Protecting Confidentiality Following Communicable Disease Exposures

Fire/EMS department policies typically direct employees to complete incident reports when they sustain an injury on the job. Identifying and correcting problems is a primary reason for incident reports: risk managers, quality assurance officers, safety officers and representatives of insurance companies use them to track trends and to implement policy or systems revisions as needed to prevent a recurrence.

While that is a good practice generally, modifications are needed when the incident involved is an employee exposure to a communicable disease. What is often not considered is that, when an employee has sustained an exposure, that person has rights to privacy.

Current Practices

Most departments have a process for reviewing incident reports and workers’ compensation first reports of injury to assess employee compliance and how risk reduction measures might be established. Employees complete these reports and submit them to their supervisor, who then sends them to a supervisor at the manager/director level and/or Battalion Chief, and then on to the agency safety officer. The reports are then reviewed in safety committee meetings.

It is easy to see that these policies and procedures are problematic for communicable disease exposure incidents because the confidentiality of the employee involved must be protected. If the identity of the exposed employee and information about his or her exposure are being discussed in these meetings, it is a breach of the employee’s right to privacy.

Any report generated following the meeting containing this information is a further breach. While it is understandable that managers want to know about exposure incidents so they can make appropriate decisions regarding workplace safety, current practices must change. Even though there are legitimate reasons for the employer to have this information, this does not mean that it is allowable to share it widely in the workplace–especially when the employee has not explicitly authorized this.

Legal Considerations

The following legal standards support the position that communicable disease exposures should not be included in incident reports:

Occupational Safety and Health Administration

The OSHA Bloodborne Pathogens Standard [1] and the OSHA Medical Records Standard [2] provide that records containing information regarding an employee exposure to a communicable disease are confidential medical records that must be retained in a confidential medical record file for that employee and not released to any person without the written consent of the employee or as required by law (e.g. court order or OSHA inspection).

The Designated Infection Control Officer (DICO) collects and retains all medical records relating to the Communicable Disease Exposure Control Plan of the department, including exposures reported and vaccine/immunization records. The DICO maintains this part of the confidential medical record file for each employee.

The OSHA Bloodborne Pathogens Standard contains a requirement that an Exposure Report Form be completed when an exposure to blood or other potentially infectious material occurs.

The section addressing exposures, paragraph (f)(3)(i), provides that the employer is required to document, at a minimum, the route of exposure and the circumstances under which the exposure incident occurred.

In addition, there is to be information about the following: engineering controls in use at the time; work practices followed; a description of the device in use; protective equipment or clothing that was used at the time of the exposure incident; location; procedure being performed when the incident occurred; and the employee’s training. The Exposure Report Form must be placed in the exposed person’s confidential medical record.

Health Insurance Portability and Accountability Act

The Exposure Report Form is to contain information on the source of the exposure incident, including the patient’s disease status if known when the exposure was reported. If such personally identifying information and protected health information regarding a patient is disclosed outside the context of treatment, payment or healthcare operations, that is a breach of the HIPAA Privacy Rule. It is now required under HIPAA that the patient whose protected information was breached must be notified by the department directly. [3]

Centers for Disease Control and Prevention

CDC guidelines for managing communicable disease exposures require that when an exposure occurs, details of that exposure incident must be reported on an Exposure Report Form and the form must be placed in the exposed person’s confidential medical record. [4]

This document is to contain information on the source of the exposure event. This is to include whether the patient was infected with hepatitis B, hepatitis C virus, or human immunodeficiency virus (HIV).

Many departments are not aware that OSHA is enforcing these CDC guidelines, which it has made clear in its Compliance Directive for the Bloodborne Pathogens Standard. In addition, for those departments in states not covered by OSHA regulations, the CDC guidelines are a national standard of care that must be met.

Needlestick Safety and Prevention Act

This law was passed by the U.S. Congress in November 2000 and instructed OSHA to expand its requirement for employers to identify, evaluate and implement needle-safe devices. [5] The act mandates the reporting of information about the needlestick injury in a manner that protects the employee’s confidentiality.

Contaminated needlestick injuries must be documented in a confidential sharps injury log that is a confidential medical record. This law also applies to departments in states not covered by OSHA regulations.

Americans with Disabilities Act

The ADA and corresponding state laws also limit employer access to employee medical information. [6] The ADA states that employee medical information obtained by an employer must be maintained on separate forms and in separate medical files, and must be treated as a confidential medical record.

The confidentiality provisions of the ADA allow disclosure only to: (1) supervisors and managers who need to know the necessary restrictions on an employee’s duties and necessary accommodations; (2) first aid and safety personnel who need to be informed should emergency treatment of the employee become necessary; (3) government officials who need to assess compliance with the ADA; and (4) as required for workers’ compensation claims or for insurance purposes.

A Possible Solution?

In light of the confidentiality provisions of these laws, a reassessment of the current practice of including communicable disease exposures in incident reports is warranted. Instead of including communicable disease exposures in incident reports, a more appropriate approach is for such exposures to be reported directly and exclusively to the DICO of the department.

This is the process clearly stated in the emergency responder notification provisions of the Ryan White Act, Part G. The DICO is the person who receives notifications from employees when they believe they have sustained an exposure, and who directs source patient testing and any needed medical follow-up for the employee. Why should exposure information be included in incident reports that are not confidential, not submitted directly to the DICO and are not in keeping with the laws governing the exposure follow-up process?

The DICO is the person responsible for ensuring that an exposure event is properly handled, which begins with determining if a bona fide exposure has occurred. This is a critical step in the process because the right to know the disease status of the source patient in the exposure totally depends on whether an actual exposure occurred.

In addition, verifying the exposure ensures that inappropriate and costly medical follow-up in a medical facility is avoided. Once the DICO confirms the exposure, the DICO in conjunction with the exposed employee completes the Exposure Report Form. The DICO will ensure that all information contained in this form remains confidential–including information regarding the exposed employee and also the disease status of the source patient tested that the DICO has obtained pursuant to the state testing law.

Workers’ compensation related to the exposure can be addressed by the DICO providing the Exposure Report Form directly to the person charged with filing the forms for the department. This is not a confidentiality breach because such forms are legally required and the otherwise confidential information is needed for their completion. By having direct contact between the DICO and the workers’ compensation coordinator, the potential for a breach to those without a legal right to the information is minimized.

The needs of the safety committee and others assessing workplace health and safety issues can be met by monthly or quarterly data reports. The confidentiality of employees and source patients will be maintained because the data contained in the reports does not have personal identifiers.

This report can be distributed up the chain of command and shared with the safety committee without concern over confidentiality breaches.

Changing the practice of including communicable disease exposures in incident reports can be difficult to accept because it has been in place for so long. However, doing everything we can to protect confidentiality is important for all of us. What if you were the exposed employee?


1. OSHA. (n.d.) Occupational safety and health standards: toxic and hazardous substances, bloodborne pathogens. Retrieved July 8, 2016, from

2. OSHA. (n.d.) Occupational safety and health standards: toxic and hazardous substances, access to employee exposure and medical records. Retrieved July 8, 2016, from

3. U.S. Department of Health and Human Services. (n.d.) HIPAA breach notification rule. Retrieved July 8, 2016, from

4. CDC. (June 29, 2001) Updated U.S. public health service guidelines for the management of occupational exposures to HBV, HCV, and HIV and recommendations for postexposure prophylaxis. Retrieved July 8, 2016, from

5. OSHA. (Nov. 27, 2001) Enforcement procedures for the occupational exposure to bloodborne pathogens. Retrieved July 8, 2016, from

6. U.S. Department of Justice Civil Rights Division. (1990) Americans with Disabilities Act. Retrieved July 8, 2016, from
