Behind the Screens
Practical Answers to Industrial Hygiene Data Privacy Questions
BY SPENCER PIZZANI
Editor’s note: This article presents the author’s perspective on privacy issues as they relate to aspects of OEHS practice. The opinions in this article do not necessarily reflect those of AIHA or The Synergist, nor do they constitute legal advice. When confronted with these issues, readers should consult legal counsel. The author welcomes letters to The Synergist on this topic.
As technology in real-time detection systems continues to advance, direct-reading instruments have raised difficult questions about exposure monitoring data collection and management. Because this data is not consistently addressed in the many and varied state, national, and international laws that govern the collection and handling of information about individuals, it is up to the practitioner and organization to determine where this kind of data fits into governance protocols. Any such determination should be grounded in a documented opinion informed by an examination of what rules may apply and how.
WHAT WE ALREADY AGREE ON
There are three worker privacy tenets that industrial hygienists generally support. First, worker privacy should be protected. Second, as discussed in a recent paper in the Journal of Occupational and Environmental Hygiene, the sharing of exposure monitoring data improves the management of exposures for all workers and can be done ethically. And third, the collection of personally identifiable information, or PII, should be limited as follows:
• PII should not be included when exposure monitoring data is shared.
• Associating PII with exposure records should occur only when absolutely necessary.
• It is always preferable to substitute values such as organization ID number for data like names and governmental identification numbers.
• Data must be anonymized before sharing.
COMPLEX QUESTIONS
Because of the importance of this data and the complexity of these interactions, opinions vary even at the most fundamental level. Examining these issues in the form of several common questions may help organizations determine their preferred approach.
Question: Does the Health Insurance Portability and Accountability Act (HIPAA) prevent exposure monitoring data from being shared?
The federal government in the United States protects health information through HIPAA. (See the article on page 22 for further discussion of the privacy aspects of this law.) The privacy and security rules established in HIPAA apply only to protected health information, as explained on the website of the Department of Health and Human Services (DHHS). HIPAA defines health information as relating to the health of an individual. Even personal exposure monitoring data that exceeds an occupational exposure limit is not necessarily health information, because OELs, as ACGIH maintains regarding its Threshold Limit Values, “do not represent a fine line between a healthy versus an unhealthy work environment or the point at which material impairment of health will occur.” Because exposure monitoring data is not directly associated with health conditions, exposure monitoring is not health information in accordance with the HIPAA definition. Indeed, assuming that exposure data was health information would, by the same logic, also implicate air quality data, model of automobile, and eye color as health information since they all factor in analysis of risk.
Supposing that exposure monitoring data was somehow health information, the next definition to examine would be that of a covered entity. Employers are not covered entities unless they are operating as a health plan, health clearinghouse, or healthcare provider. Most organizations do not meet this definition, especially when their industrial hygiene program is not intended to prevent occupational disease. When an organization employs both the monitored employee and an occupational medicine professional, then the employer could become a covered entity. However, employment records held by a covered entity in its role as an employer are specifically exempt under the DHHS definition of protected health information.
Answer: No, HIPAA does not apply to exposure monitoring records. Exposure monitoring records are not medical records.
Question: Are wearable instruments, such as those that measure heat strain or solar ultraviolet light exposure, medical devices?
Instruments that detect biological signals, such as heart rate, breathing rate, and kinematic motion, are growing in popularity due to their potential to simplify complex modeling, determine the gap between the monitored environment and specific workers, and collect primary data for retrospective analysis. These devices provide data streams such as heart rate that may appear to be sensitive health information. Many of these devices feed a signal into an algorithm, which produces a calculated output.
The key development in these instruments is data capture. Industrial hygienists have been involved in implementing heart rate guidance for heat strain and modeling respiratory protection on breathing rate for nearly a century. Collecting and interpreting this kind of data is not new territory; what is new is the method of recording and storing it.
However, it is important to remember that industrial hygienists are interpreting sensor response and not health information or vital signs. The purpose of interpreting sensor response is to drive exposure control intervention, not the diagnosis of illness or the prevention of disease. Following detection of a signal or condition of sufficient concern, the industrial hygienist will identify a response, which may include investigation, first aid, medical evaluation, or other actions that respect the boundary between exposure monitoring and the practice of medicine.
In the U.S., the Food and Drug Administration defines a medical device by three criteria found under section 201(h) of the Federal Food, Drug, and Cosmetic Act. Under this definition, such a device would need to be “intended for use in the diagnosis of disease […], or in the cure, mitigation, treatment, or prevention of disease.” Devices that are intended to provide insight on exposure to heat and the control of work do not perform any function on disease, instead focusing on monitoring and control of exposure. Therefore, they are not medical devices. The key part of this definition is related to mitigation or prevention of disease. Industrial hygiene is focused on exposures that may or may not result in the risk of such disease.
Further, in its guidance titled “General Wellness: Policy for Low Risk Devices,” FDA defines a general wellness product as “intended [...] to [maintain] a general state of health.” The agency distinguishes between “general wellness products that are not medical devices” and “general wellness products that are medical devices for which FDA does not intend to enforce requirements.” One stated example relates to advisory ultraviolet (UV) exposure, describing a function that may “play an important role in health outcomes.” Another example describes a pulse monitor that “does not refer to a disease or medical condition.” Both instruments bear resemblance to personal exposure monitoring devices and supporting software. FDA would classify both such products as general wellness products.
There is, additionally, a potential distinction between an exposure monitoring device that assesses an exposure, such as a gas, particle, or radiation exposure monitor, and a physiological monitoring device intended to assess the impact of a potential exposure. Physiological monitoring devices that assess factors such as heart rate or skin discharge have received little regulatory attention, and significant questions remain about their role and classification, especially when considering the role of medical monitoring.
Answer: No, exposure monitoring and physiological monitoring devices are not medical devices, because they assess exposures and are not intended to diagnose, mitigate, or prevent disease.
Question: Does the use of wearable sensors constitute the practice of medicine?
In the U.S., the definition of the practice of medicine varies by state. International definitions also vary in both content and structure and are sometimes tied to licensure or the context of services offered. Several factors separate the practice of medicine from exposure monitoring.
First, industrial hygienists are not attempting to diagnose or treat any disease.
Second, they make recommendations for changes to exposures directly to an employer, rather than to an individual as a patient.
Third, they are assessing the risk of potential health effects, rather than specific conditions.
Fourth, the recommendations made are often generalized to most individuals who may perform a task or experience a similar exposure.
As a further test, consider the industrial hygienists who perform a regulatory function instead of consulting or representing an employer directly. Such regulators are not licensed or expected to practice medicine, nor do they meet any of the three criteria above. In most cases, the only difference between the practice of regulators and other industrial hygienists is the ability to compel adoption of their recommendations.
Operation or assignment of personal monitoring devices that measure gases or aerosols is not the practice of medicine. Neither is the identification of key exposure symptoms or characteristic odors associated with specific toxicants.
Answer: No, the operation of exposure monitoring devices is not the practice of medicine.
Question: Does the European Union’s General Data Protection Regulation (GDPR) prohibit the sharing of exposure monitoring data?
Article 9 of GDPR prohibits processing of personal data concerning health. However, that article also exempts exposure monitoring data, which the regulation describes as data that is “necessary for the purposes of carrying out the obligations … in the field of employment.” Sharing monitoring data may not be considered necessary, but properly anonymized data, where the person’s identity is irreversibly removed, no longer falls under GDPR.
Answer: No, GDPR does not apply to anonymized exposure monitoring data. GDPR specifically allows processing of any exposure monitoring data necessary for employer obligations.
Question: Does exposure monitoring data constitute research on human subjects?
In the U.S., the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule,” governs the use of Institutional Review Boards (IRBs), which oversee research on human subjects. Under the Common Rule, research is defined as “systematic investigation […] designed to develop or contribute to generalizable knowledge.” Because most exposure monitoring is not designed to contribute to generalizable knowledge, only to the specific circumstances of exposure, exposure monitoring does not meet the definition of research.
Once exposure monitoring data has been collected and anonymized, the definition of human subject no longer applies because the data no longer contains identifiable private information.
Answer: No, exposure monitoring data is not research under the Common Rule. Further, anonymized exposure monitoring data no longer meets the definition of research on a human subject.
HOW TO AVOID TROUBLE LATER
The following practices are recommended for handling information about workers:
Get proactive worker consent. Obtaining consent from monitored employees reduces the number of interpretations needed to execute a responsible industrial hygiene monitoring program. Coordinate with your human resources department before making this request.
Set employment policy. Depending on regulations, many employers can require participation in monitoring programs as a condition for employment if such a policy is established before monitoring begins. Doing so also helps reduce refusal to participate in follow-up evaluations, such as when seeking to confirm or repeal OSHA-recordable hearing loss incidents.
Document interpretations. A clear and logical framework outlining acceptable and prohibited actions within an industrial hygiene program can help prevent loss of institutional knowledge and mitigate legal challenges.
Collect exposure monitoring data in the format described in AIHA’s forthcoming guidance document. Collecting and storing exposure monitoring data in a sharable format is the first step to participating in a larger exposure monitoring data sharing collaborative, which will benefit workers everywhere.
SPENCER PIZZANI, CIH, is the occupational health manager for PepsiCo Global EHS.
RESOURCES
ACGIH: “TLV Chemical Substances Introduction.”
AIHA: “Best Practices for Industrial Hygiene Data Standardization” (PDF, October 2024).
Department of Health and Human Services: 2018 Requirements (2018 Common Rule), 45 CFR part 46.102.
Department of Health and Human Services: HIPAA Administrative Simplification, 45 CFR Part 160 (PDF, March 2013).
Department of Health and Human Services: “Summary of the HIPAA Security Rule” (October 2022).
European Union: General Data Protection Regulation, Article 9: Processing of Special Categories of Personal Data.
Food and Drug Administration: General Wellness: Policy for Low Risk Devices (September 2019).
Journal of Occupational and Environmental Hygiene: “Review of Ethics for Occupational Hygiene Hazard Monitoring Surveys Using Sensors” (October 2023).
U.S. House of Representatives: 21 USC Chapter 9 Section 321, Federal Food, Drug, and Cosmetic Act.