Back to Blog
SB 553 Compliance

"PII in Incident Logs: The Privacy Trap Employers Miss"

"SB 553 violent incident log PII requirements: what must be documented vs redacted, access restrictions, digital vs paper security, and HIPAA intersection."

Protekon Compliance Team

April 13, 2026

"PII in Incident Logs: The Privacy Trap Employers Miss"

You have two problems and you do not know about either of them.

Problem one: SB 553 requires you to maintain a violent incident log. If you do not have one, you are out of compliance and a Cal/OSHA citation is coming.

Problem two: If you maintain that log incorrectly — specifically, if you include personally identifiable information that the law requires you to exclude — you have created a liability that is worse than the citation you were trying to avoid.

Welcome to the privacy trap. Almost every employer who takes a stab at SB 553 compliance walks right into it.

What SB 553 Actually Requires in Your Incident Log

Let me lay out what the law says, because the number of business owners operating on secondhand summaries is alarming.

California Labor Code Section 6401.9 requires employers to maintain a violent incident log for every workplace violence incident. The log must include:

  1. **Date, time, and location** of the incident
  2. **A detailed description** of the incident
  3. **A classification** of who committed the violence (Type 1: criminal intent, Type 2: customer/client, Type 3: worker-on-worker, Type 4: personal relationship)
  4. **The type of violence** (physical attack, threat, sexual assault, animal attack, or other)
  5. **The circumstances** at the time of the incident (working alone, poorly lit area, understaffed, etc.)
  6. **Consequences of the incident** — whether an injury occurred, what kind, whether it was reported to law enforcement
  7. **What actions were taken** — investigation, corrective actions, follow-up

That is a comprehensive list. You need detail. You need specifics. You need enough information that someone reviewing the log a year from now can understand what happened and what you did about it.

But here is the trap: you need all of that detail while simultaneously protecting the privacy of every person involved.

What Must Be Excluded: The PII Prohibition

The same section of the law that requires the detailed log also requires that the log contain **no personally identifiable information** of any person involved in the incident.

No names. No employee ID numbers. No job titles that identify a specific individual. No physical descriptions that could identify someone. No home addresses. No phone numbers. No Social Security numbers.

Nothing that allows a reader of the log to figure out who was involved.

Think about that for a minute. You need to document a detailed account of what happened, including the classification of violence and the circumstances, but you cannot include any information that identifies the people involved.

This is where 90% of employers fail. Because documenting a workplace violence incident without naming anyone requires a system — and most employers are trying to do it with a blank Word document.

The Three Ways Employers Get This Wrong

**Mistake 1: Including names directly.** This is the obvious one. "John Smith in the warehouse threatened Maria Garcia on March 15." That log entry violates the PII prohibition. Both names need to be replaced with anonymized identifiers — "Employee A," "Employee B," or a case reference number.

**Mistake 2: Including identifying details that function as PII.** "The night shift supervisor in our Riverside warehouse, who has been with us for twelve years, made threatening statements to the new hire in department 7." You did not use names. But if your Riverside warehouse has one night shift supervisor who has been there twelve years, you just identified them. Anyone with access to the log and basic company knowledge can figure out who this is.

This is functional PII, and it violates the statute just as thoroughly as using a name.

**Mistake 3: Maintaining the detailed investigation file and the incident log as a single document.** Your investigation file — the one your HR team or safety coordinator uses internally — needs names, witness statements, disciplinary actions, and all the identifying details necessary to manage the situation. That file is confidential and access-restricted.

Your incident log is a separate document. It contains the anonymized record required by SB 553. It does not contain names. It does not reference the investigation file by case number in a way that allows cross-referencing.

Two documents. Two purposes. Two access levels. If you are combining them into one, you are creating a privacy violation every time you log an incident.

Access Restrictions: Who Can See What

The incident log is not a public document, but it is not fully confidential either. Here is who has access and under what conditions:

**Cal/OSHA inspectors.** They can request your incident log during an inspection. They are entitled to review it. This is the primary audience for the log — it demonstrates that you are tracking incidents and responding to them.

**Employees and their representatives.** Under certain circumstances, employees and authorized employee representatives may request access to the incident log. This is why the PII prohibition exists — the log must be reviewable without exposing the identities of victims, perpetrators, or witnesses.

**Management and HR.** Internal personnel responsible for workplace safety should have access to the log for trend analysis and plan review purposes.

**Nobody else.** The log should not be posted in a break room, included in company-wide emails, shared with clients, or stored on a shared drive accessible to all employees.

If you are maintaining the log on a shared Google Drive folder that half the company has access to, stop reading this article and go fix that immediately.

Digital vs. Paper: Security Considerations

SB 553 does not specify whether your incident log must be digital or paper. Both are acceptable. Neither is automatically better. Both can fail catastrophically.

**Paper log failures:**
- Stored in an unlocked file cabinet accessible to anyone in the office
- No backup — a fire, flood, or office move and the log is gone
- No audit trail — no way to prove when entries were made or if they were altered
- Multiple copies floating around with no version control

**Digital log failures:**
- Stored in a shared folder without access controls
- No encryption at rest or in transit
- No access logging — no record of who viewed the log and when
- Stored on personal laptops that could be stolen or lost
- Backed up to personal cloud storage accounts outside company control

The right answer depends on your organization, but the minimum requirements are the same regardless of format:

  1. **Access controls.** Only authorized personnel can view the log.
  2. **Audit trail.** You can demonstrate when entries were created and by whom.
  3. **Backup and recovery.** The log survives hardware failure, natural disaster, or employee departure.
  4. **Encryption.** If digital, the log is encrypted at rest and in transit.
  5. **Physical security.** If paper, the log is in a locked cabinet in a restricted area with a sign-out sheet.

The HIPAA Intersection: When Healthcare Makes It Worse

If you are in healthcare, you have an additional layer of complexity that makes most employers' heads spin.

When a workplace violence incident results in a physical injury, the medical treatment information associated with that injury may be protected health information (PHI) under HIPAA. This creates a dual-regulation scenario:

SB 553 requires you to document the consequences of the incident — whether an injury occurred and what kind.

HIPAA restricts how you store, transmit, and share medical information about individuals.

The intersection point is this: your incident log can note that "an injury occurred requiring emergency medical treatment" but it cannot include diagnostic details, treatment specifics, or medical provider information in a way that connects to an identifiable individual.

For non-healthcare employers, this intersection is narrow. You document that an injury occurred, you note the general nature (laceration, contusion, etc.), and you move on.

For healthcare employers — where the victim may be a patient, the perpetrator may be a patient, and the incident may have occurred in a treatment setting — the intersection is a minefield. Patient information involved in the incident must be handled under HIPAA rules even when it appears in an SB 553 document.

If you operate in healthcare and you do not have a documented protocol for how workplace violence incident logs handle PHI, you have a compliance gap that spans two regulatory frameworks simultaneously.

Building a Log That Survives Scrutiny

Here is what a defensible incident log entry looks like:

**Date:** March 15, 2026
**Time:** 2:45 PM
**Location:** Building C, Loading Dock Area
**Incident Type:** Physical attack
**Violence Classification:** Type 3 (worker-on-worker)
**Description:** Employee A made verbal threats toward Employee B regarding a scheduling dispute. Employee A then pushed Employee B against a wall. Employee B sustained a minor shoulder contusion. Other employees in the area intervened and separated the individuals.
**Circumstances:** Area was understaffed during shift change. No supervisor present in the immediate area. Lighting adequate. No prior documented incidents between these individuals.
**Injury:** Yes — minor contusion, treated on-site by first aid. No emergency medical transport.
**Law enforcement:** Not contacted — situation was resolved by on-site management.
**Corrective actions:** Investigation initiated same day (Case #2026-015). Shift change supervision protocol under review. Area staffing levels under review. Both employees referred to EAP.
**WVPP review trigger:** Yes — incident documented as trigger for off-cycle plan review per Section 4.2 of WVPP.

Notice what is present: detail, context, classification, consequences, and corrective actions.

Notice what is absent: names, employee IDs, job titles that identify individuals, physical descriptions, or any other PII.

The case reference number (2026-015) links to the confidential investigation file, which is stored separately with restricted access. The incident log does not contain the investigation file, and the investigation file is not accessible to anyone who can access the log.

The Cost of Getting This Wrong

Getting the incident log wrong exposes you on multiple fronts simultaneously:

**No log at all:** Direct SB 553 violation. Cal/OSHA citation. Per-violation penalty.

**Log with PII:** Privacy violation. Potential employee complaints. If the log is accessed during an inspection, the inspector now sees that you are collecting PII you should not be collecting — which signals broader compliance failures.

**Log with PII that gets breached or improperly shared:** Now you have an employment law claim. The employee whose identity was exposed in a workplace violence incident log — whether they were the victim, the perpetrator, or a witness — has grounds for a complaint. In healthcare settings, add a HIPAA violation on top.

**Log without sufficient detail:** The log exists but it is so vague that Cal/OSHA deems it inadequate. A log entry that says "incident occurred, no injuries, situation resolved" tells the inspector nothing and satisfies nobody.

You need the Goldilocks zone: detailed enough to demonstrate compliance, anonymized enough to protect privacy, structured enough to survive an audit.

Stop Treating This as a Forms Problem

The reason most employers get the incident log wrong is because they treat it as a forms problem. They download a template, fill in the blanks, and file it away.

The incident log is not a forms problem. It is a systems problem.

You need a protocol for who creates the entry, when it must be created, what information is included, what information is excluded, who reviews the entry for PII before it is finalized, where it is stored, who has access, and how long it is retained.

That protocol needs to be written down, and the people responsible for executing it need to be trained on it.

If your current system is "whoever was there fills out the form and gives it to HR," you do not have a system. You have a liability waiting to activate.

The privacy trap is real, it is common, and it is entirely preventable — if you build the system before the incident forces you to improvise.

Stay ahead of Cal/OSHA

Get the weekly compliance brief.

One email a week: new regulations, enforcement trends, and the templates we publish. No spam, unsubscribe any time.

See where you stand

What would Cal/OSHA cite you for today?

Run the compliance score. You'll see the gaps, the fine exposure, and the remediation path.

Get your score

Related Articles

"Is SB 553 Applicable to My Business: A Screening Guide"

"Is SB 553 Applicable to My Business: A Screening Guide"

"Decision tree for SB 553 applicability: employees in CA, on-site work, public interaction, exemptions, and common misconceptions."

"SB 553 Permanent Standard: What Is Coming Next"

"SB 553 Permanent Standard: What Is Coming Next"

"Cal/OSHA Standards Board rulemaking for the SB 553 permanent standard: expected changes, public comment timeline, and what employers should prepare for."

"After a Workplace Violence Incident: Your 72-Hour Checklist"

"After a Workplace Violence Incident: Your 72-Hour Checklist"

"Hour-by-hour response checklist: immediate safety, Cal/OSHA reporting, incident log, investigation, WVPP review, and employee support services."

"Why Free WVPP Templates Fail OSHA Inspection"

"Why Free WVPP Templates Fail OSHA Inspection"

"Common template failures: generic language, missing elements, no employee involvement, no hazard assessment, no training program. What Cal/OSHA actually checks."