Latest changes to HIPAA still have problems; complying with OSHA needlestick directive

June 1, 2002

Proposed changes to the medical privacy rule under the Health Insurance Portability and Accountability Act (HIPAA) have caused concern among organizations representing laboratories and other healthcare providers. Tommy Thompson, Secretary of the Department of Health and Human Services Department, said the modifications were needed to fix problems that otherwise could have made it more difficult for patients to get quality care quickly and easily. 

One proposed change is the elimination of a requirement that hospitals, doctors, and other providers obtain a patients written consent before using the patients personal health information for treatment, payment, or healthcare operations. 

In addition, the proposed privacy rule would require business associate agreements between laboratories and private accrediting organizations that define the responsibilities of both parties with respect to protected patient information.

After reviewing the proposed changes, the College of American Pathologists (CAP) called for further revisions. CAP maintains that the latest proposal retains a burdensome requirement that laboratories enter into costly business associate agreements with private accrediting organizations. 

CAP estimates that more than 6,000 CAP-accredited laboratories would be affected by this provision. Because the federal government recognizes CAP accreditation under a federal law requiring regular inspections of clinical laboratories, the pathology organization believes it fits the privacy rules definition of a health oversight agency. Therefore, CAP and its accredited laboratories should be exempt from the business associate requirement, the pathology organization argues.

Complying with OSHA needlestick directive

To help reduce the number of needlestick injuries in the workplace, laboratories and other health care facilities are required to be in compliance with the Needlestick Safety and Prevention Act. Under that law, the Occupational Health and Safety Administration (OSHA) expects employers in the healthcare field to use safer medical devices whenever feasible. While the workplace safety agency says there is not one medical device that is necessarily safer than another nor appropriate in all situations, employers must consider and implement devices that are appropriate, commercially available, and effective. 

As part of this effort, OSHA recently issued a revised directive for enforcing the bloodborne pathogens standard that was published in January as required under the Needlestick Act. 

While the exact number of needlestick injuries sustained annually in the U.S. is unknown, current estimates vary between 600,000 and 800,000 injuries. 

The revised directive updates an earlier one and implements changes made to the bloodborne pathogens standard. A major section of the revised standard is the development of an exposure control plan
(ECP) by laboratory operators and other providers. The ECP must document changes in technology that help eliminate or reduce exposure to bloodborne pathogens. 

It also must include documentation of an employers annual consideration and implementation of safer medical devices. In addition, employers must record the solicitation and input provided by frontline employees in their selection of safer devices.

Employers also are required to comply with a new recordkeeping rule requiring the establishment and maintenance of a log of percutaneous injuries from contaminated sharps. Effective Jan. 1, 2002, the rule requires all employers, whether or not they are covered by the bloodborne pathogens standard, to record all work-related needlesticks and cuts from sharp objects contaminated with another persons blood.

If an employee is later diagnosed with an infectious bloodborne disease, the identity of the disease must be entered in the record and the classification changed from an injury to an illness. The needlestick log, OSHA says, will help both employees and employers track all needlesticks to help identify problem areas of operations.

In addition, employers must devise ways to maintain the privacy of employees who have experienced needlestick injuries. To comply with this requirement, legal experts recommend establishing a system whereby entries in the log do not identify the employee by name but rather by some code.

The revised directive includes engineering control evaluation forms, a website resources list, and a model exposure control plan which incorporates the most current Centers for Disease Control guidelines regarding management of occupational exposure to the hepatitis B and C viruses and the HIV virus. For more details, go to

Joan Szabo is a Washington, DC, freelance writer specializing in healthcare issues. She has been writing the Washington Report column for MLO for five years.

©2002 Nelson Publishing, Inc. All rights reserved.

Photo 115879330 © Karenr |
Photo 124723736 © Steveheap |
Photo 129549884 © Katarzyna Bialasiewicz |
Photo 159136554 © Alberto Masnovo |