OSHA requirements are set by statute, standards and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at https://www.osha.gov.

June 21, 2017

Mr. James R. Cross
Executive Director
National Association for Public Safety Infection Control Officers
9250 Mosby Street, Suite 100
Manassas, Virginia 20110

Dear Mr. Cross:

Thank you for your letter to the Occupational Safety and Health Administration’s (OSHA) Directorate of Enforcement Programs regarding the application of OSHA’s Bloodborne Pathogens (BBP) Standard, 29 CFR 1910.1030. Specifically, you are requesting clarification on whether, under the BBP standard, a medical facility is required to provide source patient testing results to designated officers of emergency response employers (“designated officers”) when emergency response employees (“EREs”) have sustained exposures to communicable diseases, under Part G of the Ryan White HIV/AIDS Treatment Extension Act of 2009, 42 U.S.C. 300ff-131 et seq., (“Ryan White Law, Part G”). Your letter also raises questions about the privacy rules under the Health Insurance Portability and Accountability Act of 1996. Pub. L. No. 104-191, 110 Stat. 1936 (1996) (HIPAA). You are also asking whether the BBP standard prohibits a hospital from requiring EREs to receive post-exposure follow-up at the hospital. This letter constitutes OSHA’s interpretation only of the requirements discussed and may not be applicable to any question not delineated within your original correspondence. For clarification, your questions have been paraphrased. Our responses follow. 

Background: The Occupational Safety and Health Act of 1970, 29 U.S.C. 651 et seq. (“OSH Act”), is designed to protect private-sector and United States Postal Service employees in the Nation from workplace safety and health hazards. The OSH Act does not cover State and local governments and their employees. 29 U.S.C. 652 (5) and (6). Many EREs are employed by police departments and municipal fire and rescue services and thus would not be covered by Federal OSHA. In accordance with this exemption, Federal OSHA also does not cover medical facilities operated by State and local governments.

However, pursuant to section 18 of the OSH Act, 29 U.S.C. 667, States may enact and enforce laws for the occupational safety and health of private-sector employees if their programs are approved by Federal OSHA (“State Plans”) and if those plans include State and local government employees. 29 U.S.C. 667 (b) and (c)(6). The States must issue occupational safety and health standards as effective as Federal OSHA’s standards and enforce them as effectively as Federal OSHA does. 29 U.S.C. 667(c)(2). In other words, the State standards may provide more protection than the Federal OSHA standard. Thus, all of the States with State Plans have issued bloodborne pathogens standards which are the same as or at least as effective as the Federal OSHA BBP standard. As of this writing, twenty-two States have State Plans which cover private-sector and State and local government employees. Six States have plans which cover only State and local government employees. For more information on State Plans visit www.osha.gov/dcsp/osp/stateprogs. There, Federal OSHA provides general information about each State Plan, including contact information. For more detailed information on each State Plan, including the State’s BBP standard, visit the State Plan’s own website, which is linked to Federal OSHA’s webpage for the State.

In addition, hospitals receiving Medicare payments which are operated by State or local governments in States without OSHA State Plans must comply with the OSHA BBP standard. The U.S. Department of Health and Human Services enforces this requirement. 42 U.S.C. 1395cc(a)(1)(V) and (b)(4). 

Question 1: Is it an OSHA violation for a medical facility to refuse, due to HIPAA requirements, to provide source patient test results to Designated Officers of emergency responders who have sustained bona-fide occupational exposures to communicable diseases as stated in the Ryan White Law, Part G.

Response: The OSHA BBP standard and the Ryan White Law, Part G are separate requirements enforced by different entities. This response focuses on the OSHA BBP standard. For further interpretation of the Ryan White Law, Part G, please consult with the United States Department of Health and Human Services (HHS). 

The BBP Standard establishes requirements that must be met by the employers of workers who have reasonably anticipated exposure to blood or other potentially infectious materials (OPIM). 29 CFR 1910.1030. If an ERE suffers an “exposure incident,” i.e., “… a specific eye, mouth, other mucous membrane, non-intact skin, or parenteral contact with blood or other potentially infectious materials that results from the performance of an employee's duties” (29 CFR 1910.1030(b)), the employer of the affected ERE is required to initiate post-exposure and follow-up, per paragraph 29 CFR 1910.1030(f)(3), for its exposed employee. OSHA requires this post-exposure evaluation and follow-up to be given as soon as possible after exposure. If the source patient information is not under the control of the employer’s physician, then OSHA would expect the employer to perform due diligence to satisfy the requirements at paragraph 29 CFR 1910.1030(f)(3) by contacting the physician, medical office, or medical facility having the source patient information.

The obligations of employers who are not the employers of exposed employees are governed by OSHA directives on multi-employer worksites found in OSHA’s BBP standard directive, CPL 02-02-069, Enforcement Procedures for the Occupational Exposure to Bloodborne Pathogens, paragraph XI, and CPL 02-00-124, Multi-Employer Citation Policy. The multi-employer worksite policy in paragraph X of CPL 02-00-124, sets forth the obligations of various types of employers, such as employers who create the hazard (“creating employers”) and employers who control the hazard (“controlling employers”). So, while OSHA may cite the EREs’ employer for its failure to meet the requirements of post-exposure follow-up in the BBP standard, OSHA would, on a case-by-case basis, evaluate various employment situations to determine whether other employer(s) also bear OSHA responsibilities. As a matter of sound medical practice and public health, it is imperative to have the full cooperation of all entities possessing or controlling medical information that can aid in expediting the necessary follow-up for employees who experience an exposure incident. Medical facilities are urged to cooperate, to the extent allowed by applicable Federal (and/or State) laws, to assure expeditious transfer of information that is critical to protecting the health of affected EREs.

With respect to your question as to whether compliance with OSHA’s BBP standard for post- exposure follow-up would violate HIPAA, please be advised that OSHA coordinated this response with the National Institute for Occupational Safety and Health (NIOSH). From our preliminary discussions with NIOSH, it does not appear that a medical facility would violate HIPAA by complying with OSHA’s BBP standard for post-exposure follow-up. See the HIPAA rules at 45 CFR 164.512(a)(1) which provide: “(1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” 

Question 2: Is it an OSHA violation for medical facilities to dictate the post-exposure follow-up procedures and testing to be provided to emergency responders who are not employed by the facility following an exposure incident involving a patient transported to that facility?

Response: The BBP standard does not prohibit the medical facility from requiring EREs to follow its post-exposure follow-up and testing protocols. OSHA may cite the ERE’s employer if the requirements of post-exposure follow-up in the BBP Standard are not met. See the response to question 1 regarding OSHA’s requirements imposed on the employer in this scenario. 

Thank you for your interest in occupational safety and health. We hope you find this information helpful. OSHA’s requirements are set by statute, standards, and regulations. Our letters of interpretation do not create new or additional requirements but rather explain these requirements and how they apply to particular circumstances. This letter constitutes OSHA’s interpretation of the requirements discussed. From time to time, letters are affected when the Agency updates a standard, a legal decision impacts a standard, or changes in technology affect the interpretation. To assure that you are using the correct information and guidance, please consult OSHA’s website at https://www.osha.gov. If you have further questions, please feel free to contact the Office of Health Enforcement at (202) 693-2190.



Thomas Galassi, Director

Directorate of Enforcement Programs