How Long Must Employers Keep Medical and Exposure Records? A Legal Overview

When it comes to workplace safety and health, proper recordkeeping is not just good practice; it’s the law. Employers are required to keep certain medical and exposure records for their workers. These records are important for tracking long-term health effects and for meeting regulatory requirements.

This article provides a simple overview of how long employers must keep these records, what rules apply under OSHA and HIPAA, and what best practices can help avoid legal and safety issues.

Why Medical and Exposure Records Matter

Medical and exposure records help monitor worker health, especially in industries where employees may be exposed to hazardous chemicals, noise, radiation, or biological agents. These records help track long-term risks and protect workers even years after they’ve left the job.

They can also be important for legal claims, compensation cases, or OSHA inspections. That’s why federal rules set clear timelines for how long these documents must be kept.

OSHA’s Record Retention Rules (29 CFR 1910.1020)

The main regulation that covers this topic is OSHA standard 29 CFR 1910.1020, titled Access to Employee Exposure and Medical Records. This rule applies to most employers in general industry, construction, maritime, and other sectors.

Here are the basic timelines:

1. Exposure Records: Keep for 30 Years

Exposure records include anything that shows an employee’s contact with toxic substances or harmful physical agents. This can include:

  • Air sampling results 
  • Biological monitoring results 
  • Safety Data Sheets (SDS) 
  • Exposure assessments (even if results are “non-detect”) 

These must be kept for at least 30 years after the employee’s last date of employment. This long period helps track health conditions that may develop slowly, like cancer or respiratory diseases.

2. Medical Records: Keep for Duration + 30 Years

Employee medical records related to workplace exposure must also be kept long-term. These may include:

  • Medical exams 
  • Laboratory test results 
  • Medical questionnaires 
  • Diagnoses linked to workplace exposure 

Keep these for the length of employment, plus 30 years. So if someone worked at your company for 10 years, you must keep their related medical records for 40 years total.

3. Exceptions to the 30-Year Rule

There are a few exceptions where records do not have to be kept for 30 years. These include:

  • First aid records if they involve only a one-time treatment 
  • Records of employees who worked less than one year, if the records are given to the worker upon termination 
  • Some chemical inventories or SDSs used only for short-term projects 

Always check the regulations to see if your records fall under these exceptions.

HIPAA and Medical Record Privacy

While OSHA focuses on how long records must be kept, HIPAA (Health Insurance Portability and Accountability Act) covers privacy and access to those records. If you are a healthcare provider or your workplace has a health clinic, HIPAA rules apply.

Key points under HIPAA:

  • Workers have the right to access their medical records 
  • Employers must protect protected health information (PHI) 
  • Records must be stored securely, with access limited to authorized personnel 

HIPAA does not set retention timelines for employers; it mainly governs how information is handled, not how long it is kept.

What Happens If Records Are Missing?

Failing to keep required records can result in serious problems:

  • OSHA penalties (including fines) 
  • Difficulty defending against lawsuits or claims 
  • Delayed compensation for injured workers 
  • Loss of trust and poor legal standing 

In one notable OSHA audit, over 700 cases of recordkeeping failures were found at a single employer when reviewing medical files. This included missing exposure records that were supposed to be kept for 30 years.

Best Practices for Employers

Here are some simple steps to help you stay on track:

1. Use Digital Storage

Paper files can get lost or damaged. Switching to secure digital storage helps organize records and makes them easier to find when needed.

2. Label Records Clearly

Make sure it’s easy to tell which records are medical, exposure-related, or fall under OSHA rules. Use folders or tags to avoid confusion.

3. Train HR and Safety Staff

Everyone handling medical or exposure records should know what’s required. Even small mistakes, like deleting old exposure records, can lead to legal trouble.

4. Have a Retention Schedule

Create a clear policy that outlines how long each type of record is kept. Stick to OSHA’s 30-year rule and review the schedule once a year.

5. Plan for Employee Access

Employees have the right to request copies of their own medical or exposure records. You must respond within 15 working days of the request under OSHA rules.

State-Specific Rules

While OSHA sets the federal standard, some states may have their own additional recordkeeping laws. For example:

  • California often has stricter health and safety rules 
  • New York may require separate record access systems 
  • Texas may follow OSHA closely but still have additional notice requirements 

It’s smart to check with your state’s labor or health department for local rules.

Conclusion

Keeping medical and exposure records isn’t just about paperwork; it’s about long-term safety, legal protection, and respecting worker rights. Under OSHA rules, most of these records must be kept for 30 years, even after a worker leaves the company. HIPAA rules add another layer by requiring privacy and secure handling.

By following these simple guidelines and staying organized, employers can stay compliant and build a safer, more responsible workplace.
