Significantly, in its advice letter, OSHA justified its right to seek access to employer self-audits in order to prove employer knowledge of the condition, as well as for classification of violations and calculation of penalties.

OSHA does not hesitate to threaten to issue subpoenas for all employer self-audits.  Faced with such a request or subpoena, employers have no choice but to comply.  Neither OSHA nor the courts recognize the so-called “self-audit privilege”.  However, OSHA does recognize and respect, as it must, the attorney-client privilege, if it has been properly invoked and protected, so an employer is justified in refusing to produce privileged audits.

Some employers wrongly believe that there is nothing to hide. After all, they reason, an OSHA inspector can always find some technical violation of the standards -- it’s best not to antagonize the inspector and it shows good faith to admit the violation, so just agree to remedy it and pay the penalty – so goes the logic -- after all, the penalty can often be reduced at the informal conference.  However, our experience is that such thinking is naïve and dangerous.  OSHA inspectors and officials will take every advantage given to them; on the other hand, they are used to dealing with safety managers and OSHA counsel who assert the employer’s rights in a professional and courteous manner.   

Unfortunately, the disclosure of an unprivileged audit, particularly one done improperly, can be disastrous for the employer. ²  OSHA uses these audits, not only to establish employer knowledge of the violative conditions, but also to establish conscious disregard, in other words, to classify the violations as willful and to impose significant penalties.³  

Where uncorrected violations have caused serious injury or loss of life, an unprivileged self-audit can provide fodder for criminal investigators and can lead to indictments against the company and its officials.  In our experience, well intended, over-zealous and unguided auditors (both internal and outside contractors) commonly make statements in their audit reports that amount to the “smoking gun”, for example, opining that failure to correct the problem will result in serious injury or death!  Of course, once violations have been found and reported, the employer must take action, often at considerable expense, to remedy them.  One can imagine a “worst case scenario” in which OSHA discovers an unprivileged audit disclosing a condition that caused bodily injury or death, along with emails from managers expressing objections to the remedy as “too expensive”. 

Clearly, it is better to find and document problems so that they can be remedied, than to turn a blind eye.  Moreover, the proper use of self-audits often serves as a positive indicator to OSHA that the employer is acting in good faith. Thus, we support self-audits, whether or not they are part of a written safety and health program.  The key is to do them properly, so that they cannot be used as a weapon against the employer.  

How Do You Create and Protect the Privilege?

The attorney-client privilege is an evidentiary rule of court that is recognized in both state and federal courts.  Under these rules, a client has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purpose of facilitating the rendition of professional legal services to the client, for example (this is the example that is involved in privileging an audit), between the client or his representative and his lawyer and the lawyer’s representative.

The rule on privilege protects confidential communications made by the client as well as to the client.  It also protects not only confidential communications between the lawyer and his client, but also among others who need to know the content of the confidential communications, for example, an outside safety and health professional hired by the lawyer so that the lawyer can provide legal advice to his client. 

Thus, to create the attorney-client privilege, the client must seek legal advice from his attorney and satisfy the following elements:  there must be

1. A communication;
2. made between privileged persons;
3. in confidence;
4. for the purpose of seeking legal advice. 

If these elements are satisfied, then you, the client, may permanently protect the confidential communications between you and your attorney (as well as the confidential communications between your attorney and his safety and health auditor) from disclosure by you or your attorney, so long as the privilege is not waived.

You can choose to waive the privilege at any time, for example, by turning over to an OSHA inspector, the results of the audit.  You can also waive the privilege accidentally, for example, by telling the OSHA inspector, or anyone else outside the privilege (the union, other non-managerial employees, etc.) the contents of the audit report, or disclosing a copy of the report to any of them.

So how is a privileged audit done? 

In our practice, a privileged audit can be performed directly by OSHA counsel or, more often, we hire an outside safety or health professional to conduct the audit for us as attorneys. 

First, the client retains us by letter to provide legal advice, and authorizes us to conduct, or to hire a professional safety and health specialist to conduct, the audit.  Often, the audit can be focused on the particular hazards in the workplace, or the most likely problem areas. 

Second, we may retain a safety and health professional consultant who is acceptable to the client, by letter containing clear instructions to report the results to us as attorneys, first orally, and then, in writing. The consultant is not allowed to communicate their results to the client. Frequently, we find that our informal discussion with the consultant is helpful in limiting or containing the written report, so that we can, at the appropriate time, consider waiving the privilege and making the report available to an OSHA inspector. 

Finally, we communicate the results in a privileged discussion and/or written report together with our legal advice. 

As just one real life example, an employer wished to conduct a privileged audit to explore possible exposures of employees to environmental hazards that could cause cancer.   We advised that OSHA regulations require certain disclosures to employees who are exposed.  Further, we advised that the employer was likely to need to defend against possible citations by disclosing its response and remedial actions.  The client was rightly concerned that premature or unnecessary disclosure of drafts of the consultant’s findings, conclusions and opinions could be misinterpreted and used against them.  Accordingly, the drafts were protected by privilege, and a final report was approved and prepared for the record, so that it could be disclosed to employees and, if necessary, to OSHA. 

Specific OSHA Requirements

Employers should be aware that there are specific requirements in the OSHA standards for certain written programs or policies, hazard analysis and/or employee training.  Moreover, OSHA often cites employers for failure to assess hazards and/or to train employees, as part of any citation for violation of the general duty clause or a particular standard.  Examples of some of the specific standards that require written programs, employee training, and/or audits are as follows -- the list is not meant to be exhaustive:  

Under 29 CFR 1926.20(b), all construction employers must have a safety and health program with frequent and regular inspections of job sites by a competent person; and general industry employers are subject to various standards, among others, those dealing with confined spaces, 29 CFR 1910.146 (written program); lockout/tagout, 29 CFR 1910.147(c) (written policy specific to each energy source, and periodic inspections); process safety management, 29 CFR 1910.119 (comprehensive process hazard analyses, inspections, incident investigations, and compliance audits); hazardous waste, 29 CFR 1910.120; hazard communications, 29 CFR 1200 (written policy, training on MSDS sheets); bloodborne pathogens (written policy and training); personal protective equipment (PPE), 29 CFR 1910.132 (assess exposure hazards, and training); respirators, 29 CFR 1910.134(b)(f) (written procedures for selection and use, hazard assessment, surveillance of work area conditions and degree of employee exposure or stress, and  regular inspections and evaluations); the lead standard, 29 CFR 1910.1025(d), (e) (monitoring employee exposures to airborne lead, written compliance plan to reduce exposures to the permissible level, and semi-annual updates); and hearing conservation, 29 CFR 1910.95(c).

Conclusion

In short, employers need to anticipate and respond to what is likely to be a more vigorous and aggressive enforcement approach from OSHA.  This may include preparation of a written safety and health plan with employee involvement, employee training and properly conducted self-audits.