Wednesday, August 24, 2016

Discussion Point: Patients Making Recordings In Healthcare Settings

Policies Restricting Patient Recordings In Medical Settings

 HCSI

What are your opinions on a medical office or practice creating a policy to prevent/limit patients from making audio/video recordings in exam rooms or other common areas where HIPAA or patient privacy could be violated by improper use of these recordings?


Does the office or practice have free reign to create such a policy?  What if any limitations might apply?

What about the patient?  Do they have any "rights" providing them the freedom to be able to record a procedure or practitioner giving treatment instructions for example? 

What about recordings in a maternity ward/nursery or during child birth?  What about the potential for cell phones to disrupt sensitive medical equipment?  What about patient's using apps like Pokemon Go and inadvertently or covertly overhearing and recording sensitive patient information?
What HIPAA regulations or legal ramifications might be evoked by such a situation?  How does an office notify patients of and enforce such a policy?  Should the office require patients to sign an acknowledgement of said policy or is a posted sign or notice adequate?

I would love to hear all your thoughts on this topic and any addition related issues that might come up that I have not already listed in the situations above. 

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Friday, August 19, 2016

Compliance Essentials: Training

Training is one of the essential cornerstones of any effective compliance program.

Training is an investment for any organization. That investment pays great dividends in the form of liability protection when it comes to compliance. However, with that being said, some organizations are still hesitant to train their employees or outright refuse to make this very important investment.

When it comes to Federal and State compliance, the decision to train employees has been taken out of the hands of the organizations. For example, with HIPAA compliance, the Office for Civil Rights (OCR), states:


"§164.530(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."

In the event of a HIPAA audit, the auditor will ask him or herself a discovery question:


"Does the covered entity train its work force and have a policies and procedures to ensure all members of the workforce receive necessary and appropriate training in a timely manner as provided for by the established performance criterion?"

In addition, the auditor will take the following action:

"Obtain and review such policies and procedures. Areas to review include training each new member of the workforce within a reasonable period of time and each member whose functions are affected by a material change in policies or procedures. From the population of new hires within the audit period, obtain and review a sample of documentation of necessary and appropriate training on the HIPAA Privacy Rule that has been provided and completed."

And finally, the auditor will:

"Obtain and review documentation that workforce members have been trained on material changes to policies and procedures required by the HITECH Act."

What is the above patter of the auditor?

  1. As a mater of policy, require that all employees are being fully trained
  2. Ensure that each organization has established policies and procedures
  3. Verify that training is being done by obtaining documentation on training and policies/procedures
This similar pattern is followed by other government organizations. Documented compliance training is required in the areas of OSHA, Medicare, and other various areas where compliance is required.

When organizations give their employees the resources and information they need to be compliant with these various regulations, they begin to establish a culture of compliance within the organization. 

Compliance training is not a request or addressable, it is REQUIRED!!!!!

Employee training is an investment worth making. However, compliance training is not just a good investment, it is liability protection that any organization cannot be without.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Thursday, August 18, 2016

Friday, August 5, 2016

Compliance Essentials: Documentation

Documentation is one of the essential cornerstones of any effective compliance program.

Henry was understandably nervous on the day his office was being audited by the Office for Civil Rights (OCR). While still feeling some butterflies, he was confident that his compliance efforts will pass the HIPAA audit. Henry was then asked a series of questions:

Auditor - Does your office have establish policies and procedures?
Henry - Yes we do!
Auditor - Show them to me.
Henry - Here is a copy of our employee handbook.
Auditor - This does not contain the necessary written information.
Henry - I thought it was enough . . .

Auditor - Does your office train your employees continuously?
Henry - Yes we do!
Auditor - Show me the training documentation.
Henry - Our employees are trained on compliance every year at our annual "compliance and pizza" meeting.
Auditor - That is not what I asked for.
Henry - I thought it was enough . . .

Auditor - Show me your breach disclosure log.
Henry - Our breach disclosure log . . .
Auditor - Do you not have one?
Henry - I'm not even sure what that log is.

At this point in the audit, Henry's confidence has vanished and he is now thinking about the possibility of having to look for another job.

OCR has stated that it views compliance as an "ongoing journey". When you are on a journey, your attention is focused on what lies ahead. However, if you stop for a moment and look behind you, you will see past evidence of your journey in the form of footprints. If you turn around, you will be able to retrace your journey by following those footprints. If it was not for your footprints, you would not be able to retrace your journey back to where you started.

This same idea of retracing your footprints and being able to follow the history of your journey, applies to your "ongoing journey of compliance". However, rather then leaving footprints behind you, you leave a paper trail called, documentation. By keeping your documentation up-to-date, you have a history of your compliance activity and evidence of where you currently stand (policies and procedures).

There are numerous benefits to good documentation:
  1. Paper Trail - This will be useful in demonstrating your compliance activity for an audit or possible protection against liability.
  2. Compliance Story - It is not only about what you did and the final outcome, but rather what factors were a part of your decision making process and what lead you to make the final decision.
  3. Hand-Me-Down - When an office changes Administrators or Compliance Officers, the newly appointed employee will be able to review previous documentation and have a better understanding of the organizations compliance history.
  4. Employee "Misunderstandings" - Documentation of policies and procedures go a long way to eliminating the employee "misunderstandings" that tend to crop-up. If an employee says that they did not know the policy, you can refer to the written policy and their acknowledgement of it that they signed during their training.
During an audit by OCR, they are wanting to look at your "ongoing journey of compliance". If your documentation is done well and is up-to-date, then you won't have to shy away from their questions. Simply take their hand and guide them through the history of your "ongoing journey of compliance" by following your own footprints.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner


Tuesday, August 2, 2016

OSHA's New Reporting Rule Impacts the Health Care Industry

New OSHA Injury Reporting Rules
 HCSI
The U.S. Occupational Safety and Health Administration (OSHA) recently issued a final rule that becomes effective January 1, 2017 requiring healthcare industry employers to electronically submit to OSHA injury and illness data from their OSHA logs. This information will then become publicly available on the OSHA website.

As a corollary, and “to ensure the completeness and accuracy of injury and illness data,” the final rule also:
  • Creates an explicit requirement that employees must be informed of their right to report work-related injuries and illnesses free from retaliation;
  • Specifically requires that an employer's procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting; and
  • Explicitly prohibits retaliation against employees for reporting work-related injuries or illnesses.
The requirement to report data applies to: (1) work locations with 250 or more employees, and (2) work locations with 20 to 249 employees in specific “high-risk industries” identified in the rule. The rule includes several types of healthcare industries in its definition of high-risk industries. Specific healthcare industries that must comply with this rule if they have 20 or more employees at a particular work location are:
  • Ambulatory healthcare services;
  • General medical and surgical hospitals;
  • Psychiatric and substance abuse hospitals;
  • Specialty (except psychiatric and substance abuse) hospitals;
  • Nursing care facilities;
  • Residential mental retardation, mental health, and substance abuse facilities;
  • Community care facilities for the elderly; and
  • Other residential care facilities.
Businesses with 250 or more employees at a work location in industries covered by the new recordkeeping regulation must submit information from their 2016 Form 300A by July 1, 2017. These employers will also be required to submit information from all 2017 forms (300A, 300, and 301) by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year. Businesses with 20-249 employees in high-risk industries, including those healthcare industries mentioned above, must submit information from their 2016 Form 300A by July 1, 2017, and their 2017 Form 300A by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year.

OSHA will make the injury and illness data public. After removing any Personally Identifiable Information that could be used to identify individual employees, OSHA will post the data on its website, and anyone will be able to download it. Employers in the above-referenced high-risk industries (and those with 250 or more employees) should begin planning now to ensure compliance with the January 1, 2017 reporting deadlines.

The new rule also emphasizes that employees who report workplace related injuries and illnesses may not be discriminated against or retaliated against because they have reported such injuries or illnesses. It provides OSHA with the authority to cite an employer for retaliation even in the absence of any employee complaint. The commentary to the rule says:
  • Employers must have a reasonable procedure for employees to report work-related injuries and illnesses.
  • Employers’ reporting procedures cannot deter or discourage reasonable employees from accurately reporting a workplace injury or illness.
  • Blanket or automatic post-accident testing policies are prohibited and will be viewed as taking an adverse action against, retaliating against, or discouraging employees from reporting accidents.
  • Employers need not specifically suspect drug use before testing, but there should be a reasonable possibility that drug use by a reporting employee was a contributing factor to the reported injury or illness in order for an employer to require testing, and, even then, the testing should be limited to only the employee who caused the accident rather than everyone involved.
Although the new rule does not prohibit all post-accident/post-injury drug testing policies, OSHA’s position is that the circumstances of some accidents make it unlikely that drug use was a contributing factor, and therefore testing employees in these situations would be viewed as retaliation. OSHA provides these examples of circumstances where required drug testing would be suspect:
  • After an employee reports a bee sting;
  • When an employee has a repetitive strain injury;
  • After an injury caused by a lack of machine guarding; or
  • When a machine or tool malfunctions.
The rule acknowledges many employers implement post-accident/post-injury drug testing policies because they are located in states that offer workers’ compensation premium reductions for enacting Drug Free Workplace Policies. Compliance with these workers’ compensation programs or other state or federal laws or regulations requiring post-accident/post-injury or reasonable suspicion testing are still permitted.

Employers must also specifically inform employees: (i) they have the right to report work-related injuries and illnesses; and (ii) the employer is prohibited from retaliating against employees for reporting work-related injuries or illnesses. Employers also must establish a reporting procedure that does not deter or discourage an employee from reporting work-related injuries and illnesses. These posting and reporting requirements are effective as of November 1, 2016.

In light of OSHA’s new rule, employers in the health care industry should review drug testing policies as well as accident/injury reporting policies to ensure they do not violate OSHA's new rules.

Also See: Provisions call for employers to electronically submit injury and illness data that they already record.


To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Thursday, July 28, 2016

Preparing for Phase 2 of HIPAA Audits

Phase 2 HIPAA audits are here. It’s no longer a matter of when.
The question is: Are you ready?
 HCSI
On March 21, 2016, the HHS Office for Civil Rights (OCR) launched the second phase of audits for compliance with HIPAA privacy, security and breach notification rules. And in his July 18, article, Second phase of HIPAA audits shifts into high gear, HDM’s Managing Editor Greg Slabodkin informed us that according to OCR, letters were delivered via email to “167 health plans, healthcare providers and clearinghouses” on July 11. Unlike the pilot audits that focused only on covered entities, Phase 2 targets both covered entities and their business associates.
While most of the Phase 2 audits will be desk audits, some onsite audits will be conducted. Phase 2 audits will focus on areas with high occurrences of noncompliance in Phase 1, particularly issues raised during data breach investigations. These include risk analysis and management, notice of privacy practices, timeliness of breach notification, reasonable safeguards, facility access control, and workforce training on policies and procedures.

To prepare for Phase 2 audits, covered entities and business associates should review their HIPAA privacy, security and breach notification policies and confirm that the following requirements are in place and current:

Comprehensive documented risk assessment. Promptly address any deficiencies and complete all action items. Build on the assessment outcomes to create a strong risk assessment management program. Conduct a follow-up security risk analysis periodically to identify, address and document deficiencies that may occur.

Written HIPAA policies and procedures. These should reflect privacy and security standards along with any risks or vulnerabilities identified during the assessment process.

Incident response plan for responding to breach of protected health information (PHI). Implement breach notification policies and procedures that are aligned with requirements under the HIPAA breach notification standards. Conduct practice rounds to prepare staff for a real event should it occur. 

Current Notice of Privacy Practices. Provide printed copies of the most recent notice to patients and also make the notice available on the organization’s website. 

Safeguards to protect all forms of PHI. This applies to paper, electronic and verbal PHI, including mobile devices and storage media. For employees who have personal devices, implement a BYOD policy aligned with HIPAA standards. Keep an up-to-date inventory of all systems and mobile devices.

Workforce training program. Conduct and document training for new employees. Conduct and document ongoing training for all workforce members.


Business associate agreements. Organizations must maintain a current inventory of all business associates. Agreements should be updated and implemented in compliance with current HIPAA requirements.

PHI transmission policy. Verify that all PHI is encrypted, or document a risk analysis to support the decision not to use encryption technology. 

Even if your organization is not selected for a Phase 2 audit, implementing judicious measures now will support future audits and improve HIPAA compliance. 

It doesn’t just end with an audit occurring within the four walls of a healthcare organization. With more healthcare professionals working from home, there is growing concern about the possibility of “at-home” audits - if not now, these may happen in the near future. We’re operating in a virtual world - building a remote workforce, and many HIM departments are sending people home - coders, transcriptionists, even management staff. 

Suppose OCR conducts an onsite audit at your facility and finds that some employees work from home. You must be prepared for the inevitable questions. How are you protecting information offsite? What measures are you taking to make sure PHI is secure? What policies and procedures are in place to address specific issues of at-home worksites? If you’re preparing for OCR audits - or any audits - these are increasingly important points to consider.

Business associates should also be taking a proactive approach in case auditors want to know how workers at home are being audited. Options might include Skype, Facetime or Hangouts. Here are some basic questions to ask employees when evaluating at-home privacy and security risks: 
  • Where are you located in your personal residence? 
  • Is your workspace private? 
  • Are passcodes properly concealed, not posted in the workspace? 
  • Do you use a virtual privacy network (VPN)? 
  • Do you have the capability to print information? 
  • Do you have appropriate shredding capability? 
  • Is your computer set to shut down (encryption mode) in your absence? 
These questions are just the beginning of the conversation. It is critical to communicate clear expectations to employees who work at home - along with consequences if they fail to maintain privacy and security according to your policies and procedures.

A company’s work-from-home policy defines the telecommuting work arrangement, including comprehensive privacy and security practices. The telecommuting employee must sign an agreement to ensure the protection of proprietary information and PHI, and to maintain the same level of confidentiality that exists on the company premises. If issues arise, there are several options depending on the severity of noncompliance - corrective action, education and training, increased audits, return to in-house, or termination of employment.

Although current OCR requirements do not specifically require at-home audits, the regulations clearly state that all reasonable precautions must be taken to ensure that all information is secure and privacy is maintained.

The best way to mitigate regulation issues is to have a solid HIPAA program in place and be well prepared to demonstrate best practices that proactively identify and address risks to PHI.

HIM must work closely with IT and other departments - risk management, C-suite, compliance, training and HR - to properly prepare for audits. HIM directors and their staff understand the content and use of PHI, where it is most likely to be at risk, and how to protect it. As experts in HIPAA and information governance practices, HIM professionals and Compliance Support Partners can lead organizations through a successful audit.

Also See: OCR's Top 7 Areas of Focus During Phase Two Audits



To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Tuesday, July 26, 2016

OCR's Top 7 Areas of Focus During Phase Two Audits

Areas of improvement to focus on within your office.

During phase 2 of the Office for Civil Rights (OCR) HIPAA audits, they have decided to focus their attention on seven areas of compliance. These specific areas were chosen due to their history of non-compliance during multiple audits in the past. This is not to say that OCR will not investigate other areas, but their main focus will be on these specific requirements:

  • Under the HIPAA Privacy Rule
    • Notice of Privacy Practice and consent requirements
    • Provision of notice - electronic notice (NPP acknowledgement in electronic format)
    • Right to access (Patients right to access their PHI)
  • Under the HIPAA Security Rule
    • Security management process - risk analysis (Documented and completed internal risk analysis)
    • Security management process - risk management (Documented policies and procedures that prevent, detect, contain, and correct security violations)
  • Under the Breach Notification Rule
    • Timeliness of notification (Notification of breach given to individual and OCR within required specifications)
    • Content of notification (Notification of breach contains all of the required information as specified by OCR)
These are important areas of compliance that have been neglected or out right ignored by healthcare organizations. If you have not done so, get these areas of compliance in order within your organization.

For information on how to prepare for OCR's Phase 2 HIPAA audits go to:
http://hcsiinc.blogspot.com/2016/07/preparing-for-phase-2-of-hipaa-audits.html




To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Wednesday, July 20, 2016

Patient Authorization For Disclosure Of PHI

Required Elements Of A Patient Authorization
 HCSI

HIPAA requires that certain elements be present on the authorization that the patient is to sign.  Whenever you receive an authorization (or “release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid. 


•    A description of the PHI to be used or disclosed that identifies it in a specific and meaningful fashion.  They may request the entire medical record, all records between specific dates, or other specific items. 


•    The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure.  For example, the signed request should list either your organization or someone in your organization by name.

•    The person(s), or class of persons, to whom you may make the requested disclosure.  The specific entity(ies) to receive the information should be identified.  A cover sheet stating who should receive the information is NOT sufficient.

•    A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be present.

•    An expiration date or an expiration event that is related to the individual or the purpose of the use and disclosure.  The statement “end of research study”, “none”, or similar language is sufficient if the authorization is for a use or disclosure of PHI for research.  Again, the statement must be present.

•   Signature of the patient and date.  If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

•    The individual’ s right to revoke the authorization in writing, any exceptions to that right, and a description of how the individual may revoke the authorization.

•    The ability or inability to condition treatment on the authorization by stating either:  (A) The covered entity may not condition treatment on whether the individual signs the authorization or (B) The consequences to the individual for refusal to sign the authorization.  (Remember that there are very limited circumstances in which action can be a condition on a patient signing an authorization.)

•    A statement that informs of the potential for information to be re-disclosed by the person or organization to which it is sent.  The privacy of this information may not be protected under the Federal Privacy Rule depending on whom the information is disclosed to.

•    If the requested use or disclosure is for marketing purposes.  If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration.


--For more healthcare compliance information and discussion please join the LinkedIn group forum: The Healthcare Compliance Solutions Administrative Alert

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Thursday, July 14, 2016

5 Pioneering Changes to Healthcare Compliance Support

Excessive weight of compliance regulations has necessitated the need for more guided compliance support

Dr. Paul was just wrapping-up the recent OSHA audit. He was very frustrated as he was found to be in violation of more than a dozen OSHA regulations. Following the completion of his OSHA audit, he called the company he had entrusted with his compliance, Healthcare Compliance Solutions, Inc. (HCSI). After some discussion between Dr. Paul and the representative at HCSI, it was discovered that after Dr. Paul had purchased the HCSI Compliance Program, he did not fully incorporate the program into his seven locations that he was trying to support with the single compliance officer. Dr. Paul and HCSI worked together to ensure that the next audit, OSHA or HIPAA, would have a much different and positive result.

The case study described above really happened. It was this very situation that made it clear to everybody at HCSI that something different needed to be done in compliance support. Major changes were needed to the compliance industry and HCSI has taken it upon themselves to be the pioneer in the reformation process of healthcare compliance support.

Below is the list of the areas identified where changes are necessary:

  • Training - It was previously thought that all an office needed was to train their employees once a year (if that) on compliance regulations while having a pizza party. Once the information was distributed, the employees would go about their days, having learned very little about the organization's procedures or the compliance regulations, and putting the organization at risk of a breach.
  • Policies and Procedures - This is an issue that has proved to be very costly. The federal regulations require effective and written policies and procedures . For too many years this requirement has been taken lightly. Ineffective or incomplete manuals have become a plague on the healthcare industry. Many organizations simply say, "I have bought a manual, so I am compliant".
  • Updating - The federal government requires every compliance program to be continuously updated. This necessitates the need to constant monitoring, adjusting, and retraining of compliance issues. This is either being done halfheartedly, in disarray, or in most cases, not at all.
  • Support - Most organizations only call their compliance support company when they hit the panic button. As we learned in the case study at the beginning of this article, that is simply reactive when the goal with compliance is to be proactive.
The four points listed above are examples of how compliance is currently being supported in the healthcare industry. They are out-of-date and are simply ineffective in giving the healthcare industry the support it needs in order to comply with the federal regulations.

As previously stated, HCSI has taken it upon themselves to be the pioneer in the reformation process of healthcare compliance support. HCSI has recognized that in order to truly protect yourself from compliance liability and effectively adhere to the regulations, it is vital that a cultural change occur within the organization. By establishing a culture of compliance, any healthcare organization will be able to feel assured about their compliance adherence. In order to help healthcare organizations create a culture of compliance, here are the changes HCSI has made to compliance support in the healthcare industry:
  • Training - Created effective online training where each employee is held accountable for their own training. Each administrator has control over adding, deleting, and monitoring their employees. At the end of each training module, a certificate of completion is printed as proof of employee compliance education.
  • Policies and Procedures - Written policies and procedures that are effective in supporting the office are required. HCSI's Audit Manual contains required policies and procedures that the federal government agencies are looking for. In addition, HCSI has created an extensive Compliance Reference Guide that gives further support and understanding for Compliance Officers.
  • Updating - The federal government calls compliance a "continuous journey" and it is this "journey" that they are looking for during an audit. For this reason, weekly, monthly, and quarterly updates are mailed out to each HCSI client. These quarterly updates are reviewed and initialed by each employee as an ongoing training initiative. These updates keep your employees and compliance staff up-to-date with current compliance information and are an important part of the "continuous journey" of compliance.
  • Support - The excessive weight of compliance regulations are taking a toll on the healthcare industry. HCSI has recognized this issue and has addressed it. In order to help ease the weight of compliance, Utilizing Client Relationship Specialists (CRS), HCSI supports its clients in ways that are unique in the healthcare industry. Every new HCSI client receives a phone call on a quarterly basis. HCSI understands that this first year is critical in creating a culture of compliance within the organization. These quarterly calls are intended to support the administrators and ease their burden. After the first year, HCSI will reach-out to each of their clients multiple times throughout the year. Had this new process been in place previously, it would have helped prevent the OSHA violations Dr. Paul experienced in the case study. In addition to the proactive approach to support, HCSI talks with thousands of healthcare professionals who reach out to HCSI's CRS' for answers to their compliance questions. Nobody likes feeling as though they are in the dark. With effective compliance support, no healthcare professional has to feel that way.
  • Additional Resources - In addition to training, policies, updating, and support, HCSI recognized one missing element of support that has been previously missing within the healthcare industry. Customizable forms, resource updates, informational blog, Facebook community, and a Linkedin group, are all additional ways the healthcare industry is able to receive, well over due, comprehensive compliance support.
As Dr. Paul learned in the case study, healthcare organizations are no longer able to simply buy a manual or do the bare minimum. Healthcare compliance support, as it stands now, is no longer a viable option as it is grossly ineffective in protecting the healthcare organization from liability, from protecting patient's information, and protecting the healthcare employees themselves.

HCSI is pioneering a new compliance support program that is revolutionizing how healthcare organizations are meeting the federal compliance regulations. To begin incorporating a culture of compliance within your healthcare organization, look to HCSI's Compliance Program.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Wednesday, July 13, 2016

Five Areas that Require Bio-hazard Labeling

 HCSI

The Bloodborne Pathogens Standard outlines the regulations for bio-hazard labeling and color-coding. Three signals can alert you to the presence of a bio-hazard or bio-hazardous waste: the word “bio-hazard”, the bio-hazard symbol, or the fluorescent orange or orange-red color-coding.

These five areas are ones to watch for bio-hazard labeling in your facility:

1. Regulated medical waste containers and other containers (according to OSHA) that warning labels must be affixed to:
  • Containers of regulated waste,
  • Refrigerators and freezers containing blood or other potentially infectious material; and
  • Other containers used to store, transport or ship blood or other potentially infectious materials.
EXCEPTIONS include:
  • Containers of blood, blood components, or blood products that are labeled and have been released for transfusion,
  • Individual containers of blood or other potentially infectious materials that are placed in a labeled container during storage, transport, shipment or disposal, or
  • Regulated waste that has been decontaminated.

2. Sharps Containers

Sharps containers must also be labeled or color-coded in accordance with the requirements of the Bloodborne Pathogens Standard.

3. Contaminated Laundry

The Bloodborne Pathogens Standard also requires contaminated laundry to be placed and transported in labeled or color-coded bags. When a facility utilizes Universal Precautions in the handling of all soiled laundry, alternative labeling or color-coding is sufficient if it permits all employees to recognize the containers as requiring compliance with Universal Precautions.
When a facility ships contaminated laundry off-site to a second facility which does not utilize Universal Precautions in the handling of all laundry, the facility generating the contaminated laundry must place such laundry in labeled or color-coded bags or containers.

4. Specimens

Specimens of blood or other potentially infectious materials must be placed in a container which prevents leakage during collection, handling, processing, storage, transport, or shipping. The container for storage, transport, or shipping must be labeled or color-coded and closed prior to being stored, transported, or shipped.

5. Equipment

Equipment that may become contaminated with blood or other potentially infectious materials shall be examined prior to servicing or shipping and shall be decontaminated as necessary, unless the employer can demonstrate that decontamination of such equipment or portions of such equipment is not feasible, according to OSHA. A readily observable bio-hazard label shall be attached to the equipment stating which portions remain contaminated.
Ensure that you have bio-hazard labeling or color-coding, as necessary, in these five areas and in other areas of your facility that fall under the guidelines of OSHA’s Bloodborne Pathogens Standard 1910.1030.  In practice, most facilities typically use BOTH bio-hazard labeling AND color-coding in most cases.

For more information please join the LinkedIn group: The Healthcare Compliance Solutions Administrative Alert

To subscribe to this blog, enter your email address:


Delivered by FeedBurner