Privacy Concern Cases: The Six Times OSHA Tells You NOT to Write the Employee's Name

The OSHA 300 Log has a column for the employee's name, and for almost every case you fill it in. Column B wants a full legal name, and an inspector who finds it blank will ask why. So most employers build the habit of entering the name on every line — which is exactly right, until it isn't.

For six specific categories of injury and illness, the rule flips. Entering the employee's name is no longer required; it is prohibited. You write "privacy case" in the name field instead, and you keep the real name on a separate, confidential list that never goes on the wall, never goes to a coworker, and never goes to a union representative. These are OSHA's "privacy concern cases," defined at 29 CFR 1904.29(b)(7), and they trip employers up in both directions — some enter a name they were supposed to suppress, and others suppress a name they were required to record.

The rule is short, the list is closed, and once you know the six categories the determination takes about ten seconds per case. This post walks through the mechanic, the exhaustive list, the masking discretion most small employers never use, and the two opposite mistakes that turn a privacy rule into a recordkeeping citation.

The Core Mechanic: "Privacy Case" Plus a Confidential List

The operative rule is 29 CFR 1904.29(b)(6). When you have a privacy concern case, you do two things:

You may not enter the employee's name on the OSHA 300 Log. Instead, enter "privacy case" in the space normally used for the employee's name. This will protect the privacy of the injured or ill employee when another employee, a former employee, or an authorized employee representative is provided access to the OSHA 300 Log under § 1904.35(b)(2). You must keep a separate, confidential list of the case numbers and employee names for your privacy concern cases so you can update the cases and provide the information to the government if asked to do so.

So the name comes off the 300 Log and goes onto a separate confidential list, keyed by case number. The 300 Log still carries everything else about the case — the date, the description, the classification, the day counts. Only the name is suppressed, and only on the Log itself.

That confidential list is not optional, and it is not a scrap of paper you reconstruct later. It is a required record. You need it for two reasons the rule names directly: so you can keep updating the case as it evolves (a privacy case can still move from "other recordable" to "days away," and you have to know whose case it is to update it), and so you can produce the name to the government if OSHA asks. The list links each "privacy case" entry back to a real person, and it lives somewhere the people who get access to the 300 Log cannot see it.

One detail that catches employers running digital systems: the confidential list has to be retained as long as the records it supports. Under 29 CFR 1904.33, you keep the 300 Log, the 301 Incident Reports, the annual summary, and the privacy case list for five years following the end of the calendar year they cover. The list is not a working note you delete at year-end. It is part of the five-year record set.

The Six Categories — and Why the List Is Closed

Here is the entire universe of privacy concern cases. OSHA lists them at 29 CFR 1904.29(b)(7), and the list is exhaustive:

You must consider the following injuries or illnesses to be privacy concern cases: (i) An injury or illness to an intimate body part or the reproductive system; (ii) An injury or illness resulting from a sexual assault; (iii) Mental illnesses; (iv) HIV infection, hepatitis, or tuberculosis; (v) Needlestick injuries and cuts from sharp objects that are contaminated with another person's blood or other potentially infectious material (see § 1904.8 for definitions); and (vi) Other illnesses, if the employee voluntarily requests that his or her name not be entered on the log.

Five of these are mandatory and automatic. If a recordable case fits categories (i) through (v), you suppress the name whether the employee asks you to or not — the privacy protection is built in, and the employee's preference does not enter into it. Category (vi) is the only one that runs on employee request, and it has two limits worth pinning down: it applies to illnesses, not injuries, and the request has to come from the employee voluntarily. You do not go around asking employees whether they would like their names left off. If an employee independently asks that an illness not be logged under their name, category (vi) lets you honor it. Absent that request, the name goes on.

The thing that makes this rule easy to get wrong is that the list is closed. You cannot add your own categories. OSHA could not be more direct about this — 1904.29(b)(8) asks and answers the question:

May I classify any other types of injuries and illnesses as privacy concern cases? No, this is a complete list of all injuries and illnesses considered privacy concern cases for part 1904 purposes.

OSHA's recordkeeping FAQ restates the same point: the employer decides whether a case is a privacy concern case using the six types in 1904.29(b)(7), and that is the complete list. There is no residual discretion to decide that some other embarrassing or sensitive injury deserves the same treatment.

The Two Opposite Mistakes

Because the list is both mandatory and closed, there are two ways to get it wrong, and they pull in opposite directions.

The first is under-suppression: entering a name you were required to leave off. A hygienist's contaminated needlestick is a privacy case under category (v) regardless of whether the hygienist cares about privacy. If your 300 Log shows her name next to that case, you have created the exact privacy exposure the rule exists to prevent — and you have done it in a document that current and former employees and their representatives have a right to see.

The second is over-suppression: writing "privacy case" for an injury that is not on the list. This one feels generous and is actually a violation. The 300 Log requires the employee's name for every case that is not a privacy concern case. A worker who is embarrassed about a routine back strain, or a slip in the parking lot, or a laceration on the line does not get name suppression — those are not listed categories, and category (vi) does not reach them because it covers illnesses, not injuries. If you leave the name off anyway, your Log is now missing required information, and an inspector comparing your Log against your 301 Incident Reports will notice the gap.

The discipline is the same one that governs the rest of recordkeeping: follow the rule as written, in both directions. Suppress exactly the six categories, and record the name on everything else.

Masking the Description: The Safeguard Small Shops Never Use

Suppressing the name is sometimes not enough. In a small workplace, the surrounding details of a case can identify the employee even with the name field reading "privacy case." If you have one woman on a six-person crew and the description says "injury to female reproductive organ," you have not actually protected anyone's privacy.

OSHA anticipated this. Under 1904.29(b)(9), you get discretion to soften the description itself:

If you have a reasonable basis to believe that information describing the privacy concern case may be personally identifiable even though the employee's name has been omitted, you may use discretion in describing the injury or illness on both the OSHA 300 and 301 forms. You must enter enough information to identify the cause of the incident and the general severity of the injury or illness, but you do not need to include details of an intimate or private nature. For example, a sexual assault case could be described as "injury from assault," or an injury to a reproductive organ could be described as "lower abdominal injury."

Note the boundaries. You still have to convey the cause and the general severity — you cannot blank out the description entirely or write something meaningless. But you can replace intimate detail with a general, accurate description. "Injury from assault" and "lower abdominal injury" are OSHA's own examples. This discretion applies to both the 300 Log and the 301 Incident Report, so the masked description should be consistent across both forms.

This is a genuinely useful tool for the small employers LogStead serves, and most of them have never heard of it. In a 200-person plant, omitting the name is usually enough. In a four-person field-service shop, the name is often the least identifying piece of information on the line, and the description-masking discretion under 1904.29(b)(9) is what actually protects the worker.

What the Six Categories Look Like in the Field

The categories are abstract until you map them onto the work your people actually do. A few scenarios drawn from the industries LogStead customers run:

Field service and HVAC. A technician reaches into a wall cavity at a customer site and is stuck by a discarded needle. That contaminated sharps injury is a privacy case under category (v) — and it is recordable under 29 CFR 1904.8 regardless of whether any treatment was provided. Separately, a tech who strains a groin or reproductive-area muscle lifting a condenser into place has a category (i) intimate-body-part case.

Manufacturing. A line worker develops work-related hepatitis traced to a workplace exposure — category (iv). A worker who develops a documented, work-related anxiety or PTSD condition, supported by the qualifying medical opinion described below, is a category (iii) mental-illness case.

Construction. A fall that causes a pelvic or reproductive injury is category (i). An assault on a jobsite that injures a worker is category (ii).

Healthcare-adjacent, dental, and tattoo studios. For these shops, contaminated sharps under category (v) are the highest-frequency trigger by far — every recordable contaminated needlestick or instrument cut suppresses the name. A confirmed work-related TB conversion or HIV seroconversion falls under category (iv). We cover the full sharps framework, including the separate Sharps Injury Log these workplaces also have to keep, in sharps injuries and bloodborne pathogens.

Any small shop. An employee who independently asks that a particular illness not appear under their name invokes category (vi) — provided it is genuinely an illness and the request is the employee's own.

Mental Illness Is Employee-Controlled From the Start

Category (iii) — mental illnesses — has a feature the others do not: the case usually does not reach your records at all unless the employee chooses to bring it there.

Mental illness recordability is governed by 29 CFR 1904.5(b)(2)(ix). A mental illness is not considered work-related unless the employee voluntarily provides the employer with an opinion from a physician or other licensed health care professional with appropriate training and experience — a psychiatrist, psychologist, psychiatric nurse practitioner, or similar — stating that the employee has a work-related mental illness. You are under no obligation to go looking for mental-illness information, and the employee controls whether the qualifying opinion ever lands on your desk.

The two provisions stack in the employee's favor. The employee controls whether a mental illness becomes recordable in the first place (1904.5(b)(2)(ix)), and if it does become recordable, the name is automatically suppressed as a privacy case (1904.29(b)(7)(iii)). For an employer, the practical takeaway is simple: do not chase mental-health information, and if an employee brings you the qualifying opinion, record the case without the name and apply the description-masking discretion if the surrounding facts would identify them.

This is also where the privacy rule connects to a broader truth about recordkeeping that we cover in workers' comp denied but OSHA recordable: the OSHA determination runs on OSHA's criteria, independent of what a comp carrier decides.

Who Sees the Log — and Why the Name Is Already Gone

The reason the name comes off the 300 Log in the first place is that the Log is not a private document. Under 29 CFR 1904.35(b)(2), current employees, former employees, and their authorized representatives have a right to see it. A union representing your workers under a collective bargaining agreement can request the entire 300 Log, and the general rule is that you hand it over in full — you do not get to redact employee names case by case to protect privacy on the fly.

Privacy concern cases are the built-in exception to that no-redaction rule, and they work by design rather than by last-minute editing. Because you entered "privacy case" instead of the name when you first logged the case, there is nothing to redact when the representative shows up. The protection was applied at the entry stage, months earlier. This is the elegance of the system: you do the privacy work once, at the moment of recording, and the access rules take care of themselves.

The 301 Incident Report is a different and more restricted animal — the access rules there are narrower, and they interact with privacy cases in their own way. That is the subject of Monday's companion post on the OSHA 301 Incident Report, which covers who can get the case-level detail behind each 300 Log line and how much of it.

And when an authorized government representative asks for your records — an OSHA compliance officer during an inspection, for example — a separate clock applies. Under 29 CFR 1904.40(a), you have four business hours to produce the records, and that is when the confidential privacy-case list earns its keep: OSHA can require the names, and your list is how you produce them. Do not confuse the four-business-hour government rule with the employee-access timeframes under 1904.35; they are different obligations on different clocks.

Electronic Submission Never Carries the Name

If your establishment is large enough to submit data electronically through OSHA's Injury Tracking Application, the privacy architecture extends there too. OSHA does not collect employee names through the ITA at all. For establishments required to submit case-level 300 and 301 data, OSHA does not publish the personally identifying fields — employee name, address, date of birth, date hired, gender, and the treating provider and facility information are not part of what gets posted publicly. OSHA's own instructions on the forms tell employers not to enter personally identifiable information into the narrative fields, and privacy concern cases are still entered as "privacy case" on the underlying 300 Log.

So the privacy protection is consistent across every place the data travels: suppressed on the Log, masked in the description where needed, withheld from coworkers and representatives, kept on a confidential list for the employer and the government only, and stripped of identifiers before anything is submitted or published. If you are working through ITA submission mechanics generally, our ITA portal guide walks through the process.

A Note for Employers Using Recordkeeping Software

If you keep your records in a database or an application rather than on paper, OSHA addressed your situation directly in a July 27, 2018 letter of interpretation. The privacy rules apply identically: the name still comes off the 300 Log view, the confidential case-number-to-name list still has to exist, and only the limited recipients named in 1904.29(b)(10) — an auditor or consultant evaluating your safety program, the people processing a workers' comp or insurance claim, and certain public-health or law-enforcement authorities — may be given access to that confidential list.

The letter also flagged a point worth remembering: providing access through software does not extinguish the right of an employee or representative to demand a paper copy. If someone with a right of access asks for a printout, you provide one. The medium is your choice; the access right is theirs.

The Penalty Reality

Recordkeeping violations, including mishandled privacy cases and access failures, are typically cited as other-than-serious. The current ceiling is $16,550 per violation, with willful or repeated violations reaching $165,514. A quick but important note on those numbers: they are the 2025 figures carried into 2026, not a fresh increase. The Department of Labor's 2026 inflation-adjustment notice (91 FR 31358, May 27, 2026) confirmed there is no 2026 increase, because the data needed for the statutory calculation was not produced during the fall 2025 government shutdown. The 2025 ceilings remain in effect.

OSHA treats recordkeeping as an enforcement matter, not a paperwork technicality. In December 2022, OSHA cited Amazon following inspections at six warehouse facilities for 14 recordkeeping violations — including failing to record injuries and illnesses, misclassifying cases, not recording within the required time, and not providing OSHA with timely records — with $29,008 in proposed penalties. Each unrecorded or mishandled case is its own violation, and they add up. The privacy rules are a small part of that framework, but they are part of it: under-suppress and you expose an employee; over-suppress and your Log is missing required information. Both are findable, and both are citable. (Proposed penalties like Amazon's are not final; they shift through settlement and contest.)

The broader pattern of citation-generating recordkeeping errors is covered in 5 OSHA recordkeeping mistakes that lead to citations.

This post is general compliance information, not legal advice. Verify current regulatory text against eCFR and your state plan's requirements — state-plan states such as California, Washington, and Oregon may impose additional or more stringent privacy and access requirements.