms 300 and 301 to identify and
target establishments for enforcement or outreach purposes. (83 FR at
36498). For example, OSHA is unsure how much benefit such data would
have for these purposes, but has determined that considerable effort
and resources would be required to realize those uncertain benefits.
(83 FR at 36498-99). The agency estimated that establishments with 250
employees or more would report data from approximately 775,210 Form
301s annually, a total volume three times the number of Form 300As from
which data were uploaded for 2016, while also presenting more
complicated information than that captured by Form 300A. (83 FR at
36498). To gain enforcement value from the case-specific 300 and 301
data, OSHA explained that it would need to divert resources from other
priorities, such as the utilization of Form 300A data, which OSHA's
long experience has shown to be useful. (83 FR at 36498-99).
OSHA asked stakeholders to submit comments on the benefits and
disadvantages of the proposed removal of the requirement for employers
with 250 or more employees to submit the data from OSHA Forms 300 and
301 to OSHA electronically on an annual basis, including the usefulness
of the data for
[[Page 390]]
enforcement targeting (83 FR at 36499), and received a number of
comments in response. Many of the commenters agreed that the
enforcement benefits stemming from electronically collecting the Form
300 and 301 data are uncertain. (E.g., Document ID 2034-A1, pp. 2-3;
2036-A1, pp. 7-8). One commenter also suggested that OSHA has not shown
that it is fully and effectively using currently-available data
(Document ID 2019-A1, p. 3), and another indicated that OSHA has not
demonstrated that there are significant gaps in the current data that
compromise OSHA's execution of its mission, that electronically
collecting the Form 300 and 301 data will address those gaps, or that
the protocols described by the 2016 final rule will efficiently and
effectively compile necessary information to lead to significant
improvements in achieving OSHA's goals (Document ID 2003-A2, p. 3).
Commenters further noted that OSHA did not explain in 2016 how it would
effectively use the Form 300 and 301 data to the benefit of its
enforcement and compliance assistance programs. (E.g., Document ID
2019-A1, p. 3; 2044-A1, p. 6). Other commenters concluded that
collecting Form 300A data is sufficient for OSHA's targeting and
enforcement purposes and electronically collecting the Form 300 and 301
data has no clear benefit. (E.g., Document ID 1970-A1; 2034-A1, pp. 2-
3).
Commenters also asserted that Form 300 and 301 data do not predict
current hazards or take into account any corrective actions by the
employer, nor do they show if OSHA should have issued a citation in
response to a recorded occurrence. (E.g., Document ID 2057-A1, p. 3;
2075-A1, p. 3). Put another way, the fact that an employer records an
incident does not necessarily correlate to workplace hazards or
compliance inadequacy or otherwise indicate that the reporting employer
is responsible for the incident. (E.g., Document ID 2075-A1, p. 3). For
example, the E-Recordkeeping Coalition stated that, ``[b]ased on a
qualitative analysis of [its] members' 300 and 301 data, only a small
percentage of that data would indicate any regulatory compliance
insufficiency.'' (Document ID 2076-A1, p. 3). Relatedly, one commenter
posited that collecting the Forms 300 and 301 data does not serve the
purpose of a ``no-fault'' recordkeeping system. (Document ID 2057-A1,
p. 3).
According to some commenters, maintaining Form 300 and 301 data
electronically would not aid OSHA in identifying, and engaging in
enforcement, at high-risk workplaces, (e.g., Document ID 2042-A1, p.
2), or otherwise provide any real value to the agency's enforcement
targeting strategies or decisions (e.g., Document ID 2075-A1, p. 3;
2076-A1, p. 3). A comment in the record concerning OSHA's 2013 NPRM,
from a commenter that generally supported OSHA's collection of Form 300
and 301 data, noted that use of the Form 301 narratives can be
cumbersome. (Document ID 2085-A8, p. 31). The Phylmar Regulatory
Roundtable pointed out that OSHA can still collect the Form 300 and 301
data after it has determined to inspect an establishment, using the
data to target specific areas of the workplace during the inspection,
and stated that doing so results in a fair, objective process, rather
than injecting unfairness and subjectivity into OSHA's targeting
decisions. (Document ID 2070-A1, p. 8). OSHA agrees that the best use
of the Form 300 and 301 data is for identifying hazards during onsite
inspections, and OSHA will continue using the data in this manner.
OSHA disagrees with commenters asserting that OSHA now ignores many
key benefits it previously asserted would be derived from
electronically collecting and publishing the Form 300 and 301 data.
(E.g., Document ID 2028-A1, p. 3; 2054-A1, p. 6). Rather, OSHA is now
re-assessing the uncertain incremental benefits to OSHA enforcement and
compliance assistance activities and re-balancing those benefits
against worker privacy concerns and OSHA's current resource priorities.
That balancing takes into account, as is appropriate, how OSHA can and
will continue to collect and use data from Forms 300 and 301 as needed,
as well as data from severe injury reports, for on-site inspections and
specific enforcement.
OSHA's position in this final rule on the uncertain benefits of
collecting data from Forms 300 and 301 outside the context of an onsite
inspection is not inconsistent with its position in the Mar-Jac Poultry
case (see U.S. v. Mar-Jac Poultry, Inc., 153 Fed. Appx. 562 (11th Cir.
Oct. 9, 2018) (unpublished)), as some commenters suggested. (E.g.,
Document ID 2015-A1, pp. 8-11; 2054-A1, pp. 8-9). In that case, OSHA
took the position that the 300 logs had value for identifying potential
violations during an onsite inspection, and OSHA maintains that belief.
Indeed, OSHA intends to continue using the data from Forms 300 and 301
for that purpose. OSHA notes that case involved the use of 300A data
from an establishment OSHA is inspecting to expand the scope of the
inspection; it did not address the usefulness, for enforcement
purposes, of collecting a high volume of Form 300 and 301 data.
One commenter disagreed with rescinding the requirement to submit
data from Forms 300 and 301 to OSHA without taking certain steps
identified in the 2016 final rule--including ``looking at examples of
electronic data collection efforts by other federal agencies'' and
``form[ing] a working group with BLS to assess data quality,
timeliness, accuracy, and public use of the collected data.'' (Document
ID 2012-A1, p. 15). OSHA did not, however, bind itself to take such
actions in order to reconsider the decision whether to collect the data
was justified in light of the risk to worker privacy and the agency's
best use of its resources. Furthermore, other agencies' experiences are
not directly relevant to OSHA's resource priorities and unique mission.
OSHA routinely consults with other agencies as part of its rulemaking
process and did so for this rule. Because OSHA issues this final rule
as a result of its re-balancing of the risk to worker privacy with the
rule's uncertain benefits and the agency's resource priorities, OSHA
has determined that further consultation with other agencies is neither
necessary nor appropriate.
OSHA agrees, as some commenters noted, that public health
principles dictate data-based approaches. (E.g., Document ID 2006-A1,
p. 2; 2014-A1, p. 2). OSHA disagrees, however, that collecting the data
from Forms 300 and 301 is therefore necessary; OSHA is already
collecting the 300A data and using those data to inform its enforcement
targeting. OSHA is uncertain how much additional value the data from
Forms 300 and 301 would provide for enforcement and compliance
assistance at this time and has therefore determined that fully
utilizing the 300A data and severe injury report data is the best use
of OSHA's resources. OSHA will continue to obtain the data from Forms
300 and 301 from employers, as needed, for on-site inspections and
specific enforcement actions, and OSHA will likewise continue to assess
and utilize data from the severe injury reports it receives and that
have proven useful in identifying and addressing areas of need.
According to some commenters, having a comprehensive batch of data
from Forms 300 and 301 would allow OSHA to understand employer
misconduct more broadly, and this dataset could make up for OSHA's
inability to visit all of the worksites within its jurisdiction. (E.g.,
Document ID 2015-A1, p. 7; 2056-A1, p. 2; 2082-
[[Page 391]]
A2, p. 5). Others asserted that the data can serve as a guide for
agency inspections, providing compliance officers with the number,
type, severity, and distribution of injuries at a particular workplace.
(Document ID 2012-A1, p. 2; 1965-A1, p. 179 (NAS Report)).\6\ OSHA has
determined that the 300A data are sufficient for enforcement targeting
and compliance assistance, and notes again that it can still use Forms
300 and 301 to guide inspections by collecting the data onsite, without
the need to divert resources to creating a Web portal never built
during or after the 2016 rule's development.
---------------------------------------------------------------------------
\6\ The National Academies of Science, Engineering, and Medicine
(NAS) report, titled A Smarter National Surveillance System for
Occupational Safety and Health in the 21st Century (Document ID
1965-A1) was the result of a joint request from NIOSH, BLS, and OSHA
to NAS, asking NAS to conduct a study in response to the need for a
more coordinated, cost-effective set of approaches for occupational
safety and health surveillance in the United States. (See Document
ID 1965-A1, p. x). Commenters submitted copies of the report to the
record. (See Document ID 1965-A1; 2085-A10). Where those commenters
and others have specifically referenced findings, recommendations,
or other statements contained in the report in their comments, OSHA
has responded to them in this preamble. However, because the report
is not, and was not intended to be, commentary on this rulemaking,
the agency does not find it is appropriate or necessary to respond
to statements contained therein where those statements were not
referenced by commenters in their submissions to the record.
---------------------------------------------------------------------------
Some commenters indicated that having electronic access to the data
would facilitate OSHA's effective use of the data (e.g., Document ID
2056-A1, p. 2) by, for example, providing timely, searchable, sortable
information with which OSHA could identify and understand trends, and
that reducing the amount of information available to the agency would
make it less effective. (E.g., Document ID 1974; 1994; 2020-A1, p. 11;
2082-A2, p. 5; 2085-A1, pp. 5-7). Others, assuming the data would be
published, suggested that employees would use publicly available
information to analyze whether their employers are underreporting, to
identify hazards and prevent injuries, and to determine where they may
want to work (e.g., Document ID 2012-A1, pp. 5, 13; 2022-A1, pp. 1, 2;
2047-A1, pp. 3-4; 2050-A1, p. 1; 2083-A1, p. 2; 2085-A1, pp. 19-20
(quoting Document ID 2085-A10, pp. 13, 178 (NAS report)), and that
employers would use the data to benchmark effectively, and to identify
injury trends in the industry to prevent incidents before they occur
(e.g, Document ID 2007-A1, p. 5; 2011-A3, p. 8; 2012-A1, p. 6; 2022-A1,
p. 2). One commenter suggested that employers could use the data to
assess the safety record of contractors before hiring them. (Document
ID 2085-A1, p. 18). Commenters also argued that electronic access to
the data would eliminate delays and obstacles to accessing the data for
employees and their representatives. (E.g., Document ID 2020-A1, p. 11;
2086-A1, p. 3). Other commenters opined that requiring employers to
report their Forms 300 and 301 electronically could improve the
consistency and quality of what employers report, providing employers
and employees with an opportunity to decrease injuries and illnesses
both at particular establishments and company-wide. (E.g., Document ID
2010-A2, p. 1; 2082-A2, pp. 2-3; 2085-A1, p. 11).
OSHA begins by noting that many of the benefits discussed by
commenters would not materialize. Because OSHA has determined
publishing the data would do more harm than good for reasons described
more fully below and in the privacy discussion above, OSHA would not
make the data public even if collected. In addition, as noted above,
OSHA has already taken the position that data from Form 300A is exempt
from disclosure under FOIA and that OSHA will not make such data public
for at least the approximately four years after its receipt that OSHA
intends to use the data for enforcement purposes. Therefore, the
benefits some commenters ascribed to publication of the data would not
be realized. Without publication, the research benefits claimed by many
commenters (e.g., Document ID 1965-A1, p. 1; 2004-A1, p. 1; 2011-A1,
pp. 2-3 (quoting the NAS report), 6-11; 2012-A1, pp. 3-4, 6-7; 2015-A1,
pp. 2-6; 2082-A2, pp. 2-3; 2088-A1, pp. 2, 7-8) also fall away. To the
extent case-specific data are crucial in conducting root-cause
analyses, which can reduce and prevent workplace illnesses and injuries
(Document ID 2000-A1, p. 1), employers can still use their own data, or
share it with researchers voluntarily, for this purpose. OSHA
acknowledges that the 300 and 301 data would have benefits for
occupational safety and health research, but notes that researchers
already have access to BLS data and severe injury data. OSHA has
determined that the best use of the agency's resources at this time is
full utilization of 300A and severe injury data, not providing 300 and
301 data to researchers despite the uncertain incremental benefits of
the data to OSHA and especially when OSHA itself will continue to
protect workers by accessing Forms 300 and 301 through on-site
inspections and for specific enforcement actions as needed.
With respect to the remaining potential benefits for enforcement
identified by the commenters, OSHA simply notes that those benefits are
uncertain, and collecting and utilizing these data would be costly.
OSHA cannot justify diverting resources from fully utilizing 300A data
and severe injury data, which OSHA's experience has shown to be useful
for enforcement and compliance assistance, to collect data with
uncertain benefits to OSHA's core mission.
NIOSH and other commenters stated that the data from Forms 300 and
301 could be used for future research to identify patterns and trends
across workplaces that could be masked by aggregated, summary data from
Form 300A. (Document ID 2003-A2, pp. 6-7; 2007-A1, p. 4). In addition,
the NAS report echoed a number of the benefits of collection identified
by some commenters, including research for surveillance and prevention
purposes, employer benchmarking, employee assessment of safety and
health conditions at various workplaces, and intervention and education
by public health agencies. (Document ID 1965-A1, pp. 177-179). The NAS
report suggests that electronic collection of Form 300 and 301 data
would supplement BLS Survey of Occupational Injuries and Illnesses
(SOII) data, letting OSHA focus its interventions and prevention
efforts on hazardous industries, workplaces, exposures, and high-risk
groups. (Document ID 1965-A1, p. 179). According to the report,
collecting the Form 300 and 301 data would allow for expanding and
targeting outreach to employers, particularly smaller employers, to
improve hazard identification and prevention efforts, and would give
OSHA the opportunity to advise employers on how their rates of injury
and illness compare with the rest of their industry. (Document ID 1965-
A1, p. 178).
OSHA will continue to work with NIOSH, other government agencies,
and interested stakeholders to share information and leverage
efficiencies to reduce workplace injuries and illnesses as appropriate.
And while OSHA appreciates the findings and recommendations of the NAS
Report that commenters identified, the approaches suggested by NAS
would require substantial investment of time and money to develop. OSHA
has determined that at this juncture, the protection of worker safety
and health will best be furthered by allocating its resources in more
concrete ways in which OSHA can more fully draw on its existing
experience, such as utilizing the 300A and severe injury data it is
[[Page 392]]
already collecting and analyzing for enforcement and compliance
assistance activities.
Several commenters pointed out ways in which OSHA has used Forms
300 and 301 and similar data in the past to further its mission of
ensuring safe and healthy workplaces. (E.g., Document ID 2003-A2, pp.
6-7; 2012-A1, pp. 3-4). For example, commenters asserted that OSHA has
previously analyzed Form 300 and 301 data from multiple workplaces to
identify frequently-recurring injuries and to better protect workers'
safety and health, and used information from severe injury reports to
understand injury causation and to inform the agency's compliance
assistance and outreach efforts. (Document ID 2012-A1, pp. 3-4; 2003-
A2, pp. 6-7). Employers have had to submit severe injury reports,
containing information similar to what is included on Form 301, to OSHA
since 2015. (Document ID 2003-A2, p. 6). To the extent OSHA has
evaluated small batches of similar data in the past to further its
mission of protecting worker safety and health, commenters suggest that
a broader collection could be similarly useful.
OSHA agrees that data from Forms 300 and 301 and similar data can
be helpful, but disagrees that its past experience justifies the broad
collection envisioned in 2016. As NIOSH acknowledged in its comment,
the volume of Form 300 and 301 data employers were required to submit
under the 2016 final rule would far exceed the number of severe injury
reports OSHA receives. (Document ID 2003-A2, p. 6). Collecting and
using a high volume of data--without the relevancy filters imposed by
severe injury reports or on-site inspections--would require substantial
resources to process and analyze. OSHA has determined that, at the
current time, the resources OSHA would need to devote to developing
that capacity and determining best how use the data would better
achieve the mission of the agency by being allocated to full
utilization of the 300A and severe injury data. OSHA will thus continue
to obtain and use data from Forms 300 and 301 from employers as needed
for on-site inspections and specific enforcement actions, as has proven
helpful in the past.
Moreover, as OSHA notes elsewhere in this preamble, before making
300 and 301 records requested on an ad hoc basis or severe injury
reports public, the agency manually screens all of those records for
PII and data that could re-identify workers. But the sheer volume of
the data, which is expected to come from over 775,000 reports, would
make the costs to manually screen all of the 300 and 301 data enormous;
OSHA believes those resources are better allocated to activities closer
to OSHA's core enforcement mission. One commenter suggested that
collecting the data from Forms 300 and 301 electronically would benefit
workers by allowing them access to these records without fear of
retaliation for requesting the records from their employers. (Document
ID 2083-A1, p. 2). But OSHA notes that workers have a right under 29
CFR 1904.35 to access their own employers' 300 and 301 data, and
Section 11(c) of the OSH Act, 29 U.S.C. 660(c), prohibits employers
from retaliating against workers for exercising that right. Another
commenter asserted that a worker's medical provider could benefit from
OSHA's electronic collection and publication of 300 and 301 data and
using the data to assess conditions at the relevant workplace.
(Document ID 2010-A2, p. 4) (commenting on the 2013 NPRM). But OSHA
again notes that workers retain the right to access 300 and 301 data
from their own employers and share it with their medical providers.
After considering these comments, OSHA has determined that because
it already has systems in place to use the 300A data for enforcement
targeting and compliance assistance without impacting worker privacy,
and because the Form 300 and 301 data would provide uncertain
additional value, the Form 300A data are sufficient for enforcement
targeting and compliance assistance at this time. OSHA will continue to
request copies of Forms 300 and 301 during its inspections, and make
use of data from severe injury reports, as appropriate.
Collecting and Processing the 300 and 301 Data Would Divert Agency
Resources From Higher Priority Initiatives
As OSHA stated in the NPRM, electronically collecting and taking
steps necessary to try to use Form 300 and 301 data would require the
agency to divert resources from other priorities, including the
analysis of Form 300A data. As explained above, OSHA has already
collected summary 300A data from 214,574 establishments, and expects
that volume to increase. OSHA is seeking to fully utilize these data,
and has designed and implemented a targeted enforcement mechanism for
industries experiencing higher rates of injuries and illnesses. OSHA
likewise evaluates severe injury reports, which it receives shortly
after accidents, to target its enforcement and compliance-assistance
efforts.
Many commenters agreed that OSHA would need to significantly
increase or divert its resources from other priorities to collect,
process and analyze the electronically submitted Form 300 and 301 data.
(E.g., Document ID 2008-A1, p. 2; 2019-A1, pp. 2, 6-7, 9-10; 2044-A1,
p. 6 (citing 83 FR at 36496)). Some noted that, without diverting
resources from other priorities, OSHA might not be able to analyze and
use the data as it intended when it finalized the 2016 final rule
(Document ID 2070-A1, p. 9), and that OSHA already has access to other
data sources it can analyze and more potential violators than it can
investigate with its resource constraints (Document ID 2055-A1, p. 2).
By rescinding the requirement to collect electronically Form 300 and
301 data, OSHA will better focus on pre-existing, successful
enforcement efforts. (E.g., Document ID 2044-A1, p. 6; 2075-A1, p. 4).
Commenters also agreed with OSHA that the uncertain benefits of
requiring employers to electronically submit Forms 300 and 301 do not
outweigh the costs and burdens to OSHA and employers and the risk to
worker privacy. (E.g., Document ID 1985-A1, p. 1; 2008-A1, p. 2; 2024-
A1, p. 1).
Other commenters suggested that requiring electronic submission of
the Form 300 and 301 data would help OSHA allocate its resources and
identify injury trends, their causes, and emerging hazards to improve
its enforcement and outreach efforts beyond what OSHA can accomplish
with the 300A data. (E.g., Document ID 1929; 1961-A1, pp. 1-2; 2007-A1,
pp. 1-5; 2011-A1, p. 6; 2054-A1, pp. 1, 6-7, 8-9). One commenter
theorized that having access to the detailed information contained in
Forms 300 and 301, rather than simply the summary data from Form 300A,
can improve OSHA's use of its enforcement resources to target the
highest priority issues. (Document ID 2007-A1, p. 5). But these
commenters provide no evidence to support their claims, and OSHA finds
none in the record. OSHA's own experience with using Form 300 and 301
data is insufficient to support these theories. These commenters'
speculation therefore does not alter OSHA's view that diverting OSHA's
focus from longstanding and successful agency priorities is not
justified to achieve the uncertain benefits of electronically
collecting data from Forms 300 and 301.
Commenters pointed to OSHA's statements in the 2016 final rule that
collecting data from Forms 300 and 301
[[Page 393]]
would allow the agency to leverage its resources to execute its mission
by helping its compliance assistance programs, encouraging employers
and workers to identify and address workplace hazards to avoid the
perception of being an unsafe place to work, and providing data to
employers, workers, unions and academics that would assist them in
researching and innovating to improve workplace safety and health.
(Document ID 2007-A1, p. 3; 2017-A1, p. 2). Although OSHA identified
these potential benefits, OSHA never quantified them. This final rule
does not ignore those prior statements or the possibility that benefits
could result from collecting the data, but concludes that the scope of
any such benefits is uncertain. OSHA does not believe that these
uncertain benefits justify the diversion of OSHA's resources from other
agency initiatives with a proven record of effectiveness.
Some commenters asserted that a recent Office of the Inspector
General (OIG) report auditing OSHA's fatality and severe injury
reporting program (OIG, Dep't of Labor, OSHA Needs to Improve the
Guidance for Its Fatality and Severe Injury Reporting Program to Better
Protect Workers, 02-18-203-10-105 (OIG report), available at: https://www.oig.dol.gov/public/reports/oa/viewpdf.php?r=02-18-203-10-105&y=2018) demonstrates a need for improved reporting, noting that the
OIG report concluded employers underreport fatalities and severe
injuries by as much as 50 percent. (E.g., Document ID 2017-A1, p. 2;
2051-A1, p. 3). Commenters noted that the OIG report found that OSHA
cannot effectively target compliance and enforcement efforts without
complete information on work-related fatalities and severe injuries.
(E.g., Document ID 2051-A1, p. 3; 2089-A1, p. 2). Another commenter
suggested that the collection and publication of data from Forms 300
and 301 would create ``publicly available checks'' and increased
accountability for employers. (Document ID 2062-A1, p. 2).
OSHA disagrees that the OIG report indicated a need to collect more
injury and illness data. Rather, the report recommends that OSHA take
steps to better enforce and implement the severe injury reporting
requirements. (OIG report, p. 1). Specifically, the OIG recommended
that OSHA (1) develop and provide guidance to staff to detect and
prevent underreporting; (2) consistently issue citations for
underreporting; (3) clarify guidance for documentation of OSHA's
essential decisions, evidence required to demonstrate abatement by the
employer, and requirements for monitoring employer-conducted
investigations; and (4) emphasize the importance of conducting
inspections for incidents that resulted in a fatality, two or more in-
patient hospitalizations, emphasis programs, or imminent danger. (OIG
report, p. 15). OSHA is committed to implementing these recommendations
as indicated in OSHA's formal response to the report, (OIG report, pp.
21-23), and OSHA has determined such implementation is more likely to
address OIG concerns than electronically collecting Forms 300 and 301.
OSHA will use the OIG report's findings to shape and improve its
severe injury reporting objectives. Indeed, this rulemaking seeks to
improve OSHA's capacity to direct its resources to current initiatives
such as implementing the severe injury reporting requirements, rather
than collecting new data with uncertain benefits. OSHA's current
priorities include fully utilizing the data from the Form 300As and
severe injury reports it is already collecting to improve its
enforcement and outreach objectives to ensure compliance with the OSH
Act. Again, investing in a program to collect, process, and analyze
data from hundreds of thousands of Forms 300 and 301 would constrain
OSHA's ability to achieve these and other priority enforcement goals.
Regarding the suggestion that collection and publication of data
from Forms 300 and 301 might increase compliance with electronic
reporting requirements (Document ID 2062-A1, p. 2), OSHA finds it can
better hold employers accountable through the appropriate allocation of
resources to enforcement efforts and compliance assistance, rather than
collecting data with uncertain benefits. This commenter provides no
evidence for the speculative suggestion that publication of the data
would create an incentive for employers to report fatalities and severe
injuries. (Document ID 2062-A1, p. 2).
Collecting 300/301 Data Could Lead to Less Accurate Records
Commenters expressed concern that requiring employers to report
electronically the data from Forms 300 and 301 could have a negative
impact on accurate recordkeeping. For example, some employers may not
prepare Forms 300 and 301 accurately for fear that the information
would become public and cause reputational harm or subject them to
targeted OSHA inspections. (Document ID 2019-A1, p. 7; 2044-A1, p. 34
(commenting on 2013 NPRM); 2055-A1, p. 2). Commenters also indicated
that employers fear that publishing Form 300 and 301 data will expose
confidential and proprietary information to their competitors and
adversaries. (Document ID 2070-A1, pp. 9-10; 2076-A1, pp. 6-7). For
example, public disclosure of location information may allow
competitors to determine confidential business locations or
acquisitions that have not been publicized, or publication of the
substances or chemicals that were involved in injuries and illnesses
may identify products, inventions, or proprietary technologies that are
in research and development. (Document ID 2070-A1, pp. 9-10). The
collection's focus on lagging indicators, which measure past safety
performance, also may not be representative of a company's current
safety efforts. (Document ID 2044-A1, p. 30) (commenting on 2013 NPRM).
One commenter explained that Forms 300 and 301 are most useful to the
employer when they contain robust information about the details of
workplace injuries and illnesses, but that employers will have
incentives to sanitize their reports if they believe they will become
public, and be mischaracterized, as a result of electronic submission
to OSHA. (Document ID 2019-A1, p. 7).
Commenters also noted that workers may be reluctant to report
accurately their data for Forms 300 and 301 for fear that the details
of their reports will become public and reveal their private
information. (Document ID 2030; 2085-A8, p. 8 (commenting on 2013
NPRM)). One commenter noted that the Confidential Information
Protection and Statistical Efficiency Act of 2002 requires BLS to keep
this kind of data confidential. (Document ID 2053-A1, p. 2). In
enacting the CIPSEA, Congress found that ensuring the confidentiality
of sensitive information submitted to the government ``is essential in
continuing public cooperation in statistical programs.'' (Pub. L. 107-
347 sec. 511(a)(5)). While the CIPSEA applies to BLS, not OSHA, OSHA
shares Congress's concern that fear of sensitive information becoming
public could undermine accurate reporting.
Other commenters expressed concern that employers will hide
workplace injuries if they are not required to file Forms 300 and 301
electronically. (Document ID 1976-A1, p. 1; 1996-A1, p. 1; 1999-A1, p.
1; 2002-A1, p. 1). OSHA finds these comments to be speculative and
unsupported by its experience reviewing Forms 300 and 301 through on-
site inspections. OSHA also does not find that requiring employers to
submit their 300 and 301 data electronically would motivate them
[[Page 394]]
to report injuries and illnesses they otherwise would not have
recorded. One commenter noted that the cost to large employers of
submitting their 300 and 301 data was not burdensome because compliance
would have cost approximately $258.34 per establishment per year, which
would be an average of less than one dollar per employee per year.
(Document ID 2012-A1, p. 12). Although OSHA acknowledges that the
requirement to submit data from Forms 300 and 301 to OSHA would have
been economically feasible for large employers, OSHA's central
rationale for rescinding these requirements is not to reduce employer
costs but rather to protect worker privacy and to direct agency
resources towards fully utilizing the data it is already collecting to
advance improvements to health and safety for workers.
OSHA has determined that publishing the data could also cause more
harm than good. Workers would know in advance that some details of
their injuries would be public and on the internet. Deterring worker
reporting through fear of publication could make the records less
accurate. And, because employers are required to report workplace
injuries and illnesses regardless of fault, OSHA no longer considers
collection of employers' injury and illness records likely to ``nudge''
them to make their workplaces safer, which OSHA identified in 2016 as a
benefit of publishing the 300 and 301 data. (See 81 FR 29629; Document
ID 2007-A1, pp. 4-5). OSHA finds that the final rule may ensure more
accurate records on Forms 300 and 301 by alleviating employers' and
workers' fears about the consequences of the records becoming public,
and will allow employers to devote more of their resources towards
compliance with safety and health standards.
State Plan Issues
In the NPRM, OSHA noted that, pursuant to section 18 of the OSH Act
(29 U.S.C. 667) and the requirements of 29 CFR 1904.37 and 1902.7,
within 6 months after publication of the final OSHA rule, state-plan
states must promulgate occupational injury and illness recording and
reporting requirements substantially identical to those in 29 CFR part
1904. (83 FR at 36505). All other injury and illness recording and
reporting requirements (for example, industry exemptions, reporting of
fatalities and hospitalizations, record retention, or employee
involvement) that are promulgated by state-plan states may be more
stringent than, or supplemental to, the federal requirements, but,
because of the unique nature of the national recordkeeping program,
states must consult with OSHA and obtain approval of such additional or
more stringent reporting and recording requirements to ensure that they
will not interfere with uniform reporting objectives under 29 CFR
1904.37 and 1902.7. (See 83 FR at 36505).
Some commenters responded to this section of the NPRM with concerns
that centralized, federal collection is the most efficient and cost-
effective way to compile detailed data for enforcement and prevention,
and that the analysis of small, discrete quantities of data from
multiple state databases will make important trends less apparent.
(Document ID 2062-A1. p. 1; 2028-A1, pp. 5-6; 1965-A1, pp. 6-7).
Commenters theorized that the detailed reporting requirements of the
prior final rule would have enabled both federal OSHA and state plans
to target their prevention and enforcement measures at particular
employers and industries. (Document ID 2028-A1, p. 3; 2046-A1, p. 2).
Commenters also asserted that, as a result of this final rule, some
states would have to set up separate reporting systems at significant
cost to maintain reporting requirements consistent with the prior final
rule. (Document ID 2028-A1, p. 5; 2088-A1, p. 13). The California
Department of Industrial Relations is in favor of the reporting
requirements of the prior final rule because national collection would
be more efficient than state-by-state collection, among other reasons.
(Document ID 2062-A1, p. 3). Commenters also pointed out that some
state-level agencies, such as the Washington State Department of Labor
and Industries (``WA L&I''), have gathered detailed data through their
workers' compensation system and collaborated with NIOSH in analyzing
the data to inform targeted enforcement strategies. (Document ID 1993-
A1, p. 1; 1965-A1, pp. 57-59). One commenter pointed to the NAS Report,
which noted that ``only 20 percent of states reported having
substantial epidemiologic and surveillance capacity in occupational
health'' and concluded that this lack of surveillance capacity
``results . . . in . . . missed opportunities for collaboration across
public health domains to address convergent public health concerns that
affect workers as well as the general public.'' (Document ID 1965-A1,
p. 122 (NAS Report)). One group of commenters expressed concern that
OSHA's consultation requirement would make it harder for states to
implement such systems and noted that states without state plans or
with state plans limited to public sector workers will not have the
opportunity to have access to detailed data like that required by the
prior rule. (Document ID 2028-A1, pp. 5-6).
As OSHA noted in the NPRM, the effectiveness of the Form 300 and
301 data as an enforcement and prevention tool in advancing worker
safety is unclear. The suggestion that the data would be useful to
states without state plans (Document ID 2028-A1, pp. 5-6), is
speculative, as OSHA has determined that the benefits of collecting
such data on a national scale are uncertain and do not outweigh the
collection's burdens and costs. (83 FR at 36498). OSHA finds that the
Form 300A collection adequately serves its enforcement purposes at this
time without jeopardizing worker privacy, and OSHA is committed to
sharing these data with state-plan states, including those covering
only public sector workers. OSHA cannot justify collecting Form 300 and
301 data where the data's usefulness is unclear. (83 FR at 36498).
OSHA disagrees that this final rule would necessarily hinder states
in implementing their own requirements for collection of Form 300 and
301 data. As OSHA explained in the NPRM, the rule does not preempt
state law. (83 FR at 36505). The consultation requirement is not
intended to limit state plans to strict conformity with the rule but
rather to aid states in avoiding interference with OSHA's unique
recordkeeping program. There is no evidence in the record that
individual state collection of Form 300 and 301 data would cause such
interference. To the extent some state agencies, such as WA L&I, have
already collected similar data, this shows that some states have
mechanisms to collect the data they need without OSHA's collecting
electronically the Form 300 and 301 data. If state agencies determine
that a detailed data collection system is best for their states, then
they may pursue such a system in consultation with OSHA.
OSHA acknowledges that systems to collect this volume of data would
be costly for states to implement. Centralized collection might be more
efficient and cost-effective than state-by-state collection, but OSHA
has doubts about the usefulness of the data and concerns about the
costs of collection as noted elsewhere in this preamble. States are
empowered to do as OSHA has and weigh the substantial costs of
collection against the likely utility of the data. OSHA also notes, in
response to a comment that some states have more limited surveillance
capacity than others (Document ID 1965-A1, p. 57),
[[Page 395]]
that those states will have access to the summary data collected by
OSHA, and that OSHA itself must appropriately allocate its resources
for surveillance to best serve OSHA's mission of protecting all
workers. States are empowered to share the data gathered at the state
level at their discretion and consistent with any applicable laws. In
promulgating this rule, OSHA erects no barrier to communication among
state agencies.
B. New Requirement To Include Employer Identification Number With
Injury and Illness Data Submitted to OSHA Electronically Under 29 CFR
1904.41
The NPRM included a provision that would require covered employers
to submit their Employer Identification Number (EIN) electronically
along with their injury and illness data submission in the proposed
rule. (83 FR at 36494). OSHA explained that it had limited the proposed
data collection in its 2013 NPRM (78 FR 67254) to Improve Tracking of
Workplace Injuries and Illnesses to records that employers were already
required to collect under part 1904. Accordingly, the May 2016 final
rule only required the electronic submission of such records. These
records do not include the employer's EIN.
After collecting and analyzing the first year of data (i.e.,
Calendar Year 2016 Form 300A data), however, OSHA and BLS realized that
collecting EINs could help the agencies make full use of the data
collected. The proposed EIN submission requirement grew out of that
realization. As the agency explained in the proposal, this change could
have a number of benefits. (83 FR at 36499-500). For example, OSHA
posited that collecting EINs would increase the likelihood that BLS
would be able to match data collected by OSHA under the electronic
reporting requirements in 29 CFR part 1904 to data collected by BLS for
the Survey of Occupational Injury and Illnesses (SOII). The ability to
accurately match the data is critical for evaluating how BLS might use
OSHA-collected data to supplement the SOII, which in turn would enhance
the ability of OSHA and other users of the SOII data to identify
occupational injury and illness trends and emerging issues.
Furthermore, the ability of BLS to match the OSHA-collected data also
has the potential to reduce the burden on employers who are required to
report injury and illness data both to OSHA (for the electronic
recordkeeping requirements in part 1904) and to BLS (for the SOII).\7\
---------------------------------------------------------------------------
\7\ As OSHA explained in the NPRM, the SOII is an establishment
survey and is a comprehensive source of national estimates of
nonfatal injuries and illnesses that occur in the workplace. (83 FR
at 36499). The survey collects data on non-fatal injuries and
illnesses for each calendar year from a sample of employers based on
recordable injuries and illnesses as defined by OSHA in 29 CFR part
1904. (83 FR at 36499). Using data from the survey, BLS estimates
annual counts and rates by industry and state for workers in private
industry and state and local government. (83 FR at 36499-500). In
addition, the SOII provides details about the most severe injuries
and illnesses (those involving days away from work), including
characteristics of the workers involved and details of the
circumstances surrounding the incident, using data collected on
Forms 300A and 301 from the sampled establishments. (83 FR at 36500
(citing BLS Handbook of Methods: https://www.bls.gov/opub/hom/soii/home.htm)).
---------------------------------------------------------------------------
OSHA also noted in the proposal that without the EIN, there is no
methodological approach to match completely the establishments that
submit data through both OSHA's collection of injury and illness data
under Sec. 1904.41 and the BLS data collection for the SOII. BLS
cannot provide its collected data to OSHA because the Confidential
Information Protection and Statistical Efficiency Act of 2002 (Pub. L.
107-347, 116 Stat. 2899 (2002)) prohibits BLS from releasing
establishment-specific data to either OSHA or the general public. (83
FR at 36500). Although OSHA can provide the data it collects to BLS,
without the EIN it is very difficult to match the establishments in
OSHA's data collection to the establishments in BLS's data collection.
Not having the EIN increases the resources necessary to match the data
and reduces the accuracy of the match.
OSHA further explained its preliminary determination that including
the EIN in the electronic reporting to OSHA would improve BLS's ability
to match accurately the OSHA-collected data with the SOII data. (83 FR
at 36500). OSHA suggested that, after evaluation of the accuracy of the
data matching, it might be possible for BLS to use the OSHA-collected
data to generate occupational injuries and illnesses estimates,
reducing burden on employers by decreasing duplicative reporting. If
the EIN is not collected and the data from the two sources cannot be
accurately matched, reducing this burden becomes nearly impossible.
Finally, OSHA suggested that including the EIN as part of
electronic reporting could improve the quality and utility of the
collected data. (83 FR at 36500). For example, OSHA noted that it could
use the EIN to identify errors such as multiple submissions of data
from the same establishment and to link multiple years of data
submissions from the same establishment. (83 FR at 36500). The agency
also observed that the EIN could be used to match against other
databases that contain this identifier to add additional
characteristics to the data. (83 FR at 36500). For example, OSHA
routinely collects the employer's EIN during an inspection and enters
the EIN into the OSHA Information System (OIS). OSHA noted in the
proposal that Form 300A submissions with an EIN could be linked to the
OIS to identify the previous enforcement history of the establishment
when the inspection records contain the EIN. (83 FR at 36500).
In the proposal, OSHA also noted that EINs do not have the same
level of protection as Social Security numbers. (83 FR at 36500). In
fact, many employers' EINs are available in a variety of public
sources, including filings with the U.S. Securities and Exchange
Commission, the Federal Communications Commission's Commission
Registration System, and the DOL's Employee Benefits Security
Administration. (83 FR at 36500). Businesses also have to share EINs
with contractors and clients for tax reporting, such as filing an IRS
Form 1099. (83 FR at 36500). As a result, OSHA explained, the
Department has not generally withheld EINs from disclosure. (83 FR at
36500).
OSHA asked stakeholders to comment on its proposal to add the EIN
submission requirement generally. (83 FR at 36499). The agency also
specifically invited public comment on the advantages and disadvantages
of requiring employer submission of EINs and on whether employers
required to electronically report information to OSHA under part 1904
would consider the EIN to be exempt from disclosure, either as
confidential business information or for another reason. (83 FR at
36500). In addition, OSHA asked if there were any circumstances where
the EIN would be considered PII and whether there were privacy concerns
that might arise from employers submitting their EIN. (83 FR at 36500).
Commenters submitted a number of comments in response to OSHA's
request. These comments generally fall into three categories: (1)
Comments related to the benefits of collecting EINs, (2) comments
focusing on whether an employer's EIN is commercially confidential or
sensitive, and (3) comments suggesting alternatives to the agency's
proposal that might achieve the agency's goal of reducing respondent
burden and increasing the utility of the data collected, without the
submission
[[Page 396]]
of EINs. Each of these issues, commenters' submissions, and the
agency's final determinations are laid out in more detail below.
Benefits of Collecting the EIN
As discussed above, OSHA preliminarily determined that collecting
EINs would have a number of benefits, including streamlining reporting
for employers who are required to report injury and illness data both
to OSHA and BLS, improving the agencies' ability to match their data,
and improving the quality and utility of the collected data. (83 FR at
36499-500). OSHA received many comments on the benefits of collecting
the EIN.
Many commenters agreed with OSHA that collection of the EIN would
enhance the utility of the data and therefore improve worker safety and
health. (E.g., Document ID 2012-A1, p. 15). Several commenters provided
specific examples of how the EIN can be used by OSHA for research
purposes, such as identifying employers with patterns of injuries
(E.g., Document ID 2015-A1, p. 7) and matching against other databases
that contain the EIN to add characteristics to the data. (E.g.,
Document ID 2003-A2, p. 7). Several commenters also noted that using
the EIN to enhance research is consistent with recommendations from the
NAS Report. (E.g., Document ID 2003-A2, p. 7). Still other commenters
observed that collecting EINs would allow OSHA to improve the quality
and utility of the data collected, and provided many examples of the
benefits associated with having this data element. (E.g., Document ID
2088-A1, p. 14; 2012-A1, p. 15; 2003-A2, p. 7). For example, some
commenters noted that adding the EIN would enhance the value of the
data for enforcement and compliance assistance by allowing OSHA to
identify the relationship between establishments rather than having to
rely on company names that can be similar across different businesses.
(E.g., Document ID 2007-A1, pp. 8-9; 2012-A1, p. 15; 2074-A1, p. 5).
Many commenters also agreed with OSHA that collecting the EIN along
with data submissions under part 1904 could potentially reduce
duplicative reporting for employers that are also required to submit
data both to BLS under the SOII. (E.g., Document ID 2088-A1, p. 14;
2036-A1, p. 8). Several commenters noted that using the EIN to reduce
duplication of burden is consistent with the NAS report. (E.g.,
Document ID 2085-A1, p. 20).
Other commenters, however, disagreed, observing that there
``appears to be little value to OSHA gained in collecting the EIN.''
(Document ID 2084-A2, p. 5).
After carefully reviewing all the comments submitted on this
subject, OSHA finds that collection of the EIN will result in the
benefits detailed by commenters. Having this common identifier will
help OSHA understand exactly which establishment the Form 300A data
represents, link establishments between databases, and track data over
time. The difficulties involved in matching and tracking establishments
by name and address introduce uncertainty which in turn reduces the
utility of the data collected. A numerical identifier that is common
over time and between databases eliminates these uncertainties.
Collecting the EIN is also an essential first step towards eliminating
duplicative reporting to OSHA and BLS in the future. In short,
collection and use of the EIN presents the most practical and efficient
solution for matching and linking the BLS and OSHA data sets and at the
same time increases the utility and accuracy of the data within OSHA's
data set.
Sensitivity of the EIN
Although nearly all of the commenters who opined on the potential
benefits of collecting the EIN agreed with OSHA that the collection
would be beneficial, a number of commenters argued that any benefits to
OSHA in collecting the EIN were outweighed by the risks if the EIN is
publicly disclosed. (Document ID 2064-A1, p. 2). For example, some
commenters expressed concern about the commercial sensitivity of the
EIN and the potential for fraud. (E.g., Document ID 2057-A1, p. 5).
Some commenters maintained that the EIN was confidential business
information comparable to a Social Security number. (E.g., Document ID
2041-A1, p. 2; 2066-A1, p. 2). One commenter stated that it did not
object to OSHA's proposal to include EINs with Form 300A filings,
provided that OSHA maintains this information as confidential.
(Document ID 2049-A1, p. 2).
Others, though not claiming that the EIN was confidential
commercial information, nonetheless asserted that collecting the EIN
could harm businesses and that such harm outweighed any benefits of
collection. (E.g., Document ID 2084-A2, p. 5; 2039-A1, p. 3). For
example, one commenter asserted that employers are concerned about
making EINs more widely available through FOIA requests ``given the
high potential for fraud. For example, a 2013 audit by the U.S.
Department of the Treasury identified 767,071 corporate tax returns
with potentially fraudulent refunds totaling almost $2.3 billion due to
stolen and falsely obtained EINs.'' (Document ID 2057-A1, p. 5).
Commenters also stated that the risk of bad actors causing
``irreparable harm'' through malicious use of the EIN ``far outweighs
the issues involved in duplicative reporting.'' (Document ID 2039-A1,
p. 3; see also Document ID 2084-A2, p. 5; 2064-A1, p. 2).
Other commenters conceded that the EIN was not commercially
confidential and did not oppose OSHA's proposal to collect the EIN with
injury and illness data. (E.g., Document ID 2036-A1, p. 8; 2070-A1, p.
17). For example, Mark Dreux of the Corn Refiners Association (CRA)
stated: ``Because employers are required to disclose their EINs in many
different contexts . . . CRA's members do not consider it to be
confidential or proprietary business information.'' (Document ID 2036-
A1, p. 8). Consequently, CRA indicated that its members did not have
any concerns with the proposed requirement to submit EINs in
conjunction with injury and illness data to facilitate the exchange of
data between OSHA and BLS. (Document ID 2036-A1, p. 8). In fact, CRA's
members agreed with OSHA that ``the submission of employers' EINs will
simplify and avoid duplicative reporting of information between the two
agencies.'' (Document ID 2036-A1, p. 8; see also Document ID 2070-A1,
p. 17). Other employers simply noted that they did not object to
collection of EINs. (E.g., Document ID 1930-A1, p. 5). There were no
comments that claimed the EIN is Personally Identifiable Information
(PII). Several commenters specifically stated that it is not PII.
(E.g., Document ID 1969; 2070-A1, p. 17).
After reviewing these comments, OSHA concludes that the EIN is not
confidential commercial information, nor is it too sensitive to collect
with injury and illness data. The EIN is a government-issued number
(thus, not commercial), and as discussed above, many commenters
conceded that EINs are routinely made public (thus, not confidential).
Many companies must include their EINs on public filings or in filings
that are later disclosed in response to FOIA requests. (See 83 FR at
36500). For these reasons, OSHA has determined the EIN is not too
sensitive to collect given the possibility of release to the public
under FOIA.
OSHA also reviewed the Treasury Inspector General for Tax
Administration's 2013 report, Stolen and Falsely Obtained Employer
Identification Numbers Are Used to Report False Income and Withholding,
[[Page 397]]
referenced in a comment (see Document ID 2057-A1, p. 5). The report
does not indicate any harm done to the legitimate business owners of
the stolen EINs. While the report shows that tax fraud involving
misused EINs exists, it does not provide any indication that collection
of the EIN by OSHA would put employers at increased risk or exacerbate
the problem of false tax returns. OSHA does not agree that the findings
of this report are relevant to the agency's collection of the EIN with
injury and illness data.
Alternative Proposals and Miscellaneous Issues
Several commenters encouraged OSHA to seek and use alternative
methods to achieve the goal of reducing respondent burden and
increasing the utility of the data collected without collecting the
EIN, such as exploring technological approaches to resolve the
duplication issue (Document ID 2039-A1, p. 3), and others suggested
that OSHA should not need the EIN ``to determine whether it has correct
information when comparing it with [BLS].'' (Document ID 2073-A1, p.
2). One commenters suggested that OSHA should delay collection of the
EIN ``unless there is relative certainty that the data can and will be
used for its intended purpose.'' (Document ID 2019-A1, p. 8).
OSHA agrees that further collaboration with BLS to identify methods
for reducing respondent burden is vital. Collection and use of the EIN
presents the most practical and efficient solution for matching and
linking the two agencies' separate data sets at this time. OSHA does
not agree that a delay in the collection is warranted. The benefits of
having these data are clear, as discussed above. Any delay in the
collection of the EIN would delay the reduction in respondent burden
and increased utility of the Form 300A data collected.
The final rule requires employers to provide the EIN of their
establishments when submitting their injury and illness data. As
discussed above, evidence in the docket shows the EIN is a widely
available public record. Employers routinely made their EIN available
to both government and private entities, and OSHA already collects and
stores EINs in its inspection records. OSHA concludes the collection
and storage of the EINs through the ITA will pose minimal adverse
effects to establishments that provide these data. At the same time,
OSHA concludes the benefits of collecting these data are substantial.
Having the EIN will increase the utility of the data by both BLS and
OSHA and may reduce the burden on employers that are required to
respond to both the BLS and OSHA data collections. OSHA will continue
to collaborate with BLS to identify technological approaches to reduce
respondent burden, including exploring changes to both data collection
systems and real-time sharing of OSHA data with BLS.
Compliance Dates
The requirement to include the EIN for each establishment
submitting injury and illness data under 29 CFR 1904.41 will become
effective on February 25, 2019. The compliance date for this provision
is March 2, 2020. The EIN will therefore be required for covered
establishments submitting their 300A data from 2019, but not for
covered establishments submitting their 300A data from 2018, which have
to be submitted by March 2, 2019.
IV. Final Economic Analysis and Regulatory Flexibility Certification
A. Introduction
Executive Orders 12866 and 13563 require that OSHA estimate the
benefits, costs, and net benefits of proposed and final regulations.
Executive Orders 12866 and 13563, the Regulatory Flexibility Act (5
U.S.C. 601-612) and the Unfunded Mandates Reform Act (UMRA) (2 U.S.C.
1501-1571) also require OSHA to estimate the costs, assess the
benefits, and analyze the impacts of certain rules that the agency
promulgates. Executive Orders 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety, and other effects; distributive impacts; and
equity). Executive Order 13563 emphasizes the importance of quantifying
both costs and benefits, reducing costs, harmonizing rules, and
promoting flexibility.
In its preliminary economic analysis (PEA) in the proposal, OSHA
estimated that this rule would have net cost savings of $8.28 million
per year at a 3 percent discount rate, including $8.23 million per year
for the private sector and $52,754 per year for the government.
Annualized at a 7 percent discount rate, OSHA estimated that the
proposed rule would have net cost savings of $8.25 million per year,
including $8.18 million per year for the private sector and $64,070 per
year for the government. Annualized at a perpetual 7 percent discount
rate, the estimate rose to net cost savings of $8.35 million per year.
The agency stated its belief that the electronic collection of
information in the Forms 300 and 301 poses risks to worker privacy and
additional cost to employers and OSHA that outweigh the uncertain
enforcement benefits of collecting that information. (83 FR at 36501).
In this final economic analysis, OSHA estimates that the rule would
have net cost savings of $15.9 million per year at a 3 percent discount
rate, including $8.4 million per year for the private sector and $7.5
million per year for the government. Annualized at a 7 percent discount
rate, the rule would have net cost savings of $15.86 million per year,
including $8.37 million per year for the private sector and $7.5
million per year for the government. Annualized at a perpetual 7
percent discount rate, the rule would have net cost savings of
$16million per year. The agency has determined that the rescission of
the requirement to submit electronically the Forms 300 and 301 data
will benefit worker privacy by preventing routine government collection
of information that may be quite sensitive, including descriptions of
workers' injuries and the body parts affected. OSHA has determined
that, at this time, avoiding this risk to worker privacy outweighs the
uncertain incremental benefits to enforcement gained from
electronically collecting the data. In addition, the rule will allow
OSHA to focus its resources on the collection of 300A data and the data
provided through the new serious injury and illness reporting system.
OSHA finds that the new requirement for establishments to submit
their EIN will help both OSHA and BLS make full use of the data the
agencies collect. Collecting the EIN is helpful to understanding
exactly which establishment the Form 300A data represents, linking
establishments between databases, and tracking data over time. The
difficulties involved in matching and tracking establishments by name
and address introduce uncertainty, which in turn reduces the utility of
the data collected. A numerical identifier that is common over time and
between databases eliminates these uncertainties. Collecting the EIN is
also a positive first step towards eliminating duplicative reporting to
OSHA and BLS in the future. In short, OSHA concludes that collection of
the EIN presents the most practical and efficient solution for matching
and linking the BLS and OSHA data sets and at the same time increases
the quality and utility of the collected data.
The final rule is not an ``economically significant regulatory
action'' under E.O.
[[Page 398]]
12866 or UMRA (2 U.S.C. 1532(a)), and it is not a ``major rule'' under
the Congressional Review Act (CRA) (5 U.S.C. 801 et seq.). The agency
estimates that the rulemaking imposes far less than $100 million in
annual economic costs. In addition, it does not meet any of the other
criteria specified by UMRA or CRA for a significant regulatory action
or major rule. The final rule is a deregulatory action under Executive
Order 13771 (82 FR 9339 (January 30, 2017)).
The final rule will make two changes to the existing recording and
reporting requirements in part 1904. First, OSHA will eliminate the
requirement for establishments that are required to keep injury and
illness records under part 1904, and that had 250 or more employees in
the previous year, to electronically submit information from OSHA
recordkeeping Forms 300 and 301 to OSHA or OSHA's designee, on an
annual basis. Second, OSHA will require covered employers to submit
their EIN electronically along with other injury and illness data they
are required to submit to OSHA. These changes in existing requirements
are identical to those included in the proposal. The final rule does
not make any other changes to an employer's obligations regarding
injury and illness records.
In the subsections below, OSHA will first examine the cost savings,
costs, net cost savings, and benefits of the activities outlined above,
including a discussion of the comments submitted on these topics. The
agency will then turn to its economic feasibility finding and its
certification under the Regulatory Flexibility Act.
B. Cost Savings
As discussed in more detail below, OSHA preliminarily estimated
that the proposed elimination of the requirement that establishments
with 250 or more employees submit information electronically from their
OSHA Forms 300 and 301 would result in cost savings to employers and to
the government. (See 83 FR at 36501-02). Numerous commenters responded
that businesses are already required to keep these data and that
reporting the data to OSHA was not a costly additional requirement.
(E.g., Document ID 1943; 1945; 1947; 2077-A1, p. 2). One commenter
stated that making the data from Forms 300 and 301 available ``is a
reasonable cost of doing business.'' (Document ID 1942). None of these
comments challenged OSHA's specific cost estimates; rather, they simply
asserted that the costs were not substantial. OSHA's estimate of the
cost savings to employers from eliminating the requirement to submit
the data from Forms 300 and 301 is consistent with OSHA's finding in
2016 regarding the incremental cost of submitting these data. And, as
detailed earlier in this preamble, even though any related costs may be
minor for larger employers, OSHA has decided to rescind the requirement
to submit the data from Forms 300 and 301 primarily to protect
sensitive worker information from the risk of public disclosure, and to
focus its resources on fully utilizing the 300A data and severe injury
reports OSHA already collects rather than diverting resources from
those efforts given the uncertain extent of any incremental benefits
the 300 and 301 data would have for OSHA's enforcement and outreach
activities.
For the PEA, OSHA relied on the Final Economic Analysis (FEA) in
the May 2016 final rule (see 81 FR at 29674-87), updated to include
more recent data and some modifications in OSHA's methodology. OSHA
obtained the estimated cost of electronic data submission by
multiplying the compensation per hour of the person expected to perform
the task of electronic data submission by the time required to submit
the data. (83 FR at 36501).
In the PEA, as in the 2016 FEA, OSHA selected an employee in the
occupation of Industrial Health and Safety Specialist as being at the
appropriate salary level. The agency stated that the mean hourly wage
for Standard Occupational Classification (SOC) code 29-9011, Industrial
Health and Safety Specialists, in the May 2016 data from the BLS
Occupational Employment Survey (OES), was $34.85. However, OSHA
recognized that not all firms assign the responsibility for
recordkeeping to an Industrial Health and Safety Specialist. For
example, a smaller firm may use a bookkeeper or a plant manager, while
a larger firm may use a higher-level specialist. Therefore, OSHA asked
for comment on whether Industrial Health and Safety Specialist is the
appropriate salary level for the employee performing this task. (83 FR
at 36501).
OSHA did not receive any comments on this question; nor did
commenters object to the mean hourly rate used in the PEA. Therefore,
OSHA finds that Industrial Health and Safety Specialist is the
appropriate salary level. The updated mean hourly rate for this
position, per the May 2017 OES data, is $35.38.\8\ OSHA notes that this
is the raw wage and does not include the other fringe benefits that
make up full hourly compensation or overhead costs calculated in this
analysis.
---------------------------------------------------------------------------
\8\ See https://www.bls.gov/oes/current/oes299011.htm.
---------------------------------------------------------------------------
In the PEA, OSHA multiplied the mean hourly wage for Industrial
Health and Safety Specialist ($34.85) by the applicable mean fringe
benefit factor for workers in private industry as reported in the June
2017 data from the BLS National Compensation Survey (1.44) to obtain
the estimated total compensation (wages and benefits) of $50.18 per
hour. (83 FR at 36501).
OSHA did not receive any comments on this point. Therefore, OSHA is
retaining the estimate, with updates based on the June 2018 data from
the BLS National Compensation Survey.\9\ The Survey again reported a
mean fringe benefit factor of 1.44 for workers in private industry.
Multiplying the mean fringe benefit factor by the updated hourly wage
of $35.38 produces an estimated total compensation of $50.95 (an
increase of 1.5 percent from the PEA, due to the increase in the mean
hourly wage). OSHA believes that the calculated cost of $50.95 per hour
is a reasonable estimated total hourly compensation for a typical
record keeper.
---------------------------------------------------------------------------
\9\ See https://www.bls.gov/news.release/ecec.nr0.htm.
---------------------------------------------------------------------------
As noted in the PEA, overhead costs are indirect expenses that
cannot be tied to producing a specific product or service. Common
examples include rent, utilities, and office equipment. Unfortunately,
there is no general consensus on the cost elements that fit this
definition. The lack of a common definition has led to a wide range of
overhead estimates. Consequently, the treatment of overhead costs needs
to be case-specific. For the PEA, OSHA adopted an overhead rate of 17
percent of base wages. OSHA explained that the 17 percent rate was
consistent with the overhead rate used for sensitivity analyses in the
FEA in support of the 2017 final rule delaying the deadline for
submission of 300A data (82 FR 55761) and the FEA in support of OSHA's
2016 final standard on Occupational Exposure to Respirable Crystalline
Silica.\10\ (83 FR at 36501).
---------------------------------------------------------------------------
\10\ See the sensitivity analyses in the Improved Tracking FEA
(https://www.gpo.gov/fdsys/pkg/FR-2017-11-24/pdf/2017-25392.pdf,
page 55765) and the FEA in support of OSHA's 2016 final standard on
Occupational Exposure to Respirable Crystalline Silica (81 FR 16285)
(https://www.gpo.gov/fdsys/pkg/FR-2016-03-25/pdf/2016-04800.pdf
pp.16488-16492.). The methodology was modeled after an approach used
by the Environmental Protection Agency. More information on this
approach can be found at: U.S. Environmental Protection Agency,
``Wage Rates for Economic Analyses of the Toxics Release Inventory
Program,'' June 10, 2002 (Ex. 2066). This analysis itself was based
on a survey of several large chemical manufacturing plants: Heiden
Associates, Final Report: A Study of Industry Compliance Costs Under
the Final Comprehensive Assessment Information Rule, Prepared for
the Chemical Manufacturers Association, December 14, 1989, Ex. 2065.
---------------------------------------------------------------------------
[[Page 399]]
To calculate the total labor cost for an Industrial Health and
Safety Specialist, Standard Occupational Classification (SOC) code 29-
9011 for the PEA, OSHA added three components together: Base wage
($34.85) + fringe benefits ($15.33, derived as 44% of $34.85) +
applicable overhead costs ($5.92, derived as 17% of $34.85). This
increased the labor cost of the fully-loaded hourly wage for an
Industrial Health and Safety Specialist to $56.10. (83 FR at 36501).
OSHA did not receive any comments concerning its use of overhead or
the calculations to add an overhead charge to the loaded wage rate.
Therefore, for the FEA, OSHA has calculated the total labor cost for an
Industrial Health and Safety Specialist, Standard Occupational
Classification (SOC) code 29-9011, using the same method. The three
components are added together: Base wage ($35.38) + fringe benefits
($15.57, derived as 44% of $35.38) + applicable overhead costs ($6.01,
derived as 17% of $35.38). This increases the labor cost of the fully-
loaded hourly wage for an Industrial Health and Safety Specialist to
$56.96. OSHA considers this to be a reasonable estimate of total labor
costs.
To estimate the time required for the data submission in the PEA,
OSHA used the same estimated unit time requirements as reported by BLS
in its paperwork burden analysis for the Survey of Occupational
Injuries and Illnesses (SOII) (OMB Control Number 1220-0045). BLS
estimated 10 minutes per recordable injury/illness case for electronic
submission of the information on Form 300 (Log of Work-Related Injuries
and Illnesses) and Form 301 (Injury and Illness Incident Report). OSHA
also noted that, in the 2016 FEA, the agency estimated 2 minutes more
time than the BLS paperwork burden, for a total of 12 minutes per
recordable case (10 minutes per case for Form 301 entries plus 2
minutes per case for entry of Form 300 log entries), to account for the
differences between BLS and OSHA submission requirements. (83 FR at
36501-02).
OSHA received two comments about its preliminary time and burden
hour calculations. (Document ID 2012-A1, p. 12). The first commenter
argued that OSHA's estimated establishment-specific costs of the
electronic submission of data to OSHA are likely to be far higher than
the actual costs to employers, since the PEA assumed that all the data
will be entered manually for electronic submission. (Document ID 2012-
A1, p. 12). The commenter wrote that OSHA noted in the 2016 rule that
establishments that already keep their records electronically may have
lower submission times if they can export or transmit the required
information rather than entering it into the web form. (Document ID
2012-A1, p. 12) (quoting 81 FR 29690). The commenter asserted that OSHA
ignored this potential decrease in burden hours in the PEA. (Document
ID 2012-A1, p. 12).
OSHA recognizes that many large establishments will already be
keeping their records electronically and would likely have submitted
their data electronically through a batch upload or other bulk
electronic transmission, thus reducing the time that would have been
needed to comply with the electronic reporting requirement and the
corresponding cost estimate. The agency does not have precise
information regarding the percentage of employers that fall into that
category. Even if the percentage of those large employers is
substantial, OSHA does not have, and commenters did not provide, data
on the ease with which those employers could package this information
and transmit it in the format required.\11\ Therefore, as in the 2016
final rule, OSHA is retaining the time estimate that assumed manual
data entry for electronic submission.
---------------------------------------------------------------------------
\11\ To the extent some establishments may not have an internet
connection on site, that could also increase the time burden and
thus raise the cost estimate.
---------------------------------------------------------------------------
In addition, to the extent that the commenter is arguing that the
agency's omission of this fact from the PEA was an attempt to obscure a
potential decrease in the proposal's estimated cost savings, OSHA notes
that the statement regarding potential time savings was made in
response to a comment submitted during the 2016 rulemaking--a comment
that did not cause the agency to change its time estimate. Moreover,
the agency was clear in the PEA that its methodology was based on the
numbers in the 2016 rule. (See 83 FR 36501).
The second commenter on this issue similarly argued that OSHA's
cost estimate of 12 minutes per recordable case is based on the wrong
data point. The commenter maintained that OSHA's preliminary cost
analysis failed to disaggregate the time spent preparing Forms 300,
300A, and 301 (which an employer must incur regardless of whether the
form must be submitted to OSHA electronically) from the time spent
electronically submitting Forms 300 and 301 to OSHA. The commenter
argues that OSHA's cost estimate should be based only on the marginal
time of electronic reporting itself. (Document ID 2033-A1, p. 6).
OSHA agrees that the time estimate (and, thus, the cost savings
estimate) should account only for the incremental time spent on each
data submission--that is precisely why the agency calculated cost
savings in that manner in the PEA and continues to do so in this FEA.
(See 83 FR at 36501-02; see also 81 FR at 29676 (discussing the time
needed to submit the Forms 300 and 301 data electronically). The cost
of keeping records, including Forms 301, 301 and 300A were accounted
for in previous OSHA final rules and ICRs. The 2016 rule imposed
additional costs for electronic submission, and those were reported in
that FEA. (See 81 FR at 29676). This current final rule removes only
those newly imposed costs.
Therefore, having considered all the comments in the record on this
issue, OSHA continues to rely the time estimates from the PEA. OSHA
believes that the original estimate of 12 minutes per recordable case
is a reasonable average.
In the proposal, OSHA estimated the number of injuries and
illnesses that would have been reported by covered establishments with
250 or more employees under the 2016 final rule (and, thus, the number
that would no longer be required to be reported under the proposal). To
do so, OSHA assumed that the total number of recordable cases in
establishments with 250 or more employees was proportional to the
establishments' share of employment within each industry.\12\ OSHA then
used the most recent SOII data to estimate that, without the final
rule, covered establishments with 250 or more employees would report
775,210 injury and illness cases per year. The PEA thus estimated that
cost per case at $11.22 (12/60 x $56.10), and the total cost at
$8,699,173 ($11.22 per case x 775,210 cases).\13\ (83 FR at 36502).
---------------------------------------------------------------------------
\12\ OSHA solicited comment on this assumption in the PEA but
received none and so has retained this method for estimating total
recordable cases for this FEA.
\13\ Note that totals summarized in the text may not precisely
sum from underlying elements due to rounding. The precise
calculation of the numbers in the FEA appears in the spreadsheet in
the rulemaking docket titled ``FEA calculations.''
---------------------------------------------------------------------------
OSHA did not receive any comments on these estimates. OSHA
continues to find the above methodology and estimates to be reasonable
and has used them in the final rule, with updates based on the new wage
rate and
[[Page 400]]
establishment totals.\14\ The final cost per case to report the
information from Forms 300 and 301 is estimated at $11.39 (12/60 x
$56.96), and the total cost is $8,829,642 ($11.39 per case x 775,210
cases).\15\ Therefore, removing the requirement to submit the
information from OSHA Forms 300 and 301 to OSHA electronically would
result in a total cost savings to the private sector of $8,829,642.\16\
---------------------------------------------------------------------------
\14\ This cost estimate was developed prior to the NPRM, and is
subject to change based on subsequent developments to OSHA's ITA.
\15\ In addition, note that the totals in Table 1 of this
section of the preamble and the totals summarized in the text may
not precisely sum from underlying elements due to rounding. The
precise calculation of the numbers in the FEA appears in the
spreadsheet in the rulemaking docket titled ``FEA calculations.''
\16\ Overall, the estimated cost savings to private industry of
removing the requirement for electronic reporting of case data is 25
percent greater than the 2016 estimated cost of promulgating the
provision ($6,948,487). There are three reasons for this 25 percent
increase: The number of establishments with more than 250 employees
has grown, the mean hourly wage has increased, and OSHA is now
including a 17 percent overhead estimate in the cost estimates.
---------------------------------------------------------------------------
As noted in the PEA, the 2016 FEA included government costs for the
rule because creating a reporting and data collection system was a
significant fraction of the total costs of the regulation. OSHA
estimated that not collecting the case-specific data from OSHA Forms
300 and 301 would generate a small additional cost savings for the
government because that portion of the reporting and data collection
system has not yet been created and would not have to be created under
this final rule. OSHA estimated a lump sum savings from not creating
the software to collect the data from Forms 300 and 301 to be $450,000.
OSHA did not receive any comments about the cost to the government of
creating software to collect the data from Forms 300 and 301 and finds
that the original estimates are reasonable in light of overall costs
expected, so in the FEA OSHA will retain the estimate of $450,000.
Annualized at 3 percent over 10 years, this would represent a savings
to the government of $52,754 per year; annualized at 7 percent over 10
years, the cost savings would be slightly higher: $64,070. This
estimate underestimates costs to the government of having a system for
collection of this data. It includes the costs of software development,
but it does not include other administrative costs, or the analysis
that would be needed in order to use the data received by the system
for enforcement purposes.
A significant source of costs that was identified during the
preparation of this economic analysis is the anticipated costs of
attempting to remove PII and information that enables re-identification
of individuals from data that would have been collected under the 2016
final rule. This cost was not considered in the rulemaking preceding
the 2016 final rule because OSHA anticipated using software for this
purpose. As explained above, a court could require OSHA to release the
data as a result of a FOIA request. This risk is not insignificant--in
a recent decision, subsequent to publication of the NPRM for this rule,
in a lawsuit seeking to order OSHA to enforce the requirement for
covered employers to submit their Form 300 and 301 data from 2017 to
OSHA electronically, the court concluded that OSHA would likely be
required to release a significant portion of the data to the plaintiffs
under FOIA despite OSHA's concerns about employee privacy. See Public
Citizen Health Research Group v. Acosta, No. 18-1729, slip op. at 9
(D.D.C. Dec. 12, 2018). The court reasoned that, if some records
present a meaningful possibility of re-identification, OSHA could
redact any sensitive information ``on a case by case basis.'' Id. If
the Form 300 and 301 data were to be released, OSHA would need to
manually review the data to be released--from approximately 775,000
cases annually--to remove PII and other information that could allow
re-identification of ill or injured workers. This review would be
necessary because, as noted above, software cannot guarantee full
scrubbing of PII and has no ability to judge re-identifiable
information. OSHA has therefore added annual costs for case-by-case
review.
As noted above, OSHA estimates, based on the time it has taken OSHA
staff to review and remove personal information from other OSHA data,
that case-by-case review would require two levels of review. OSHA
anticipates that the first level review would be done by a GS-12, Step
5 Analyst (on the Washington, DC locality GS pay scale) and that
analyst's work would be reviewed by a GS-14, Step 5 Supervisor (also on
the Washington, DC locality pay scale).
The government hourly labor costs for the work of these employees
were calculated in the following manner. Federal GS-12, Step 5 Analysts
would conduct most of the review work. The fully-loaded hourly wage of
a GS-12, Step 5 Analyst is calculated by taking the annual salary,
dividing by the requisite 2087 hours worked per year, adding a fringe
benefit factor of 1.6, and finally adding a 17 percent overhead charge.
Using that formula, the fully-loaded hourly wage rate of a GS-12, Step
5 Analyst is $78.38 (annual salary of $92,421/2087 hours = base wage of
$44.28 x 1.6 + $44.28 x .17 = $78.38). A GS-14, Step 5 Supervisor would
review the review work. Using the same formula, the fully-loaded hourly
wage rate of the supervisor is $110.14 (annual salary of $129,869/2087
hours = base wage of $62.23 x 1.6 + $62.23 x .17 = $110.14).
The cost calculation for manually reviewing Form 300 and 301 data,
and removing any PII and other information that could allow re-
identification of ill or injured workers, is as follows. OSHA is
estimating that the first level review by the GS-12, Step 5 Analyst
would take, on average, six minutes per record to review the record and
redact any PII and other information that could allow re-identification
of ill or injured workers. The agency is also estimating that all
records would need to be reviewed. The first level review would have an
estimated total annual cost of $6,076,323 (775,210 records x 6 minutes
per record x 1 hour per 60 minutes x $78.38 per hour). The second level
review completed by the GS-14, Step 5 Supervisor is estimated to take,
on average, one minute per record and, again, all records would need to
undergo this second level review. The supervisor review of the first-
level review has an estimated total annual cost of $1,423,064 (775,210
records x 1 minute per record x 1 hour per 60 minutes x $110.14). The
total labor cost to review and remove PII by examination of each record
is estimated to be $7,499,387 ($6,076,323 + $1,423,064) annually.
OSHA notes that these numbers are broadly consistent with the
annual costs of MSHA's data collection and publication program (from
the MSHA ICR Supporting Statement, https://www.reginfo.gov/public/do/DownloadDocument?objectID=76285301).
C. New Costs (From the EIN Collection)
In the PEA, OSHA also estimated the potential new costs of amending
the recordkeeping regulation to require covered employers to submit
their EINs electronically along with their injury and illness data
submission. The agency anticipated that some employees given this task
would already know their employer's EIN from their other duties, but
others would need to spend some time finding out this information. OSHA
estimated an average of 5 minutes for an employee to find out his or
her employer's EIN and to enter it on the submission form. Therefore,
OSHA
[[Page 401]]
estimated that the unit cost for a submission would be the loaded wage
of the employee who submitted the information multiplied by his or her
time plus overhead, or $4.68 [(5/60) x $56.10]. (83 FR at 36502).
OSHA did not receive any comments on this estimate, and the agency
has determined that the preliminary estimate was reasonable. Therefore,
OSHA has retained the 5 minute estimate in this FEA. The updated unit
cost for a submission would be the wage of the employee who submitted
the information multiplied by his or her time plus overhead, or $4.75
[(5/60) x $56.96].
In the PEA, OSHA explained that the currently-implemented
electronic reporting system is already designed to retain information
about each establishment based on the login information, including the
EIN. Therefore, employers would only have to provide OSHA their EIN
once, so this would not be a recurring cost. However, it would be an
additional one-time cost for employers who are newly reporting data
because, for example, the establishment is new or the employer newly
reached the reporting threshold for employment size. OSHA estimated
that each year there will be about 10.15 percent more establishments
that will be required to report their EIN. OSHA derived the 10.15
percent figure from the U.S. Census Bureau's Statistics of U.S.
Businesses (SUSB), specifically the employment change data set,\17\
which shows the increase in U.S. business establishments from 2014 to
2015. In 2015, there were 689,819 new establishments, out of a total of
6,795,201 establishments. Dividing the first figure by the second gives
a change of about 10.15 percent. (83 FR at 36502). There were no
comments criticizing OSHA's use of the SUSB data or the methodology to
estimate the number of new reporting establishments each year, and OSHA
continues to find the above methodology and estimates to be reasonable.
Therefore, OSHA is retaining these estimates for the FEA.
---------------------------------------------------------------------------
\17\ See https://www2.census.gov/programssurveys/susb/datasets/2015/us_state_emplchange_2014-2015.txt.
---------------------------------------------------------------------------
In the PEA, OSHA estimated costs for covered establishments to
provide their EINs, using establishment and employment data from the
U.S. Census County Business Patterns (CBP).\18\ The three categories of
included establishments included in the CBP data are: (1) All
establishments with 250 or more employees in industries that are
required to routinely keep OSHA injury and illness records, (2)
establishments with 20-249 employees in certain high-hazard industries,
as defined in the Appendix to the May 2016 final rule, and (3) farms
and ranches with 20 or more employees. CBP data do not include numbers
of farms and ranches with 20 or more employees, so in the May 2016
final rule, OSHA used data from the 2012 Census of Agriculture. Updated
data from the 2017 Census of Agriculture were not available for the
PEA, so the PEA used the 2012 count of 20,623 farms with 20 or more
employees. CBP data also showed that there were 36,903 establishments
with 250 or more employees in industries required to routinely keep
records and 405,666 establishments with 20-249 employees in the
designated high-hazard industries. Combining these figures with 20,623
farms and ranches results in a total of 463,192 establishments that
would be required to submit an EIN under the proposed rule. With a cost
per establishment of $4.68, the total first year cost of providing EINs
would be $2,165,751 (463,192 x $4.68). The annualized cost over ten
years at a 3 percent discount rate was $253,892, and at a 7 percent
discount rate the cost was $308,354. (83 FR at 36502).
---------------------------------------------------------------------------
\18\ For the CBP, see https://www.census.gov/programs-surveys/cbp.html.
---------------------------------------------------------------------------
OSHA did not receive any comments on these estimates, and the
agency has determined that the preliminary estimates were reasonable.
Therefore, OSHA is retaining them (with the available updates) in the
FEA. Because updated establishment data were not available, OSHA has
retained the PEA estimate of 463,192 establishments that would be
required to submit and EIN under the final rule. With a cost per
establishment of $4.75, the updated total first year cost of providing
EINs would be $2,200,162 (463,192 x $4.75).\19\ When this cost is
annualized over ten years, the annualized cost at a 3 percent discount
rate is $257,926 and at a 7 percent discount rate the cost is $313,254.
---------------------------------------------------------------------------
\19\ In addition, note that the totals in Table 1 of this
section of the preamble, as well as totals summarized in the text,
may not precisely sum from underlying elements due to rounding. The
precise calculation of the numbers in the FEA appears in the
rulemaking docket in the spreadsheet titled ``FEA calculations.''
---------------------------------------------------------------------------
As noted above, OSHA estimates that 463,192 establishments
(including establishments with more than 250 employees, those with 20-
249 employees in certain NAICS codes, and farms with more than 20
employees) will be subject to reporting their EIN in the first year
under this rule. In the PEA, the agency explained that with 10.15
percent new establishments each year, there would be an additional
47,012 establishments each year that would newly need to report their
EIN, resulting in an additional cost of $4.68 x 47,012 or $219,858. (83
FR at 36502). OSHA did not receive any comments on the estimated
additional costs for new establishments each year, and the agency has
determined that this is a reasonable estimate. Therefore, the agency
has retained these estimates in the final rule. The final cost for
those establishments, using the updated unit cost for a submission
($4.75), will be $4.75 x 47,012 or $223,307. As explained in the PEA,
the cost for new establishments each year does not occur in the first
year. (83 FR at 36502). Therefore, OSHA annualized 9 years of new
establishment costs over ten years, which results in annualized costs
of $216,608 at a discount rate of 3 percent and $207,676 at a 7 percent
discount rate.
OSHA noted in the PEA that the EIN data field is already included
in the reporting system design, so the agency did not anticipate any
additional government costs associated with submittal of the EIN. (83
FR at 36502). Commenters did not object to this determination, and the
agency has no reason to believe that any such costs will be incurred by
the government. Therefore, OSHA is not accounting for any additional
government costs associated with EIN submittal in the final rule.
D. Net Cost Savings
OSHA presented its estimates of the cost savings associated with
eliminating the Forms 300 and 301 electronic data submission
requirements, the new costs associated with collecting the EIN, and the
net total costs in Table 1 of the proposed rule. (83 FR at 36502-03).
Commenters on the proposal did not submit any thoughts on these
estimates. Therefore, OSHA has retained the estimates, with updates, as
described above. The cost savings of the final rule, the new costs
associated with collecting the EIN, and the net total cost savings are
shown in Table 1. Combining the cost savings to the private sector and
to the government, the estimated total annual cost savings from the
final rule would be $16,383,000 at a 3 percent discount rate and
$16,395,000 at 7 percent discount rate. The additional costs to the
private sector from collection of the EIN are estimated to be $474,000
at a 3 percent discount rate and $521,000 at 7 percent discount rate.
The net cost savings for this rule to the private sector are estimated
to be $8,410,000 at a 3 percent discount rate
[[Page 402]]
and $8,375,000 at 7 percent discount rate.
Table 1--Total Cost Savings and Total Additional Costs of the Final Rule \20\
----------------------------------------------------------------------------------------------------------------
FEA annual cost
Cost savings element PEA annual cost savings savings \21\
----------------------------------------------------------------------------------------------------------------
Cost savings for eliminating electronic $8,699,173................................. $8,831,000
submission of part 1904 records by
establishments with 250 or more employees
(Total Private Sector Savings).
Total Government Software Cost Savings, 3 52,754..................................... 53,000
percent discount rate over ten years.
Total Government Software Cost Savings, 7 64,070..................................... 64,000
percent discount rate over ten years.
Total Annual Government PII Review Cost Savings (*)........................................ 7,499,000
Total Cost Savings per year, 3 percent discount 8,751,927.................................. 16,383,000
rate over ten years.
Total Cost Savings per year, 7 percent discount 8,763,243.................................. 16,395,000
rate over ten years.
----------------------------------------------------------------------------------------------------------------
New costs from EIN collection Cost
----------------------------------------------------------------------------------------------------------------
First Year EIN Cost............................ 2,165,751.................................. 2,199,000
Annualized First Year Costs, 3 percent discount 253,892.................................... 258,000
rate over ten years.
Annualized First Year Costs, 7 percent discount 308,354.................................... 313,000
rate over ten years.
Subsequent Annual EIN Costs (from new 219,858.................................... 223,000
establishments), starting in second year.
Subsequent annual EIN Cost Annualized at a 3 213,262.................................... 217,000
percent discount rate over ten years.
Subsequent annual EIN Cost Annualized at a 7 204,468.................................... 208,000
percent discount rate over ten years.
Annualized Total EIN Cost, 3 percent discount 467,194.................................... 474,000
rate over ten years.
Annualized Total EIN Cost, 7 percent discount 512,822.................................... 521,000
rate over ten years.
Net Cost Savings, 3 percent discount rate over 8,284,733.................................. 15,909,000
ten years.
Net Cost Savings, 7 percent discount rate over 8,250,421.................................. 15,862,000
ten years.
----------------------------------------------------------------------------------------------------------------
* Not calculated.
As OSHA explained in the proposal (83 FR at 36503), there could be
substantial cost savings from requiring covered employers to include
the EIN in their reporting. There is roughly a 40 percent overlap
between the BLS SOII sample and private sector establishments required
to report to OSHA. If OSHA collected Form 300A from all covered private
sector units and BLS were able to fully match these units and use them
in generating SOII estimates, the reduction in duplication would
represent approximately 15,000 hours of respondent burden. In its SOII
paperwork burden analysis, BLS estimates the total cost of submitting
this form for private sector establishments to be $891,000. The
potential cost savings for avoiding duplication is 40 percent of this
value--$356,000.
---------------------------------------------------------------------------
\20\ Source: OSHA, Office of Regulatory Analysis.
\21\ OSHA is reporting these estimates rounded to the nearest
thousand in order not to suggest a spurious degree of accuracy.
---------------------------------------------------------------------------
E. Benefits
In the PEA, OSHA preliminarily determined that the substantial
benefits to worker privacy outweighed the uncertain forgone benefits to
enforcement. The agency requested comment on its preliminary
determination, including on its preliminary conclusions that neither
worker privacy nor enforcement benefits can be meaningfully quantified.
(83 FR at 36503).
As discussed in detail in Section III, Summary and Explanation of
the Final Rule, OSHA received a number of comments regarding its
preliminary benefits determination.\22\ After carefully reviewing these
comments, OSHA has determined that the extent of any benefits of
collecting the data from Forms 300 and 301 for OSHA enforcement and
compliance assistance activities is currently uncertain. OSHA has
determined that, at this time, avoiding the risk to worker privacy of
collecting the data from Forms 300 and 301 outweighs the uncertain
incremental benefits to enforcement from the data. The rule will also
allow OSHA to focus its resources on the collection and use of 300A
data and severe injury reports, which the agency's past experience has
proven useful.
---------------------------------------------------------------------------
\22\ The Agency discussed and responded to all public comments
on this determination in Section III, Summary and Explanation of the
Final Rule. (See, e.g., Concerns About the Potential Release of
Sensitive Worker Information and Uncertain Extent of Benefits from
Collecting the Data from Forms 300 and 301).
---------------------------------------------------------------------------
F. Economic Feasibility
In the PEA, OSHA stated that proposed elimination of the
requirement for establishments with 250 or more employees to submit the
information from OSHA Forms 300 and 301 to OSHA annually would reduce
costs and so would have no negative feasibility effects. (83 FR at
36503). Even with the proposed EIN requirement, the proposal still
resulted in a large overall reduction in costs. (83 FR at 36503).Thus,
OSHA concluded that the proposed rule was economically feasible. (83 FR
at 36503). Commenters did not submit any comments objecting to this
determination and, due to the increase in the wage rates, the reduction
in costs has increased since the proposal. Therefore, OSHA finds that
the final rule is economically feasible.
G. Regulatory Flexibility Certification
In the PEA, OSHA explained that the current requirement for annual
electronic submission of information from OSHA Forms 300 and 301
affects only a very small minority of small firms. In many industry
sectors, there are no small firms with at least 250 employees. Even in
those industry sectors where the definition of small firm includes some
firms with at least 250 employees, the overwhelming majority of small
firms have fewer than 250 employees. There will, however, be some small
firms affected in some industries. OSHA estimated that removing this
requirement as proposed would result in a cost savings of, on average,
$236 per establishment for each establishment with 250 or more
employees affected by the 2016 final rule.\23\ OSHA preliminarily
determined that such a small amount of cost savings
[[Page 403]]
would not have a significant impact on a firm with 250 or more
employees. (83 FR at 36503). Commenters did not object to these
determinations. OSHA reaffirms its preliminary finding and also finds
that the updated cost savings of $239 per establishment for each
establishment with 250 or more employees affected by the 2016 final
rule will not have a significant impact on a firm with 250 or more
employees.\24\
---------------------------------------------------------------------------
\23\ This number was derived by dividing the total estimated
cost savings to private industry of $8,699,173 from the proposal by
36,903 affected establishments with 250 or more employees. (83 FR at
36503).
\24\ This number is derived by dividing the total final cost
savings to private industry of $8,831,000 by 36,903 affected
establishments with 250 or more employees.
---------------------------------------------------------------------------
The PEA also included a certification that the proposed rule would
not have a significant economic impact on a substantial number of small
entities. (83 FR at 36503). OSHA did not receive any comments on this
certification. As with the proposal, the final rule will result in an
overall reduction of costs. Removing the requirement for establishments
with 250 or more employees to submit the information from OSHA Forms
300 and 301 annually to OSHA would reduce costs, and the estimated cost
of the EIN requirement is $4.75 per establishment, a negligible amount.
Hence, per sec. 605 of the Regulatory Flexibility Act, OSHA certifies
that this final rule will not have a significant economic impact on a
substantial number of small entities.
H. Executive Order 13771: Reducing Regulation and Controlling
Regulatory Costs
Consistent with Executive Order 13771 (82 FR 9339, January 30,
2017), OSHA's preliminary economic analysis estimated the net annual
cost savings of this rule to be $8.28 million per year at a 3 discount
rate, and $8.25 million per year, at a discount rate of 7 percent. (83
FR at 36501). Therefore, OSHA concluded that the proposed rule was
expected to be a deregulatory action under the Executive Order. (83 FR
at 36496). OSHA received several comments on this preliminary
conclusion.
One commenter argued that OSHA did not demonstrate how it complied
the Executive Order or with the Office of Management and Budget's (OMB)
guidance to agency heads on how to comply with the Executive Order.
(See Document ID 2033-A1, pp. 6-7 (citing OMB Memorandum M-17-21-OMB,
Guidance Implementing Executive Order 13771, ``Reducing Regulation and
Controlling Regulatory Costs'' (Apr. 5, 2017) (OMB Guidance on E.O.
13771))). But that comment misunderstands the Agency's burden under the
Executive Order and the related guidance. The guidance defines the term
``deregulatory action'' to mean ``an action that has been finalized and
has total costs less than zero.'' (OMB Guidance on E.O. 13771, p. 4).
In the proposal, OSHA estimated that this rule would have net cost
savings of $8.28 million per year at a 3 percent discount rate,
including $8.23 million per year for the private sector and $52,754 per
year for the government. (See 83 FR at 36500-501, 36502-03). Annualized
at a 7 percent discount rate, OSHA estimated that the proposed rule
would have net cost savings of $8.25 million per year, including $8.18
million per year for the private sector and $64,070 per year for the
government. (See 83 FR at 36501, 36502-03). The Agency included
detailed information about how it calculated those numbers. Because
OSHA expected the rule to have cost savings (i.e., total costs less
than zero), it stated that it expected the proposed rule to be
deregulatory action under the Executive Order. (83 FR at 36596).
Nothing more was required under the Executive Order.
Another commenter remarked that adding a requirement for additional
data seemed contrary to OSHA's claim that the proposed rule is a
deregulatory action under the Executive Order. (Document ID 2039-A1, p.
3 (quoting 83 FR at 36496)). This comment also misinterprets the
Executive Order's requirements. As noted above, OMB's guidance defines
the term ``deregulatory action'' to mean ``an action that has been
finalized and has total costs less than zero.'' (OMB Guidance on E.O.
13771, p. 4). This definition does not consider whether part of the
rule imposes costs, but other portions of the rule provide cost
savings. Rather, it looks at the total costs imposed by the rule. As
explained in the proposal, OSHA expected the total costs of the
proposal to be well below zero. Therefore, the Agency finds that its
preliminary expectation was correct.
After carefully considering the comments submitted on this issue,
OSHA reaffirms its preliminary determination that this rule is expected
to be a deregulatory action within the meaning of Executive Order
13771. This finding is based on the Agency's estimate that the total
annual cost savings from the final rule would be $8,884,000 at a 3
percent discount rate and $8,896,000 at 7 percent discount rate.
Further details on the estimated costs and cost savings estimates for
this rule can be found in Section VI, Final Economic Analysis and
Regulatory Flexibility Analysis.
V. Unfunded Mandates
For purposes of the Unfunded Mandates Reform Act (2 U.S.C. 1501 et
seq.), as well as Executive Order 13132 (64 FR 43255 (Aug. 4, 1999)),
this final rule does not include any federal mandate that may result in
increased expenditures by state, local, and tribal governments, or
increased expenditures by the private sector of more than $100 million.
Accordingly, OSHA is not required to issue a written statement
containing a qualitative and quantitative assessment of the anticipated
costs and benefits of the Federal mandate, as required under Section
202(a) of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1532(a)).
VI. Federalism
The agency reviewed this rule in accordance with the Executive
Order on Federalism 13132. (64 FR 43255). The final rule involves a
``regulation'' issued under sections 8 and 24 of the OSH Act (29 U.S.C.
657, 673), and not an ``occupational safety and health standard''
issued under section 6 of the OSH Act (29 U.S.C. 655). Therefore,
pursuant to section 18 of the OSH Act (29 U.S.C. 667(a)), the rule does
not preempt state law. The effect of the final rule on states is
discussed in section VII, State-Plan States.
VII. State-Plan States
Pursuant to section 18 of the OSH Act (29 U.S.C. 667) and the
requirements of 29 CFR 1904.37 and 1902.7, within 6 months after
publication of the final OSHA rule, state-plan states must promulgate
occupational injury and illness recording and reporting requirements
that are substantially identical to those in 29 CFR part 1904
``Recording and Reporting Occupational Injuries and Illnesses.'' All
other injury and illness recording and reporting requirements (for
example, industry exemptions, reporting of fatalities and
hospitalizations, record retention, or employee involvement) that are
promulgated by state-plan states may be more stringent than, or
supplemental to, the federal requirements, but, because of the unique
nature of the national recordkeeping program, states must consult with
OSHA and obtain approval of such additional or more stringent reporting
and recording requirements to ensure that they will not interfere with
uniform reporting objectives (29 CFR 1904.37(b)(2); 29 CFR 1902.7(a)).
There are 28 state plan states and territories. The states and
territories that cover private sector employers are Alaska, Arizona,
California, Hawaii, Indiana, Iowa, Kentucky, Maryland,
[[Page 404]]
Michigan, Minnesota, Nevada, New Mexico, North Carolina, Oregon, Puerto
Rico, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington,
and Wyoming. Connecticut, Illinois, Maine, New Jersey, New York, and
the Virgin Islands have OSHA-approved state plans that apply to state
and local government employees only.
VIII. Environmental Impact Assessment
OSHA has reviewed the provisions of this final rule in accordance
with the requirements of the National Environmental Policy Act (NEPA)
of 1969 (42 U.S.C. 4321 et seq.), the Council on Environmental Quality
(CEQ) NEPA regulations (40 CFR parts 1500-1508), and the Department of
Labor's NEPA Procedures (29 CFR part 11). As a result of this review,
OSHA has determined that the final rule will have no significant
adverse effect on air, water, or soil quality, plant or animal life,
use of land, or other aspects of the environment.
IX. Paperwork Reduction Act
Overview
This final rule revises an existing collection of information that
is subject to review by OMB under the Paperwork Reduction Act of 1995
(PRA) (44 U.S.C. 3501 et. seq.) and its implementing regulations (5 CFR
part 1320). The PRA generally requires that agencies consider the
impact of paperwork and other information collection burdens imposed on
the public, obtain public input, and obtain approval from OMB before
conducting any collection of information (44 U.S.C. 3507). The PRA
defines a ``collection of information'' as ``the obtaining, causing to
be obtained, soliciting, or requiring the disclosure to third parties
or the public, of facts or opinions by or for an agency, regardless of
form or format[.]'' (44 U.S.C. 3502(3)(A)). Federal agencies generally
cannot conduct or sponsor a collection of information, and the public
is generally not required to respond to an information collection,
unless it is approved by OMB under the PRA and displays a currently-
valid OMB Control Number. In addition, notwithstanding any other
provisions of law, no person shall be subject to penalty for failing to
comply with a collection of information if the collection of
information does not display a valid OMB Control Number. (See 44 U.S.C.
3512).
Solicitation of Comments
OSHA published a Federal Register notice that allowed the public an
opportunity to comment on the proposed Information Collection Request
(ICR) containing the information collection requirements in the
proposed rule for 60 days, as required by 44 U.S.C. 3507. Specifically,
in the NPRM, OSHA explained how the proposed rule would affect its ICR
estimates and asked members of the public to submit comments on the
paperwork requirements. (83 FR at 36504-05). Concurrent with the
proposed rule, OSHA submitted the ICR to OMB for review (ICR Reference
Number 201807-1218-002) in accordance with 44 U.S.C. 3507(d).
In addition to generally soliciting comments on the paperwork
requirements, the proposed rule indicated that OSHA and OMB were
particularly interested in comments that:
Evaluate whether the proposed collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
Evaluate the accuracy of the agency's estimate of the
burden of the proposed collection of information, including the
validity of the methodology and assumptions used;
Enhance the quality, utility, and clarity of the
information to be collected; and
Minimize the burden of the collection of information on
those who are to respond, including through the use of appropriate
automated, electronic, mechanical, or other technological collection
techniques or other forms of information technology, e.g., permitting
electronic submission of responses.
(83 FR at 36505).
OMB concluded its review by filing a comment requesting OSHA to
resubmit the request at the Final Rule stage, after considering any
public comments and clarifying how the information collection
requirements in final rule were changed because of the comments. OSHA
received a number of comments in response to the proposed rule that
addressed information collection requirements and contained information
relevant to the burden hour and costs analysis in the ICR. Summaries of
these comments and OSHA's responses are found above in Sections III,
Summary and Explanation of the Final Rule, and IV, Final Economic
Analysis and Regulatory Flexibility Certification, and in the final
ICR. OSHA considered these comments when it developed the revised ICR
associated with the final rule.
Concurrent with publication of this final rule, the Department of
Labor has submitted the final ICR, containing the full analysis and
description of the burden hours and costs associated with the final
rule, to OMB for approval. A copy of this ICR will be available on the
internet at http://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201811-1218-004 on the day following publication of the final rule. At the
conclusion of OMB's review, OSHA will publish a separate notice in the
Federal Register to announce the results. That notice will also include
a list of OMB-approved information collection requirements and total
burden hours and costs imposed by the new standard.
Summary of Information Collection Requirements
OSHA's existing recordkeeping forms consist of the OSHA 300 Log,
the 300A Summary, and the 301 Incident Report. These forms are
contained in the ICR titled Recording and Reporting Occupational
Injuries and Illnesses (29 CFR part 1904), which OMB approved under OMB
Control Number 1218-0176 (expiration date 06/30/2021).
This final rule affects the ICR estimates as follows:
1. Establishments that are subject to the part 1904 requirements
and have 250 or more employees will no longer be required to
electronically submit information recorded on their OSHA Forms 300 and
301 to OSHA once a year.
2. Establishments subject to the data collection must provide one
additional data element, the EIN.
The burden hours for the reporting requirements under Sec. 1904.41
are estimated to be 140,545 per year, which is a reduction of 112,694
burden hours from what was estimated for the previous reporting
requirements. There are no capital costs for this collection of
information.
More specifically, this action amends the recordkeeping regulation
to remove the requirement for establishments that are required to keep
injury and illness records under part 1904, and that had 250 or more
employees in the previous year, to electronically submit to OSHA or
OSHA's designee case characteristic information from the OSHA Form 300
(Log of Work-Related Injuries and Illnesses) and OSHA Form 301 (Injury
and Illness Incident Report) once a year. Under the final rule, these
establishments are only required to submit summary information from the
OSHA Form 300A. There are approximately 37,000 establishments that are
no longer subject to a requirement to submit the information on OSHA
Forms 300 and 301 for
[[Page 405]]
approximately 775,000 injury and illness cases under the rule. (OSHA
used BLS's 2015 Survey of Occupational Injuries and Illnesses (SOII)
data (https://www.bls.gov/iif/oshwc/osh/os/ostb4734.pdf) to estimate
that, without the final rule, covered establishments with 250 or more
employees would report 775,210 injury and illness cases per year.)
In addition, under the final rule, 463,192 establishments are now
required to provide their EINs to OSHA.
The OSHA recordkeeping and reporting information collection may be
summarized as follows. (Note these estimates are for the full burden of
the recordkeeping and reporting information collection, including
aspects that are unchanged by this rulemaking).
Agency: DOL-OSHA.
Title of Collection: Recording and Reporting Occupational Injuries
and Illnesses (29 CFR part 1904).
OMB control number: 1218-0176.
Number of respondents: 1,002,912.
Number of annual responses: 5,903,976.
Total estimated annual burden time: 2,140,856 hours.
Total estimated annual other costs burden (start-up, capital,
operation, and maintenance): $0.
X. Consultation and Coordination With Indian Tribal Governments
OSHA reviewed this final rule in accordance with Executive Order
13175 (65 FR 67249 (Nov. 9, 2000)) and determined that it does not have
``tribal implications'' as defined in that order. This final rule does
not have substantial direct effects on one or more Indian tribes, on
the relationship between the Federal Government and Indian tribes, or
on the distribution of power and responsibilities between the Federal
Government and Indian tribes.
List of Subjects in 29 CFR Part 1904
Health statistics, Occupational safety and health, Reporting and
recordkeeping requirements, State plans.
Signed at Washington, DC, on January 17, 2019.
Loren E. Sweatt,
Deputy Assistant Secretary of Labor for Occupational Safety and Health.
Final Rule
Amendments to Regulations
For the reasons stated in the preamble, OSHA amends part 1904 of
chapter XVII of title 29 as follows:
PART 1904--[AMENDED]
Subpart E--Reporting Fatality, Injury and Illness Information to
the Government
0
1. The authority citation for subpart E of 29 CFR part 1904 continues
to read as follows:
Authority: 29 U.S.C. 657, 673, 5 U.S.C. 553, and Secretary of
Labor's Order No. 1-2012 (77 FR 3912, Jan. 25, 2012).
0
2. In Sec. 1904.41, revise the section heading and paragraph (a)(1),
add paragraph (a)(4), and revise paragraph (b) to read as follows:
Sec. 1904.41 Electronic submission of Employer Identification Number
(EIN) and injury and illness records to OSHA.
(a) * * *
(1) Annual electronic submission of OSHA Form 300A Summary of Work-
Related Injuries and Illnesses by establishments with 250 or more
employees. If your establishment had 250 or more employees at any time
during the previous calendar year, and this part requires your
establishment to keep records, then you must electronically submit
information from OSHA Form 300A Summary of Work-Related Injuries and
Illnesses to OSHA or OSHA's designee. You must submit the information
once a year, no later than the date listed in paragraph (c) of this
section of the year after the calendar year covered by the form (for
example, 2019 for the 2018 form).
* * * * *
(4) Electronic submission of the Employer Identification Number
(EIN). For each establishment that is subject to these reporting
requirements, you must provide the EIN used by the establishment.
(b) Implementation--(1) Does every employer have to routinely
submit this information to OSHA? No, only two categories of employers
must routinely submit this information. First, if your establishment
had 250 or more employees at any time during the previous calendar
year, and this part requires your establishment to keep records, then
you must submit the required information to OSHA once a year. Second,
if your establishment had 20 or more employees but fewer than 250
employees at any time during the previous calendar year, and your
establishment is classified in an industry listed in appendix A to this
subpart, then you must submit the required information to OSHA once a
year. Employers in these two categories must submit the required
information by the date listed in paragraph (c) of this section of the
year after the calendar year covered by the form (for example, 2019 for
the 2018 form). If you are not in either of these two categories, then
you must submit the information to OSHA only if OSHA notifies you to do
so for an individual data collection.
(2) Do part-time, seasonal, or temporary workers count as employees
in the criteria for number of employees in paragraph (a) of this
section? Yes, each individual employed in the establishment at any time
during the calendar year counts as one employee, including full-time,
part-time, seasonal, and temporary workers.
(3) How will OSHA notify me that I must submit information as part
of an individual data collection under paragraph (a)(3) of this
section? OSHA will notify you by mail if you will have to submit
information as part of an individual data collection under paragraph
(a)(3). OSHA will also announce individual data collections through
publication in the Federal Register and the OSHA newsletter, and
announcements on the OSHA website. If you are an employer who must
routinely submit the information, then OSHA will not notify you about
your routine submittal.
(4) When do I have to submit the information? If you are required
to submit information under paragraph (a)(1) or (2) of this section,
then you must submit the information once a year, by the date listed in
paragraph (c) of this section of the year after the calendar year
covered by the form (for example, 2019 for the 2018 form). If you are
submitting information because OSHA notified you to submit information
as part of an individual data collection under paragraph (a)(3) of this
section, then you must submit the information as specified in the
notification.
(5) How do I submit the information? You must submit the
information electronically. OSHA will provide a secure website for the
electronic submission of information. For individual data collections
under paragraph (a)(3) of this section, OSHA will include the website's
location in the notification for the data collection.
(6) Do I have to submit information if my establishment is
partially exempt from keeping OSHA injury and illness records? If you
are partially exempt from keeping injury and illness records under
Sec. Sec. 1904.1 and/or 1904.2, then you do not have to routinely
submit information under paragraphs (a)(1) and (2) of this section. You
will have to submit information under paragraph (a)(3) of this section
if OSHA informs you in writing that it will collect injury and illness
information from you. If you
[[Page 406]]
receive such a notification, then you must keep the injury and illness
records required by this part and submit information as directed.
(7) Do I have to submit information if I am located in a State Plan
State? Yes, the requirements apply to employers located in State Plan
States.
(8) May an enterprise or corporate office electronically submit
information for its establishment(s)? Yes, if your enterprise or
corporate office had ownership of or control over one or more
establishments required to submit information under paragraph (a) of
this section, then the enterprise or corporate office may collect and
electronically submit the information for the establishment(s).
* * * * *
[FR Doc. 2019-00101 Filed 1-24-19; 8:45 am]
BILLING CODE 4510-26-P