Cal/OSHA IIPP: Complete Guide to §3203 for CA Employers

Q: Is an IIPP the same as an SB 553 workplace violence prevention plan?

No. The IIPP is required under 8 CCR §3203 and covers all workplace safety hazards. SB 553 (codified at Labor Code §6401.9) requires a separate Workplace Violence Prevention Plan. Most California employers need both.

Q: How often do I have to review my IIPP?

Whenever new hazards are identified, after any workplace incident, and in practice at least annually. §3203 requires the program to be in effect at all times, which means it has to reflect current workplace conditions.

Q: What's the penalty for not having an IIPP?

Cal/OSHA publishes current penalty amounts, and they are adjusted annually. See the Cal/OSHA Citation Statistics page for the latest figures.

Q: Do I need an IIPP if I only have one employee?

Yes. §3203 applies to every California employer with at least one W-2 employee. There is no small-employer exemption.

Q: Can I use the State Fund IIPP Builder?

Yes. State Fund's IIPP Builder℠ is free and open to guests, not just State Fund policyholders. It generates a written plan document that satisfies §3203's written-plan requirement.

The Cal/OSHA IIPP requirement is Title 8, Section 3203 of the California Code of Regulations — a written Injury and Illness Prevention Program that every California employer must establish, implement, and maintain. It has been mandatory for virtually every CA employer since 1991, and §3203 is one of the most-cited standards Cal/OSHA enforces.

An IIPP is not a binder you write once and forget. It is an active program built around eight required elements: responsibility, compliance, communication, hazard assessment, accident investigation, hazard correction, training, and recordkeeping. This guide walks through what §3203 actually requires, who it applies to, and how to keep your program audit-ready.

What Is an Injury and Illness Prevention Program (IIPP)?

An Injury and Illness Prevention Program is a written, workplace-specific safety program required by 8 CCR §3203. The goal is simple: identify the hazards in your workplace before they injure someone, fix them, train employees on safe work practices, and keep records that prove you did it.

Cal/OSHA's IIPP eTool describes the program as a continuous cycle — not a one-time document. You write the plan, but the plan only matters if the inspections, training, and recordkeeping behind it are actually happening.

Who Must Have an IIPP in California?

Every California employer with at least one W-2 employee. There is no small-employer exemption. A two-person office needs an IIPP. A 400-person manufacturer needs an IIPP. The exemptions that exist are narrow and mostly federal or maritime.

This is different from some other California safety rules. SB 553, for example, generally applies at 10 employees (or to any employer whose workplace is open to the public). §3203 has no such threshold — if you have one employee, you need a program.

The 8 Required Elements of a Cal/OSHA-Compliant IIPP

§3203 lists eight elements every written IIPP must include. Missing any one of them is a citable gap.

1. Responsibility

Name the person who is accountable for the program. This is not a shared duty — §3203 wants a specific person (by name or job title) with authority to implement the plan. For small employers, this is usually the owner, office manager, or HR lead.

2. Compliance

Document how you ensure employees actually follow safe work rules. That includes recognition for safe performance, retraining when someone doesn't follow procedures, and discipline as a last resort. "We tell people to be careful" is not a system.

3. Communication

Establish a two-way communication system so employees can report hazards without fear of reprisal, and so safety information reaches every worker — including employees who don't speak English as a first language. Toolbox talks, safety meetings, posted bulletins, and an anonymous reporting channel all qualify.

4. Hazard Assessment

Run scheduled workplace inspections and unscheduled inspections whenever conditions change (new equipment, new processes, new employees, new hazards, after an incident). Each inspection must be documented: who, when, what they found.

5. Accident and Exposure Investigation

When something goes wrong — an injury, a near-miss, a hazardous exposure — §3203 requires an investigation. Document the cause, the contributing factors, and the corrective actions you took.

6. Hazard Correction

Unsafe conditions must be corrected in a timely manner based on severity. Imminent hazards get fixed immediately; lower-severity issues get a documented timeline. The paper trail matters: inspectors want to see that a hazard found on January 5 was actually corrected by January 12.

7. Training

Train every employee on general safe work practices and on the specific hazards of their job. Training is required for new hires, for new job assignments, whenever a new hazard is introduced, and whenever the employer is made aware of a new or previously unrecognized hazard. In practice, most employers run refresher training annually. See our sibling guide on SB 553 training requirements for how workplace-violence training fits alongside your IIPP training.

8. Recordkeeping

Keep records of inspections (what was found, what was corrected) and training (who was trained, when, on what). §3203 also includes a 5-business-day employee access rule — added by a 2017 amendment — requiring employers to make IIPP records available to an employee or their representative within five business days of a written request. Miss the deadline and you have a recordkeeping violation on top of whatever else inspectors find.

Why Cal/OSHA IIPP Compliance Matters

§3203 is consistently one of the most-cited Cal/OSHA standards. That's not because IIPP rules are obscure — they're plainly written — it's because the standard covers so much ground. A missing training record, a stale inspection log, or an unnamed program administrator all trigger the same citation.

Cal/OSHA publishes current penalty amounts on its Citation Statistics page, and the amounts are indexed annually. Rather than memorize numbers, treat the IIPP as an operational program: if inspections are running on schedule and training records are current, the penalty question rarely comes up.

How to Build (or Maintain) Your IIPP

There are two starting points, depending on where you are today.

Starting from scratch

Use one of the free, authoritative templates. Cal/OSHA publishes an IIPP guide and model program, and State Compensation Insurance Fund offers a free IIPP Builder℠ that's open to guests, not just policyholders. Both will get you a written plan document that satisfies §3203's written-plan requirement.

Already have a plan

Most California employers already have something in a binder. The real compliance work — the part that actually fails audits — is keeping training records current, documenting inspections, logging incidents, and retraining on schedule. That's the operating layer State Fund's IIPP Builder doesn't ship, and it's what CompliantCA is built to handle: import your existing plan, track who's been trained on what, log hazards and incidents, and export an audit packet when Cal/OSHA asks.

Common IIPP Compliance Mistakes

“We have a plan, it's in the binder”

A plan written in 2014 that hasn't been updated since is a liability. §3203 requires the program to reflect current hazards and current staff. If you've added equipment, moved locations, or hired a new crew, the plan needs to catch up.

No proof of training

This is the gap Cal/OSHA inspectors ask about first. You can train every employee perfectly and still get cited if you can't produce a record showing who was trained, when, and on what topic. Training without a record is, for audit purposes, training that didn't happen.

Hazard inspections not documented

Walk-throughs count only if they're written down. A simple log with date, inspector, area, findings, and corrective actions is enough — but the log has to exist.

Missing the 5-business-day access rule

If an employee requests IIPP records in writing, you have five business days to produce them. Employers who don't know this rule exists often blow the deadline and hand inspectors an easy citation.

Frequently Asked Questions

Is an IIPP the same as an SB 553 workplace violence prevention plan?

No. They're separate requirements under separate statutes. The IIPP is required by §3203 and covers all workplace safety hazards. The WVPP is required by Labor Code §6401.9 (added by SB 553) and covers workplace violence specifically. Most California employers need both. See our What Is SB 553 guide for the workplace-violence side.

How often do I have to review my IIPP?

Whenever hazards change, after incidents, and in practice at least annually. §3203 requires the program to be in effect and current at all times — annual review is the minimum cadence most employers settle on to stay ahead of it.

What's the penalty for not having an IIPP?

Cal/OSHA publishes current penalty amounts at its Citation Statistics page, and they are adjusted annually. Check the live page for today's figures rather than memorizing a number that will be out of date next year.

Do I need an IIPP if I only have 1 employee?

Yes. §3203 has no headcount threshold. One W-2 employee triggers the requirement.

Can I use the State Fund IIPP Builder?

Yes. The IIPP Builder℠ is free and open to guests, not just State Fund policyholders. It produces a written plan document; you're still responsible for running the program after the document is generated.

Sources & References

8 CCR §3203 — Injury and Illness Prevention Program — California Code of Regulations
Cal/OSHA IIPP Guide and Model Program — Cal/OSHA
Cal/OSHA IIPP eTool — Cal/OSHA
Cal/OSHA Citation Statistics — Cal/OSHA
IIPP Builder℠ — State Compensation Insurance Fund

CompliantCA organizes compliance records using Cal/OSHA-published requirements. We are not a law firm and do not provide legal advice. Review your IIPP with your safety officer or attorney before adoption.

Cal/OSHA IIPP: The California Employer's Guide to §3203 Compliance