Bloodborne Pathogens and HIPAA Training Checklist: Roles, Records, Best Practices

This Bloodborne Pathogens and HIPAA Training Checklist gives you a practical roadmap to meet the OSHA Bloodborne Pathogens Standard while protecting privacy obligations under HIPAA. It focuses on the roles you assign, the records you maintain, and the best practices that keep employees safe and information secure.

Use it to verify your Exposure Control Plan, Training Documentation, sharps injury log, universal precautions, PPE program, and confidential post-exposure medical processes are complete, current, and auditable.

Bloodborne Pathogens Training Requirements

Who must be trained

• All employees with reasonably anticipated occupational exposure to blood or other potentially infectious materials (OPIM), including clinical, laboratory, housekeeping, laundry, EMS, law enforcement, maintenance, and designated first-aid responders.
• Training must be provided at no cost, on paid time, and in a language and literacy level employees understand, with opportunities for interactive questions and answers.

Frequency and timing

• Initial training at or before assignment to tasks with occupational exposure.
• Annual refresher training within 12 months of the previous session.
• Additional training whenever new tasks, procedures, or technology create new exposure risks.

Required topics

• An explanation of the OSHA Bloodborne Pathogens Standard and where it is accessible.
• Your Exposure Control Plan (ECP): roles, procedures, engineering/work-practice controls, and how employees can obtain a copy.
• Modes of transmission; universal precautions; safe handling of sharps and regulated waste.
• PPE selection, use, limitations, donning/doffing, and disposal.
• Hepatitis B vaccination program, including timing (offer within 10 working days of assignment after training) and the Hepatitis B Vaccination Declination option.
• Emergency actions and post-exposure procedures, including access to a Confidential Medical Evaluation and follow-up.
• Labels, color-coding, signage, and housekeeping requirements.

Training Documentation

• Date of training and a concise content outline or syllabus.
• Names and qualifications of trainers.
• Names and job titles of all attendees.
• Retention: keep training records for at least three years and make them available to employees and regulators upon request.

Exposure Control Plan Development

Your Exposure Control Plan is the backbone of compliance. Keep it written, worksite-specific, accessible to employees, and reviewed at least annually and whenever tasks change.

Core elements to include

• Exposure determination: job classifications and tasks with occupational exposure.
• Methods of compliance: universal precautions; engineering controls; work-practice controls; PPE.
• Housekeeping and regulated waste handling, labeling, and laundry.
• Hepatitis B vaccination program and procedures for Hepatitis B Vaccination Declination.
• Post-exposure evaluation and follow-up process ensuring a Confidential Medical Evaluation.
• Communication of hazards: signs, labels, and employee information/training.
• Recordkeeping: Training Documentation, medical records, and sharps injury log.

Annual review and safer devices

• Assess new engineering controls and safety-engineered devices each year.
• Solicit input from non-managerial employees and evaluate data from percutaneous injuries to guide purchasing and practice changes.

Accessibility and distribution

• Maintain the current ECP in a location or system employees can access without barriers.
• Communicate updates promptly and integrate them into training and supervision.

Recordkeeping for Training and Medical Records

Keep training and medical records distinct. Training records demonstrate compliance; medical records support employee health and must remain confidential.

Training records

• Maintain the elements listed under Training Documentation for at least three years.
• Store in a retrievable format and provide access to employees, their representatives, and regulators when required.

Medical records

• Maintain confidential medical records for each employee with occupational exposure for the duration of employment plus 30 years.
• Include Hepatitis B vaccination status (dates, series completion, or Hepatitis B Vaccination Declination), results of examinations and testing, post-exposure evaluation and follow-up documentation, and the healthcare professional’s written opinion.
• Store separately from personnel files; release only with written authorization or as required by law.

Privacy and HIPAA alignment

• For covered entities and business associates, treat all post-exposure and vaccination information as PHI and apply the HIPAA minimum necessary standard.
• Even if HIPAA does not apply, safeguard confidentiality with access controls, audit trails, and secure storage.

Sharps Injury Log Management

Maintain a sharps injury log to track percutaneous injuries from contaminated sharps. Use it to drive prevention and safer device adoption while protecting individual privacy.

Required data elements

• Type and brand of the device involved.
• Department or work area where the incident occurred.
• Brief description of how the incident happened (e.g., during disposal, during a procedure).

Confidentiality and retention

• Do not include names or other identifiers; maintain confidentiality at all times.
• Retain the sharps injury log for at least five years following the end of the calendar year and review trends routinely.

Prevention feedback loop

• Analyze incident patterns to update engineering and work-practice controls.
• Use findings to inform purchasing of safety-engineered devices and targeted training.

Implementation of Universal Precautions

Universal precautions require treating all human blood and OPIM as infectious, regardless of perceived risk. Embed this assumption into daily practice.

Engineering and work-practice controls

• Use safety-engineered sharps and puncture-resistant, closable, leakproof sharps containers; replace before overfilling.
• Prohibit bending, shearing, or recapping needles. If recapping is unavoidable, use a one-handed technique or mechanical device.
• Perform hand hygiene immediately after glove removal and after any contact with blood or OPIM.
• Prohibit eating, drinking, applying cosmetics or lip balm, and handling contact lenses in exposure-prone areas.

Housekeeping and regulated waste

• Decontaminate surfaces and equipment with appropriate disinfectants on a scheduled basis and after spills.
• Contain, label/color-code, and dispose of regulated waste in accordance with policy and law.
• Bag contaminated laundry at the point of use; handle minimally; do not take contaminated items home for cleaning.

Labeling and specimen handling

• Use biohazard labels or color-coding for containers, refrigerators/freezers, and contaminated equipment.
• Package and transport specimens to prevent leakage and exposure.

Personal Protective Equipment Usage

Selection and availability

• Provide PPE based on task-specific risk assessment: gloves, gowns/lab coats, face shields, masks, and eye protection; respirators when indicated.
• Ensure a range of sizes and barrier types are readily accessible at points of use, at no cost to employees.

Use, removal, and disposal

• Train employees to don/doff PPE correctly, avoid self-contamination, and remove PPE before leaving the work area.
• Replace damaged or contaminated PPE immediately; never reuse single-use items.
• Dispose of contaminated PPE properly or route for controlled laundering as applicable.

Maintenance and laundering

• Provide cleaning, laundering, repair, and replacement of PPE at no charge to employees.
• Store PPE clean and dry in designated locations; prohibit home laundering of contaminated garments.

Post-Exposure Evaluation and Follow-Up

Immediate first aid and reporting

• For needlesticks and cuts, wash the area with soap and water; for mucous membrane exposures, flush with water for at least 15 minutes.
• Report immediately to the designated supervisor or occupational health contact and document the incident.

Confidential Medical Evaluation

• Provide a prompt, no-cost, confidential evaluation by a licensed healthcare professional.
• Document the route and circumstances of exposure; identify and test the source individual as permitted by law.
• Obtain baseline blood testing for the exposed employee (with consent); offer post-exposure prophylaxis per current public health guidance.
• Provide counseling and evaluation of reported illnesses; offer Hepatitis B vaccination if not previously completed or if the employee rescinds a prior declination.

Follow-up and documentation

• Ensure timely written opinion to the employer stating whether Hepatitis B vaccination is indicated and whether it was received; all other findings remain confidential.
• Schedule follow-up testing and visits at recommended intervals and update medical records accordingly.

HIPAA and privacy safeguards

• Limit disclosures to the minimum necessary; separate identifiable medical information from incident reports.
• Secure records, restrict access to designated personnel, and audit access to protect confidentiality.

Conclusion

Build a living Exposure Control Plan, deliver high-quality training, document rigorously, and respond to incidents with a Confidential Medical Evaluation. By aligning OSHA Bloodborne Pathogens Standard requirements with HIPAA privacy safeguards, you reduce risk, protect employees, and maintain trustworthy records that stand up to scrutiny.

FAQs.

What are the annual training requirements for bloodborne pathogens?

Provide initial training at or before exposure-prone duties begin, then annual refresher training within 12 months of the previous session. Training must be interactive, cover your Exposure Control Plan, universal precautions, engineering/work-practice controls, PPE, Hepatitis B vaccination, and post-exposure procedures, and be offered at no cost on paid time.

How must training and medical records be maintained?

Keep Training Documentation—dates, content summary, trainer qualifications, and attendee names/titles—for at least three years. Maintain confidential medical records (vaccination status, declinations, test results, evaluations, and written opinions) for the duration of employment plus 30 years, stored separately and released only with authorization or as required by law.

What information is required in a sharps injury log?

Record percutaneous injuries from contaminated sharps with three elements: the type and brand of device, the department/work area, and a brief description of how the incident occurred. Exclude names and identifiers, protect confidentiality, and retain the log for at least five years to support trend analysis and prevention.

How should employers comply with HIPAA in exposure incidents?

Provide a prompt, Confidential Medical Evaluation, treat test results and medical details as PHI, and disclose only the minimum necessary information. Keep identifiable medical records separate from incident reports, restrict access to designated personnel, and use secure systems to store and audit records and communications.