Occupational health clinics occupy a unique position in the healthcare compliance landscape. Unlike a primary care practice or hospital, an occupational health clinic typically serves both individual patients and employer clients simultaneously — creating a layered set of obligations under HIPAA, OSHA, and state workers' compensation laws. The data generated in an occupational health setting — work fitness evaluations, drug and alcohol screening results, injury documentation, exposure records, immunization records — is subject to multiple overlapping regulatory frameworks, each with different retention periods, disclosure rules, and access requirements.
Most HIPAA cloud storage guidance is written for physician practices and health systems. It addresses the standard covered entity obligations — BAAs, encryption, access controls, audit logs — without acknowledging the specific complexity that occupational health clinics face. The result is that many occupational health providers are using cloud storage that meets HIPAA's minimum requirements but fails to address OSHA's 30-year retention rule or the business associate obligations that arise when serving employer clients.
What makes occupational health data unique?
The core distinction is the dual-client relationship. An occupational health clinic providing pre-employment physicals, drug screenings, and injury treatment for an employer's workforce is simultaneously serving the individual employee as a patient and the employer as a client. This creates a tension in how information can be disclosed: the employee's medical information is protected under HIPAA, but the employer has a legitimate interest in fitness-for-duty determinations and work restrictions.
HIPAA permits disclosure of work-related health information to employers under specific conditions — primarily when the employer needs the information to comply with OSHA or other occupational health laws, or when the employee has authorized disclosure. But the disclosure rules are narrow, and the documentation requirements are significant. The clinic must be able to demonstrate, for any disclosure to an employer, that the disclosure was authorized and appropriate.
Types of Records Occupational Health Clinics Generate
HIPAA vs. OSHA retention requirements: where they diverge
The most significant compliance gap for occupational health clinics is the difference between HIPAA's record retention standard and OSHA's. HIPAA requires covered entities to retain policies, procedures, and documentation for six years from the date of creation or the date when the document was last in effect. OSHA 29 CFR 1910.1020 requires employee exposure records and related medical records to be retained for the duration of employment plus 30 years.
| Record Type | HIPAA Retention | OSHA Retention | Governing Rule |
|---|---|---|---|
| HIPAA policies and procedures | 6 years | N/A | 45 CFR §164.530(j) |
| Employee exposure records | N/A | Employment + 30 years | 29 CFR §1910.1020 |
| Employee medical records | 6 years (HIPAA) | Employment + 30 years | 29 CFR §1910.1020 |
| Audiometric test records | N/A | Employment + 30 years | 29 CFR §1910.95 |
| Respirator medical evaluations | N/A | Employment + 30 years | 29 CFR §1910.134 |
| Drug testing results (DOT) | 6 years (HIPAA) | 1–5 years (DOT) | 49 CFR §382.401 |
| Workers' comp records | State-specific | State-specific | Varies by state |
The practical implication is significant: an occupational health clinic using a cloud storage platform with a six-year retention policy may be compliant with HIPAA but non-compliant with OSHA. Records that should be retained for 30 years after an employee's last day of employment may be deleted automatically when the platform's retention policy expires. This is a gap that most generic HIPAA cloud storage guides do not address.
OSHA's 30-year retention requirement for exposure and medical records is one of the longest in any regulatory framework. An occupational health clinic that treats a 25-year-old worker today may need to produce that worker's exposure records in 2056.
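The retention gap described above is easy to miss because a cloud platform's lifecycle policy is usually expressed as a fixed number of years from the date a file was created, while the OSHA clock runs from the end of employment and has not even started for current employees. The following Python example is added here to illustrate that mismatch; it is not code from the page or from AXIS CloudSync. It takes the record types and retention periods from the table above (the DOT drug-testing row is omitted because the page gives only a range), models the platform's policy as "delete N years after creation" (an assumption), and reports which constructed sample records a six-year policy would delete before the regulatory deadline.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention rules taken from the page's table. hipaa_years runs from the
# record's creation date; osha_post_employment_years runs from the end of
# employment. None means that framework imposes no requirement on the type.
RETENTION_RULES = {
    "hipaa_policy":          {"hipaa_years": 6,    "osha_post_employment_years": None},
    "exposure_record":       {"hipaa_years": None, "osha_post_employment_years": 30},
    "employee_medical":      {"hipaa_years": 6,    "osha_post_employment_years": 30},
    "audiometric_test":      {"hipaa_years": None, "osha_post_employment_years": 30},
    "respirator_evaluation": {"hipaa_years": None, "osha_post_employment_years": 30},
}


def add_years(d: date, years: int) -> date:
    """Add calendar years, rolling Feb 29 back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    employment_end: Optional[date]  # None while the employee is still employed


def required_until(record: Record) -> Optional[date]:
    """Latest date the record must be kept under the rules above.

    Returns None when retention is open-ended: the record is subject to an
    OSHA post-employment period but employment has not ended, so no
    deletion date can be computed yet.
    """
    rule = RETENTION_RULES[record.record_type]
    deadlines = []
    if rule["hipaa_years"] is not None:
        deadlines.append(add_years(record.created, rule["hipaa_years"]))
    if rule["osha_post_employment_years"] is not None:
        if record.employment_end is None:
            return None
        deadlines.append(add_years(record.employment_end, rule["osha_post_employment_years"]))
    return max(deadlines)


def platform_deletes_on(record: Record, platform_retention_years: int) -> date:
    """Assumed platform behaviour: delete a fixed number of years after creation."""
    return add_years(record.created, platform_retention_years)


def find_early_deletions(records, platform_retention_years: int):
    """Return (record_id, platform_delete_date, regulatory_deadline) for every
    record the platform would delete before the regulation allows."""
    findings = []
    for r in records:
        deadline = required_until(r)
        delete_on = platform_deletes_on(r, platform_retention_years)
        if deadline is None or delete_on < deadline:
            findings.append((r.record_id, delete_on, deadline))
    return findings


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("EXP-001", "exposure_record", date(2021, 3, 15), date(2024, 6, 30)),
    Record("MED-002", "employee_medical", date(2022, 1, 10), None),
    Record("POL-003", "hipaa_policy", date(2019, 5, 1), None),
]

if __name__ == "__main__":
    for record_id, delete_on, deadline in find_early_deletions(SAMPLE_RECORDS, 6):
        print(f"{record_id}: platform deletes {delete_on}, must be kept until "
              f"{deadline if deadline else 'employment ends + 30 years'}")
```

Running it flags the exposure record (deleted in 2027, required until 2054) and the medical record of the still-employed worker (deleted in 2028, with no deadline computable yet); the HIPAA policy document is not flagged because its six-year deadline coincides with the platform's. The practical takeaway is that a creation-based expiry rule cannot express an OSHA deadline at all: the retention trigger has to be tied to the employment end date, and records for current employees need a legal hold rather than a timer.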
BAA obligations for occupational health clinics
When an occupational health clinic provides services to an employer and handles protected health information on the employer's behalf — for example, maintaining fitness-for-duty records or drug screening results for the employer's workforce — the clinic is functioning as a business associate under HIPAA. A Business Associate Agreement (BAA) is required between the clinic and the employer.
The BAA defines how protected health information may be used and disclosed, assigns responsibility for safeguarding it, and establishes breach notification obligations. For occupational health clinics serving multiple employer clients, this means maintaining a separate BAA with each employer client — and ensuring that the clinic's own cloud storage and IT infrastructure are covered by BAAs with its technology vendors.
Cloud storage compliance checklist for occupational health clinics
Use this checklist to assess whether your current cloud storage infrastructure meets the requirements of HIPAA, OSHA, and your business associate obligations. Each item maps to a specific regulatory requirement.
Built for Occupational Health's Compliance Complexity
AXIS CloudSync provides HIPAA-aligned cloud storage with a same-day BAA, encryption, role-based access, and audit logging — designed for organizations managing sensitive health data across multiple employer clients. Starting at $18/user/month.
Frequently Asked Questions
Are occupational health clinics covered entities under HIPAA?
Yes, if they provide health care services and transmit health information electronically in connection with covered transactions. Most occupational health clinics that bill insurance or transmit electronic claims are covered entities.
How long must occupational health clinics keep employee medical records under OSHA?
OSHA 29 CFR 1910.1020 requires employee exposure records and related medical records to be retained for the duration of employment plus 30 years. This is significantly longer than the HIPAA standard of 6 years from creation or last effective date.
Does a BAA cover occupational health services provided to employer clients?
When an occupational health clinic provides services to an employer and handles protected health information on the employer's behalf, the clinic is functioning as a business associate. A BAA is required between the clinic and the employer.
Can occupational health clinics use consumer cloud storage like Dropbox or Google Drive?
Not without a signed BAA. Consumer versions of these services do not offer BAAs and are not HIPAA compliant. Business versions offer BAAs, but configuration and access controls must still be managed appropriately.