What Practice Owners Need to Know About Personal Liability Under OSHA (29 CFR § 1904.1)

Practice owners can face personal liability under OSHA obligations when recordkeeping, reporting, or supervisory conduct demonstrates willful neglect, falsification, or deliberate obstruction. (29 CFR §1904.1(a)(1)–(2)) sets the employer's duty to maintain accurate logs for work-related injuries and illnesses, and regulators may identify responsible individuals during enforcement. For small healthcare practices, owners must implement simple, durable systems, named Records Custodians, timely incident investigations, transparent reporting, and documented non-retaliation policies, to reduce the chance that an enforcement action becomes a personal legal exposure.

Small healthcare practices frequently believe that a corporate entity shelters owners from enforcement risk. However, regulatory and enforcement realities are more nuanced: OSHA's recordkeeping and related rules impose duties that, when ignored or subverted at the supervisory level, can result in enforcement actions that identify responsible persons. Personal liability risk increases when owners give directives to alter records, instruct supervisors to hide incidents, or fail to maintain required logs. This guide clarifies the obligations of 29 CFR § 1904.1, explains how enforcement can target responsible persons, and provides an affordable, actionable program for small practices to prevent owner-level exposure.

Understanding What Practice Owners Need to Know About Personal Liability Under OSHA Under 29 CFR § 1904.1

(29 CFR §1904.4(a)–(b); §1904.7; §1904.29) sets the scope of OSHA's recordkeeping and reporting requirements. It defines the employer's duty to record and report work-related injuries and illnesses using the prescribed forms and processes. The regulation does not use the phrase "personal liability" explicitly, but enforcement policies and case law show that individuals can be named when investigations reveal personal responsibility, willful actions, or obstruction. For owners, the key legal touchpoints include: accurate, contemporaneous records (OSHA Form 300 / 300A / 301 or equivalent), the duty to report severe injuries (hospitalizations, amputations, loss of an eye) per Part 1904 reporting rules, and the prohibition on falsifying records. Demonstrating consistent, documented processes aligns practice behavior with the regulation and reduces the chance that inspectors will treat lapses as intentional misconduct.

HHS Office for Civil Rights (OCR) enforces HIPAA and focuses on privacy protections, not OSHA safety mandates. However, when injury records or incident documentation include patient information or when a complaint involves both workplace safety and PHI handling, OCR and OSHA inquiries can overlap. Owners should segregate OSHA records from PHI-containing clinical records and be prepared to show the appropriate documents to each agency. Maintaining clear document trails for both OSHA and HIPAA obligations helps owners avoid missteps when multiple agencies request materials during reviews.

This section converts requirements into concrete steps, each tied to specific evidence owners should maintain and low-cost ways to implement them.

Step 1. Assign a Records Custodian

How to comply: Appoint a named Records Custodian responsible for maintaining OSHA logs, receiving incident reports, and communicating with authorities. Make the assignment official through a signed memo or job description.
Required documents/evidence: Delegation memo, job description, and a small responsibility checklist.
Low-cost option: Use an internal staff member (office manager or lead nurse) and document the assignment on a one-page memo.

Step 2. Implement a standardized incident intake process

How to comply: Create a uniform incident report form and process to capture timelines, witnesses, photos, and immediate corrective actions. Require that incidents are reported within 24–48 hours and that the Records Custodian reviews them promptly.
Required documents/evidence: Incident report forms, timestamped photos, witness statements, and signed corrective action entries.
Low-cost option: Use a printable form or a shared cloud form (Google Form) that auto-stamps submissions.

Step 3. Conduct prompt, documented investigations

How to comply: For each incident, record a brief investigation: what happened, root cause analysis, corrective actions, and follow-up verification. Avoid altering original reports.
Required documents/evidence: Investigation memo, photos, corrective action checklist, and follow-up notes.
Low-cost option: Maintain a standard investigation template and store PDFs in a dated folder.

Step 4. Maintain accurate OSHA logs and timely postings

How to comply: Enter recordable incidents in the OSHA 300 log, complete the 301 or equivalent narratives, and post the 300A summary during the required window (February 1–April 30) (29 CFR §1904.29; §1904.32(a)(2); §1904.33(a)) Ensure logs are contemporaneous to avoid inference of concealment.
Required documents/evidence: Completed forms, screenshots of digital logs, and a photo of posted 300A during the posting period.
Low-cost option: Use a spreadsheet that mirrors Form 300 and generate a PDF for archives.

Step 5. Train supervisors on reporting obligations and non-retaliation

How to comply: Provide annual training to supervisors emphasizing truthful reporting, the prohibition on retaliation, and the consequences of record falsification (29 CFR §1904.35(b)(1)(iv); §1904.36). Document training attendance and include a signed non-retaliation policy acknowledgement.
Required documents/evidence: Training slides/notes, attendance roster, signed policy acknowledgements.
Low-cost option: Integrate a 15–20 minute module into routine staff meetings and collect sign-in sheets.

Step 6. Lock down records and track edits

How to comply: Implement controls limiting who can edit OSHA logs and maintain an edit/change log that records who made changes, when, and why. For paper logs, keep originals and append corrections with explanations.
Required documents/evidence: Access control records, edit logs, and original vs. corrected document comparisons.
Low-cost option: Use cloud document history features or maintain a manual change log.

Step 7. Handle OSHA inspections and inquiries carefully

How to comply: Design a standard inspection response packet: a cover letter, requested records organized chronologically, a contact person, and a document trail recording what was provided. Avoid destructive edits during an inspection. If an inspector requests originals, note what was provided and when. Consider legal counsel in higher-risk cases.
Required documents/evidence: Copies of records sent, delivery receipts, and correspondence logs.
Low-cost option: Prepare a template response packet and pre-collect commonly requested items to expedite responses.

Step 8. Be transparent and remediate quickly if errors are found

How to comply: If errors are discovered, document the error, implement corrective actions, and notify OSHA if required. A transparent corrective action plan with evidence of remediation reduces chances of escalation to personal enforcement.
Required documents/evidence: Corrective action plan, implementation evidence (photos, receipts), and follow-up audits.
Low-cost option: Use a corrective action checklist and require supervisor sign-off once actions are complete.

Step 9. Purchase appropriate liability coverage

How to comply: Review insurance options that may provide defense coverage for regulatory actions (e.g., Employment Practices Liability Insurance or similar endorsements). Discuss options with a broker to balance cost and coverage.
Required documents/evidence: Insurance policy summaries, certificates of coverage, and scope of defense coverage.
Low-cost option: Shop small-business packages or add endorsements to existing policies.

Owners should also document near-miss reports and close calls, which provide evidence of proactive safety management and reduce the appearance of neglect. Near-miss data, while not required on OSHA Form 300, forms part of a robust safety program and is persuasive during inspections because it shows active hazard recognition and mitigation. Maintain a simple near-miss log, and link each entry to a corrective action or review note to show continuous improvement.

Additionally, owners must understand the interplay between state plan OSHA programs and federal OSHA: some states operate their own OSHA-approved plans with different enforcement priorities or penalty schedules. When a practice operates in a state-plan state, consult the state agency's guidance to align retention timelines and reporting procedures. Keep a short reference note in your records indicating the applicable state-plan contacts and any state-specific requirements. This small diligence can prevent mismatches in expectations during inspections.

For small practices using third-party payroll or human resources services, ensure contractual clarity about who retains the OSHA logs and who will provide records in response to regulatory requests. Misunderstandings with payroll vendors about record custody have led to delays and additional scrutiny in inspections; a written agreement specifying responsibilities prevents such gaps.

Finally, consider a low-cost table-top exercise once per year to rehearse an OSHA inspection or an employee complaint scenario. Simulations help staff practice document retrieval, inspector interaction basics, and internal communication. Document the exercise results and corrective steps taken; this evidence supports a practice's proactive posture and minimizes the risk that a genuine inspection will expose organizational confusion or concealment.

Case Study

A small two-provider clinic failed to log a non-fatal, but recordable injury after management encouraged a supervisor to classify the incident as non-work-related. An employee later filed a complaint alleging the practice discouraged reporting. OSHA inspected, found inconsistencies between witness statements and the clinic's log, and cited the practice for recordkeeping violations (29 CFR §1904.1(b); §1904.29).

Because the owner had instructed the supervisor to 'quiet it down,' OSHA named the owner as a responsible person in the citation. Remediation included corrective actions, mandatory training, and a third-party audit; fines were moderate, but reputational damage delayed a planned sale. This case shows how owner directives and poor record integrity lead directly to personal exposure.

Common Pitfalls to Avoid Under 29 CFR § 1904.1

Below are common errors owners make, each tied to a legal reference and a practical consequence.

• Directing staff to alter or omit incident entries, which can be interpreted as falsification and lead to personal enforcement actions. (29 CFR 1904.1).

• Failing to promptly classify and log recordable incidents, which creates inconsistencies that inspectors view as intentional concealment. (29 CFR 1904).

• Allowing unrestricted access to edit logs without an audit trail, which impedes investigations and raises suspicion about data integrity. (29 CFR 1904.6).

Avoiding these pitfalls reduces the risk of citations that target individuals and strengthens defenses in the event of inspection.

Practical, affordable steps that owners can implement to guard against personal liability.

• Document delegation: a signed memo naming the Records Custodian reduces ambiguity about who is responsible.

• Preserve originals: never destroy original records; if corrections are needed, append corrections with dates and justifications.

• Visible leadership: make public statements that truthful reporting is expected and rewarded; reinforce this in meetings and policy documents.

• Periodic third-party review: an annual external checklist review or consultant audit can identify weaknesses before regulators do.

These measures create a defensible documentary record demonstrating owner commitment to compliance.

A culture of compliance begins at the top. Owners should model transparency, make compliance a regular agenda item, and reward staff for timely reporting. Create simple rituals: include an "incident review" item in weekly huddles, post anonymized lessons learned, and ensure managers sign off on incident investigations. Over time, these small practices create a norm against concealment and build the documentary evidence useful in defending against enforcement actions.

Final summary: Owners should treat OSHA recordkeeping duties as central risk controls and not as administrative burdens. Implement a Records Custodian model, standardize intake and investigations, lock down record edits, train supervisors, and prepare a standard inspection response packet. These steps reduce both regulatory and personal exposure and preserve business value.

Advisers subsection: Recommended authoritative resources include the Federal Register text for 29 CFR Part 1904 for statutory language and updates, and HHS OCR guidance when an incident potentially involves PHI. For low-cost tools, use spreadsheet templates that mirror OSHA forms, cloud backups for records, and inexpensive training modules for supervisors. Owners facing complex enforcement should consult employment law counsel with OSHA experience and their insurance broker regarding liability coverage.

• Recordkeeping and Reporting Occupational Injuries and Illnesses — 29 CFR Part 1904

• Disposal of Protected Health Information — HHS OCR FAQs

• HHS OCR Enforcement and Compliance Resources