8. Management of Healthcare Personnel Health Records
Infection Control in Healthcare Personnel: Infrastructure and Routine Practices for Occupational Infection Prevention and Control Services (2019)
For healthcare organization leaders and administrators
Establish systems to maintain confidential work-related healthcare personnel health records, preferably in electronic systems, that:
limit access only to authorized personnel,
enable rapid access by authorized clinical providers,
facilitate aggregation and de-identification of information,
allow tracking and assessments of trends in infectious risks, screening tests, exposures, and infections, and
enable confidential reporting to internal departments and individuals or external groups.
Consider enabling electronic system features that:
notify occupational health services when occupational infection prevention and control services are due, and
communicate work restrictions with other healthcare organization data systems (e.g., human resources information systems).
For occupational health services leaders and staff
Participate in the development of policies and plans that facilitate confidential, efficient exchange of healthcare personnel health information.
Maintain healthcare personnel records and databases that include medical evaluations, infectious disease screening, evidence of immunity and immunizations, exposure and illness management, and work restrictions.
Maintain confidentiality, use appropriate authorizations, and provide only necessary information when sharing healthcare personnel records.
Facilitate healthcare personnel data aggregation for reporting performance measures and supporting occupational health services quality improvement activities.
Make copies of individual records promptly available to healthcare personnel upon their request, preferably within 15 days.
- EHR = Electronic Health Record
- HCP = Healthcare Personnel
- HIPAA = Health Insurance Portability and Accountability Act
- IPC = Infection Prevention and Control
- NHSN = National Healthcare Safety Network
- OHS = Occupational Health Services
- OSHA = Occupational Safety and Health Administration
OHS collects, maintains, reports, and ensures confidentiality of HCP health information in order to provide efficient occupational IPC services. OHS maintains HCP information related to preplacement, periodic, and episodic medical evaluations as provided by OHS or other consulted external medical providers, such as:
- job-related, infectious diseases screening,
- evidence of immunity to vaccine-preventable diseases,
- offered and administered immunizations ,
- exposure and illness management services, and
- counseling services.
Information systems designed to record and rapidly retrieve confidential HCP data, such as evidence of immunity, can enable efficient responses to infectious exposures and outbreaks. The systems can also highlight trends in infectious disease risk, exposures, and illnesses among HCP.
Electronic health records and electronic information systems
Electronic health record (EHR) and other electronic health information systems can provide options that might enhance HCP records management. EHRs can automatically generate alerts, such as those about the need for postexposure follow-up, immunizations, or other services. They can also facilitate access to HCP-related information entered by other departments, such as information on work restrictions entered by the human resources department, to allow communication and shared decision-making about HCP.
The use of EHRs can expedite mandated reporting of immunization data and trend analyses of vaccination coverage , as well as facilitate other risk assessment and reduction activities and quality improvement efforts. EHR use can improve documentation of vaccine contraindications and reduce medical discrepancies (e.g., HCP receiving an immunization despite reporting an immunization contraindication) to ensure HCP safety.
Selected HCP record documentation and retention requirements
OSHA requirements related to occupational exposures and acquired infections include establishing and retaining employee medical records, maintaining confidentiality, and providing records to employees when requested [3-6]. OSHA requires employers to record certain work-related injuries and illnesses on the OSHA 301 “Injury and Illness Report” form, maintain the OSHA 300 “Log of Work-Related Injury and Illnesses,” and annually complete the OSHA 300A “Summary of Work-Related Injury and Illnesses .” In addition, the OSHA Respiratory Protection standard requires documentation of medical clearance and other services related to respirator use. Other federal, state, and local documentation requirements for occupational IPC services may exist.
Reporting HCP information
OHS may need to report aggregated (and de-identified) health information to various sources, and to do so electronically. Sources might include internal departments or individuals, such as IPC services and senior management, or external sources, such as NHSN .
Confidentiality and security of HCP health information
Safeguarding the confidentiality of HCP health information ensures compliance with requirements  and can build HCP confidence in OHS. Defining who may access confidential HCP health records can facilitate protection of HCP information and enforcement of record access restrictions. Keeping HCP records and information in the same system as patient care information can risk unauthorized staff access to private information. Some HCO separate patient and HCP records by using separate paper files or electronic systems. State and local requirements for the separation of patient and HCP records may exist.
The 1996 HIPAA Privacy Rule  provides federal protections for individually identifiable health information held by covered entities and their business associates, and grants patients several rights with respect to that information. Requesting or providing HCP medical information or records may require HIPAA-compliant consent, depending on the purpose and recipient of the information.
- Advisory Committee on Immunization Practices; Centers for Disease Control and Prevention. Immunization of health-care personnel: recommendations of the Advisory Committee on Immunization Practices (ACIP). MMWR Recomm Rep 2011 Nov 25;60(RR-7):1-45.
- Salazar M, Stinson KE, Sillau SH, et al. Web-based electronic health records improve data completeness and reduce medical discrepancies in employee vaccination programs. Infect Control Hosp Epidemiol. 2012 Jan;33(1):84-6.
- Standard 1910.1030 – Toxic and Hazardous Substances, Bloodborne Pathogensexternal icon. Occupational Safety and Health Administration. Revised April 3, 2012. Accessed August 20, 2019.
- Table of Contents/Authority for 1904. PART 1904 — Recording and Reporting Occupational Injuries and Illnessesexternal icon. Occupational Safety and Health Administration. Revised November 24, 2017. Accessed August 20, 2019.
- Standard 1910.134 – Respiratory Protectionexternal icon. Occupational Safety and Health Administration. Revised June 8, 2011. Accessed August 20, 2019.
- Standard 1910.1020 – Access to employee exposure and medical recordsexternal icon. Occupational Safety and Health Administration. Revised June 8, 2011. Accessed August 20, 2019.
- OSHA Forms for Recording Work-Related Injuries and Illnesses[PDF – 12 pages]pdf iconexternal icon. Occupational Safety and Health Administration. Accessed August 20, 2019.
- National Healthcare Safety Network (NHSN). CMS Requirements. Centers for Disease Control and Prevention. Updated August 9, 2019. Accessed August 20, 2019.
- Health Insurance Portability and Accountability Act of 1996. Public law 104-191pdf icon[PDF – 169 pages]external icon. 104th Congress. Published August 21, 1996. Accessed August 20, 2019.
- Health Information Privacyexternal icon. U.S. Department of Health and Human Services. Accessed August 20, 2019.