[Federal Register Volume 84, Number 17 (Friday, January 25, 2019)]
[Rules and Regulations]
[Pages 380-406]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-00101]



[[Page 379]]

Vol. 84

Friday,

No. 17

January 25, 2019

Part II





 Department of Labor





-----------------------------------------------------------------------





 Occupational Safety and Health Administration





-----------------------------------------------------------------------





29 CFR Part 1904





 Tracking of Workplace Injuries and Illnesses; Final Rule

  Federal Register / Vol. 84, No. 17 / Friday, January 25, 2019 / Rules 
and Regulations  

[[Page 380]]


-----------------------------------------------------------------------

DEPARTMENT OF LABOR

Occupational Safety and Health Administration

29 CFR Part 1904

[Docket No. OSHA-2013-0023]
RIN 1218-AD17


Tracking of Workplace Injuries and Illnesses

AGENCY: Occupational Safety and Health Administration (OSHA), Labor.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: To protect worker privacy, the Occupational Safety and Health 
Administration (OSHA) is amending the recordkeeping regulation by 
rescinding the requirement for establishments with 250 or more 
employees to electronically submit information from OSHA Forms 300 and 
301. These establishments will continue to be required to maintain 
those records on-site, and OSHA will continue to obtain them as needed 
through inspections and enforcement actions. In addition to reporting 
required after severe injuries, establishments will continue to submit 
information from their Form 300A. Such submissions provide OSHA with 
ample data that it will continue seeking to fully utilize. In addition, 
OSHA is amending the recordkeeping regulation to require covered 
employers to submit their Employer Identification Number (EIN) 
electronically along with their injury and illness data submission, 
which will facilitate use of the data and may help reduce duplicative 
employer reporting. Nothing in the final rule revokes an employer's 
duty to maintain OSHA Forms 300 and 301 for OSHA inspection. These 
actions together will allow OSHA to improve enforcement targeting and 
compliance assistance, decrease burden on employers, and protect worker 
privacy and safety.

DATES: This final rule becomes effective on February 25, 2019.
    Collections of information: There are collections of information 
contained in this final rule. (See Section XI, Paperwork Reduction 
Act). Notwithstanding the general date of applicability that applies to 
all other requirements contained in the final rule, affected parties do 
not have to comply with the collections of information until the 
Department of Labor publishes a separate document in the Federal 
Register announcing that the Office of Management and Budget has 
approved them under the Paperwork Reduction Act.

ADDRESSES: In accordance with 28 U.S.C. 2112(a)(2), OSHA designates 
Edmund Baird, Acting Associate Solicitor of Labor for Occupational 
Safety and Health, Office of the Solicitor, Room S-4004, U.S. 
Department of Labor, 200 Constitution Avenue NW, Washington, DC 20210, 
to receive petitions for review of the final rule.

FOR FURTHER INFORMATION CONTACT: 
    For press inquiries: Frank Meilinger, OSHA Office of 
Communications, telephone: (202) 693-1999; email: 
[email protected].
    For general and technical information: Amanda Edens, Director, 
Directorate of Technical Support and Emergency Management, telephone: 
(202) 693-2300; email: [email protected].

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Background
    A. Introduction
    B. Regulatory History
II. Legal Authority
III. Summary and Explanation of the Final Rule
    A. Rescission of Requirement for Certain Establishments To 
Submit Data From OSHA Forms 300 and 301 to OSHA Electronically
    B. New Requirement To Include Employer Identification Number 
With Injury and Illness Data Submitted to OSHA Electronically Under 
29 CFR 1904.41
IV. Final Economic Analysis and Regulatory Flexibility Analysis
    A. Introduction
    B. Cost Savings
    C. New Costs (From the EIN Collection)
    D. Net Cost Savings
    E. Benefits
    F. Economic Feasibility
    G. Regulatory Flexibility Certification
    H. Executive Order 13771: Reducing Regulation and Controlling 
Regulatory Costs
V. Unfunded Mandates
VI. Federalism
VII. State-Plan States
VIII. Environmental Impact Assessment
IX. Paperwork Reduction Act
X. Consultation and Coordination With Indian Tribal Governments

Citation Method

    In the docket for this rulemaking found at http://www.regulations.gov, every submission was assigned a document 
identification (ID) number that consists of the docket number (OSHA-
2013-0023) followed by an additional four-digit number. For example, 
the document ID number for the proposed rule is OSHA-2013-0023-1922. 
Some document ID numbers include one or more attachments, such as one 
of the submissions by the National Institute for Occupational Safety 
and Health (NIOSH). (See Document ID OSHA-2013-0023-2003).
    When citing exhibits in the docket in this preamble, OSHA includes 
the term ``Document ID'' followed by the last four digits of the 
document number; the attachment number or other attachment identifier, 
if applicable (designated as ``A,'' followed by the number of the 
attachment); page numbers, if applicable; and, in a limited number of 
cases, a footnote number (designated as ``Fn''). In a citation that 
contains two or more document ID numbers, the document ID numbers are 
separated by semi-colons. For example, a citation referring to an 
attachment to the National Association of Home Builders' comments and 
the second attachment to the United Steelworkers' comments would be 
indicated as follows: (Document ID 2044-A1, pp. X-X; 2086-A2, p. X).
    The exhibits in the docket, including public comments, supporting 
materials, meeting transcripts, and other documents, are listed on 
http://www.regulations.gov. All exhibits are listed in the docket index 
on http://www.regulations.gov, but some exhibits (e.g., copyrighted 
material) are not available to read or download from that website. All 
materials in the docket are available for inspection at the OSHA Docket 
Office, Room N-3508, U.S. Department of Labor, 200 Constitution Avenue 
NW, Washington, DC 20210; telephone (202) 693-2350.

I. Background

A. Introduction

    OSHA's regulation at 29 CFR part 1904 requires employers with more 
than 10 employees in most industries to keep records of occupational 
injuries and illnesses at their establishments. Employers covered by 
these rules must record each recordable employee injury and illness on 
an OSHA Form 300, which is the ``Log of Work-Related Injuries and 
Illnesses,'' or equivalent. Employers must also prepare a supplementary 
OSHA Form 301 ``Injury and Illness Incident Report'' or equivalent that 
provides additional details about each case recorded on the OSHA Form 
300. At the end of each year, employers are required to prepare a 
summary report of all injuries and illnesses on the OSHA Form 300A, 
which is the ``Summary of Work-Related Injuries and Illnesses,'' and 
post the form in a visible location in the workplace.
    The recordkeeping regulation also requires establishments with 250 
or more employees that are currently

[[Page 381]]

required to keep OSHA injury and illness records to electronically 
submit information from the OSHA Forms 300, 300A, and 301 to OSHA 
annually.\1\ Establishments with 20-249 employees in certain designated 
industries are required to electronically submit information only from 
the OSHA Form 300A--the summary form. To protect worker privacy, this 
final rule eliminates the requirement that establishments with 250 or 
more employees that are currently required to keep OSHA injury and 
illness records submit information electronically from their OSHA Forms 
300 and 301. These establishments, as well as establishments with 20 or 
more employees, but fewer than 250 employees, in certain designated 
industries, must continue to submit information electronically from 
their part 1904 annual summary (Form 300A) to OSHA or OSHA's designee 
on an annual basis. The final rule also requires all establishments 
that must submit information electronically from their part 1904 annual 
summary (Form 300A) to submit their Employer Identification Number 
(EIN).
---------------------------------------------------------------------------

    \1\ Although the initial deadline for electronic submission of 
information from OSHA Forms 300 and 301 by covered establishments 
with 250 or more employees was July 1, 2018, OSHA indicated in the 
proposed rule that it would not enforce that deadline without 
further notice while this rulemaking was underway. (83 FR at 36496). 
Furthermore, no secure Web portal for collecting data from Forms 300 
and 301 was built while the 2016 rule was being developed or after 
it was finalized. As a result, while OSHA already has extensive 300A 
data from 214,574 establishments that have proven useful and which 
it is seeking to fully utilize, OSHA has never received the data 
submissions from Forms 300 and 301 that the 2016 rule anticipated.
---------------------------------------------------------------------------

    Elimination of the requirement that establishments with 250 or more 
employees submit information electronically from their OSHA Forms 300 
and 301--a requirement that has not yet been enforced--does not change 
any employer's obligation to complete and retain injury and illness 
records under OSHA's regulations for recording and reporting 
occupational injuries and illnesses. The final rule also does not add 
to or change the recording criteria or definitions for these records.
    OSHA's collection and use of the summary data from form 300A, and 
information concerning severe injuries it also receives, give OSHA the 
information it needs to identify and target for potential enforcement 
actions those establishments with high rates of work-related injuries 
and illnesses. For example, OSHA has collected summary 300A data for 
2016 from 214,574 establishments, and expects to collect a greater 
volume of 2017 summary data. With the data, OSHA has already designed a 
targeted enforcement mechanism for industries experiencing higher rates 
of injuries and illnesses. OSHA plans to further refine its approach as 
it seeks to fully utilize these data from form 300A, and it will 
likewise continue to use information received from severe injury 
reports.
    In light of this backdrop, OSHA has determined that the rule will 
benefit worker privacy by preventing routine government collection of 
information that may be quite sensitive, including descriptions of 
workers' injuries and the body parts affected, and thereby avoiding the 
risk that such information might be publicly disclosed under the 
Freedom of Information Act (FOIA) or through the Injury Tracking 
Application. OSHA has also concluded that the extent of any incremental 
benefits of collecting the data from Forms 300 and 301 for OSHA 
enforcement and compliance assistance activities is uncertain. OSHA has 
determined that avoiding this risk to worker privacy outweighs the 
data's uncertain incremental benefits to enforcement. The rule will 
allow OSHA to focus agency resources on the collection and use of 300A 
data described above, and severe injury reports, as well as data from 
other initiatives that its past experience has proven useful--instead 
of diverting those resources toward developing a Web portal for, and 
then collecting, manually reviewing, and analyzing data from Forms 300 
and 301.
    This rule is a deregulatory action under Executive Order 13771 (82 
FR 9339 (January 30, 2017)). It has annualized net cost savings 
estimated at $16 million. The savings from elimination of the 
requirement that establishments with 250 or more employees submit 
information electronically from their OSHA Forms 300 and 301 will be 
$8.9 million per year. New costs not included in the 2016 final rule 
are estimates of cost savings to the government from avoiding a manual 
review of all data from Forms 300 and 301 to identify and remove PII 
and other information that could be re-identified with individuals. 
This cost will be $7.5 million per year. The total cost of providing 
EINs will be $2.2 million the first year these data are submitted, and 
will be $223,000 per year every year after that. A detailed discussion 
of OSHA's estimates of the rule's benefits, costs, and cost savings is 
included in section IV, Final Economic Analysis and Regulatory 
Flexibility Certification.

B. Regulatory History

    OSHA's regulations on recording and reporting occupational injuries 
and illnesses (29 CFR part 1904) were first issued in 1971 (36 FR 12612 
(July 2, 1971)). These regulations require the recording of work-
related injuries and illnesses that involve death, loss of 
consciousness, days away from work, restriction of work, transfer to 
another job, medical treatment other than first aid, or diagnosis of a 
significant injury or illness by a physician or other licensed health 
care professional. (29 CFR 1904.7).
    On July 29, 1977, OSHA amended these regulations to partially 
exempt businesses having ten or fewer employees during the previous 
calendar year from the requirement to record occupational injuries and 
illnesses. (42 FR 38568). Then, on December 28, 1982, OSHA amended the 
regulations again to partially exempt establishments in certain lower-
hazard industries from the requirement to record occupational injuries 
and illnesses. (47 FR 57699). OSHA also amended the recordkeeping 
regulations in 1994 (Reporting of Fatality or Multiple Hospitalization 
Incidents, 59 FR 15594) and 1997 (Reporting Occupational Injury and 
Illness Data to OSHA, 62 FR 6434). Under the version of Sec.  1904.41 
added by the 1997 final rule, OSHA began requiring certain employers to 
submit their 300A data to OSHA annually through the OSHA Data 
Initiative (ODI). Through the ODI, OSHA collected data on injuries and 
acute illnesses attributable to work-related activities in the private 
sector from approximately 80,000 establishments in selected high-hazard 
industries. The agency used these data to calculate establishment-
specific injury and illness rates, and in combination with other data 
sources, to target enforcement and compliance assistance activities.
    On January 19, 2001, OSHA issued a final rule amending its 
requirements for the recording and reporting of occupational injuries 
and illnesses (29 CFR parts 1904 and 1952), along with the forms 
employers use to record those injuries and illnesses. (66 FR 5916). The 
final rule also updated the list of industries that are partially 
exempt from recording occupational injuries and illnesses.
    On September 18, 2014, OSHA again amended the regulations to 
require employers to report work-related fatalities and severe 
injuries--in-patient hospitalizations, amputations, and losses of an 
eye--to OSHA and to allow electronic reporting of these events. (79 FR 
56130). The final rule also revised

[[Page 382]]

the list of industries that are partially exempt from recording 
occupational injuries and illnesses.
    On May 12, 2016, OSHA amended the regulations on recording and 
reporting occupational injuries and illnesses to require employers, on 
an annual basis, to submit electronically to OSHA injury and illness 
information that employers are already required to keep under part 
1904. (81 FR 29624). Under the 2016 revisions, establishments with 250 
or more employees that are routinely required to keep records are also 
required to electronically submit information from their OSHA Forms 
300, 300A, and 301 to OSHA or OSHA's designee once a year, and 
establishments with 20 to 249 employees in certain designated 
industries are required to electronically submit information from their 
OSHA annual summary (Form 300A) to OSHA or OSHA's designee once a year. 
In addition, that final rule required employers, upon notification, to 
electronically submit information from part 1904 recordkeeping forms to 
OSHA or OSHA's designee. These provisions became effective on January 
1, 2017, with an initial submission deadline of July 1, 2017, for 2016 
Form 300A data described in 29 CFR 1904.41(c)(1). That submission 
deadline was subsequently extended to December 15, 2017. (82 FR 55761). 
The deadline for electronic submission of information from OSHA Forms 
300 and 301 was July 1, 2018. OSHA announced that it would not enforce 
this requirement without notice during this rulemaking, (83 FR at 
36496), and OSHA has never received the data submissions from Forms 300 
and 301 that the 2016 rule anticipated.
    On July 30, 2018, OSHA issued a notice of proposed rulemaking (NPRM 
or proposed rule) proposing to amend its recordkeeping regulations to 
remove the requirement for establishments with 250 or more employees 
that are routinely required to keep records to electronically submit 
information from their OSHA Forms 300 and 301 to OSHA or OSHA's 
designee once a year and to add a requirement for electronic submission 
of the EIN. (83 FR 36494). OSHA received 1,880 comments on the proposed 
rule. The issues raised in those comments are addressed herein.

II. Legal Authority

    OSHA is issuing this final rule pursuant to authority expressly 
granted by sections 8 and 24 of the Occupational Safety and Health Act 
(the ``OSH Act'' or ``Act''). (29 U.S.C. 657, 673). Section 8(c)(1) of 
the Act requires each employer to ``make, keep and preserve, and make 
available to the Secretary [of Labor] or the Secretary of Health and 
Human Services, such records regarding his activities relating to this 
chapter as the Secretary [of Labor] . . . may prescribe by regulation 
as necessary or appropriate for the enforcement of this chapter or for 
developing information regarding the causes and prevention of 
occupational accidents and illnesses.'' (29 U.S.C. 657(c)(1)). Section 
8(c)(2) directs the Secretary to prescribe regulations ``requiring 
employers to maintain accurate records of, and to make periodic reports 
on, work-related deaths, injuries and illnesses other than minor 
injuries requiring only first aid treatment and which do not involve 
medical treatment, loss of consciousness, restriction of work or 
motion, or transfer to another job.'' (29 U.S.C. 657(c)(2)). Finally, 
section 8(g)(2) of the OSH Act broadly empowers the Secretary to 
``prescribe such rules and regulations as he may deem necessary to 
carry out [his] responsibilities under this chapter.'' (29 U.S.C. 
657(g)(2)).
    Section 24 of the OSH Act (29 U.S.C. 673) contains a similar grant 
of authority. This section requires the Secretary to ``develop and 
maintain an effective program of collection, compilation, and analysis 
of occupational safety and health statistics'' and ``compile accurate 
statistics on work injuries and illnesses which shall include all 
disabling, serious, or significant injuries and illnesses.'' (29 U.S.C. 
673(a)). Section 24 also requires employers to ``file such reports with 
the Secretary as he shall prescribe by regulation.'' (29 U.S.C. 
673(e)). These reports are to be based on ``the records made and kept 
pursuant to'' section 8(c) of the OSH Act. (29 U.S.C. 673(e)).
    The OSH Act requires cooperation with the Secretary of Health and 
Human Services concerning regulations that address reporting and 
recordkeeping, and consultation concerning the development and 
maintenance of a program for occupational safety and health statistics. 
OSHA has a lengthy history of cooperation and consultation with the 
Department of Health and Human Services in this regard, particularly 
with its sub-agency, the National Institute for Occupational Safety and 
Health. With respect to this rule, OSHA informally received feedback 
from NIOSH on its proposal, including reviewing a draft of NIOSH's 
comment, and provided NIOSH, and HHS more generally, with opportunities 
to provide comment on both the proposed and this final rule before 
publication.
    Further support for the Secretary's authority to require employers 
to keep and submit records of work-related illnesses and injuries is in 
the Congressional Findings and Purpose at the beginning of the OSH Act. 
(See 29 U.S.C. 651). In that section, Congress declares the overarching 
purpose of the Act is ``to assure so far as possible every working man 
and woman in the Nation safe and healthful working conditions.'' (29 
U.S.C. 651(b)). One of the ways in which the Act is meant to achieve 
this goal is ``by providing for appropriate reporting procedures . . . 
[that] will help achieve the objectives of this chapter and accurately 
describe the nature of the occupational safety and health problem.'' 
(29 U.S.C. 651(b)(12)). Notably, the statute does not require this 
information to be transmitted to OSHA. And, section 8(d) of the Act 
provides that any information the Secretary collects under the Act 
``shall be obtained with a minimum burden upon employers.'' (29 U.S.C. 
657(d)).
    The OSH Act authorizes the Secretary of Labor to issue two types of 
occupational safety and health rules: Standards and regulations. 
Standards aim to correct particular identified workplace hazards, while 
regulations further the general enforcement and detection purposes of 
the OSH Act. (See Workplace Health & Safety Council v. Reich, 56 F.3d 
1465, 1468 (D.C. Cir. 1995) (citing La. Chem. Ass'n v. Bingham, 657 
F.2d 777, 781-82 (5th Cir. 1981)); United Steelworkers of Am. v. 
Auchter, 763 F.2d 728, 735 (3d Cir. 1985)). Recordkeeping requirements 
promulgated under the Act are characterized as regulations. (See 29 
U.S.C. 657 (using the term ``regulations'' to describe recordkeeping 
requirements)). An agency may revise a prior rule if it provides a 
reasoned explanation for the change. (See Motor Vehicle Mfrs. Ass'n v. 
State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 42 (1983)).\2\
---------------------------------------------------------------------------

    \2\ In the NPRM and in the final rule, OSHA has offered reasoned 
analysis for its preliminary and now final determination to rescind 
the requirement for covered employees to submit their 300 and 301 
data to OSHA electronically. OSHA has likewise considered and 
discussed the comments raised by those who also argue that OSHA's 
decision runs afoul of the APA, (e.g., Document ID 2012-A1, pp. 9, 
15; 2028-A1, pp. 1-3, 6, 8), as well as other comments in the 
record. In short, this rule is a product of reasoned decision-
making, has the support of substantial evidence in the record as a 
whole, and is appropriate based on policy concerns and OSHA's 
obligations under the Act.
---------------------------------------------------------------------------

    When promulgating regulations pursuant to sections 8 and 24 of the 
OSH Act, OSHA must comply with the Administrative Procedure Act (APA) 
(5 U.S.C. 553), which requires the agency to publish notice of a 
proposed rule in the Federal Register and to provide an opportunity for 
interested persons to

[[Page 383]]

comment on the rulemaking. In the NPRM, OSHA invited comment on ``all 
aspects of the proposed rule'' (83 FR at 36505), and specifically 
encouraged comment on four questions regarding: (1) The risks and 
benefits of electronically collecting the information; (2) other 
agencies or organizations that use automated coding systems for text 
data in data collections; (3) other agencies or organizations that use 
automated de-identification systems to remove personal identifying 
information (PII) from text data before making the data available to 
the public; and (4) privacy issues regarding the submission of EINs. 
(83 FR at 36500).
    OSHA received 1,880 comments on the proposed rule.\3\ Pursuant to 
the APA, 5 U.S.C. 553, OSHA has reviewed these comments and responded 
to the material issues commenters raised. (See Genuine Parts Co. v. 
Envtl. Prot. Agency, 890 F.3d 304, 313 (D.C. Cir. 2018) (although an 
agency ``is not required to discuss every item of fact or opinion 
included in the submissions it receives in response to a Notice of 
Proposed Rulemaking, it must respond to those comments which, if true, 
would require a change in the proposed rule.'') (quoting La. Fed. Land 
Bank Ass'n v. Farm Credit Admin., 336 F.3d 1075, 1080 (D.C. Cir. 
2003))).
---------------------------------------------------------------------------

    \3\ Of these, 1,641 were nearly identical form letters.
---------------------------------------------------------------------------

    Some commenters raised issues such as the requirement for certain 
employers to submit their 300A data to OSHA (e.g., Document ID 2057-A1, 
pp. 2-3; 2053, p. 3) and the employee protection provisions added by 
the 2016 final rule (e.g., Document ID 2006-A1, p. 4; 2009-A1, p. 4; 
2023-A1). These comments were beyond the scope of this rulemaking, and 
this final rule does not make any changes to the relevant provisions. 
Nevertheless, OSHA acknowledges and shares some of the concerns these 
comments suggest. First, in relation to concerns raised about possible 
publication of data submitted electronically to OSHA from Form 300A--
and as identified in the NPRM and later in this final rule--the agency 
takes the position that these data are exempt from public disclosure 
under FOIA. It should likewise be noted that OSHA uses and will 
continue to use 300A data to prioritize its inspections and enforcement 
actions. Among other considerations, disclosure of 300A data through 
FOIA may jeopardize OSHA's enforcement efforts by enabling employers to 
identify industry trends and anticipate the inspection of their 
particular workplaces. As OSHA has explained elsewhere, OSHA is 
strongly opposed to disclosure of 300A data, has not made such data 
public, and does not intend to make any such data public for at least 
the approximately four years after its receipt that OSHA intends to use 
the data for enforcement purposes.
    In response to concerns about the application of the 2016 final 
rule to employee drug testing and incident-based incentive programs, 
OSHA notes that the employee protection provisions promulgated by that 
final rule and codified at 29 CFR 1904.35 neither ban drug testing 
employees involved in workplace injury or illnesses, nor prohibit 
incident-based incentive programs. Rather, Sec.  1904.35(b)(1)(iv) 
merely prohibits employers from implementing these programs to penalize 
workers ``for reporting a work-related injury or illness.'' Id. 
(emphasis added). On October 11, 2018, OSHA issued a memorandum that 
explained this regulatory text and OSHA's position on workplace 
incentive programs and post-incident drug testing. See U.S. Dep't of 
Labor, Clarification of OSHA's Position on Workplace Safety Incentive 
Programs and Post-Incident Drug Testing Under 29 CFR Sec.  
1904.35(b)(1)(iv) (Oct. 11, 2018). That memorandum--which referred to 
the 2016 final rule and its preamble--reiterated the rule's limited 
scope and expressed how it ``does not prohibit workplace safety 
incentive programs or post-incident drug testing.'' Id. To the extent 
the 2016 preamble suggested otherwise, it has been superseded. While 
not the focus of this particular rulemaking, that memorandum accurately 
reflects OSHA's position and addresses the commenters' concerns.

III. Summary and Explanation of Final Rule

A. Rescission of Requirement for Certain Establishments To Submit Data 
From OSHA Forms 300 and 301 to OSHA Electronically

    As discussed in detail below, OSHA has determined that collecting 
the data from Forms 300 and 301, as was recently required under the 
2016 final rule, would subject sensitive worker information to a 
meaningful risk of public disclosure. OSHA has also concluded that the 
extent of the incremental benefits of collecting the data for OSHA's 
enforcement targeting and compliance assistance activities remains 
uncertain. Finally, OSHA has found that collecting the data and 
analyzing them for use would require OSHA to divert significant 
resources from agency priorities such as fully utilizing the 300A data 
and severe injury reports OSHA already collects electronically and that 
have proven useful in its experience for targeting areas of concern.
    After considering all of the comments in the record and balancing 
the risk to worker privacy against the uncertain extent of the benefits 
of collecting the data and OSHA's resource priorities, OSHA has 
determined that the final rule is necessary to preserve sensitive 
worker information and conserve agency resources for initiatives with 
more concrete benefits to OSHA's mission of assuring safe and healthful 
workplaces.
Concerns About the Potential Release of Sensitive Worker Information
    A central reason OSHA proposed rescinding the requirement for 
certain employers to electronically submit information from Forms 300 
and 301 to OSHA was ``to protect sensitive worker information from 
potential disclosure under the Freedom of Information Act (FOIA).'' (83 
FR at 36494). As explained in greater detail below, although OSHA 
believes data from Forms 300 and 301 would be exempt from disclosure 
under FOIA exemptions, OSHA is concerned that it still could be 
required by a court to release the data. Many commenters echoed this 
concern.
    OSHA's position in this final rule is consistent with the 
principles articulated in the Privacy Act, OMB Circular A-130, and the 
Department's position on the sensitive nature of worker injury and 
illness records before 2016. (See Document ID 1930-A1, pp. 2-3; 66 FR 
5916, 6055-57 (Jan. 19, 2001)). In 2001, for example, OSHA noted that 
it ``historically has recognized that the Log and Incident Report 
(Forms 300 and 301, respectively) may contain information of a 
sufficiently intimate and personal nature that a reasonable person 
would wish it to remain confidential.'' (66 FR at 6055). OSHA further 
explained that access to Forms 300 and 301 should be limited to workers 
and their representatives--in other words, those with a ``need to 
know.'' (66 FR at 6057). OSHA explained in 2001:

    OSHA agrees that confidentiality of injury and illness records 
should be maintained except for those persons with a legitimate need 
to know the information. This is a logical extension of the agency's 
position that a balancing test is appropriate in determining the 
scope of access to be granted employees and their representatives. 
Under this test, ``the fact that protected information must be 
disclosed to a party who has [a particular] need for it . . . does 
not strip the information of its protection against disclosure to 
those who have no similar need.''

(66 FR at 6057 (quoting Fraternal Order of Police Lodge No. 5. v. City 
of

[[Page 384]]

Philadelphia, 812 F.2d 105, 118 (10th Cir. 1987))). Commenters agreed 
with OSHA that access to 300 and 301 data should be limited to those 
with a ``need to know'' (i.e., workers, their representatives, and OSHA 
upon request) (Document ID 2070-A1, p. 8; 2084-A2). Thus, OSHA has 
always applied a balancing test to weigh the value of worker privacy 
against the usefulness of releasing the data. The 2016 final rule 
represented a departure from the balance OSHA has historically struck 
in favor of achieving uncertain incremental benefits for OSHA 
enforcement and outreach. This final rule restores OSHA's historical 
emphasis on protecting the privacy of workers and its longstanding 
practice of releasing sensitive data on a case-by-case basis only to 
those with a ``need to know.''
    Multiple commenters commented that the proposed rule is consistent 
with the privacy protections in the Privacy Act of 1974 (Pub. L. 93-
579) and Section 4(g) of OMB Circular A-130. (E.g., Document ID 1930-
A1, p. 2; 1981-A1, p. 3; 2041-A1, p. 2; see also Document ID 2036-A1, 
p. 4) (``[C]ompelled disclosure of the incredibly private, personally 
identifiable information required by OSHA Forms 300 and 301 is contrary 
to the well-established principle that an individual's right to privacy 
regarding medical conditions and treatment is of paramount 
importance.''). Although the Privacy Act does not apply to Forms 300 
and 301, the statute's articulation that privacy is ``a personal and 
fundamental right'' highlights the importance of this issue. (Document 
ID 1981-A1, p. 3 (quoting Pub. L. 93-579, Section 2(a)(4))). 
Furthermore, Section 4(g) of OMB Circular A-130 stresses that 
``[p]rotecting an individual's privacy is of utmost importance.'' 
(Document ID 1981-A1, p. 3 (quoting OMB Circular A-130 (2016), 
available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf)). To that end, Section 4(g) also 
states that ``[t]he Federal Government shall consider and protect an 
individual's privacy throughout the information life cycle.'' (OMB 
Circular A-130). This final rule complies with this instruction by 
limiting the potential disclosure of PII and other sensitive worker 
information.
    Many commenters agreed with OSHA's privacy concerns, pointing to 
the Department's ``special responsibility to protect PII from loss and 
misuse,'' and arguing that OSHA should not collect the data from Forms 
300 and 301 because it cannot guarantee the protection of PII that may 
be submitted with the data. (Document ID 2045-A1, p. 3) (quoting 
Department of Labor, Guidance on the Protection of Personal 
Identifiable Information, available at: https://www.dol.gov/general/ppii). Commenters agreed with OSHA that the information reported on 
Forms 300 and 301 is sensitive, and that the risk of disclosing this 
sensitive worker information is not worth the uncertain incremental 
benefits of collecting the data. (E.g., Document ID 1985-A1, pp. 1-2; 
2045-A1, pp. 2-3). Other comments agreed with OSHA that collecting Form 
300A provides concrete enforcement benefits without putting private 
worker information at risk of disclosure. (E.g., Document ID 2008, pp. 
2-3).
    Some commenters cautioned that the 300 and 301 data could include 
PII, which the Department defines as ``any representation of 
information that permits the identity of an individual to whom the 
information applies to be reasonably inferred by either direct or 
indirect means[,]'' such as ``name, address, social security number or 
other identifying number or code, telephone number, email address, 
etc.'' (E.g., Document ID 2045, pp. 2-3) (quoting Department of Labor, 
Guidance on the Protection of Personal Identifiable Information, 
available at: https://www.dol.gov/general/ppii)). Although some of 
these commenters are under the mistaken impression that employers would 
be required to submit PII such as name, address, or the name of the 
treating physician under the prior final rule (compare e.g., Document 
ID 2041-A1, pp. 1-2 with 81 FR at 29660-61), OSHA shares these 
commenters' concern that collection of data from Forms 300 and 301 
poses a risk of the release of PII.
    It is foreseeable that, despite instructions not to include such 
information, some employers would submit PII inadvertently in Forms 300 
and 301, for example in the narrative description of the incident in 
Column F of the 300 Log. (See 81 FR at 29662; Document ID 2019-A1, pp. 
2-3). Although one commenter's experience demonstrated employers' 
capability of fully redacting PII from a small dataset (Document ID 
2077-A1, pp. 1, 2), ``[i]t has been OSHA's experience that information 
entered in Column F of the 300 Log may contain personally-identifiable 
information. For example, when describing an injury or illness, 
employers sometimes include names of employees.'' (81 FR at 29662).
    Whereas in the past, OSHA has manually screened smaller datasets 
for PII, the dataset at issue in this rulemaking would be far too large 
to screen manually for employer compliance with an instruction not to 
include PII, and OSHA is concerned that alternative approaches would 
not sufficiently alleviate the risk of disclosure. For example, OSHA 
stated in the 2016 final rule that it would ``review'' the data for PII 
using software--and some commenters urged a similar review (e.g., 
Document ID 1989-A1, p. 1; 2004-A1, p. 1)--but this software is 
imperfect. As discussed in the NPRM, ``it is not possible to guarantee 
the non-release of PII.'' (83 FR at 36498 (citing ``De-Identification 
of Personal Information,'' p. 5, Simson L. Garfinkel, NISTIR 8053, 
October 2015, Document ID 2060)). No commenters provided evidence to 
the contrary. Therefore, OSHA finds that it would not be able to 
guarantee that all PII inadvertently submitted to OSHA would be 
protected from disclosure. (83 FR at 36498).
    Moreover, even if PII could be completely removed from the data, 
concerns about re-identification would remain. As many commenters 
noted, several data points on Forms 300 and 301 could be combined to 
reveal the identity of workers who reported work-related injuries or 
illnesses, particularly in a small town. (E.g., Document ID 2032-A1; 
2044-A1, p. 5 (quoting prior comment); 2045-A1, pp. 2-3, 5; 2070-A1, 
pp. 3, 11, 15-16). As the Phylmar Regulatory Roundtable (PRR) 
explained:

    For example, even with the employee's name removed, PRR members 
believe it would be easy to determine a worker's identity when 
reviewing the information in the remaining fields on Form 300: Job 
title (field C), where the event occurred (E), and details on the 
injury and body parts affected (F). On the 301 Report, combining 
multiple data points, for example, the date of the injury or illness 
(11), what time the employee began work (12), time of event (13), 
what was the employee doing just before the incident occurred (14), 
what happened (15), and what was the injury or illness (16), could 
also result in identifying the worker. While individual fields, 
standing alone, would not be considered traditional ``PII,'' (e.g., 
name, address), once linked, there is a substantial risk that 
employees may be identified, thus violating their privacy.

(Document ID 2070-A1, p. 3). Thus, even with PII removed from the data, 
in many circumstances it may be possible to combine data points to 
identify specific workers who reported injuries or illnesses along with 
personal details about their conditions.
    These privacy concerns are real and important. As OSHA stated in 
the NPRM, some of the information collected on Forms 300 and 301 may be 
sensitive for workers. (E.g., 83 FR at 36495). For example, many of the 
questions on Form 301 seek answers

[[Page 385]]

that could contain sensitive information about workers, including:
     Was the employee treated in an emergency room?
     Was the employee hospitalized overnight or as an in-
patient?
     Date of birth.
     Date of injury.
     What was the employee doing just before the incident 
occurred? Describe the activity, as well as the tools, equipment, or 
material the employee was using. Be specific. Examples: ``climbing a 
ladder while carrying roofing materials''; ``spraying chlorine from 
hand sprayer''; ``daily computer key-entry.''
     What happened? Tell us how the injury occurred. Examples: 
``When ladder slipped on wet floor, worker fell 20 feet''; ``Worker was 
sprayed with chlorine when gasket broke during replacement''; ``Worker 
developed soreness in wrist over time.''
     What was the injury or illness? Tell us the part of the 
body that was affected and how it was affected; be more specific than 
``hurt,'' ``pain,'' or ``sore.'' Examples: ``strained back''; 
``chemical burn, hand''; ``carpal tunnel syndrome.''
     What object or substance directly harmed the employee? 
Examples: ``concrete floor''; ``chlorine''; ``radial arm saw.''

(83 FR at 36495-96). Some commenters disagreed that injury descriptions 
like those above are sensitive (e.g., Document ID 2048-A1, p. 2; 1978-
A1, p. 2; 2048-A1, p. 2), but other commenters provided additional 
examples of sensitive information that could appear on Form 300 or 301, 
such as contracting an infectious disease from a patient, being 
assaulted in the workplace, or being diagnosed with depression or post-
traumatic stress disorder. (E.g., Document ID 2044-A1, pp. 5-6 (quoting 
prior comment); 2070-A1, pp. 15-16). A commenter also noted that some 
records could implicate the privacy of non-employees, such as patients 
involved in the occurrence of a workplace injury or illness. (Document 
ID 1960-A1).
    Other commenters disagreed with OSHA's preliminary determination 
that the data from Forms 300 and 301 are sensitive. (E.g., Document ID 
1961-A1, p. 2; 2081-A2, p. 1; 1984-A1, p. 2; 1978-A1, p. 2; 2017-A1, p. 
3). For example, one commenter maintained that information such as a 
description of an injury is integral to OSHA's investigation and is not 
private or privileged, like medical advice or other communication 
between a patient and doctor. (Document ID 2017-A1, p. 3). OSHA agrees 
that not all of the 300 and 301 data are always sensitive, but 
maintains that some of the data are sensitive and remain sensitive even 
if not legally privileged and even though OSHA intends to continue to 
use these data during onsite inspections.
    Commenters asserting that OSHA's privacy concerns are disingenuous 
(e.g., Document ID 1976-A1, pp. 2-3; 1984-A1, pp. 1-2; 2022-A1, p. 3; 
2038-A1, p. 2; Document ID 1978-A1, p. 2; 2088-A1, p. 3) fail to 
appreciate the real possibility of the disclosure of sensitive worker 
information. The comment (and others like it) that ``[t]he risk to 
worker privacy is very minimal and unlikely to materialize'' (Document 
ID 2011-A1, p. 5) discounts the risk to worker privacy that OSHA's 
experience--of having to remove PII and other information that could 
re-identify the ill or injured worker during manual screening of forms 
prior to release--has shown. Although many advocacy groups submitted 
similarly-worded comments stating that the data from Forms 300 and 301 
are not sensitive (e.g., Document ID 1976-A1, p. 3; 2058-A1, p. 2; 
2059-A1, p .2; 1976-A1, p. 3), private citizens and health advocacy 
organizations expressed concern about the sensitive nature of the data 
and emphasized the importance of keeping sensitive worker information 
out of the public eye. (E.g., Document ID 1938; 1975; 1979; 2006-A1, p. 
2). OSHA agrees with the latter commenters that sensitive information 
can be included in the data on these Forms and should be protected 
against public disclosure.
    Moreover, many of those taking the view that privacy concerns about 
the data were overstated expressed their confidence that OSHA could 
guarantee the protection of any PII contained in the data, a confidence 
that OSHA does not share. (E.g., Document ID 2031 (``The 2016 
provisions clearly stated that no information that would identify 
individual workers was to be reported. If such information was 
accidentally submitted, OSHA made it clear it would never be released 
to the public.''); 2038-A1, p. 2 (``The 2016 provisions clearly state 
that no information tied to any individual worker(s) was to be 
reported. If such information was inadvertently submitted, OSHA ensured 
[sic] us it would never be released to the public.'')).
    It is true, as some commenters noted, that OSHA considered the 
issue of worker privacy in the 2016 final rule and included protections 
to reduce the likelihood of sensitive information being made public, 
(Document ID 2028-A1, p. 6), but OSHA no longer views such protections 
as sufficient. OSHA noted in 2016, for example, that ``consistent with 
FOIA, the agency does not intend to post personally identifiable 
information on the website.'' (81 FR at 29659 (emphasis added)). Yet 
OSHA did not--and cannot--guarantee non-release of PII. In fact, OSHA 
acknowledged in 2016 that Forms 300 and 301 could contain PII in the 
fields that employers were required to submit. (See 81 FR at 29662 
(``It has been OSHA's experience that information entered in Column F 
of the 300 Log may contain personally-identifiable information. For 
example, when describing an injury or illness, employers sometimes 
include names of employees.'')). Although OSHA previously thought to 
address this issue with software, de-identification software is not 
100% effective, and OSHA believes that some PII could be released even 
after being processed through the software. (83 FR at 36498).
    Moreover, even if software could guarantee full scrubbing of PII, 
the possibility still remains that the data could be re-identified with 
the worker who reported the injury or illness. (83 FR at 36498). When 
discussing the agency's past experience of withholding private worker 
information from disclosure under FOIA, OSHA referred to the practice 
of manually redacting Forms 300 and 301 on a case by case basis. (81 FR 
at 29658). For example, OSHA noted that it ``would not disclose the 
information in Column C [of Form 300] (Job Title), if such information 
could be used to identify the injured or ill employee.'' (81 FR at 
29658). OSHA thus acknowledged even in the 2016 final rule that the 
worker's job title could be used to identify the injured or ill worker 
in some situations and that OSHA had protected that information in the 
past through manual review of the file and invocation of FOIA Exemption 
7(c). (81 FR at 29658). The 2016 rule's proposed use of de-
identification software would not address this issue.
    Commenters argued that data similar to those on Forms 300 and 301 
have been available to workers and their representatives since the 
passage of the Act (i.e., those with a ``need to know'') (E.g., 
Document ID 1984-A1, p. 2; 2088-A3, p. 5 (comments dated March 10, 
2014)), but those data have always been screened manually for PII. Such 
screening may have been possible before the 2016 final rule for 
individual files requested on a case by case basis, but OSHA could not 
possibly review each individual form that would be submitted 
electronically under the 2016 final rule to determine whether a 
worker's job title could be used to identify the worker.

[[Page 386]]

    The same principle distinguishes OSHA's practice of posting 
information about severe injuries and fatalities on its website, which 
some commenters cited as proof that the information on Forms 300 and 
301 is not too sensitive to publish. (E.g., Document ID 1961-A1, p. 2; 
1976-A1, p. 3; 2038-A1, p. 2; 2054-A1, p. 4). Although OSHA has not 
identified specific worker complaints about OSHA's posting of severe 
injury data in the past, as asserted by one commenter (Document ID 
2054-A1, p. 4; see also Document ID 2015-A1, p. 1), OSHA receives only 
approximately 800 severe injury reports per month, and manually screens 
each severe injury report for PII or other sensitive worker information 
before posting. OSHA's past practice of manually redacting these data 
before releasing them has no application to the mass collection of 
Forms 300 and 301 data from 36,903 establishments--data drawn from what 
OSHA estimates would be more than 775,000 forms--which could only be 
screened using software with limitations delineated elsewhere in this 
preamble and in the 2018 NPRM.
    Although OSHA believes the 300 and 301 data would be exempt from 
disclosure under FOIA Exemptions 6 and 7(c), OSHA still could be 
required by a court to release the data, as discussed in the NPRM and 
echoed by many commenters. (83 FR at 36498; see also Document ID 1930-
A1, pp. 3-4; 1979; 1981-A1, pp. 2-3; 2075-A1, p. 5; 2084-A1, p. 3). The 
risk of disclosure of sensitive information is not speculative, as some 
commenters claimed (e.g., Document ID 2056-A1, pp. 1-2). One FOIA 
requester has already sued the Department in multiple lawsuits seeking 
injury and illness data: One lawsuit seeks the 300A data collected 
through the Injury Tracking Application, and one lawsuit seeks to force 
OSHA to collect the 2017 data from Forms 300 and 301 for the 
requestor's use in research. See Public Citizen v. U.S. Dep't of Labor, 
Civ. No. 18-cv-117 (D.D.C. filed Jan. 19, 2018); Public Citizen Health 
Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C. filed July 25, 
2018). In a decision denying the government's motion to dismiss in 
Public Citizen Health Research Group v. Acosta, the court concluded 
that the plaintiffs would likely be entitled to a significant portion 
of the 300 and 301 data if collected by OSHA, despite OSHA's conclusion 
that the data would be exempt from disclosure under FOIA. Public 
Citizen Health Research Group v. Acosta, Civ. No. 18-cv-1729 (D.D.C. 
December 12, 2018) (order denying motion to dismiss and preliminary 
injunction). In addition, in New York Times Co. v. U.S. Dep't of Labor, 
340 F. Supp. 2d 394 (S.D.N.Y 2004) and Finkel v. U.S. Dep't of Labor, 
No. 05-5525, 2007 WL 1963163 (D.N.J. June 29, 2007), two separate 
courts ordered OSHA to release injury and illness data that OSHA argued 
were exempt from disclosure under FOIA Exemption 4. (See Document ID 
2019-A1, p. 7; 2070-A1, p. 4).
    OSHA disagrees with comments arguing that OSHA mischaracterized the 
Finkel and Public Citizen lawsuits and the risk of the disclosure of 
sensitive information under FOIA. (See Document ID 2048-A1, pp. 2-3; 
2012-A1, p. 11; 2022-A1, p. 2). OSHA agrees with Mr. Finkel and other 
commenters that the Finkel lawsuit did not result in a court ordering 
disclosure of PII (see, e.g., Document ID 2048-A1, p. 1; Finkel v. U.S. 
Dep't of Labor, No. 05-5525, 2007 WL 1963163 (D.N.J. June 29, 2007)). 
The Public Citizen Health Research Group, Finkel and New York Times 
lawsuits do, however, demonstrate the power of courts to order OSHA to 
release injury and illness data that OSHA considers sensitive 
information exempt from disclosure, over OSHA's objections. In another 
case, the Sixth Circuit Court of Appeals ordered the release of data 
the Federal Aviation Administration tried to protect from disclosure, 
despite the possibility that multiple data points could be combined to 
re-identify particular individuals who had participated in a strike. 
(Norwood v. FAA, 993 F.2d 570, 574-75 (6th Cir. 1993)). OSHA is 
concerned a similar outcome could result if it collects the data from 
Forms 300 and 301 and then attempts to withhold the data in response to 
FOIA requests on the ground that the data could well contain sensitive 
information that OSHA cannot guarantee would be removed. ``[O]nce the 
information is disclosed [under FOIA], it can never be made private.'' 
(See Document ID 2075-A1, p. 5).
    Some commenters asserted that OSHA should collect the 300 and 301 
data but limit its release in various ways (Document ID 2006-A1, pp. 2-
3), or that OSHA could never be required to disclose sensitive worker 
information under FOIA (e.g., Document ID 2006-A1, p. 3; 2012-A1, p. 
11; 2022-A1, p. 2; 2028-A1, pp. 2, 7). These comments ignore the 
reality reflected in these lawsuits that the Department would not 
retain complete control over the data once they are collected. And, 
given that OSHA cannot guarantee complete removal of PII or data that 
could be re-identified with a particular worker from such a large 
dataset, court-ordered publication of the data from Forms 300 and 301 
could well result in the disclosure of sensitive worker information. 
Other commenters presented alternatives to fully rescinding the 
requirement to collect the data from Forms 300 and 301, such as 
excluding job title and precise date of injury to reduce the likelihood 
of re-identification. (Document ID 1993-A1, p. 2; 2028-A1, p. 7). OSHA 
notes that even without the job title and precise date fields, however, 
employers could include sensitive information, such as worker and 
patient names, in the narrative description of the injury and how it 
occurred. (Document ID 1960-A1; 81 FR at 39662). OSHA has had to redact 
this kind of information during manual screening in the past prior to 
release. (81 FR at 39662).
    The American Nurses Association (ANA) expressed concern about 
potential disclosure of sensitive worker information under FOIA but 
believes that the case-level data are important for performing root-
cause analyses to prevent incidents of workplace injuries and 
illnesses. (Document ID 2000-A1, pp. 1-2). The ANA notes that 29 CFR 
1904.8 requires employers to record on the OSHA Form 300 all work-
related needlestick injuries and cuts from sharp objects that are 
contaminated with another person's blood or other potentially-
infectious material, but that employers are prohibited from recording 
an injured worker's name. (Document ID 2000-A1, pp. 2-3). Given the 
protections afforded these cases under Sec.  1904.29(b)(6) through (9), 
the ANA asks whether it would be viable for OSHA to continue to require 
electronic submission of OSHA 300 Log for needlestick and sharps 
injuries to help inform the future prevention of needlestick and sharps 
injuries. (Document ID 2000-A1, p. 3).
    OSHA notes the importance of the OSHA 300 Log for needlestick 
injuries and cuts from sharp objects for identifying hazards in 
healthcare settings, and encourages employers to use their own data 
from Forms 300 and 301 to identify workplace hazards, as OSHA does 
during onsite inspections. Like any other OSHA 300 Log, however, the 
possibility of personal information being reported to OSHA 
inadvertently remains despite the prohibition against recording names, 
as does the risk of re-identification through job title or another 
reported field. These data might then be subject to release under FOIA. 
Therefore, OSHA declines the invitation to retain the reporting 
requirements for case-characteristic data for the OSHA

[[Page 387]]

300 Log for needlestick injuries and cuts from sharp objects.
    After reviewing all of the comments on this issue, OSHA has 
determined collecting the data would expose sensitive worker 
information to a meaningful risk of disclosure. OSHA cannot justify 
that risk given its resource allocation concerns and the uncertain 
incremental benefits to OSHA of collecting the data, as discussed 
elsewhere in this preamble. OSHA has determined that the best use of 
its resources is to focus on data it already receives--including a 
large set of data from Form 300A, as well as discrete data about urgent 
issues from severe injury reports--and has found useful in its past 
experience.
Experience of the Mine Safety and Health Administration (MSHA) and 
Other Federal and State Agencies
    The experience of MSHA and other federal and state agencies with 
collecting and publishing similar data, as many commenters noted (e.g., 
Document ID 2007, p. 8; 2011-A1, p. 6; 2012-A1, p. 6; 2028-A1, p. 2), 
does not mean OSHA is required to collect the data from Forms 300 and 
301. As explained below, other federal and state agencies may weigh 
worker privacy concerns differently based on their missions, 
priorities, and budgets.
    OSHA acknowledges, for example, comments that MSHA has been 
collecting similar data--albeit from a much small number of 
establishments--for many years (e.g., Document ID 2011-A1, p. 7) and 
has posted data on the web for more than fifteen years (Document ID 
2012-A1, pp. 6, 10). MSHA maintains the data in a comprehensive 
database that it makes available to the public. (E.g., Document ID 
1965-A1, p. 52). Commenters noted that MSHA has not experienced any 
security breaches or complaints or controversy about employee privacy, 
despite the fact that MSHA's database includes small employers.\4\ 
(E.g., Document ID 2012-A1, p. 10). Commenters further noted that 
``MSHA has a robust system in place to protect [PII] from inappropriate 
disclosure.'' (E.g., Document ID 2011-A1, pp. 7-8).
---------------------------------------------------------------------------

    \4\ MSHA has been subject to cyber attack in the past, however. 
See Ted Hesson, ``Morning Shift: DOL Takes Stock After Hack,'' 
POLITICO (Apr. 25, 2018) (detailing successful hack), https://www.politico.com/newsletters/morning-shift/2018/04/25/travel-ban-at-scotus-182935.

    There are security controls in place to prevent database 
contamination should nefarious acts be taken against the front-end 
website. The information has to be reviewed by at least three 
approving authorities prior to it being introduced and or uploaded 
into the appropriate database for further analysis and data 
manipulation. Data extracts are redacted of the PII prior to being 
---------------------------------------------------------------------------
released for public consumption.

(Document ID 2088-A1, p. 12) (quoting MSHA, Privacy Impact Assessment 
Questionnaire, MSHA Standardized Information System (MSIS)--FY2017, 
available at: https://www.dol.gov/oasam/ocio/programs/pia/msha/MSHA-MSIS.htm).
    Although three layers of review might make sense given MSHA's 
budget and the much smaller number of employers under the agency's 
jurisdiction, it would require OSHA to commit an unwarranted level of 
resources to provide three layers of review for the volume of records 
it would receive. Under the 2016 final rule, OSHA would collect between 
38 and 77 times more injury reports than MSHA--that is, approximately 
775,000 reports, versus MSHA's 10,000-20,000. OSHA estimates, based on 
the time it has taken OSHA staff to review and remove personal 
information from other OSHA data, that it would take two levels of 
review and 7 minutes per record, on average, to assess the record and 
remove personal information. Such review would cost OSHA approximately 
$7.5 million each year.\5\
---------------------------------------------------------------------------

    \5\ See the Final Economic Analysis for details on this 
calculation.
---------------------------------------------------------------------------

    Other commenters pointed out that ``[t]he Federal Railroad 
Administration (FRA) posts accident investigation reports filed by 
railroad carriers or made by the Secretary of Transportation, and the 
Federal Aviation Administration (FAA) posts National Transportation 
Safety Board reports about aviation accidents.'' (Document ID 2012-A1, 
p. 10; see also 2028-A1, p. 7). Some of these commenters noted that the 
information posted by these agencies includes personally identifiable 
information, such as age, gender, job history, medical information, or 
information about the accident. (Document ID 2028-A1, p. 7). In 
addition, some state workers' compensation systems have online search 
capacity for data including the claimant's name and the description of 
the injury. (Document ID 1993-A1, p. 2).
    Again, OSHA acknowledges that other federal and state agencies have 
collected somewhat similar data for a number of years, but notes that 
each of these agencies has a unique mission, varying priorities, and 
different resource constraints. In this final rule, OSHA is balancing 
the issues of worker privacy and OSHA's resource priorities against the 
uncertain incremental benefits of collecting the data from Forms 300 
and 301. Because OSHA has determined that the extent of the incremental 
benefits to OSHA of collecting the data is uncertain--and because OSHA 
can still obtain the data from employers if needed for specific 
enforcement actions--the agency is choosing to protect worker privacy 
and commit the agency's resources to fully utilizing 300A and severe 
injury report data that its experience has already demonstrated are 
useful. Other federal and state agencies may weigh worker privacy 
concerns differently based on their missions, priorities, and budgets.
The Health Information Portability and Accountability Act (HIPAA) and 
Americans With Disabilities Act (ADA)
    One commenter indicated that PII should never be included in 
published data because such action would conflict with HIPAA and could 
require employees in healthcare settings to violate patients' privacy 
rights, subjecting those employees to legal and licensing problems. 
(Document ID 1936). Another commenter noted that--like HIPAA--the ADA 
protects medical information from unnecessary disclosure and limits who 
can access an employee's medical records (including only providing them 
to government personnel investigating compliance upon request). 
(Document ID 2036-A1, p. 5). OSHA disagrees that HIPAA and the ADA 
would apply to its electronic collection of Forms 300 and 301 for the 
reasons set forth in the 2016 final rule, (see 81 FR at 29665-66), but 
agrees that privacy-related policy concerns reflected in these laws 
buttress its determination that these data should not be collected in 
this way.
Technological Limitations of De-Identification Software
    In the NPRM, OSHA proposed to amend the recordkeeping regulations 
to protect worker privacy by no longer requiring employers to submit 
electronically detailed injury and accident information. (E.g., 83 FR 
at 36494). Specifically, OSHA explained the concern about potential 
disclosure of sensitive worker information under the Freedom of 
Information Act (FOIA). (E.g., 83 FR at 36494). Although software is 
available to scrub identifying information from electronic data, the 
software cannot eliminate the risk of disclosure of PII. (83 FR at 
36498). Even if all PII were removed from the data, a risk remains that 
some data could still be re-identified with a particular individual. 
(83 FR at 36498).
    Many commenters echoed OSHA's concerns that, under the prior final 
rule,

[[Page 388]]

PII or data that could be re-identified with a particular individual 
could be released under FOIA. (Document ID 2070-A1, pp. 3, 4-5; 2055-
A1, p. 2). These commenters stated that OSHA's plan to de-identify PII 
through software is insufficient to protect worker privacy. (Document 
ID 2070-A1, p. 5; 2055-A1, p. 2). For example, one commenter stated 
that in the case of a unique injury occurring in a small town, the 
sensitive details of an injury might easily be associated with a 
specific individual even without naming that individual. (Document ID 
2032-A1).
    Although OSHA stated in the 2016 final rule that ``the [a]gency 
will use software that will search for, and de-identify, personally 
identifiable information before the submitted data are posted'' (81 FR 
at 29662), OSHA did not guarantee complete removal of PII through de-
identification software as some commenters claimed. (See Document ID 
2031 (``OSHA made it clear [information that would identify individual 
workers] would never be released to the public.''); 2038-A1, p. 2 
(``OSHA ensured [sic] us [information tied to individual workers] would 
never be released to the public.'')). In fact, OSHA stated that it 
intended to protect sensitive information from release, (81 FR at 
29659), but that is not a guarantee. Commenters noting that OSHA has 
not cited any concrete evidence of problems or errors in de-
identification since promulgating the 2016 final rule, nor any evidence 
that the information on Forms 300 and 301 would be particularly 
vulnerable to disclosure (Document ID 2020-A1, pp. 3-5; 2033-A1, p. 4), 
fail to give due weight to the possibility that sensitive worker 
information could be released despite OSHA's best efforts. Claims that 
the concerns about disclosure after de-identification are 
``speculative'' and raise only a ``remote'' risk of disclosure 
(Document ID 2020-A1, p. 4) likewise ignore OSHA's past experience of 
needing to remove PII and other sensitive information from Forms 300 
and 301 on a case-by-case basis prior to release to prevent re-
identification, as discussed above in more detail.
    After carefully considering commenters' submissions on this issue, 
OSHA finds that there is a meaningful risk to worker privacy if OSHA 
requires employers to electronically file detailed injury and illness 
data on Forms 300 and 301 because de-identification software cannot 
fully eliminate the risk of disclosure of PII or re-identification of a 
specific individual and manual review of the data would not be 
feasible. OSHA's past experience with case-by-case release of 300 and 
301 data and severe injury reports reveals that these concerns are far 
from speculative. These risks weigh in favor of the rescinding 
requirements to submit the data from Forms 300 and 301 to OSHA 
electronically.
Risk of Cyber Attack
    In the NPRM, OSHA stated that electronically-stored data might 
incentivize cyber-attacks on the Department's IT system. OSHA noted 
that there was a potential compromise of user information for OSHA's 
Injury Tracking Application (ITA) in 2017, demonstrating that such a 
large data collection will inevitably encounter malware. (83 FR at 
36498, Fn. 2).
    Several commenters agreed with OSHA that worker privacy could be 
compromised by a data breach, cyber-attack, or malware, and that 
collecting such a large amount of data electronically could incentivize 
cyber-attacks on the Department. (E.g., Document ID 2076-A1, p. 5). 
Some of these commenters noted the 2017 potential compromise of OSHA's 
ITA as a basis for these concerns. (Document ID 2034-A1, p. 2; 2076-A1, 
p. 5). Commenters also included examples of large scale breaches of 
government data systems in other agencies. (Document ID 2034-A1, pp. 1-
2; 2042-A1, p. 2). In addition, commenters cited a 2016 report by the 
House Oversight Committee finding that the federal government was 
vulnerable to cyber-attacks (Document ID 2034-A1, p. 1), and a Federal 
Information Security Modernization Act (FISMA) Report to Congress for 
Fiscal Year 2017 finding that the Occupational Safety and Health Review 
Commission had an overall rating of ``At Risk'' (Document ID 2070-A1, 
p. 8).
    One commenter asserted that OSHA should be just as capable as MSHA 
of safeguarding the data since the Department consolidated Information 
Technology (IT) services in 2014. (Document ID 2082-A2, p. 5; see also 
Document ID 2088-A1, p. 12 (noting that MSHA has strong information 
security controls in place)).
    OSHA notes that the ITA data meet the security requirements for 
government data, and after reconsidering this issue, OSHA does not find 
that collecting the data from Forms 300 and 301 would increase the risk 
of a successful cyber-attack. Some risk remains, however, that a cyber-
attack could occur and result in the release of data. Moreover, OSHA 
shares the concerns of some commenters about how having thousands of 
businesses upload a large volume of additional data could generally 
increase risk for cyber-security issues. (See, e.g., Document ID 2045-
A1, p. 3; 2075-A1, pp. 4-5).
Limitations on OSHA's Capacity To Collect and Use the Data From Forms 
300 and 301
    In the NPRM, OSHA expressed doubt about the necessity for and 
ability to use the large volume of data that would be generated by 
Forms 300 and 301, given its resources and competing priorities. As 
explained below, OSHA has prior experience with using the 300A data 
successfully and believes that it is the best resource for enforcement 
targeting and compliance assistance. OSHA also receives and effectively 
uses data concerning the most severe injuries and illnesses. In 
contrast, the agency has no prior experience using the case-specific 
data collected on Forms 300 and 301 for enforcement targeting or 
compliance assistance and is unsure how much benefit such data would 
have for these purposes or the level of resources needed to attain any 
benefit. (83 FR at 36498). OSHA noted that the agency's efforts to 
realize these uncertain benefits by collecting, processing, analyzing, 
distributing, and programmatically applying the data would be costly. 
(83 FR at 36498-99).
    Several commenters agreed that OSHA may not be able to make 
beneficial use of the large volume of data it would receive under the 
2016 Rule. (Document ID 2034-A1, p. 2; 2070-A1, p. 9). The United 
States Postal Service also expressed concern that any technical 
complications OSHA experienced due to the large volume of data being 
submitted could hinder timely reporting, leading to steep monetary 
penalties for employers. (Document ID 2034-A1, p. 2).
    Other commenters claimed that OSHA has the capacity to collect and 
code this volume of data. (Document ID 2011-A5, p. 1 (commenting on 
2013 NPRM); 2026-A1, p. 3; 2029). The Attorneys General of NJ, MA, MD, 
NY, PA, RI, and WA jointly commented that OSHA's lack of experience 
with this volume of data is unsurprising because OSHA has not tried to 
collect the Form 300 and 301 data yet. (Document ID 2028-A1, p. 3). 
They noted that for this reason it is also unsurprising that the 
benefits are uncertain at this point. (Document ID 2028-A1, p. 3). 
Another commenter observed that OSHA does have experience evaluating 
Form 300 Logs and Form 301 Incident Reports while conducting workplace 
investigations, so OSHA should be able to make use of such information 
collected through electronic submissions. (Document ID 2063-A1, pp. 1-
2).

[[Page 389]]

    Although OSHA is technically capable of collecting the 300 and 301 
data through a secure Web portal similar to the one used for 300A data 
collection, no such portal was built when the 2016 rule was being 
developed or after it was finalized. Diverting resources now to build 
such a portal would take away from OSHA's enforcement efforts. 
Likewise, the cost of collecting the additional 300 and 301 data in 
that manner would be substantial (see Section IV, Final Economic 
Analysis and Regulatory Flexibility Certification). OSHA has 
accordingly concluded that worker privacy concerns and OSHA's resource 
priorities--including fully utilizing the 300A data that it already has 
collected from 214,574 establishments--outweigh the uncertain benefits 
of seeking to collect and process the data from Forms 300 and 301.
    Several commenters observed that other agencies, as well as other 
divisions within the Department of Labor, collect, track, and utilize 
similar data. (E.g., Document ID 2026, pp. 2-3). Some of these 
commenters encouraged consultation with other agencies who collect this 
type of data, including NIOSH, MSHA, Bureau of Labor Statistics (BLS), 
FRA, and FAA, to learn about database design and best practices for 
collecting this kind of data. (Document ID 1965-A1, pp. 179-80; 2012-
A1, p. 9; 2085-A1, p. 16 (quoting comments on 2013 NPRM)). Given OSHA's 
successful use of summary data from Form 300A and severe injury reports 
to target its enforcement and outreach efforts, and given its privacy 
concerns and its current resources and priorities, OSHA has determined 
to continue to invest its time and money in an approach that is known 
to be effective, while continuing its use of 300 and 301 data in onsite 
inspections.
    OSHA also received a comment from NIOSH, offering to help with data 
analysis. Specifically, NIOSH commented that it is well-positioned to 
play a leading role in helping OSHA use data collected in Forms 300 and 
301 to prevent occupational injuries and illnesses. (Document ID 2003-
A2, p. 3). NIOSH explained that it has the experience and capacity to 
analyze the data, as well as interest in using the data to provide 
guidance to employers for the prevention of occupational injury and 
illness, and to provide data analysis results and analytical tools that 
should enhance OSHA's targeting. (Document ID 2003-A2, p. 3). NIOSH 
noted that it has already developed auto-coding methods for 
categorizing occupation and industry based on free text data and has 
successfully utilized similar free text data collected from workers' 
compensation claims. (Document ID 2003-A2, p. 5). While NIOSH 
acknowledged that the data collected from Forms 300 and 301 would pose 
a greater analysis challenge because of the amount of data, NIOSH 
stated that the large data set would be useful to identify patterns and 
prevent workplace injuries. (Document ID 2003-A2, p. 6).
    OSHA appreciates the value of inter-agency efforts to achieve 
shared goals of preventing occupational injuries and illnesses and 
looks forward to continued coordination with NIOSH and other agencies 
where appropriate. However, OSHA has determined that NIOSH's ability to 
analyze data collected from Forms 300 and 301 does not reduce the 
burden on OSHA to collect the data. Even if NIOSH could make the data 
useful for OSHA's enforcement targeting and outreach efforts, which 
NIOSH itself has suggested would present analytical challenges due to 
the volume of the data, OSHA and employers would be left covering the 
expense of collection, not to mention additional expense associated 
with the need to process and otherwise manually review data from the 
forms--costs that would detract from OSHA's priorities of enforcement 
and compliance assistance to reduce workforce hazards.
    After reviewing commenters' submissions related to OSHA's capacity 
to use the large volume of data that would be generated by the 
submission of Forms 300 and 301, the agency remains concerned about the 
costs of collecting and processing this large volume of data. OSHA has 
considered the comments about the benefits of electronically collecting 
the data and, as explained more fully below, has determined that the 
incremental benefits of electronic collection of these data to OSHA's 
enforcement targeting and compliance assistance activities remain 
uncertain. In OSHA's judgment, those uncertain benefits are outweighed 
by the cost of developing a system to manage that volume of data, 
particularly when making use of the data would divert resources away 
from OSHA's current priority of fully utilizing Form 300A and severe 
injury data for targeting and outreach.
Uncertain Extent of Benefits From Collecting the Data From Forms 300 
and 301
    In the proposed rule, OSHA preliminarily determined that the extent 
of the incremental benefits of electronically collecting data from 
Forms 300 and 301 is uncertain. (E.g., 83 FR at 36498-99). OSHA 
explained that the collection of data from the summary Form 300A 
provides the agency with the information it needs to identify and 
target establishments with high rates of work-related injuries and 
illnesses. (83 FR at 36498). For example, OSHA noted that it had 
collected summary 300A data for 2016 from 214,574 establishments. (83 
FR at 36498). OSHA further explained that it was able to use those data 
to design a targeted enforcement mechanism for establishments 
experiencing higher rates of injuries and illnesses. (E.g., 83 FR at 
36498). OSHA noted its plans to further refine this approach by using 
the greater volume of 2017 summary data. (83 FR at 36498).
    The proposed rule also discussed OSHA's long-time use of summary 
data in enforcement. (83 FR at 36498). Before the 2016 rule, OSHA had 
collected these data for 17 years under its OSHA Data Initiative (ODI) 
and used those data to identify and target high-rate establishments 
through the Site-Specific Targeting (SST) Program. (83 FR at 36498). 
OSHA stopped the ODI in 2013 and the SST in 2014 while it developed the 
2016 final rule, but the agency noted that those prior programs have 
still given it considerable experience with using 300A data for 
targeting. (83 FR at 36498).
    Conversely, OSHA explained that it has no prior experience with 
using the case-specific data from Forms 300 and 301 to identify and 
target establishments for enforcement or outreach purposes. (83 FR at 
36498). For example, OSHA is unsure how much benefit such data would 
have for these purposes, but has determined that considerable effort 
and resources would be required to realize those uncertain benefits. 
(83 FR at 36498-99). The agency estimated that establishments with 250 
employees or more would report data from approximately 775,210 Form 
301s annually, a total volume three times the number of Form 300As from 
which data were uploaded for 2016, while also presenting more 
complicated information than that captured by Form 300A. (83 FR at 
36498). To gain enforcement value from the case-specific 300 and 301 
data, OSHA explained that it would need to divert resources from other 
priorities, such as the utilization of Form 300A data, which OSHA's 
long experience has shown to be useful. (83 FR at 36498-99).
    OSHA asked stakeholders to submit comments on the benefits and 
disadvantages of the proposed removal of the requirement for employers 
with 250 or more employees to submit the data from OSHA Forms 300 and 
301 to OSHA electronically on an annual basis, including the usefulness 
of the data for

[[Page 390]]

enforcement targeting (83 FR at 36499), and received a number of 
comments in response. Many of the commenters agreed that the 
enforcement benefits stemming from electronically collecting the Form 
300 and 301 data are uncertain. (E.g., Document ID 2034-A1, pp. 2-3; 
2036-A1, pp. 7-8). One commenter also suggested that OSHA has not shown 
that it is fully and effectively using currently-available data 
(Document ID 2019-A1, p. 3), and another indicated that OSHA has not 
demonstrated that there are significant gaps in the current data that 
compromise OSHA's execution of its mission, that electronically 
collecting the Form 300 and 301 data will address those gaps, or that 
the protocols described by the 2016 final rule will efficiently and 
effectively compile necessary information to lead to significant 
improvements in achieving OSHA's goals (Document ID 2003-A2, p. 3). 
Commenters further noted that OSHA did not explain in 2016 how it would 
effectively use the Form 300 and 301 data to the benefit of its 
enforcement and compliance assistance programs. (E.g., Document ID 
2019-A1, p. 3; 2044-A1, p. 6). Other commenters concluded that 
collecting Form 300A data is sufficient for OSHA's targeting and 
enforcement purposes and electronically collecting the Form 300 and 301 
data has no clear benefit. (E.g., Document ID 1970-A1; 2034-A1, pp. 2-
3).
    Commenters also asserted that Form 300 and 301 data do not predict 
current hazards or take into account any corrective actions by the 
employer, nor do they show if OSHA should have issued a citation in 
response to a recorded occurrence. (E.g., Document ID 2057-A1, p. 3; 
2075-A1, p. 3). Put another way, the fact that an employer records an 
incident does not necessarily correlate to workplace hazards or 
compliance inadequacy or otherwise indicate that the reporting employer 
is responsible for the incident. (E.g., Document ID 2075-A1, p. 3). For 
example, the E-Recordkeeping Coalition stated that, ``[b]ased on a 
qualitative analysis of [its] members' 300 and 301 data, only a small 
percentage of that data would indicate any regulatory compliance 
insufficiency.'' (Document ID 2076-A1, p. 3). Relatedly, one commenter 
posited that collecting the Forms 300 and 301 data does not serve the 
purpose of a ``no-fault'' recordkeeping system. (Document ID 2057-A1, 
p. 3).
    According to some commenters, maintaining Form 300 and 301 data 
electronically would not aid OSHA in identifying, and engaging in 
enforcement, at high-risk workplaces, (e.g., Document ID 2042-A1, p. 
2), or otherwise provide any real value to the agency's enforcement 
targeting strategies or decisions (e.g., Document ID 2075-A1, p. 3; 
2076-A1, p. 3). A comment in the record concerning OSHA's 2013 NPRM, 
from a commenter that generally supported OSHA's collection of Form 300 
and 301 data, noted that use of the Form 301 narratives can be 
cumbersome. (Document ID 2085-A8, p. 31). The Phylmar Regulatory 
Roundtable pointed out that OSHA can still collect the Form 300 and 301 
data after it has determined to inspect an establishment, using the 
data to target specific areas of the workplace during the inspection, 
and stated that doing so results in a fair, objective process, rather 
than injecting unfairness and subjectivity into OSHA's targeting 
decisions. (Document ID 2070-A1, p. 8). OSHA agrees that the best use 
of the Form 300 and 301 data is for identifying hazards during onsite 
inspections, and OSHA will continue using the data in this manner.
    OSHA disagrees with commenters asserting that OSHA now ignores many 
key benefits it previously asserted would be derived from 
electronically collecting and publishing the Form 300 and 301 data. 
(E.g., Document ID 2028-A1, p. 3; 2054-A1, p. 6). Rather, OSHA is now 
re-assessing the uncertain incremental benefits to OSHA enforcement and 
compliance assistance activities and re-balancing those benefits 
against worker privacy concerns and OSHA's current resource priorities. 
That balancing takes into account, as is appropriate, how OSHA can and 
will continue to collect and use data from Forms 300 and 301 as needed, 
as well as data from severe injury reports, for on-site inspections and 
specific enforcement.
    OSHA's position in this final rule on the uncertain benefits of 
collecting data from Forms 300 and 301 outside the context of an onsite 
inspection is not inconsistent with its position in the Mar-Jac Poultry 
case (see U.S. v. Mar-Jac Poultry, Inc., 153 Fed. Appx. 562 (11th Cir. 
Oct. 9, 2018) (unpublished)), as some commenters suggested. (E.g., 
Document ID 2015-A1, pp. 8-11; 2054-A1, pp. 8-9). In that case, OSHA 
took the position that the 300 logs had value for identifying potential 
violations during an onsite inspection, and OSHA maintains that belief. 
Indeed, OSHA intends to continue using the data from Forms 300 and 301 
for that purpose. OSHA notes that case involved the use of 300A data 
from an establishment OSHA is inspecting to expand the scope of the 
inspection; it did not address the usefulness, for enforcement 
purposes, of collecting a high volume of Form 300 and 301 data.
    One commenter disagreed with rescinding the requirement to submit 
data from Forms 300 and 301 to OSHA without taking certain steps 
identified in the 2016 final rule--including ``looking at examples of 
electronic data collection efforts by other federal agencies'' and 
``form[ing] a working group with BLS to assess data quality, 
timeliness, accuracy, and public use of the collected data.'' (Document 
ID 2012-A1, p. 15). OSHA did not, however, bind itself to take such 
actions in order to reconsider the decision whether to collect the data 
was justified in light of the risk to worker privacy and the agency's 
best use of its resources. Furthermore, other agencies' experiences are 
not directly relevant to OSHA's resource priorities and unique mission. 
OSHA routinely consults with other agencies as part of its rulemaking 
process and did so for this rule. Because OSHA issues this final rule 
as a result of its re-balancing of the risk to worker privacy with the 
rule's uncertain benefits and the agency's resource priorities, OSHA 
has determined that further consultation with other agencies is neither 
necessary nor appropriate.
    OSHA agrees, as some commenters noted, that public health 
principles dictate data-based approaches. (E.g., Document ID 2006-A1, 
p. 2; 2014-A1, p. 2). OSHA disagrees, however, that collecting the data 
from Forms 300 and 301 is therefore necessary; OSHA is already 
collecting the 300A data and using those data to inform its enforcement 
targeting. OSHA is uncertain how much additional value the data from 
Forms 300 and 301 would provide for enforcement and compliance 
assistance at this time and has therefore determined that fully 
utilizing the 300A data and severe injury report data is the best use 
of OSHA's resources. OSHA will continue to obtain the data from Forms 
300 and 301 from employers, as needed, for on-site inspections and 
specific enforcement actions, and OSHA will likewise continue to assess 
and utilize data from the severe injury reports it receives and that 
have proven useful in identifying and addressing areas of need.
    According to some commenters, having a comprehensive batch of data 
from Forms 300 and 301 would allow OSHA to understand employer 
misconduct more broadly, and this dataset could make up for OSHA's 
inability to visit all of the worksites within its jurisdiction. (E.g., 
Document ID 2015-A1, p. 7; 2056-A1, p. 2; 2082-

[[Page 391]]

A2, p. 5). Others asserted that the data can serve as a guide for 
agency inspections, providing compliance officers with the number, 
type, severity, and distribution of injuries at a particular workplace. 
(Document ID 2012-A1, p. 2; 1965-A1, p. 179 (NAS Report)).\6\ OSHA has 
determined that the 300A data are sufficient for enforcement targeting 
and compliance assistance, and notes again that it can still use Forms 
300 and 301 to guide inspections by collecting the data onsite, without 
the need to divert resources to creating a Web portal never built 
during or after the 2016 rule's development.
---------------------------------------------------------------------------

    \6\ The National Academies of Science, Engineering, and Medicine 
(NAS) report, titled A Smarter National Surveillance System for 
Occupational Safety and Health in the 21st Century (Document ID 
1965-A1) was the result of a joint request from NIOSH, BLS, and OSHA 
to NAS, asking NAS to conduct a study in response to the need for a 
more coordinated, cost-effective set of approaches for occupational 
safety and health surveillance in the United States. (See Document 
ID 1965-A1, p. x). Commenters submitted copies of the report to the 
record. (See Document ID 1965-A1; 2085-A10). Where those commenters 
and others have specifically referenced findings, recommendations, 
or other statements contained in the report in their comments, OSHA 
has responded to them in this preamble. However, because the report 
is not, and was not intended to be, commentary on this rulemaking, 
the agency does not find it is appropriate or necessary to respond 
to statements contained therein where those statements were not 
referenced by commenters in their submissions to the record.
---------------------------------------------------------------------------

    Some commenters indicated that having electronic access to the data 
would facilitate OSHA's effective use of the data (e.g., Document ID 
2056-A1, p. 2) by, for example, providing timely, searchable, sortable 
information with which OSHA could identify and understand trends, and 
that reducing the amount of information available to the agency would 
make it less effective. (E.g., Document ID 1974; 1994; 2020-A1, p. 11; 
2082-A2, p. 5; 2085-A1, pp. 5-7). Others, assuming the data would be 
published, suggested that employees would use publicly available 
information to analyze whether their employers are underreporting, to 
identify hazards and prevent injuries, and to determine where they may 
want to work (e.g., Document ID 2012-A1, pp. 5, 13; 2022-A1, pp. 1, 2; 
2047-A1, pp. 3-4; 2050-A1, p. 1; 2083-A1, p. 2; 2085-A1, pp. 19-20 
(quoting Document ID 2085-A10, pp. 13, 178 (NAS report)), and that 
employers would use the data to benchmark effectively, and to identify 
injury trends in the industry to prevent incidents before they occur 
(e.g, Document ID 2007-A1, p. 5; 2011-A3, p. 8; 2012-A1, p. 6; 2022-A1, 
p. 2). One commenter suggested that employers could use the data to 
assess the safety record of contractors before hiring them. (Document 
ID 2085-A1, p. 18). Commenters also argued that electronic access to 
the data would eliminate delays and obstacles to accessing the data for 
employees and their representatives. (E.g., Document ID 2020-A1, p. 11; 
2086-A1, p. 3). Other commenters opined that requiring employers to 
report their Forms 300 and 301 electronically could improve the 
consistency and quality of what employers report, providing employers 
and employees with an opportunity to decrease injuries and illnesses 
both at particular establishments and company-wide. (E.g., Document ID 
2010-A2, p. 1; 2082-A2, pp. 2-3; 2085-A1, p. 11).
    OSHA begins by noting that many of the benefits discussed by 
commenters would not materialize. Because OSHA has determined 
publishing the data would do more harm than good for reasons described 
more fully below and in the privacy discussion above, OSHA would not 
make the data public even if collected. In addition, as noted above, 
OSHA has already taken the position that data from Form 300A is exempt 
from disclosure under FOIA and that OSHA will not make such data public 
for at least the approximately four years after its receipt that OSHA 
intends to use the data for enforcement purposes. Therefore, the 
benefits some commenters ascribed to publication of the data would not 
be realized. Without publication, the research benefits claimed by many 
commenters (e.g., Document ID 1965-A1, p. 1; 2004-A1, p. 1; 2011-A1, 
pp. 2-3 (quoting the NAS report), 6-11; 2012-A1, pp. 3-4, 6-7; 2015-A1, 
pp. 2-6; 2082-A2, pp. 2-3; 2088-A1, pp. 2, 7-8) also fall away. To the 
extent case-specific data are crucial in conducting root-cause 
analyses, which can reduce and prevent workplace illnesses and injuries 
(Document ID 2000-A1, p. 1), employers can still use their own data, or 
share it with researchers voluntarily, for this purpose. OSHA 
acknowledges that the 300 and 301 data would have benefits for 
occupational safety and health research, but notes that researchers 
already have access to BLS data and severe injury data. OSHA has 
determined that the best use of the agency's resources at this time is 
full utilization of 300A and severe injury data, not providing 300 and 
301 data to researchers despite the uncertain incremental benefits of 
the data to OSHA and especially when OSHA itself will continue to 
protect workers by accessing Forms 300 and 301 through on-site 
inspections and for specific enforcement actions as needed.
    With respect to the remaining potential benefits for enforcement 
identified by the commenters, OSHA simply notes that those benefits are 
uncertain, and collecting and utilizing these data would be costly. 
OSHA cannot justify diverting resources from fully utilizing 300A data 
and severe injury data, which OSHA's experience has shown to be useful 
for enforcement and compliance assistance, to collect data with 
uncertain benefits to OSHA's core mission.
    NIOSH and other commenters stated that the data from Forms 300 and 
301 could be used for future research to identify patterns and trends 
across workplaces that could be masked by aggregated, summary data from 
Form 300A. (Document ID 2003-A2, pp. 6-7; 2007-A1, p. 4). In addition, 
the NAS report echoed a number of the benefits of collection identified 
by some commenters, including research for surveillance and prevention 
purposes, employer benchmarking, employee assessment of safety and 
health conditions at various workplaces, and intervention and education 
by public health agencies. (Document ID 1965-A1, pp. 177-179). The NAS 
report suggests that electronic collection of Form 300 and 301 data 
would supplement BLS Survey of Occupational Injuries and Illnesses 
(SOII) data, letting OSHA focus its interventions and prevention 
efforts on hazardous industries, workplaces, exposures, and high-risk 
groups. (Document ID 1965-A1, p. 179). According to the report, 
collecting the Form 300 and 301 data would allow for expanding and 
targeting outreach to employers, particularly smaller employers, to 
improve hazard identification and prevention efforts, and would give 
OSHA the opportunity to advise employers on how their rates of injury 
and illness compare with the rest of their industry. (Document ID 1965-
A1, p. 178).
    OSHA will continue to work with NIOSH, other government agencies, 
and interested stakeholders to share information and leverage 
efficiencies to reduce workplace injuries and illnesses as appropriate. 
And while OSHA appreciates the findings and recommendations of the NAS 
Report that commenters identified, the approaches suggested by NAS 
would require substantial investment of time and money to develop. OSHA 
has determined that at this juncture, the protection of worker safety 
and health will best be furthered by allocating its resources in more 
concrete ways in which OSHA can more fully draw on its existing 
experience, such as utilizing the 300A and severe injury data it is

[[Page 392]]

already collecting and analyzing for enforcement and compliance 
assistance activities.
    Several commenters pointed out ways in which OSHA has used Forms 
300 and 301 and similar data in the past to further its mission of 
ensuring safe and healthy workplaces. (E.g., Document ID 2003-A2, pp. 
6-7; 2012-A1, pp. 3-4). For example, commenters asserted that OSHA has 
previously analyzed Form 300 and 301 data from multiple workplaces to 
identify frequently-recurring injuries and to better protect workers' 
safety and health, and used information from severe injury reports to 
understand injury causation and to inform the agency's compliance 
assistance and outreach efforts. (Document ID 2012-A1, pp. 3-4; 2003-
A2, pp. 6-7). Employers have had to submit severe injury reports, 
containing information similar to what is included on Form 301, to OSHA 
since 2015. (Document ID 2003-A2, p. 6). To the extent OSHA has 
evaluated small batches of similar data in the past to further its 
mission of protecting worker safety and health, commenters suggest that 
a broader collection could be similarly useful.
    OSHA agrees that data from Forms 300 and 301 and similar data can 
be helpful, but disagrees that its past experience justifies the broad 
collection envisioned in 2016. As NIOSH acknowledged in its comment, 
the volume of Form 300 and 301 data employers were required to submit 
under the 2016 final rule would far exceed the number of severe injury 
reports OSHA receives. (Document ID 2003-A2, p. 6). Collecting and 
using a high volume of data--without the relevancy filters imposed by 
severe injury reports or on-site inspections--would require substantial 
resources to process and analyze. OSHA has determined that, at the 
current time, the resources OSHA would need to devote to developing 
that capacity and determining best how use the data would better 
achieve the mission of the agency by being allocated to full 
utilization of the 300A and severe injury data. OSHA will thus continue 
to obtain and use data from Forms 300 and 301 from employers as needed 
for on-site inspections and specific enforcement actions, as has proven 
helpful in the past.
    Moreover, as OSHA notes elsewhere in this preamble, before making 
300 and 301 records requested on an ad hoc basis or severe injury 
reports public, the agency manually screens all of those records for 
PII and data that could re-identify workers. But the sheer volume of 
the data, which is expected to come from over 775,000 reports, would 
make the costs to manually screen all of the 300 and 301 data enormous; 
OSHA believes those resources are better allocated to activities closer 
to OSHA's core enforcement mission. One commenter suggested that 
collecting the data from Forms 300 and 301 electronically would benefit 
workers by allowing them access to these records without fear of 
retaliation for requesting the records from their employers. (Document 
ID 2083-A1, p. 2). But OSHA notes that workers have a right under 29 
CFR 1904.35 to access their own employers' 300 and 301 data, and 
Section 11(c) of the OSH Act, 29 U.S.C. 660(c), prohibits employers 
from retaliating against workers for exercising that right. Another 
commenter asserted that a worker's medical provider could benefit from 
OSHA's electronic collection and publication of 300 and 301 data and 
using the data to assess conditions at the relevant workplace. 
(Document ID 2010-A2, p. 4) (commenting on the 2013 NPRM). But OSHA 
again notes that workers retain the right to access 300 and 301 data 
from their own employers and share it with their medical providers.
    After considering these comments, OSHA has determined that because 
it already has systems in place to use the 300A data for enforcement 
targeting and compliance assistance without impacting worker privacy, 
and because the Form 300 and 301 data would provide uncertain 
additional value, the Form 300A data are sufficient for enforcement 
targeting and compliance assistance at this time. OSHA will continue to 
request copies of Forms 300 and 301 during its inspections, and make 
use of data from severe injury reports, as appropriate.
Collecting and Processing the 300 and 301 Data Would Divert Agency 
Resources From Higher Priority Initiatives
    As OSHA stated in the NPRM, electronically collecting and taking 
steps necessary to try to use Form 300 and 301 data would require the 
agency to divert resources from other priorities, including the 
analysis of Form 300A data. As explained above, OSHA has already 
collected summary 300A data from 214,574 establishments, and expects 
that volume to increase. OSHA is seeking to fully utilize these data, 
and has designed and implemented a targeted enforcement mechanism for 
industries experiencing higher rates of injuries and illnesses. OSHA 
likewise evaluates severe injury reports, which it receives shortly 
after accidents, to target its enforcement and compliance-assistance 
efforts.
    Many commenters agreed that OSHA would need to significantly 
increase or divert its resources from other priorities to collect, 
process and analyze the electronically submitted Form 300 and 301 data. 
(E.g., Document ID 2008-A1, p. 2; 2019-A1, pp. 2, 6-7, 9-10; 2044-A1, 
p. 6 (citing 83 FR at 36496)). Some noted that, without diverting 
resources from other priorities, OSHA might not be able to analyze and 
use the data as it intended when it finalized the 2016 final rule 
(Document ID 2070-A1, p. 9), and that OSHA already has access to other 
data sources it can analyze and more potential violators than it can 
investigate with its resource constraints (Document ID 2055-A1, p. 2). 
By rescinding the requirement to collect electronically Form 300 and 
301 data, OSHA will better focus on pre-existing, successful 
enforcement efforts. (E.g., Document ID 2044-A1, p. 6; 2075-A1, p. 4). 
Commenters also agreed with OSHA that the uncertain benefits of 
requiring employers to electronically submit Forms 300 and 301 do not 
outweigh the costs and burdens to OSHA and employers and the risk to 
worker privacy. (E.g., Document ID 1985-A1, p. 1; 2008-A1, p. 2; 2024-
A1, p. 1).
    Other commenters suggested that requiring electronic submission of 
the Form 300 and 301 data would help OSHA allocate its resources and 
identify injury trends, their causes, and emerging hazards to improve 
its enforcement and outreach efforts beyond what OSHA can accomplish 
with the 300A data. (E.g., Document ID 1929; 1961-A1, pp. 1-2; 2007-A1, 
pp. 1-5; 2011-A1, p. 6; 2054-A1, pp. 1, 6-7, 8-9). One commenter 
theorized that having access to the detailed information contained in 
Forms 300 and 301, rather than simply the summary data from Form 300A, 
can improve OSHA's use of its enforcement resources to target the 
highest priority issues. (Document ID 2007-A1, p. 5). But these 
commenters provide no evidence to support their claims, and OSHA finds 
none in the record. OSHA's own experience with using Form 300 and 301 
data is insufficient to support these theories. These commenters' 
speculation therefore does not alter OSHA's view that diverting OSHA's 
focus from longstanding and successful agency priorities is not 
justified to achieve the uncertain benefits of electronically 
collecting data from Forms 300 and 301.
    Commenters pointed to OSHA's statements in the 2016 final rule that 
collecting data from Forms 300 and 301

[[Page 393]]

would allow the agency to leverage its resources to execute its mission 
by helping its compliance assistance programs, encouraging employers 
and workers to identify and address workplace hazards to avoid the 
perception of being an unsafe place to work, and providing data to 
employers, workers, unions and academics that would assist them in 
researching and innovating to improve workplace safety and health. 
(Document ID 2007-A1, p. 3; 2017-A1, p. 2). Although OSHA identified 
these potential benefits, OSHA never quantified them. This final rule 
does not ignore those prior statements or the possibility that benefits 
could result from collecting the data, but concludes that the scope of 
any such benefits is uncertain. OSHA does not believe that these 
uncertain benefits justify the diversion of OSHA's resources from other 
agency initiatives with a proven record of effectiveness.
    Some commenters asserted that a recent Office of the Inspector 
General (OIG) report auditing OSHA's fatality and severe injury 
reporting program (OIG, Dep't of Labor, OSHA Needs to Improve the 
Guidance for Its Fatality and Severe Injury Reporting Program to Better 
Protect Workers, 02-18-203-10-105 (OIG report), available at: https://www.oig.dol.gov/public/reports/oa/viewpdf.php?r=02-18-203-10-105&y=2018) demonstrates a need for improved reporting, noting that the 
OIG report concluded employers underreport fatalities and severe 
injuries by as much as 50 percent. (E.g., Document ID 2017-A1, p. 2; 
2051-A1, p. 3). Commenters noted that the OIG report found that OSHA 
cannot effectively target compliance and enforcement efforts without 
complete information on work-related fatalities and severe injuries. 
(E.g., Document ID 2051-A1, p. 3; 2089-A1, p. 2). Another commenter 
suggested that the collection and publication of data from Forms 300 
and 301 would create ``publicly available checks'' and increased 
accountability for employers. (Document ID 2062-A1, p. 2).
    OSHA disagrees that the OIG report indicated a need to collect more 
injury and illness data. Rather, the report recommends that OSHA take 
steps to better enforce and implement the severe injury reporting 
requirements. (OIG report, p. 1). Specifically, the OIG recommended 
that OSHA (1) develop and provide guidance to staff to detect and 
prevent underreporting; (2) consistently issue citations for 
underreporting; (3) clarify guidance for documentation of OSHA's 
essential decisions, evidence required to demonstrate abatement by the 
employer, and requirements for monitoring employer-conducted 
investigations; and (4) emphasize the importance of conducting 
inspections for incidents that resulted in a fatality, two or more in-
patient hospitalizations, emphasis programs, or imminent danger. (OIG 
report, p. 15). OSHA is committed to implementing these recommendations 
as indicated in OSHA's formal response to the report, (OIG report, pp. 
21-23), and OSHA has determined such implementation is more likely to 
address OIG concerns than electronically collecting Forms 300 and 301.
    OSHA will use the OIG report's findings to shape and improve its 
severe injury reporting objectives. Indeed, this rulemaking seeks to 
improve OSHA's capacity to direct its resources to current initiatives 
such as implementing the severe injury reporting requirements, rather 
than collecting new data with uncertain benefits. OSHA's current 
priorities include fully utilizing the data from the Form 300As and 
severe injury reports it is already collecting to improve its 
enforcement and outreach objectives to ensure compliance with the OSH 
Act. Again, investing in a program to collect, process, and analyze 
data from hundreds of thousands of Forms 300 and 301 would constrain 
OSHA's ability to achieve these and other priority enforcement goals.
    Regarding the suggestion that collection and publication of data 
from Forms 300 and 301 might increase compliance with electronic 
reporting requirements (Document ID 2062-A1, p. 2), OSHA finds it can 
better hold employers accountable through the appropriate allocation of 
resources to enforcement efforts and compliance assistance, rather than 
collecting data with uncertain benefits. This commenter provides no 
evidence for the speculative suggestion that publication of the data 
would create an incentive for employers to report fatalities and severe 
injuries. (Document ID 2062-A1, p. 2).
Collecting 300/301 Data Could Lead to Less Accurate Records
    Commenters expressed concern that requiring employers to report 
electronically the data from Forms 300 and 301 could have a negative 
impact on accurate recordkeeping. For example, some employers may not 
prepare Forms 300 and 301 accurately for fear that the information 
would become public and cause reputational harm or subject them to 
targeted OSHA inspections. (Document ID 2019-A1, p. 7; 2044-A1, p. 34 
(commenting on 2013 NPRM); 2055-A1, p. 2). Commenters also indicated 
that employers fear that publishing Form 300 and 301 data will expose 
confidential and proprietary information to their competitors and 
adversaries. (Document ID 2070-A1, pp. 9-10; 2076-A1, pp. 6-7). For 
example, public disclosure of location information may allow 
competitors to determine confidential business locations or 
acquisitions that have not been publicized, or publication of the 
substances or chemicals that were involved in injuries and illnesses 
may identify products, inventions, or proprietary technologies that are 
in research and development. (Document ID 2070-A1, pp. 9-10). The 
collection's focus on lagging indicators, which measure past safety 
performance, also may not be representative of a company's current 
safety efforts. (Document ID 2044-A1, p. 30) (commenting on 2013 NPRM). 
One commenter explained that Forms 300 and 301 are most useful to the 
employer when they contain robust information about the details of 
workplace injuries and illnesses, but that employers will have 
incentives to sanitize their reports if they believe they will become 
public, and be mischaracterized, as a result of electronic submission 
to OSHA. (Document ID 2019-A1, p. 7).
    Commenters also noted that workers may be reluctant to report 
accurately their data for Forms 300 and 301 for fear that the details 
of their reports will become public and reveal their private 
information. (Document ID 2030; 2085-A8, p. 8 (commenting on 2013 
NPRM)). One commenter noted that the Confidential Information 
Protection and Statistical Efficiency Act of 2002 requires BLS to keep 
this kind of data confidential. (Document ID 2053-A1, p. 2). In 
enacting the CIPSEA, Congress found that ensuring the confidentiality 
of sensitive information submitted to the government ``is essential in 
continuing public cooperation in statistical programs.'' (Pub. L. 107-
347 sec. 511(a)(5)). While the CIPSEA applies to BLS, not OSHA, OSHA 
shares Congress's concern that fear of sensitive information becoming 
public could undermine accurate reporting.
    Other commenters expressed concern that employers will hide 
workplace injuries if they are not required to file Forms 300 and 301 
electronically. (Document ID 1976-A1, p. 1; 1996-A1, p. 1; 1999-A1, p. 
1; 2002-A1, p. 1). OSHA finds these comments to be speculative and 
unsupported by its experience reviewing Forms 300 and 301 through on-
site inspections. OSHA also does not find that requiring employers to 
submit their 300 and 301 data electronically would motivate them

[[Page 394]]

to report injuries and illnesses they otherwise would not have 
recorded. One commenter noted that the cost to large employers of 
submitting their 300 and 301 data was not burdensome because compliance 
would have cost approximately $258.34 per establishment per year, which 
would be an average of less than one dollar per employee per year. 
(Document ID 2012-A1, p. 12). Although OSHA acknowledges that the 
requirement to submit data from Forms 300 and 301 to OSHA would have 
been economically feasible for large employers, OSHA's central 
rationale for rescinding these requirements is not to reduce employer 
costs but rather to protect worker privacy and to direct agency 
resources towards fully utilizing the data it is already collecting to 
advance improvements to health and safety for workers.
    OSHA has determined that publishing the data could also cause more 
harm than good. Workers would know in advance that some details of 
their injuries would be public and on the internet. Deterring worker 
reporting through fear of publication could make the records less 
accurate. And, because employers are required to report workplace 
injuries and illnesses regardless of fault, OSHA no longer considers 
collection of employers' injury and illness records likely to ``nudge'' 
them to make their workplaces safer, which OSHA identified in 2016 as a 
benefit of publishing the 300 and 301 data. (See 81 FR 29629; Document 
ID 2007-A1, pp. 4-5). OSHA finds that the final rule may ensure more 
accurate records on Forms 300 and 301 by alleviating employers' and 
workers' fears about the consequences of the records becoming public, 
and will allow employers to devote more of their resources towards 
compliance with safety and health standards.
State Plan Issues
    In the NPRM, OSHA noted that, pursuant to section 18 of the OSH Act 
(29 U.S.C. 667) and the requirements of 29 CFR 1904.37 and 1902.7, 
within 6 months after publication of the final OSHA rule, state-plan 
states must promulgate occupational injury and illness recording and 
reporting requirements substantially identical to those in 29 CFR part 
1904. (83 FR at 36505). All other injury and illness recording and 
reporting requirements (for example, industry exemptions, reporting of 
fatalities and hospitalizations, record retention, or employee 
involvement) that are promulgated by state-plan states may be more 
stringent than, or supplemental to, the federal requirements, but, 
because of the unique nature of the national recordkeeping program, 
states must consult with OSHA and obtain approval of such additional or 
more stringent reporting and recording requirements to ensure that they 
will not interfere with uniform reporting objectives under 29 CFR 
1904.37 and 1902.7. (See 83 FR at 36505).
    Some commenters responded to this section of the NPRM with concerns 
that centralized, federal collection is the most efficient and cost-
effective way to compile detailed data for enforcement and prevention, 
and that the analysis of small, discrete quantities of data from 
multiple state databases will make important trends less apparent. 
(Document ID 2062-A1. p. 1; 2028-A1, pp. 5-6; 1965-A1, pp. 6-7). 
Commenters theorized that the detailed reporting requirements of the 
prior final rule would have enabled both federal OSHA and state plans 
to target their prevention and enforcement measures at particular 
employers and industries. (Document ID 2028-A1, p. 3; 2046-A1, p. 2).
    Commenters also asserted that, as a result of this final rule, some 
states would have to set up separate reporting systems at significant 
cost to maintain reporting requirements consistent with the prior final 
rule. (Document ID 2028-A1, p. 5; 2088-A1, p. 13). The California 
Department of Industrial Relations is in favor of the reporting 
requirements of the prior final rule because national collection would 
be more efficient than state-by-state collection, among other reasons. 
(Document ID 2062-A1, p. 3). Commenters also pointed out that some 
state-level agencies, such as the Washington State Department of Labor 
and Industries (``WA L&I''), have gathered detailed data through their 
workers' compensation system and collaborated with NIOSH in analyzing 
the data to inform targeted enforcement strategies. (Document ID 1993-
A1, p. 1; 1965-A1, pp. 57-59). One commenter pointed to the NAS Report, 
which noted that ``only 20 percent of states reported having 
substantial epidemiologic and surveillance capacity in occupational 
health'' and concluded that this lack of surveillance capacity 
``results . . . in . . . missed opportunities for collaboration across 
public health domains to address convergent public health concerns that 
affect workers as well as the general public.'' (Document ID 1965-A1, 
p. 122 (NAS Report)). One group of commenters expressed concern that 
OSHA's consultation requirement would make it harder for states to 
implement such systems and noted that states without state plans or 
with state plans limited to public sector workers will not have the 
opportunity to have access to detailed data like that required by the 
prior rule. (Document ID 2028-A1, pp. 5-6).
    As OSHA noted in the NPRM, the effectiveness of the Form 300 and 
301 data as an enforcement and prevention tool in advancing worker 
safety is unclear. The suggestion that the data would be useful to 
states without state plans (Document ID 2028-A1, pp. 5-6), is 
speculative, as OSHA has determined that the benefits of collecting 
such data on a national scale are uncertain and do not outweigh the 
collection's burdens and costs. (83 FR at 36498). OSHA finds that the 
Form 300A collection adequately serves its enforcement purposes at this 
time without jeopardizing worker privacy, and OSHA is committed to 
sharing these data with state-plan states, including those covering 
only public sector workers. OSHA cannot justify collecting Form 300 and 
301 data where the data's usefulness is unclear. (83 FR at 36498).
    OSHA disagrees that this final rule would necessarily hinder states 
in implementing their own requirements for collection of Form 300 and 
301 data. As OSHA explained in the NPRM, the rule does not preempt 
state law. (83 FR at 36505). The consultation requirement is not 
intended to limit state plans to strict conformity with the rule but 
rather to aid states in avoiding interference with OSHA's unique 
recordkeeping program. There is no evidence in the record that 
individual state collection of Form 300 and 301 data would cause such 
interference. To the extent some state agencies, such as WA L&I, have 
already collected similar data, this shows that some states have 
mechanisms to collect the data they need without OSHA's collecting 
electronically the Form 300 and 301 data. If state agencies determine 
that a detailed data collection system is best for their states, then 
they may pursue such a system in consultation with OSHA.
    OSHA acknowledges that systems to collect this volume of data would 
be costly for states to implement. Centralized collection might be more 
efficient and cost-effective than state-by-state collection, but OSHA 
has doubts about the usefulness of the data and concerns about the 
costs of collection as noted elsewhere in this preamble. States are 
empowered to do as OSHA has and weigh the substantial costs of 
collection against the likely utility of the data. OSHA also notes, in 
response to a comment that some states have more limited surveillance 
capacity than others (Document ID 1965-A1, p. 57),

[[Page 395]]

that those states will have access to the summary data collected by 
OSHA, and that OSHA itself must appropriately allocate its resources 
for surveillance to best serve OSHA's mission of protecting all 
workers. States are empowered to share the data gathered at the state 
level at their discretion and consistent with any applicable laws. In 
promulgating this rule, OSHA erects no barrier to communication among 
state agencies.

B. New Requirement To Include Employer Identification Number With 
Injury and Illness Data Submitted to OSHA Electronically Under 29 CFR 
1904.41

    The NPRM included a provision that would require covered employers 
to submit their Employer Identification Number (EIN) electronically 
along with their injury and illness data submission in the proposed 
rule. (83 FR at 36494). OSHA explained that it had limited the proposed 
data collection in its 2013 NPRM (78 FR 67254) to Improve Tracking of 
Workplace Injuries and Illnesses to records that employers were already 
required to collect under part 1904. Accordingly, the May 2016 final 
rule only required the electronic submission of such records. These 
records do not include the employer's EIN.
    After collecting and analyzing the first year of data (i.e., 
Calendar Year 2016 Form 300A data), however, OSHA and BLS realized that 
collecting EINs could help the agencies make full use of the data 
collected. The proposed EIN submission requirement grew out of that 
realization. As the agency explained in the proposal, this change could 
have a number of benefits. (83 FR at 36499-500). For example, OSHA 
posited that collecting EINs would increase the likelihood that BLS 
would be able to match data collected by OSHA under the electronic 
reporting requirements in 29 CFR part 1904 to data collected by BLS for 
the Survey of Occupational Injury and Illnesses (SOII). The ability to 
accurately match the data is critical for evaluating how BLS might use 
OSHA-collected data to supplement the SOII, which in turn would enhance 
the ability of OSHA and other users of the SOII data to identify 
occupational injury and illness trends and emerging issues. 
Furthermore, the ability of BLS to match the OSHA-collected data also 
has the potential to reduce the burden on employers who are required to 
report injury and illness data both to OSHA (for the electronic 
recordkeeping requirements in part 1904) and to BLS (for the SOII).\7\
---------------------------------------------------------------------------

    \7\ As OSHA explained in the NPRM, the SOII is an establishment 
survey and is a comprehensive source of national estimates of 
nonfatal injuries and illnesses that occur in the workplace. (83 FR 
at 36499). The survey collects data on non-fatal injuries and 
illnesses for each calendar year from a sample of employers based on 
recordable injuries and illnesses as defined by OSHA in 29 CFR part 
1904. (83 FR at 36499). Using data from the survey, BLS estimates 
annual counts and rates by industry and state for workers in private 
industry and state and local government. (83 FR at 36499-500). In 
addition, the SOII provides details about the most severe injuries 
and illnesses (those involving days away from work), including 
characteristics of the workers involved and details of the 
circumstances surrounding the incident, using data collected on 
Forms 300A and 301 from the sampled establishments. (83 FR at 36500 
(citing BLS Handbook of Methods: https://www.bls.gov/opub/hom/soii/home.htm)).
---------------------------------------------------------------------------

    OSHA also noted in the proposal that without the EIN, there is no 
methodological approach to match completely the establishments that 
submit data through both OSHA's collection of injury and illness data 
under Sec.  1904.41 and the BLS data collection for the SOII. BLS 
cannot provide its collected data to OSHA because the Confidential 
Information Protection and Statistical Efficiency Act of 2002 (Pub. L. 
107-347, 116 Stat. 2899 (2002)) prohibits BLS from releasing 
establishment-specific data to either OSHA or the general public. (83 
FR at 36500). Although OSHA can provide the data it collects to BLS, 
without the EIN it is very difficult to match the establishments in 
OSHA's data collection to the establishments in BLS's data collection. 
Not having the EIN increases the resources necessary to match the data 
and reduces the accuracy of the match.
    OSHA further explained its preliminary determination that including 
the EIN in the electronic reporting to OSHA would improve BLS's ability 
to match accurately the OSHA-collected data with the SOII data. (83 FR 
at 36500). OSHA suggested that, after evaluation of the accuracy of the 
data matching, it might be possible for BLS to use the OSHA-collected 
data to generate occupational injuries and illnesses estimates, 
reducing burden on employers by decreasing duplicative reporting. If 
the EIN is not collected and the data from the two sources cannot be 
accurately matched, reducing this burden becomes nearly impossible.
    Finally, OSHA suggested that including the EIN as part of 
electronic reporting could improve the quality and utility of the 
collected data. (83 FR at 36500). For example, OSHA noted that it could 
use the EIN to identify errors such as multiple submissions of data 
from the same establishment and to link multiple years of data 
submissions from the same establishment. (83 FR at 36500). The agency 
also observed that the EIN could be used to match against other 
databases that contain this identifier to add additional 
characteristics to the data. (83 FR at 36500). For example, OSHA 
routinely collects the employer's EIN during an inspection and enters 
the EIN into the OSHA Information System (OIS). OSHA noted in the 
proposal that Form 300A submissions with an EIN could be linked to the 
OIS to identify the previous enforcement history of the establishment 
when the inspection records contain the EIN. (83 FR at 36500).
    In the proposal, OSHA also noted that EINs do not have the same 
level of protection as Social Security numbers. (83 FR at 36500). In 
fact, many employers' EINs are available in a variety of public 
sources, including filings with the U.S. Securities and Exchange 
Commission, the Federal Communications Commission's Commission 
Registration System, and the DOL's Employee Benefits Security 
Administration. (83 FR at 36500). Businesses also have to share EINs 
with contractors and clients for tax reporting, such as filing an IRS 
Form 1099. (83 FR at 36500). As a result, OSHA explained, the 
Department has not generally withheld EINs from disclosure. (83 FR at 
36500).
    OSHA asked stakeholders to comment on its proposal to add the EIN 
submission requirement generally. (83 FR at 36499). The agency also 
specifically invited public comment on the advantages and disadvantages 
of requiring employer submission of EINs and on whether employers 
required to electronically report information to OSHA under part 1904 
would consider the EIN to be exempt from disclosure, either as 
confidential business information or for another reason. (83 FR at 
36500). In addition, OSHA asked if there were any circumstances where 
the EIN would be considered PII and whether there were privacy concerns 
that might arise from employers submitting their EIN. (83 FR at 36500).
    Commenters submitted a number of comments in response to OSHA's 
request. These comments generally fall into three categories: (1) 
Comments related to the benefits of collecting EINs, (2) comments 
focusing on whether an employer's EIN is commercially confidential or 
sensitive, and (3) comments suggesting alternatives to the agency's 
proposal that might achieve the agency's goal of reducing respondent 
burden and increasing the utility of the data collected, without the 
submission

[[Page 396]]

of EINs. Each of these issues, commenters' submissions, and the 
agency's final determinations are laid out in more detail below.
Benefits of Collecting the EIN
    As discussed above, OSHA preliminarily determined that collecting 
EINs would have a number of benefits, including streamlining reporting 
for employers who are required to report injury and illness data both 
to OSHA and BLS, improving the agencies' ability to match their data, 
and improving the quality and utility of the collected data. (83 FR at 
36499-500). OSHA received many comments on the benefits of collecting 
the EIN.
    Many commenters agreed with OSHA that collection of the EIN would 
enhance the utility of the data and therefore improve worker safety and 
health. (E.g., Document ID 2012-A1, p. 15). Several commenters provided 
specific examples of how the EIN can be used by OSHA for research 
purposes, such as identifying employers with patterns of injuries 
(E.g., Document ID 2015-A1, p. 7) and matching against other databases 
that contain the EIN to add characteristics to the data. (E.g., 
Document ID 2003-A2, p. 7). Several commenters also noted that using 
the EIN to enhance research is consistent with recommendations from the 
NAS Report. (E.g., Document ID 2003-A2, p. 7). Still other commenters 
observed that collecting EINs would allow OSHA to improve the quality 
and utility of the data collected, and provided many examples of the 
benefits associated with having this data element. (E.g., Document ID 
2088-A1, p. 14; 2012-A1, p. 15; 2003-A2, p. 7). For example, some 
commenters noted that adding the EIN would enhance the value of the 
data for enforcement and compliance assistance by allowing OSHA to 
identify the relationship between establishments rather than having to 
rely on company names that can be similar across different businesses. 
(E.g., Document ID 2007-A1, pp. 8-9; 2012-A1, p. 15; 2074-A1, p. 5).
    Many commenters also agreed with OSHA that collecting the EIN along 
with data submissions under part 1904 could potentially reduce 
duplicative reporting for employers that are also required to submit 
data both to BLS under the SOII. (E.g., Document ID 2088-A1, p. 14; 
2036-A1, p. 8). Several commenters noted that using the EIN to reduce 
duplication of burden is consistent with the NAS report. (E.g., 
Document ID 2085-A1, p. 20).
    Other commenters, however, disagreed, observing that there 
``appears to be little value to OSHA gained in collecting the EIN.'' 
(Document ID 2084-A2, p. 5).
    After carefully reviewing all the comments submitted on this 
subject, OSHA finds that collection of the EIN will result in the 
benefits detailed by commenters. Having this common identifier will 
help OSHA understand exactly which establishment the Form 300A data 
represents, link establishments between databases, and track data over 
time. The difficulties involved in matching and tracking establishments 
by name and address introduce uncertainty which in turn reduces the 
utility of the data collected. A numerical identifier that is common 
over time and between databases eliminates these uncertainties. 
Collecting the EIN is also an essential first step towards eliminating 
duplicative reporting to OSHA and BLS in the future. In short, 
collection and use of the EIN presents the most practical and efficient 
solution for matching and linking the BLS and OSHA data sets and at the 
same time increases the utility and accuracy of the data within OSHA's 
data set.
Sensitivity of the EIN
    Although nearly all of the commenters who opined on the potential 
benefits of collecting the EIN agreed with OSHA that the collection 
would be beneficial, a number of commenters argued that any benefits to 
OSHA in collecting the EIN were outweighed by the risks if the EIN is 
publicly disclosed. (Document ID 2064-A1, p. 2). For example, some 
commenters expressed concern about the commercial sensitivity of the 
EIN and the potential for fraud. (E.g., Document ID 2057-A1, p. 5). 
Some commenters maintained that the EIN was confidential business 
information comparable to a Social Security number. (E.g., Document ID 
2041-A1, p. 2; 2066-A1, p. 2). One commenter stated that it did not 
object to OSHA's proposal to include EINs with Form 300A filings, 
provided that OSHA maintains this information as confidential. 
(Document ID 2049-A1, p. 2).
    Others, though not claiming that the EIN was confidential 
commercial information, nonetheless asserted that collecting the EIN 
could harm businesses and that such harm outweighed any benefits of 
collection. (E.g., Document ID 2084-A2, p. 5; 2039-A1, p. 3). For 
example, one commenter asserted that employers are concerned about 
making EINs more widely available through FOIA requests ``given the 
high potential for fraud. For example, a 2013 audit by the U.S. 
Department of the Treasury identified 767,071 corporate tax returns 
with potentially fraudulent refunds totaling almost $2.3 billion due to 
stolen and falsely obtained EINs.'' (Document ID 2057-A1, p. 5). 
Commenters also stated that the risk of bad actors causing 
``irreparable harm'' through malicious use of the EIN ``far outweighs 
the issues involved in duplicative reporting.'' (Document ID 2039-A1, 
p. 3; see also Document ID 2084-A2, p. 5; 2064-A1, p. 2).
    Other commenters conceded that the EIN was not commercially 
confidential and did not oppose OSHA's proposal to collect the EIN with 
injury and illness data. (E.g., Document ID 2036-A1, p. 8; 2070-A1, p. 
17). For example, Mark Dreux of the Corn Refiners Association (CRA) 
stated: ``Because employers are required to disclose their EINs in many 
different contexts . . . CRA's members do not consider it to be 
confidential or proprietary business information.'' (Document ID 2036-
A1, p. 8). Consequently, CRA indicated that its members did not have 
any concerns with the proposed requirement to submit EINs in 
conjunction with injury and illness data to facilitate the exchange of 
data between OSHA and BLS. (Document ID 2036-A1, p. 8). In fact, CRA's 
members agreed with OSHA that ``the submission of employers' EINs will 
simplify and avoid duplicative reporting of information between the two 
agencies.'' (Document ID 2036-A1, p. 8; see also Document ID 2070-A1, 
p. 17). Other employers simply noted that they did not object to 
collection of EINs. (E.g., Document ID 1930-A1, p. 5). There were no 
comments that claimed the EIN is Personally Identifiable Information 
(PII). Several commenters specifically stated that it is not PII. 
(E.g., Document ID 1969; 2070-A1, p. 17).
    After reviewing these comments, OSHA concludes that the EIN is not 
confidential commercial information, nor is it too sensitive to collect 
with injury and illness data. The EIN is a government-issued number 
(thus, not commercial), and as discussed above, many commenters 
conceded that EINs are routinely made public (thus, not confidential). 
Many companies must include their EINs on public filings or in filings 
that are later disclosed in response to FOIA requests. (See 83 FR at 
36500). For these reasons, OSHA has determined the EIN is not too 
sensitive to collect given the possibility of release to the public 
under FOIA.
    OSHA also reviewed the Treasury Inspector General for Tax 
Administration's 2013 report, Stolen and Falsely Obtained Employer 
Identification Numbers Are Used to Report False Income and Withholding,

[[Page 397]]

referenced in a comment (see Document ID 2057-A1, p. 5). The report 
does not indicate any harm done to the legitimate business owners of 
the stolen EINs. While the report shows that tax fraud involving 
misused EINs exists, it does not provide any indication that collection 
of the EIN by OSHA would put employers at increased risk or exacerbate 
the problem of false tax returns. OSHA does not agree that the findings 
of this report are relevant to the agency's collection of the EIN with 
injury and illness data.
Alternative Proposals and Miscellaneous Issues
    Several commenters encouraged OSHA to seek and use alternative 
methods to achieve the goal of reducing respondent burden and 
increasing the utility of the data collected without collecting the 
EIN, such as exploring technological approaches to resolve the 
duplication issue (Document ID 2039-A1, p. 3), and others suggested 
that OSHA should not need the EIN ``to determine whether it has correct 
information when comparing it with [BLS].'' (Document ID 2073-A1, p. 
2). One commenters suggested that OSHA should delay collection of the 
EIN ``unless there is relative certainty that the data can and will be 
used for its intended purpose.'' (Document ID 2019-A1, p. 8).
    OSHA agrees that further collaboration with BLS to identify methods 
for reducing respondent burden is vital. Collection and use of the EIN 
presents the most practical and efficient solution for matching and 
linking the two agencies' separate data sets at this time. OSHA does 
not agree that a delay in the collection is warranted. The benefits of 
having these data are clear, as discussed above. Any delay in the 
collection of the EIN would delay the reduction in respondent burden 
and increased utility of the Form 300A data collected.
    The final rule requires employers to provide the EIN of their 
establishments when submitting their injury and illness data. As 
discussed above, evidence in the docket shows the EIN is a widely 
available public record. Employers routinely made their EIN available 
to both government and private entities, and OSHA already collects and 
stores EINs in its inspection records. OSHA concludes the collection 
and storage of the EINs through the ITA will pose minimal adverse 
effects to establishments that provide these data. At the same time, 
OSHA concludes the benefits of collecting these data are substantial. 
Having the EIN will increase the utility of the data by both BLS and 
OSHA and may reduce the burden on employers that are required to 
respond to both the BLS and OSHA data collections. OSHA will continue 
to collaborate with BLS to identify technological approaches to reduce 
respondent burden, including exploring changes to both data collection 
systems and real-time sharing of OSHA data with BLS.
Compliance Dates
    The requirement to include the EIN for each establishment 
submitting injury and illness data under 29 CFR 1904.41 will become 
effective on February 25, 2019. The compliance date for this provision 
is March 2, 2020. The EIN will therefore be required for covered 
establishments submitting their 300A data from 2019, but not for 
covered establishments submitting their 300A data from 2018, which have 
to be submitted by March 2, 2019.

IV. Final Economic Analysis and Regulatory Flexibility Certification

A. Introduction

    Executive Orders 12866 and 13563 require that OSHA estimate the 
benefits, costs, and net benefits of proposed and final regulations. 
Executive Orders 12866 and 13563, the Regulatory Flexibility Act (5 
U.S.C. 601-612) and the Unfunded Mandates Reform Act (UMRA) (2 U.S.C. 
1501-1571) also require OSHA to estimate the costs, assess the 
benefits, and analyze the impacts of certain rules that the agency 
promulgates. Executive Orders 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety, and other effects; distributive impacts; and 
equity). Executive Order 13563 emphasizes the importance of quantifying 
both costs and benefits, reducing costs, harmonizing rules, and 
promoting flexibility.
    In its preliminary economic analysis (PEA) in the proposal, OSHA 
estimated that this rule would have net cost savings of $8.28 million 
per year at a 3 percent discount rate, including $8.23 million per year 
for the private sector and $52,754 per year for the government. 
Annualized at a 7 percent discount rate, OSHA estimated that the 
proposed rule would have net cost savings of $8.25 million per year, 
including $8.18 million per year for the private sector and $64,070 per 
year for the government. Annualized at a perpetual 7 percent discount 
rate, the estimate rose to net cost savings of $8.35 million per year. 
The agency stated its belief that the electronic collection of 
information in the Forms 300 and 301 poses risks to worker privacy and 
additional cost to employers and OSHA that outweigh the uncertain 
enforcement benefits of collecting that information. (83 FR at 36501).
    In this final economic analysis, OSHA estimates that the rule would 
have net cost savings of $15.9 million per year at a 3 percent discount 
rate, including $8.4 million per year for the private sector and $7.5 
million per year for the government. Annualized at a 7 percent discount 
rate, the rule would have net cost savings of $15.86 million per year, 
including $8.37 million per year for the private sector and $7.5 
million per year for the government. Annualized at a perpetual 7 
percent discount rate, the rule would have net cost savings of 
$16million per year. The agency has determined that the rescission of 
the requirement to submit electronically the Forms 300 and 301 data 
will benefit worker privacy by preventing routine government collection 
of information that may be quite sensitive, including descriptions of 
workers' injuries and the body parts affected. OSHA has determined 
that, at this time, avoiding this risk to worker privacy outweighs the 
uncertain incremental benefits to enforcement gained from 
electronically collecting the data. In addition, the rule will allow 
OSHA to focus its resources on the collection of 300A data and the data 
provided through the new serious injury and illness reporting system.
    OSHA finds that the new requirement for establishments to submit 
their EIN will help both OSHA and BLS make full use of the data the 
agencies collect. Collecting the EIN is helpful to understanding 
exactly which establishment the Form 300A data represents, linking 
establishments between databases, and tracking data over time. The 
difficulties involved in matching and tracking establishments by name 
and address introduce uncertainty, which in turn reduces the utility of 
the data collected. A numerical identifier that is common over time and 
between databases eliminates these uncertainties. Collecting the EIN is 
also a positive first step towards eliminating duplicative reporting to 
OSHA and BLS in the future. In short, OSHA concludes that collection of 
the EIN presents the most practical and efficient solution for matching 
and linking the BLS and OSHA data sets and at the same time increases 
the quality and utility of the collected data.
    The final rule is not an ``economically significant regulatory 
action'' under E.O.

[[Page 398]]

12866 or UMRA (2 U.S.C. 1532(a)), and it is not a ``major rule'' under 
the Congressional Review Act (CRA) (5 U.S.C. 801 et seq.). The agency 
estimates that the rulemaking imposes far less than $100 million in 
annual economic costs. In addition, it does not meet any of the other 
criteria specified by UMRA or CRA for a significant regulatory action 
or major rule. The final rule is a deregulatory action under Executive 
Order 13771 (82 FR 9339 (January 30, 2017)).
    The final rule will make two changes to the existing recording and 
reporting requirements in part 1904. First, OSHA will eliminate the 
requirement for establishments that are required to keep injury and 
illness records under part 1904, and that had 250 or more employees in 
the previous year, to electronically submit information from OSHA 
recordkeeping Forms 300 and 301 to OSHA or OSHA's designee, on an 
annual basis. Second, OSHA will require covered employers to submit 
their EIN electronically along with other injury and illness data they 
are required to submit to OSHA. These changes in existing requirements 
are identical to those included in the proposal. The final rule does 
not make any other changes to an employer's obligations regarding 
injury and illness records.
    In the subsections below, OSHA will first examine the cost savings, 
costs, net cost savings, and benefits of the activities outlined above, 
including a discussion of the comments submitted on these topics. The 
agency will then turn to its economic feasibility finding and its 
certification under the Regulatory Flexibility Act.

B. Cost Savings

    As discussed in more detail below, OSHA preliminarily estimated 
that the proposed elimination of the requirement that establishments 
with 250 or more employees submit information electronically from their 
OSHA Forms 300 and 301 would result in cost savings to employers and to 
the government. (See 83 FR at 36501-02). Numerous commenters responded 
that businesses are already required to keep these data and that 
reporting the data to OSHA was not a costly additional requirement. 
(E.g., Document ID 1943; 1945; 1947; 2077-A1, p. 2). One commenter 
stated that making the data from Forms 300 and 301 available ``is a 
reasonable cost of doing business.'' (Document ID 1942). None of these 
comments challenged OSHA's specific cost estimates; rather, they simply 
asserted that the costs were not substantial. OSHA's estimate of the 
cost savings to employers from eliminating the requirement to submit 
the data from Forms 300 and 301 is consistent with OSHA's finding in 
2016 regarding the incremental cost of submitting these data. And, as 
detailed earlier in this preamble, even though any related costs may be 
minor for larger employers, OSHA has decided to rescind the requirement 
to submit the data from Forms 300 and 301 primarily to protect 
sensitive worker information from the risk of public disclosure, and to 
focus its resources on fully utilizing the 300A data and severe injury 
reports OSHA already collects rather than diverting resources from 
those efforts given the uncertain extent of any incremental benefits 
the 300 and 301 data would have for OSHA's enforcement and outreach 
activities.
    For the PEA, OSHA relied on the Final Economic Analysis (FEA) in 
the May 2016 final rule (see 81 FR at 29674-87), updated to include 
more recent data and some modifications in OSHA's methodology. OSHA 
obtained the estimated cost of electronic data submission by 
multiplying the compensation per hour of the person expected to perform 
the task of electronic data submission by the time required to submit 
the data. (83 FR at 36501).
    In the PEA, as in the 2016 FEA, OSHA selected an employee in the 
occupation of Industrial Health and Safety Specialist as being at the 
appropriate salary level. The agency stated that the mean hourly wage 
for Standard Occupational Classification (SOC) code 29-9011, Industrial 
Health and Safety Specialists, in the May 2016 data from the BLS 
Occupational Employment Survey (OES), was $34.85. However, OSHA 
recognized that not all firms assign the responsibility for 
recordkeeping to an Industrial Health and Safety Specialist. For 
example, a smaller firm may use a bookkeeper or a plant manager, while 
a larger firm may use a higher-level specialist. Therefore, OSHA asked 
for comment on whether Industrial Health and Safety Specialist is the 
appropriate salary level for the employee performing this task. (83 FR 
at 36501).
    OSHA did not receive any comments on this question; nor did 
commenters object to the mean hourly rate used in the PEA. Therefore, 
OSHA finds that Industrial Health and Safety Specialist is the 
appropriate salary level. The updated mean hourly rate for this 
position, per the May 2017 OES data, is $35.38.\8\ OSHA notes that this 
is the raw wage and does not include the other fringe benefits that 
make up full hourly compensation or overhead costs calculated in this 
analysis.
---------------------------------------------------------------------------

    \8\ See https://www.bls.gov/oes/current/oes299011.htm.
---------------------------------------------------------------------------

    In the PEA, OSHA multiplied the mean hourly wage for Industrial 
Health and Safety Specialist ($34.85) by the applicable mean fringe 
benefit factor for workers in private industry as reported in the June 
2017 data from the BLS National Compensation Survey (1.44) to obtain 
the estimated total compensation (wages and benefits) of $50.18 per 
hour. (83 FR at 36501).
    OSHA did not receive any comments on this point. Therefore, OSHA is 
retaining the estimate, with updates based on the June 2018 data from 
the BLS National Compensation Survey.\9\ The Survey again reported a 
mean fringe benefit factor of 1.44 for workers in private industry. 
Multiplying the mean fringe benefit factor by the updated hourly wage 
of $35.38 produces an estimated total compensation of $50.95 (an 
increase of 1.5 percent from the PEA, due to the increase in the mean 
hourly wage). OSHA believes that the calculated cost of $50.95 per hour 
is a reasonable estimated total hourly compensation for a typical 
record keeper.
---------------------------------------------------------------------------

    \9\ See https://www.bls.gov/news.release/ecec.nr0.htm.
---------------------------------------------------------------------------

    As noted in the PEA, overhead costs are indirect expenses that 
cannot be tied to producing a specific product or service. Common 
examples include rent, utilities, and office equipment. Unfortunately, 
there is no general consensus on the cost elements that fit this 
definition. The lack of a common definition has led to a wide range of 
overhead estimates. Consequently, the treatment of overhead costs needs 
to be case-specific. For the PEA, OSHA adopted an overhead rate of 17 
percent of base wages. OSHA explained that the 17 percent rate was 
consistent with the overhead rate used for sensitivity analyses in the 
FEA in support of the 2017 final rule delaying the deadline for 
submission of 300A data (82 FR 55761) and the FEA in support of OSHA's 
2016 final standard on Occupational Exposure to Respirable Crystalline 
Silica.\10\ (83 FR at 36501).
---------------------------------------------------------------------------

    \10\ See the sensitivity analyses in the Improved Tracking FEA 
(https://www.gpo.gov/fdsys/pkg/FR-2017-11-24/pdf/2017-25392.pdf, 
page 55765) and the FEA in support of OSHA's 2016 final standard on 
Occupational Exposure to Respirable Crystalline Silica (81 FR 16285) 
(https://www.gpo.gov/fdsys/pkg/FR-2016-03-25/pdf/2016-04800.pdf 
pp.16488-16492.). The methodology was modeled after an approach used 
by the Environmental Protection Agency. More information on this 
approach can be found at: U.S. Environmental Protection Agency, 
``Wage Rates for Economic Analyses of the Toxics Release Inventory 
Program,'' June 10, 2002 (Ex. 2066). This analysis itself was based 
on a survey of several large chemical manufacturing plants: Heiden 
Associates, Final Report: A Study of Industry Compliance Costs Under 
the Final Comprehensive Assessment Information Rule, Prepared for 
the Chemical Manufacturers Association, December 14, 1989, Ex. 2065.

---------------------------------------------------------------------------

[[Page 399]]

    To calculate the total labor cost for an Industrial Health and 
Safety Specialist, Standard Occupational Classification (SOC) code 29-
9011 for the PEA, OSHA added three components together: Base wage 
($34.85) + fringe benefits ($15.33, derived as 44% of $34.85) + 
applicable overhead costs ($5.92, derived as 17% of $34.85). This 
increased the labor cost of the fully-loaded hourly wage for an 
Industrial Health and Safety Specialist to $56.10. (83 FR at 36501).
    OSHA did not receive any comments concerning its use of overhead or 
the calculations to add an overhead charge to the loaded wage rate. 
Therefore, for the FEA, OSHA has calculated the total labor cost for an 
Industrial Health and Safety Specialist, Standard Occupational 
Classification (SOC) code 29-9011, using the same method. The three 
components are added together: Base wage ($35.38) + fringe benefits 
($15.57, derived as 44% of $35.38) + applicable overhead costs ($6.01, 
derived as 17% of $35.38). This increases the labor cost of the fully-
loaded hourly wage for an Industrial Health and Safety Specialist to 
$56.96. OSHA considers this to be a reasonable estimate of total labor 
costs.
    To estimate the time required for the data submission in the PEA, 
OSHA used the same estimated unit time requirements as reported by BLS 
in its paperwork burden analysis for the Survey of Occupational 
Injuries and Illnesses (SOII) (OMB Control Number 1220-0045). BLS 
estimated 10 minutes per recordable injury/illness case for electronic 
submission of the information on Form 300 (Log of Work-Related Injuries 
and Illnesses) and Form 301 (Injury and Illness Incident Report). OSHA 
also noted that, in the 2016 FEA, the agency estimated 2 minutes more 
time than the BLS paperwork burden, for a total of 12 minutes per 
recordable case (10 minutes per case for Form 301 entries plus 2 
minutes per case for entry of Form 300 log entries), to account for the 
differences between BLS and OSHA submission requirements. (83 FR at 
36501-02).
    OSHA received two comments about its preliminary time and burden 
hour calculations. (Document ID 2012-A1, p. 12). The first commenter 
argued that OSHA's estimated establishment-specific costs of the 
electronic submission of data to OSHA are likely to be far higher than 
the actual costs to employers, since the PEA assumed that all the data 
will be entered manually for electronic submission. (Document ID 2012-
A1, p. 12). The commenter wrote that OSHA noted in the 2016 rule that 
establishments that already keep their records electronically may have 
lower submission times if they can export or transmit the required 
information rather than entering it into the web form. (Document ID 
2012-A1, p. 12) (quoting 81 FR 29690). The commenter asserted that OSHA 
ignored this potential decrease in burden hours in the PEA. (Document 
ID 2012-A1, p. 12).
    OSHA recognizes that many large establishments will already be 
keeping their records electronically and would likely have submitted 
their data electronically through a batch upload or other bulk 
electronic transmission, thus reducing the time that would have been 
needed to comply with the electronic reporting requirement and the 
corresponding cost estimate. The agency does not have precise 
information regarding the percentage of employers that fall into that 
category. Even if the percentage of those large employers is 
substantial, OSHA does not have, and commenters did not provide, data 
on the ease with which those employers could package this information 
and transmit it in the format required.\11\ Therefore, as in the 2016 
final rule, OSHA is retaining the time estimate that assumed manual 
data entry for electronic submission.
---------------------------------------------------------------------------

    \11\ To the extent some establishments may not have an internet 
connection on site, that could also increase the time burden and 
thus raise the cost estimate.
---------------------------------------------------------------------------

    In addition, to the extent that the commenter is arguing that the 
agency's omission of this fact from the PEA was an attempt to obscure a 
potential decrease in the proposal's estimated cost savings, OSHA notes 
that the statement regarding potential time savings was made in 
response to a comment submitted during the 2016 rulemaking--a comment 
that did not cause the agency to change its time estimate. Moreover, 
the agency was clear in the PEA that its methodology was based on the 
numbers in the 2016 rule. (See 83 FR 36501).
    The second commenter on this issue similarly argued that OSHA's 
cost estimate of 12 minutes per recordable case is based on the wrong 
data point. The commenter maintained that OSHA's preliminary cost 
analysis failed to disaggregate the time spent preparing Forms 300, 
300A, and 301 (which an employer must incur regardless of whether the 
form must be submitted to OSHA electronically) from the time spent 
electronically submitting Forms 300 and 301 to OSHA. The commenter 
argues that OSHA's cost estimate should be based only on the marginal 
time of electronic reporting itself. (Document ID 2033-A1, p. 6).
    OSHA agrees that the time estimate (and, thus, the cost savings 
estimate) should account only for the incremental time spent on each 
data submission--that is precisely why the agency calculated cost 
savings in that manner in the PEA and continues to do so in this FEA. 
(See 83 FR at 36501-02; see also 81 FR at 29676 (discussing the time 
needed to submit the Forms 300 and 301 data electronically). The cost 
of keeping records, including Forms 301, 301 and 300A were accounted 
for in previous OSHA final rules and ICRs. The 2016 rule imposed 
additional costs for electronic submission, and those were reported in 
that FEA. (See 81 FR at 29676). This current final rule removes only 
those newly imposed costs.
    Therefore, having considered all the comments in the record on this 
issue, OSHA continues to rely the time estimates from the PEA. OSHA 
believes that the original estimate of 12 minutes per recordable case 
is a reasonable average.
    In the proposal, OSHA estimated the number of injuries and 
illnesses that would have been reported by covered establishments with 
250 or more employees under the 2016 final rule (and, thus, the number 
that would no longer be required to be reported under the proposal). To 
do so, OSHA assumed that the total number of recordable cases in 
establishments with 250 or more employees was proportional to the 
establishments' share of employment within each industry.\12\ OSHA then 
used the most recent SOII data to estimate that, without the final 
rule, covered establishments with 250 or more employees would report 
775,210 injury and illness cases per year. The PEA thus estimated that 
cost per case at $11.22 (12/60 x $56.10), and the total cost at 
$8,699,173 ($11.22 per case x 775,210 cases).\13\ (83 FR at 36502).
---------------------------------------------------------------------------

    \12\ OSHA solicited comment on this assumption in the PEA but 
received none and so has retained this method for estimating total 
recordable cases for this FEA.
    \13\ Note that totals summarized in the text may not precisely 
sum from underlying elements due to rounding. The precise 
calculation of the numbers in the FEA appears in the spreadsheet in 
the rulemaking docket titled ``FEA calculations.''
---------------------------------------------------------------------------

    OSHA did not receive any comments on these estimates. OSHA 
continues to find the above methodology and estimates to be reasonable 
and has used them in the final rule, with updates based on the new wage 
rate and

[[Page 400]]

establishment totals.\14\ The final cost per case to report the 
information from Forms 300 and 301 is estimated at $11.39 (12/60 x 
$56.96), and the total cost is $8,829,642 ($11.39 per case x 775,210 
cases).\15\ Therefore, removing the requirement to submit the 
information from OSHA Forms 300 and 301 to OSHA electronically would 
result in a total cost savings to the private sector of $8,829,642.\16\
---------------------------------------------------------------------------

    \14\ This cost estimate was developed prior to the NPRM, and is 
subject to change based on subsequent developments to OSHA's ITA.
    \15\ In addition, note that the totals in Table 1 of this 
section of the preamble and the totals summarized in the text may 
not precisely sum from underlying elements due to rounding. The 
precise calculation of the numbers in the FEA appears in the 
spreadsheet in the rulemaking docket titled ``FEA calculations.''
    \16\ Overall, the estimated cost savings to private industry of 
removing the requirement for electronic reporting of case data is 25 
percent greater than the 2016 estimated cost of promulgating the 
provision ($6,948,487). There are three reasons for this 25 percent 
increase: The number of establishments with more than 250 employees 
has grown, the mean hourly wage has increased, and OSHA is now 
including a 17 percent overhead estimate in the cost estimates.
---------------------------------------------------------------------------

    As noted in the PEA, the 2016 FEA included government costs for the 
rule because creating a reporting and data collection system was a 
significant fraction of the total costs of the regulation. OSHA 
estimated that not collecting the case-specific data from OSHA Forms 
300 and 301 would generate a small additional cost savings for the 
government because that portion of the reporting and data collection 
system has not yet been created and would not have to be created under 
this final rule. OSHA estimated a lump sum savings from not creating 
the software to collect the data from Forms 300 and 301 to be $450,000. 
OSHA did not receive any comments about the cost to the government of 
creating software to collect the data from Forms 300 and 301 and finds 
that the original estimates are reasonable in light of overall costs 
expected, so in the FEA OSHA will retain the estimate of $450,000. 
Annualized at 3 percent over 10 years, this would represent a savings 
to the government of $52,754 per year; annualized at 7 percent over 10 
years, the cost savings would be slightly higher: $64,070. This 
estimate underestimates costs to the government of having a system for 
collection of this data. It includes the costs of software development, 
but it does not include other administrative costs, or the analysis 
that would be needed in order to use the data received by the system 
for enforcement purposes.
    A significant source of costs that was identified during the 
preparation of this economic analysis is the anticipated costs of 
attempting to remove PII and information that enables re-identification 
of individuals from data that would have been collected under the 2016 
final rule. This cost was not considered in the rulemaking preceding 
the 2016 final rule because OSHA anticipated using software for this 
purpose. As explained above, a court could require OSHA to release the 
data as a result of a FOIA request. This risk is not insignificant--in 
a recent decision, subsequent to publication of the NPRM for this rule, 
in a lawsuit seeking to order OSHA to enforce the requirement for 
covered employers to submit their Form 300 and 301 data from 2017 to 
OSHA electronically, the court concluded that OSHA would likely be 
required to release a significant portion of the data to the plaintiffs 
under FOIA despite OSHA's concerns about employee privacy. See Public 
Citizen Health Research Group v. Acosta, No. 18-1729, slip op. at 9 
(D.D.C. Dec. 12, 2018). The court reasoned that, if some records 
present a meaningful possibility of re-identification, OSHA could 
redact any sensitive information ``on a case by case basis.'' Id. If 
the Form 300 and 301 data were to be released, OSHA would need to 
manually review the data to be released--from approximately 775,000 
cases annually--to remove PII and other information that could allow 
re-identification of ill or injured workers. This review would be 
necessary because, as noted above, software cannot guarantee full 
scrubbing of PII and has no ability to judge re-identifiable 
information. OSHA has therefore added annual costs for case-by-case 
review.
    As noted above, OSHA estimates, based on the time it has taken OSHA 
staff to review and remove personal information from other OSHA data, 
that case-by-case review would require two levels of review. OSHA 
anticipates that the first level review would be done by a GS-12, Step 
5 Analyst (on the Washington, DC locality GS pay scale) and that 
analyst's work would be reviewed by a GS-14, Step 5 Supervisor (also on 
the Washington, DC locality pay scale).
    The government hourly labor costs for the work of these employees 
were calculated in the following manner. Federal GS-12, Step 5 Analysts 
would conduct most of the review work. The fully-loaded hourly wage of 
a GS-12, Step 5 Analyst is calculated by taking the annual salary, 
dividing by the requisite 2087 hours worked per year, adding a fringe 
benefit factor of 1.6, and finally adding a 17 percent overhead charge. 
Using that formula, the fully-loaded hourly wage rate of a GS-12, Step 
5 Analyst is $78.38 (annual salary of $92,421/2087 hours = base wage of 
$44.28 x 1.6 + $44.28 x .17 = $78.38). A GS-14, Step 5 Supervisor would 
review the review work. Using the same formula, the fully-loaded hourly 
wage rate of the supervisor is $110.14 (annual salary of $129,869/2087 
hours = base wage of $62.23 x 1.6 + $62.23 x .17 = $110.14).
    The cost calculation for manually reviewing Form 300 and 301 data, 
and removing any PII and other information that could allow re-
identification of ill or injured workers, is as follows. OSHA is 
estimating that the first level review by the GS-12, Step 5 Analyst 
would take, on average, six minutes per record to review the record and 
redact any PII and other information that could allow re-identification 
of ill or injured workers. The agency is also estimating that all 
records would need to be reviewed. The first level review would have an 
estimated total annual cost of $6,076,323 (775,210 records x 6 minutes 
per record x 1 hour per 60 minutes x $78.38 per hour). The second level 
review completed by the GS-14, Step 5 Supervisor is estimated to take, 
on average, one minute per record and, again, all records would need to 
undergo this second level review. The supervisor review of the first-
level review has an estimated total annual cost of $1,423,064 (775,210 
records x 1 minute per record x 1 hour per 60 minutes x $110.14). The 
total labor cost to review and remove PII by examination of each record 
is estimated to be $7,499,387 ($6,076,323 + $1,423,064) annually.
    OSHA notes that these numbers are broadly consistent with the 
annual costs of MSHA's data collection and publication program (from 
the MSHA ICR Supporting Statement, https://www.reginfo.gov/public/do/DownloadDocument?objectID=76285301).

C. New Costs (From the EIN Collection)

    In the PEA, OSHA also estimated the potential new costs of amending 
the recordkeeping regulation to require covered employers to submit 
their EINs electronically along with their injury and illness data 
submission. The agency anticipated that some employees given this task 
would already know their employer's EIN from their other duties, but 
others would need to spend some time finding out this information. OSHA 
estimated an average of 5 minutes for an employee to find out his or 
her employer's EIN and to enter it on the submission form. Therefore, 
OSHA

[[Page 401]]

estimated that the unit cost for a submission would be the loaded wage 
of the employee who submitted the information multiplied by his or her 
time plus overhead, or $4.68 [(5/60) x $56.10]. (83 FR at 36502).
    OSHA did not receive any comments on this estimate, and the agency 
has determined that the preliminary estimate was reasonable. Therefore, 
OSHA has retained the 5 minute estimate in this FEA. The updated unit 
cost for a submission would be the wage of the employee who submitted 
the information multiplied by his or her time plus overhead, or $4.75 
[(5/60) x $56.96].
    In the PEA, OSHA explained that the currently-implemented 
electronic reporting system is already designed to retain information 
about each establishment based on the login information, including the 
EIN. Therefore, employers would only have to provide OSHA their EIN 
once, so this would not be a recurring cost. However, it would be an 
additional one-time cost for employers who are newly reporting data 
because, for example, the establishment is new or the employer newly 
reached the reporting threshold for employment size. OSHA estimated 
that each year there will be about 10.15 percent more establishments 
that will be required to report their EIN. OSHA derived the 10.15 
percent figure from the U.S. Census Bureau's Statistics of U.S. 
Businesses (SUSB), specifically the employment change data set,\17\ 
which shows the increase in U.S. business establishments from 2014 to 
2015. In 2015, there were 689,819 new establishments, out of a total of 
6,795,201 establishments. Dividing the first figure by the second gives 
a change of about 10.15 percent. (83 FR at 36502). There were no 
comments criticizing OSHA's use of the SUSB data or the methodology to 
estimate the number of new reporting establishments each year, and OSHA 
continues to find the above methodology and estimates to be reasonable. 
Therefore, OSHA is retaining these estimates for the FEA.
---------------------------------------------------------------------------

    \17\ See https://www2.census.gov/programssurveys/susb/datasets/2015/us_state_emplchange_2014-2015.txt.
---------------------------------------------------------------------------

    In the PEA, OSHA estimated costs for covered establishments to 
provide their EINs, using establishment and employment data from the 
U.S. Census County Business Patterns (CBP).\18\ The three categories of 
included establishments included in the CBP data are: (1) All 
establishments with 250 or more employees in industries that are 
required to routinely keep OSHA injury and illness records, (2) 
establishments with 20-249 employees in certain high-hazard industries, 
as defined in the Appendix to the May 2016 final rule, and (3) farms 
and ranches with 20 or more employees. CBP data do not include numbers 
of farms and ranches with 20 or more employees, so in the May 2016 
final rule, OSHA used data from the 2012 Census of Agriculture. Updated 
data from the 2017 Census of Agriculture were not available for the 
PEA, so the PEA used the 2012 count of 20,623 farms with 20 or more 
employees. CBP data also showed that there were 36,903 establishments 
with 250 or more employees in industries required to routinely keep 
records and 405,666 establishments with 20-249 employees in the 
designated high-hazard industries. Combining these figures with 20,623 
farms and ranches results in a total of 463,192 establishments that 
would be required to submit an EIN under the proposed rule. With a cost 
per establishment of $4.68, the total first year cost of providing EINs 
would be $2,165,751 (463,192 x $4.68). The annualized cost over ten 
years at a 3 percent discount rate was $253,892, and at a 7 percent 
discount rate the cost was $308,354. (83 FR at 36502).
---------------------------------------------------------------------------

    \18\ For the CBP, see https://www.census.gov/programs-surveys/cbp.html.
---------------------------------------------------------------------------

    OSHA did not receive any comments on these estimates, and the 
agency has determined that the preliminary estimates were reasonable. 
Therefore, OSHA is retaining them (with the available updates) in the 
FEA. Because updated establishment data were not available, OSHA has 
retained the PEA estimate of 463,192 establishments that would be 
required to submit and EIN under the final rule. With a cost per 
establishment of $4.75, the updated total first year cost of providing 
EINs would be $2,200,162 (463,192 x $4.75).\19\ When this cost is 
annualized over ten years, the annualized cost at a 3 percent discount 
rate is $257,926 and at a 7 percent discount rate the cost is $313,254.
---------------------------------------------------------------------------

    \19\ In addition, note that the totals in Table 1 of this 
section of the preamble, as well as totals summarized in the text, 
may not precisely sum from underlying elements due to rounding. The 
precise calculation of the numbers in the FEA appears in the 
rulemaking docket in the spreadsheet titled ``FEA calculations.''
---------------------------------------------------------------------------

    As noted above, OSHA estimates that 463,192 establishments 
(including establishments with more than 250 employees, those with 20-
249 employees in certain NAICS codes, and farms with more than 20 
employees) will be subject to reporting their EIN in the first year 
under this rule. In the PEA, the agency explained that with 10.15 
percent new establishments each year, there would be an additional 
47,012 establishments each year that would newly need to report their 
EIN, resulting in an additional cost of $4.68 x 47,012 or $219,858. (83 
FR at 36502). OSHA did not receive any comments on the estimated 
additional costs for new establishments each year, and the agency has 
determined that this is a reasonable estimate. Therefore, the agency 
has retained these estimates in the final rule. The final cost for 
those establishments, using the updated unit cost for a submission 
($4.75), will be $4.75 x 47,012 or $223,307. As explained in the PEA, 
the cost for new establishments each year does not occur in the first 
year. (83 FR at 36502). Therefore, OSHA annualized 9 years of new 
establishment costs over ten years, which results in annualized costs 
of $216,608 at a discount rate of 3 percent and $207,676 at a 7 percent 
discount rate.
    OSHA noted in the PEA that the EIN data field is already included 
in the reporting system design, so the agency did not anticipate any 
additional government costs associated with submittal of the EIN. (83 
FR at 36502). Commenters did not object to this determination, and the 
agency has no reason to believe that any such costs will be incurred by 
the government. Therefore, OSHA is not accounting for any additional 
government costs associated with EIN submittal in the final rule.

D. Net Cost Savings

    OSHA presented its estimates of the cost savings associated with 
eliminating the Forms 300 and 301 electronic data submission 
requirements, the new costs associated with collecting the EIN, and the 
net total costs in Table 1 of the proposed rule. (83 FR at 36502-03). 
Commenters on the proposal did not submit any thoughts on these 
estimates. Therefore, OSHA has retained the estimates, with updates, as 
described above. The cost savings of the final rule, the new costs 
associated with collecting the EIN, and the net total cost savings are 
shown in Table 1. Combining the cost savings to the private sector and 
to the government, the estimated total annual cost savings from the 
final rule would be $16,383,000 at a 3 percent discount rate and 
$16,395,000 at 7 percent discount rate. The additional costs to the 
private sector from collection of the EIN are estimated to be $474,000 
at a 3 percent discount rate and $521,000 at 7 percent discount rate. 
The net cost savings for this rule to the private sector are estimated 
to be $8,410,000 at a 3 percent discount rate

[[Page 402]]

and $8,375,000 at 7 percent discount rate.

                  Table 1--Total Cost Savings and Total Additional Costs of the Final Rule \20\
----------------------------------------------------------------------------------------------------------------
                                                                                                FEA annual cost
              Cost savings element                         PEA annual cost savings               savings \21\
----------------------------------------------------------------------------------------------------------------
Cost savings for eliminating electronic          $8,699,173.................................          $8,831,000
 submission of part 1904 records by
 establishments with 250 or more employees
 (Total Private Sector Savings).
Total Government Software Cost Savings, 3        52,754.....................................              53,000
 percent discount rate over ten years.
Total Government Software Cost Savings, 7        64,070.....................................              64,000
 percent discount rate over ten years.
Total Annual Government PII Review Cost Savings  (*)........................................           7,499,000
Total Cost Savings per year, 3 percent discount  8,751,927..................................          16,383,000
 rate over ten years.
Total Cost Savings per year, 7 percent discount  8,763,243..................................          16,395,000
 rate over ten years.
----------------------------------------------------------------------------------------------------------------


 
         New costs from EIN collection                               Cost
----------------------------------------------------------------------------------------------------------------
First Year EIN Cost............................  2,165,751..................................           2,199,000
Annualized First Year Costs, 3 percent discount  253,892....................................             258,000
 rate over ten years.
Annualized First Year Costs, 7 percent discount  308,354....................................             313,000
 rate over ten years.
Subsequent Annual EIN Costs (from new            219,858....................................             223,000
 establishments), starting in second year.
Subsequent annual EIN Cost Annualized at a 3     213,262....................................             217,000
 percent discount rate over ten years.
Subsequent annual EIN Cost Annualized at a 7     204,468....................................             208,000
 percent discount rate over ten years.
Annualized Total EIN Cost, 3 percent discount    467,194....................................             474,000
 rate over ten years.
Annualized Total EIN Cost, 7 percent discount    512,822....................................             521,000
 rate over ten years.
Net Cost Savings, 3 percent discount rate over   8,284,733..................................          15,909,000
 ten years.
Net Cost Savings, 7 percent discount rate over   8,250,421..................................          15,862,000
 ten years.
----------------------------------------------------------------------------------------------------------------
* Not calculated.

    As OSHA explained in the proposal (83 FR at 36503), there could be 
substantial cost savings from requiring covered employers to include 
the EIN in their reporting. There is roughly a 40 percent overlap 
between the BLS SOII sample and private sector establishments required 
to report to OSHA. If OSHA collected Form 300A from all covered private 
sector units and BLS were able to fully match these units and use them 
in generating SOII estimates, the reduction in duplication would 
represent approximately 15,000 hours of respondent burden. In its SOII 
paperwork burden analysis, BLS estimates the total cost of submitting 
this form for private sector establishments to be $891,000. The 
potential cost savings for avoiding duplication is 40 percent of this 
value--$356,000.
---------------------------------------------------------------------------

    \20\ Source: OSHA, Office of Regulatory Analysis.
    \21\ OSHA is reporting these estimates rounded to the nearest 
thousand in order not to suggest a spurious degree of accuracy.
---------------------------------------------------------------------------

E. Benefits

    In the PEA, OSHA preliminarily determined that the substantial 
benefits to worker privacy outweighed the uncertain forgone benefits to 
enforcement. The agency requested comment on its preliminary 
determination, including on its preliminary conclusions that neither 
worker privacy nor enforcement benefits can be meaningfully quantified. 
(83 FR at 36503).
    As discussed in detail in Section III, Summary and Explanation of 
the Final Rule, OSHA received a number of comments regarding its 
preliminary benefits determination.\22\ After carefully reviewing these 
comments, OSHA has determined that the extent of any benefits of 
collecting the data from Forms 300 and 301 for OSHA enforcement and 
compliance assistance activities is currently uncertain. OSHA has 
determined that, at this time, avoiding the risk to worker privacy of 
collecting the data from Forms 300 and 301 outweighs the uncertain 
incremental benefits to enforcement from the data. The rule will also 
allow OSHA to focus its resources on the collection and use of 300A 
data and severe injury reports, which the agency's past experience has 
proven useful.
---------------------------------------------------------------------------

    \22\ The Agency discussed and responded to all public comments 
on this determination in Section III, Summary and Explanation of the 
Final Rule. (See, e.g., Concerns About the Potential Release of 
Sensitive Worker Information and Uncertain Extent of Benefits from 
Collecting the Data from Forms 300 and 301).
---------------------------------------------------------------------------

F. Economic Feasibility

    In the PEA, OSHA stated that proposed elimination of the 
requirement for establishments with 250 or more employees to submit the 
information from OSHA Forms 300 and 301 to OSHA annually would reduce 
costs and so would have no negative feasibility effects. (83 FR at 
36503). Even with the proposed EIN requirement, the proposal still 
resulted in a large overall reduction in costs. (83 FR at 36503).Thus, 
OSHA concluded that the proposed rule was economically feasible. (83 FR 
at 36503). Commenters did not submit any comments objecting to this 
determination and, due to the increase in the wage rates, the reduction 
in costs has increased since the proposal. Therefore, OSHA finds that 
the final rule is economically feasible.

G. Regulatory Flexibility Certification

    In the PEA, OSHA explained that the current requirement for annual 
electronic submission of information from OSHA Forms 300 and 301 
affects only a very small minority of small firms. In many industry 
sectors, there are no small firms with at least 250 employees. Even in 
those industry sectors where the definition of small firm includes some 
firms with at least 250 employees, the overwhelming majority of small 
firms have fewer than 250 employees. There will, however, be some small 
firms affected in some industries. OSHA estimated that removing this 
requirement as proposed would result in a cost savings of, on average, 
$236 per establishment for each establishment with 250 or more 
employees affected by the 2016 final rule.\23\ OSHA preliminarily 
determined that such a small amount of cost savings

[[Page 403]]

would not have a significant impact on a firm with 250 or more 
employees. (83 FR at 36503). Commenters did not object to these 
determinations. OSHA reaffirms its preliminary finding and also finds 
that the updated cost savings of $239 per establishment for each 
establishment with 250 or more employees affected by the 2016 final 
rule will not have a significant impact on a firm with 250 or more 
employees.\24\
---------------------------------------------------------------------------

    \23\ This number was derived by dividing the total estimated 
cost savings to private industry of $8,699,173 from the proposal by 
36,903 affected establishments with 250 or more employees. (83 FR at 
36503).
    \24\ This number is derived by dividing the total final cost 
savings to private industry of $8,831,000 by 36,903 affected 
establishments with 250 or more employees.
---------------------------------------------------------------------------

    The PEA also included a certification that the proposed rule would 
not have a significant economic impact on a substantial number of small 
entities. (83 FR at 36503). OSHA did not receive any comments on this 
certification. As with the proposal, the final rule will result in an 
overall reduction of costs. Removing the requirement for establishments 
with 250 or more employees to submit the information from OSHA Forms 
300 and 301 annually to OSHA would reduce costs, and the estimated cost 
of the EIN requirement is $4.75 per establishment, a negligible amount. 
Hence, per sec. 605 of the Regulatory Flexibility Act, OSHA certifies 
that this final rule will not have a significant economic impact on a 
substantial number of small entities.

H. Executive Order 13771: Reducing Regulation and Controlling 
Regulatory Costs

    Consistent with Executive Order 13771 (82 FR 9339, January 30, 
2017), OSHA's preliminary economic analysis estimated the net annual 
cost savings of this rule to be $8.28 million per year at a 3 discount 
rate, and $8.25 million per year, at a discount rate of 7 percent. (83 
FR at 36501). Therefore, OSHA concluded that the proposed rule was 
expected to be a deregulatory action under the Executive Order. (83 FR 
at 36496). OSHA received several comments on this preliminary 
conclusion.
    One commenter argued that OSHA did not demonstrate how it complied 
the Executive Order or with the Office of Management and Budget's (OMB) 
guidance to agency heads on how to comply with the Executive Order. 
(See Document ID 2033-A1, pp. 6-7 (citing OMB Memorandum M-17-21-OMB, 
Guidance Implementing Executive Order 13771, ``Reducing Regulation and 
Controlling Regulatory Costs'' (Apr. 5, 2017) (OMB Guidance on E.O. 
13771))). But that comment misunderstands the Agency's burden under the 
Executive Order and the related guidance. The guidance defines the term 
``deregulatory action'' to mean ``an action that has been finalized and 
has total costs less than zero.'' (OMB Guidance on E.O. 13771, p. 4). 
In the proposal, OSHA estimated that this rule would have net cost 
savings of $8.28 million per year at a 3 percent discount rate, 
including $8.23 million per year for the private sector and $52,754 per 
year for the government. (See 83 FR at 36500-501, 36502-03). Annualized 
at a 7 percent discount rate, OSHA estimated that the proposed rule 
would have net cost savings of $8.25 million per year, including $8.18 
million per year for the private sector and $64,070 per year for the 
government. (See 83 FR at 36501, 36502-03). The Agency included 
detailed information about how it calculated those numbers. Because 
OSHA expected the rule to have cost savings (i.e., total costs less 
than zero), it stated that it expected the proposed rule to be 
deregulatory action under the Executive Order. (83 FR at 36596). 
Nothing more was required under the Executive Order.
    Another commenter remarked that adding a requirement for additional 
data seemed contrary to OSHA's claim that the proposed rule is a 
deregulatory action under the Executive Order. (Document ID 2039-A1, p. 
3 (quoting 83 FR at 36496)). This comment also misinterprets the 
Executive Order's requirements. As noted above, OMB's guidance defines 
the term ``deregulatory action'' to mean ``an action that has been 
finalized and has total costs less than zero.'' (OMB Guidance on E.O. 
13771, p. 4). This definition does not consider whether part of the 
rule imposes costs, but other portions of the rule provide cost 
savings. Rather, it looks at the total costs imposed by the rule. As 
explained in the proposal, OSHA expected the total costs of the 
proposal to be well below zero. Therefore, the Agency finds that its 
preliminary expectation was correct.
    After carefully considering the comments submitted on this issue, 
OSHA reaffirms its preliminary determination that this rule is expected 
to be a deregulatory action within the meaning of Executive Order 
13771. This finding is based on the Agency's estimate that the total 
annual cost savings from the final rule would be $8,884,000 at a 3 
percent discount rate and $8,896,000 at 7 percent discount rate. 
Further details on the estimated costs and cost savings estimates for 
this rule can be found in Section VI, Final Economic Analysis and 
Regulatory Flexibility Analysis.

V. Unfunded Mandates

    For purposes of the Unfunded Mandates Reform Act (2 U.S.C. 1501 et 
seq.), as well as Executive Order 13132 (64 FR 43255 (Aug. 4, 1999)), 
this final rule does not include any federal mandate that may result in 
increased expenditures by state, local, and tribal governments, or 
increased expenditures by the private sector of more than $100 million. 
Accordingly, OSHA is not required to issue a written statement 
containing a qualitative and quantitative assessment of the anticipated 
costs and benefits of the Federal mandate, as required under Section 
202(a) of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1532(a)).

VI. Federalism

    The agency reviewed this rule in accordance with the Executive 
Order on Federalism 13132. (64 FR 43255). The final rule involves a 
``regulation'' issued under sections 8 and 24 of the OSH Act (29 U.S.C. 
657, 673), and not an ``occupational safety and health standard'' 
issued under section 6 of the OSH Act (29 U.S.C. 655). Therefore, 
pursuant to section 18 of the OSH Act (29 U.S.C. 667(a)), the rule does 
not preempt state law. The effect of the final rule on states is 
discussed in section VII, State-Plan States.

VII. State-Plan States

    Pursuant to section 18 of the OSH Act (29 U.S.C. 667) and the 
requirements of 29 CFR 1904.37 and 1902.7, within 6 months after 
publication of the final OSHA rule, state-plan states must promulgate 
occupational injury and illness recording and reporting requirements 
that are substantially identical to those in 29 CFR part 1904 
``Recording and Reporting Occupational Injuries and Illnesses.'' All 
other injury and illness recording and reporting requirements (for 
example, industry exemptions, reporting of fatalities and 
hospitalizations, record retention, or employee involvement) that are 
promulgated by state-plan states may be more stringent than, or 
supplemental to, the federal requirements, but, because of the unique 
nature of the national recordkeeping program, states must consult with 
OSHA and obtain approval of such additional or more stringent reporting 
and recording requirements to ensure that they will not interfere with 
uniform reporting objectives (29 CFR 1904.37(b)(2); 29 CFR 1902.7(a)).
    There are 28 state plan states and territories. The states and 
territories that cover private sector employers are Alaska, Arizona, 
California, Hawaii, Indiana, Iowa, Kentucky, Maryland,

[[Page 404]]

Michigan, Minnesota, Nevada, New Mexico, North Carolina, Oregon, Puerto 
Rico, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, 
and Wyoming. Connecticut, Illinois, Maine, New Jersey, New York, and 
the Virgin Islands have OSHA-approved state plans that apply to state 
and local government employees only.

VIII. Environmental Impact Assessment

    OSHA has reviewed the provisions of this final rule in accordance 
with the requirements of the National Environmental Policy Act (NEPA) 
of 1969 (42 U.S.C. 4321 et seq.), the Council on Environmental Quality 
(CEQ) NEPA regulations (40 CFR parts 1500-1508), and the Department of 
Labor's NEPA Procedures (29 CFR part 11). As a result of this review, 
OSHA has determined that the final rule will have no significant 
adverse effect on air, water, or soil quality, plant or animal life, 
use of land, or other aspects of the environment.

IX. Paperwork Reduction Act

Overview

    This final rule revises an existing collection of information that 
is subject to review by OMB under the Paperwork Reduction Act of 1995 
(PRA) (44 U.S.C. 3501 et. seq.) and its implementing regulations (5 CFR 
part 1320). The PRA generally requires that agencies consider the 
impact of paperwork and other information collection burdens imposed on 
the public, obtain public input, and obtain approval from OMB before 
conducting any collection of information (44 U.S.C. 3507). The PRA 
defines a ``collection of information'' as ``the obtaining, causing to 
be obtained, soliciting, or requiring the disclosure to third parties 
or the public, of facts or opinions by or for an agency, regardless of 
form or format[.]'' (44 U.S.C. 3502(3)(A)). Federal agencies generally 
cannot conduct or sponsor a collection of information, and the public 
is generally not required to respond to an information collection, 
unless it is approved by OMB under the PRA and displays a currently-
valid OMB Control Number. In addition, notwithstanding any other 
provisions of law, no person shall be subject to penalty for failing to 
comply with a collection of information if the collection of 
information does not display a valid OMB Control Number. (See 44 U.S.C. 
3512).

Solicitation of Comments

    OSHA published a Federal Register notice that allowed the public an 
opportunity to comment on the proposed Information Collection Request 
(ICR) containing the information collection requirements in the 
proposed rule for 60 days, as required by 44 U.S.C. 3507. Specifically, 
in the NPRM, OSHA explained how the proposed rule would affect its ICR 
estimates and asked members of the public to submit comments on the 
paperwork requirements. (83 FR at 36504-05). Concurrent with the 
proposed rule, OSHA submitted the ICR to OMB for review (ICR Reference 
Number 201807-1218-002) in accordance with 44 U.S.C. 3507(d).
    In addition to generally soliciting comments on the paperwork 
requirements, the proposed rule indicated that OSHA and OMB were 
particularly interested in comments that:
     Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
     Evaluate the accuracy of the agency's estimate of the 
burden of the proposed collection of information, including the 
validity of the methodology and assumptions used;
     Enhance the quality, utility, and clarity of the 
information to be collected; and
     Minimize the burden of the collection of information on 
those who are to respond, including through the use of appropriate 
automated, electronic, mechanical, or other technological collection 
techniques or other forms of information technology, e.g., permitting 
electronic submission of responses.

(83 FR at 36505).
    OMB concluded its review by filing a comment requesting OSHA to 
resubmit the request at the Final Rule stage, after considering any 
public comments and clarifying how the information collection 
requirements in final rule were changed because of the comments. OSHA 
received a number of comments in response to the proposed rule that 
addressed information collection requirements and contained information 
relevant to the burden hour and costs analysis in the ICR. Summaries of 
these comments and OSHA's responses are found above in Sections III, 
Summary and Explanation of the Final Rule, and IV, Final Economic 
Analysis and Regulatory Flexibility Certification, and in the final 
ICR. OSHA considered these comments when it developed the revised ICR 
associated with the final rule.
    Concurrent with publication of this final rule, the Department of 
Labor has submitted the final ICR, containing the full analysis and 
description of the burden hours and costs associated with the final 
rule, to OMB for approval. A copy of this ICR will be available on the 
internet at http://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201811-1218-004 on the day following publication of the final rule. At the 
conclusion of OMB's review, OSHA will publish a separate notice in the 
Federal Register to announce the results. That notice will also include 
a list of OMB-approved information collection requirements and total 
burden hours and costs imposed by the new standard.

Summary of Information Collection Requirements

    OSHA's existing recordkeeping forms consist of the OSHA 300 Log, 
the 300A Summary, and the 301 Incident Report. These forms are 
contained in the ICR titled Recording and Reporting Occupational 
Injuries and Illnesses (29 CFR part 1904), which OMB approved under OMB 
Control Number 1218-0176 (expiration date 06/30/2021).
    This final rule affects the ICR estimates as follows:
    1. Establishments that are subject to the part 1904 requirements 
and have 250 or more employees will no longer be required to 
electronically submit information recorded on their OSHA Forms 300 and 
301 to OSHA once a year.
    2. Establishments subject to the data collection must provide one 
additional data element, the EIN.
    The burden hours for the reporting requirements under Sec.  1904.41 
are estimated to be 140,545 per year, which is a reduction of 112,694 
burden hours from what was estimated for the previous reporting 
requirements. There are no capital costs for this collection of 
information.
    More specifically, this action amends the recordkeeping regulation 
to remove the requirement for establishments that are required to keep 
injury and illness records under part 1904, and that had 250 or more 
employees in the previous year, to electronically submit to OSHA or 
OSHA's designee case characteristic information from the OSHA Form 300 
(Log of Work-Related Injuries and Illnesses) and OSHA Form 301 (Injury 
and Illness Incident Report) once a year. Under the final rule, these 
establishments are only required to submit summary information from the 
OSHA Form 300A. There are approximately 37,000 establishments that are 
no longer subject to a requirement to submit the information on OSHA 
Forms 300 and 301 for

[[Page 405]]

approximately 775,000 injury and illness cases under the rule. (OSHA 
used BLS's 2015 Survey of Occupational Injuries and Illnesses (SOII) 
data (https://www.bls.gov/iif/oshwc/osh/os/ostb4734.pdf) to estimate 
that, without the final rule, covered establishments with 250 or more 
employees would report 775,210 injury and illness cases per year.)
    In addition, under the final rule, 463,192 establishments are now 
required to provide their EINs to OSHA.
    The OSHA recordkeeping and reporting information collection may be 
summarized as follows. (Note these estimates are for the full burden of 
the recordkeeping and reporting information collection, including 
aspects that are unchanged by this rulemaking).
    Agency: DOL-OSHA.
    Title of Collection: Recording and Reporting Occupational Injuries 
and Illnesses (29 CFR part 1904).
    OMB control number: 1218-0176.
    Number of respondents: 1,002,912.
    Number of annual responses: 5,903,976.
    Total estimated annual burden time: 2,140,856 hours.
    Total estimated annual other costs burden (start-up, capital, 
operation, and maintenance): $0.

X. Consultation and Coordination With Indian Tribal Governments

    OSHA reviewed this final rule in accordance with Executive Order 
13175 (65 FR 67249 (Nov. 9, 2000)) and determined that it does not have 
``tribal implications'' as defined in that order. This final rule does 
not have substantial direct effects on one or more Indian tribes, on 
the relationship between the Federal Government and Indian tribes, or 
on the distribution of power and responsibilities between the Federal 
Government and Indian tribes.

List of Subjects in 29 CFR Part 1904

    Health statistics, Occupational safety and health, Reporting and 
recordkeeping requirements, State plans.

    Signed at Washington, DC, on January 17, 2019.
Loren E. Sweatt,
Deputy Assistant Secretary of Labor for Occupational Safety and Health.

Final Rule

Amendments to Regulations

    For the reasons stated in the preamble, OSHA amends part 1904 of 
chapter XVII of title 29 as follows:

PART 1904--[AMENDED]

Subpart E--Reporting Fatality, Injury and Illness Information to 
the Government

0
1. The authority citation for subpart E of 29 CFR part 1904 continues 
to read as follows:

    Authority:  29 U.S.C. 657, 673, 5 U.S.C. 553, and Secretary of 
Labor's Order No. 1-2012 (77 FR 3912, Jan. 25, 2012).


0
2. In Sec.  1904.41, revise the section heading and paragraph (a)(1), 
add paragraph (a)(4), and revise paragraph (b) to read as follows:


Sec.  1904.41  Electronic submission of Employer Identification Number 
(EIN) and injury and illness records to OSHA.

    (a) * * *
    (1) Annual electronic submission of OSHA Form 300A Summary of Work-
Related Injuries and Illnesses by establishments with 250 or more 
employees. If your establishment had 250 or more employees at any time 
during the previous calendar year, and this part requires your 
establishment to keep records, then you must electronically submit 
information from OSHA Form 300A Summary of Work-Related Injuries and 
Illnesses to OSHA or OSHA's designee. You must submit the information 
once a year, no later than the date listed in paragraph (c) of this 
section of the year after the calendar year covered by the form (for 
example, 2019 for the 2018 form).
* * * * *
    (4) Electronic submission of the Employer Identification Number 
(EIN). For each establishment that is subject to these reporting 
requirements, you must provide the EIN used by the establishment.
    (b) Implementation--(1) Does every employer have to routinely 
submit this information to OSHA? No, only two categories of employers 
must routinely submit this information. First, if your establishment 
had 250 or more employees at any time during the previous calendar 
year, and this part requires your establishment to keep records, then 
you must submit the required information to OSHA once a year. Second, 
if your establishment had 20 or more employees but fewer than 250 
employees at any time during the previous calendar year, and your 
establishment is classified in an industry listed in appendix A to this 
subpart, then you must submit the required information to OSHA once a 
year. Employers in these two categories must submit the required 
information by the date listed in paragraph (c) of this section of the 
year after the calendar year covered by the form (for example, 2019 for 
the 2018 form). If you are not in either of these two categories, then 
you must submit the information to OSHA only if OSHA notifies you to do 
so for an individual data collection.
    (2) Do part-time, seasonal, or temporary workers count as employees 
in the criteria for number of employees in paragraph (a) of this 
section? Yes, each individual employed in the establishment at any time 
during the calendar year counts as one employee, including full-time, 
part-time, seasonal, and temporary workers.
    (3) How will OSHA notify me that I must submit information as part 
of an individual data collection under paragraph (a)(3) of this 
section? OSHA will notify you by mail if you will have to submit 
information as part of an individual data collection under paragraph 
(a)(3). OSHA will also announce individual data collections through 
publication in the Federal Register and the OSHA newsletter, and 
announcements on the OSHA website. If you are an employer who must 
routinely submit the information, then OSHA will not notify you about 
your routine submittal.
    (4) When do I have to submit the information? If you are required 
to submit information under paragraph (a)(1) or (2) of this section, 
then you must submit the information once a year, by the date listed in 
paragraph (c) of this section of the year after the calendar year 
covered by the form (for example, 2019 for the 2018 form). If you are 
submitting information because OSHA notified you to submit information 
as part of an individual data collection under paragraph (a)(3) of this 
section, then you must submit the information as specified in the 
notification.
    (5) How do I submit the information? You must submit the 
information electronically. OSHA will provide a secure website for the 
electronic submission of information. For individual data collections 
under paragraph (a)(3) of this section, OSHA will include the website's 
location in the notification for the data collection.
    (6) Do I have to submit information if my establishment is 
partially exempt from keeping OSHA injury and illness records? If you 
are partially exempt from keeping injury and illness records under 
Sec. Sec.  1904.1 and/or 1904.2, then you do not have to routinely 
submit information under paragraphs (a)(1) and (2) of this section. You 
will have to submit information under paragraph (a)(3) of this section 
if OSHA informs you in writing that it will collect injury and illness 
information from you. If you

[[Page 406]]

receive such a notification, then you must keep the injury and illness 
records required by this part and submit information as directed.
    (7) Do I have to submit information if I am located in a State Plan 
State? Yes, the requirements apply to employers located in State Plan 
States.
    (8) May an enterprise or corporate office electronically submit 
information for its establishment(s)? Yes, if your enterprise or 
corporate office had ownership of or control over one or more 
establishments required to submit information under paragraph (a) of 
this section, then the enterprise or corporate office may collect and 
electronically submit the information for the establishment(s).
* * * * *
[FR Doc. 2019-00101 Filed 1-24-19; 8:45 am]
 BILLING CODE 4510-26-P