


1. We want to start doing blood draws for our patients. How do we get CLIA-certified?

If all specimens will still be referred to another lab for testing, a CLIA certificate is not required. However, if you will actually generate test results, visit the CLIA website for an application with instructions.

2. How often must I run controls for waived tests?

As often as the manufacturer recommends – read your package insert! If an analyzer is involved, read the manufacturer user guide for it as well as the package insert for strips or reagent packs.

3. We have a new partner in our practice. The others want her to assume the role of laboratory director. Can she do this?

It depends. If your lab has a Certificate of Waiver or Provider Performed Microscopy, yes, she can. Remember that only providers can report microscopies. However, if your lab does non-waived testing (formerly moderate and high complexity), the director must have appropriate training and experience in running a laboratory, or must acquire at least 20 CME’s in laboratory director responsibilities. There are several avenues for obtaining the required CME’s.

4. What’s the best way to calibrate our pipettes?

Read the package inserts for your pipettes!

At least one pipette manufacturer stipulates in the package insert that their pipettes must be calibrated every three months. Most pipettes require calibration every 12 months.

Additionally, this manufacturer states that the calibration must be done at 50% humidity. This means that most laboratories would have to outsource this responsibility. Seldom can a laboratory attain that level of humidity.

If you have a pipette that requires calibration every three months and you cannot do this in-house, you have two options:

  1. Find a company that can do that for you. The manufacturer may offer that service or may be able to make a recommendation.
  2. Replace the pipette with a different one that only requires annual calibration and does not require 50% humidity. You may be able to do the calibration in-house.


1. May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

2. Can a physician’s office FAX patient medical information to another physician’s office?

The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician’s office, and placing the fax machine in a secure location to prevent unauthorized access to the information. See 45 CFR 164.530(c).

3. Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations?

Yes, appointment reminders are considered part of treatment of an individual and therefore, can be made without an authorization.

4. May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

5. Does a physician need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient?

No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

6. Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?

Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506.

7. Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?

Yes. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity. See 45 CFR 164.506 and the definitions of “treatment,” “payment,” and “health care operations” at 45 CFR 164.501.

8. Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?

Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. The Privacy Rule, however, does not prescribe any specific format for the posted notice, just that it include the same information that is distributed directly to the individual. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.

9. Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?

The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If the provider maintains an office or other physical site where she provides health care directly to individuals, the provider must also post the notice in the facility in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy. See 45 CFR 164.520(c) for other notice provision requirements.

10. Is our medical practice required to notify patients through the mail of any changes to our notice?

No. The HIPAA Privacy Rule does not require a covered health care provider to mail out its revised notice or otherwise notify patients by mail of changes to the notice. Rather, when a covered health care provider with a direct treatment relationship with individuals makes a change to his notice, he must make the notice available upon request to patients or other persons on or after the effective date of the revision, and, if he maintains a physical service delivery site, post the revised notice in a clear and prominent location in his facility. See 45 CFR 164.520(c)(2)(iv). In addition, the provider must ensure that the current notice, in effect at that time, is provided to patients at first service delivery, and made available on his customer service web site, if he has one. See 45 CFR 164.520(c).

11. Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

  • A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
  • A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

12. May adults with mental retardation control their protected health information if they are able to authorize uses and disclosures of their protected health information?

Individuals may control their protected health information under the HIPAA Privacy Rule to the extent State or other law permits them to act on their own behalf. Further, even if an individual is deemed incompetent under State or other law to act on his or her own behalf, covered entities may decline a request by a personal representative for protected health information if the individual objects to the disclosure (or for any other reason), and the disclosure is merely permitted, but not required, under the Rule.

However, covered entities must make disclosures that are required under the Rule (i.e., disclosures to the Secretary under subpart C of part 160 regarding enforcement of the Rule, and to the individual under 45 CFR 164.524 and 164.528 with respect to the individual’s right of access to his or her protected health information and an accounting of disclosures, respectively). Consequently, with respect to the individual’s right of access to protected health information and for an accounting of disclosures, covered entities must provide the individual’s personal representative access to the individual’s protected health information or an accounting of disclosures upon the request of the personal representative, unless the covered entity, in the exercise of professional judgment, believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. The Rule allows a specified time period before a covered entity must act on such a request; and during this interim period, an individual and his personal representative will have an opportunity to resolve any dispute they may have concerning the request.

13. What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

14. Does the HIPAA Privacy Rule permit hospitals and other health care facilities to inform visitors or callers about a patient’s location in the facility and general condition?

Yes. Covered hospitals and other covered health care providers can use a facility directory to inform visitors or callers about a patient’s location in the facility and general condition. The Privacy Rule permits a covered hospital or other covered health care provider to maintain in a directory certain information about patients – patient name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing. The facility may provide the appropriate directory information – except for religious affiliation – to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule.

15. My State law says I may provide information regarding an injured worker’s previous condition, which is not directly related to the claim for compensation, to an employer or insurer if I obtain the worker’s written release. Am I permitted to make this disclosure under the HIPAA Privacy Rule?

A covered entity may disclose protected health information where the individual’s written authorization has been obtained, consistent with the Privacy Rule’s requirements at 45 CFR 164.508. Thus, a covered entity would be permitted to make the above disclosure if the individual signed such an authorization.

16. My State law says I may disclose records, relating to the treatment I provided to an injured worker, to a workers’ compensation insurer for purposes of determining the amount of or entitlement to payment under the workers’ compensation system. Am I allowed to share this information under the HIPAA Privacy Rule?

Yes. A covered entity is permitted to disclose an individual’s protected health information as necessary to comply with and to the full extent authorized by workers’ compensation law. See 45 CFR 164.512(l).

17. Can the fact that a patient has been “treated and released,” or that a patient has died, be released as part of the facility directory?

Yes. The fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed.

18. Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?

No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.


1. Do we have to use safer sharps? Can’t we just evaluate them?

Response from OSHA: (emphasis added) OSHA’s bloodborne pathogens standard at 29 CFR 1910.1030(c)(1)(iv) requires employers to evaluate safer medical devices to eliminate or minimize employee exposure to blood or other potentially infectious materials (OPIM). Employers must solicit input from non-managerial employees in the selection process [29 CFR 1910.1030(c)(1)(v)]. Engineering controls, including safety scalpels, must be implemented where their use is feasible [29 CFR 1910.1030(d)(2)(i)]. The Exposure Control Plan (1910.1030(c)(1)(i)) shall:

  • Reflect changes in technology that eliminate or reduce exposure to bloodborne pathogens [1910.1030(c)(1)(iv)(A)].
  • Document annually consideration and implementation of appropriate commercially available and effective safer medical devices designed to eliminate or minimize occupational exposure [1910.1030(c)(1)(iv)(B)].
  • Solicit input from non-managerial employees responsible for direct patient care, who are potentially exposed to injuries from contaminated sharps, in the identification, evaluation, and selection of effective engineering and work practice controls and shall document the solicitation in the Exposure Control Plan [1910.1030(c)(1)(v)].

2. The last OSHA Bulletin stated that we are not required to maintain a Sharps Injury Log because we are not required to maintain the OSHA 300 Log. Does this exempt us from documenting sharps injuries?

Absolutely not! Employers are required to document details of all sharps injuries! The documentation must include at least all information required for sharps injury logs. In the Bloodborne Pathogen section of the DoctorsManagement OSHA Manual, there are forms for this purpose.

Some State programs DO require all healthcare facilities, including medical and dental offices with 11 or more employees, to maintain the OSHA 300 Log. This includes Minnesota OSHA.

3. What are OSHA requirements for Hepatitis B Vaccine?

Healthcare employers must offer Hepatitis B vaccination to all employees at risk for exposure to bloodborne pathogens. The vaccine must be offered within 10 days of being assigned responsibilities that pose a risk for exposure. It must be offered totally free of charge to the employee and under the supervision of a healthcare professional authorized by State laws. There must be documentation that the healthcare professional has evaluated the employee and determined that it is safe for the employee to receive the vaccine. The employee has the right to decline the vaccine but must sign the declination form.

The employer must provide a blood test 1-2 months following the third shot. If the test does not show that the employee is immune, the employer must offer a second series, following the same requirements as for the first series. The employer must pay for the blood tests as well. If the employee still does not show immunity, the employer must encourage the employee to seek further medical evaluation but is not required to pay for it.

The employer must maintain documentation (shot records, test results, or signed declination) for the duration of employment plus 30 years unless the employee stays with that employer less than 12 months from hire. In that case, the employer should offer the documentation to the employee when he or she leaves. If the employee does not want the records, the employer should shred them.

4. Is a routine booster dose of hepatitis B vaccine required?

This response is directly from OSHA.

Because the U.S. Public Health Service (USPHS) does not recommend routine booster doses of hepatitis B vaccine, they are not required at this time. However, if a routine booster dose of hepatitis B vaccine is recommended by the USPHS at a future date, such booster doses must be made available at no cost to those eligible employees with occupational exposure.

5. Are we required to provide employee TB skin testing?

Possibly not. OSHA does not have a formal tuberculosis standard but may use the General Duty Clause to cite employers who are not adequately protecting employees from recognized hazards. Federal OSHA currently relies on its compliance directive from 1996, which essentially exempts dental procedures unless performed in a hospital or a correctional institute and medical practices that are not performing high risk procedures (bronchoscopy, intubation, sputum induction, aerosolized treatments) on patients suspected or confirmed for active tuberculosis infection.

The Centers for Disease Control and Prevention issued new guidelines in December 2005, stating that all healthcare employers should provide initial TB testing for all healthcare workers. The CDC has no enforcement authority. A few State OSHA programs have indicated that they are already following the new recommendations: Alaska, Arizona, Massachusetts, Michigan, Nevada, New Mexico, South Carolina, Vermont and Wyoming. However, we had no luck in verifying this on their web sites.

Washington’s State OSHA continues to use the older CDC guidelines, and Tennessee OSHA says they will follow Federal OSHA’s lead. To date, other State programs have not responded to our query.

6. May we have coffee cups at the nurses’ station?

Whether you can have food and/or beverages in areas within the medical or dental practice depends not upon what you call the area but rather how you use the area.

  • If injections are administered at the nurses’ station, or bandages are changed there, for example, no food or beverages are allowed.
  • If the nurses’ station is used only for administrative tasks, such as talking to patients over the phone or completing paperwork, food or beverages would not be forbidden by OSHA. However, keep in mind all the other issues, such as general untidiness, insects, and potential damage to computers and important papers.

7. How often are we required to have OSHA training?

OSHA requires training for all employees when they are first hired (prior to being exposed to the hazards), anytime new hazards (new chemicals, for example) are added or the individual’s job responsibilities change resulting in exposure to different hazards, anytime the regulations change, and each year.

8. How should we discard expired medications?

OSHA does not address the disposal of wastes. The Environmental Protection Agency (EPA), the Resource Conservation and Recovery Agency (RCRA), and various State agencies do. Your very best resource for your locality is your waste hauler. Waste haulers are highly regulated themselves and will not give you information that may put them at risk if you, their customer, do something inappropriate. Some waste haulers will tell you to place expired medications in the biohazard bags, while others will tell you to package them separately and label the container “Chemical Waste.” It depends upon local regulations and how the waste hauler ultimately disposes of the waste.

9. Does OSHA allow health care workers to wear “Crocs”?

Here is an excerpt from a letter from OSHA dated July 17, 2006, responding to this question. The same response pertains to sandals, open toe shoes, clogs, and flip flops.

You had a specific question relating to the use of “Crocs” Brand shoes (those that have a partially open heel but a covered toe) in a pharmacy setting. You asked for OSHA to interpret its guidelines on foot protection.

OSHA does not have a specific policy, or guidelines, on the wearing of open-heeled shoes. However, OSHA does have regulations pertaining to personal protective equipment, and more specifically, to protective footwear. They are found at 29 CFR 1910.132 and 1910.136 (copies enclosed). 29 CFR 1910.136(a) requires the use of protective footwear when employees are working in areas where there is a danger of foot injuries due to falling or rolling objects, or objects piercing the sole, and where there is a possibility of the employee’s feet being exposed to an electrical hazard.

In general, the standards require that foot protection be used whenever it is necessary by reason of hazard of processes or environment which could cause foot injury. If you are exposed, however infrequently, to those hazards during the course of your business activities, then, during that period of exposure, you would be required to wear protective footwear. If an employee is not exposed to any hazards to the feet, then the use of protective footwear would not be required.

Normally, the employer will determine which, if any, of the employees are exposed to a foot injury hazard. Ultimately, the determination of appropriate footwear in the absence of any of the previously mentioned hazards would be a matter for labor-management negotiation to which OSHA would not be a party.

10. What are OSHA’s regulations about storing items under the sinks in the clinical areas?

We have been unable to find any OSHA regulations relating to the storage of items under the sink, nor have we been able to link it to employee health and safety. This question seems to be triggered by guidelines from some accrediting agency (possibly Joint Commission, formerly the Joint Commission on the Accreditation of Health Care Organizations or JCAHO) or a managed care organization. One explanation is that patient care items could be contaminated by potential leakage.

11. How often do we need to update our OSHA Manual?

OSHA requires all employers to evaluate hazards and produce a written protection program initially, and to update the written program anytime the hazards change or when OSHA’s standards change. The last standard change impacting healthcare was in 2001, with the release of the new Bloodborne Pathogen Standard. The Hazardous Communications Standard requires employers to update their Chemical List annually. The Bloodborne Pathogen Standard requires employers to review their exposure risk categories every year to be sure they are still accurate and to update them if needed. This Standard also requires employers to evaluate new safer medical devices periodically. Interpretations from OSHA indicate that this means at least every year.

12. What are OSHA’s guidelines for tracking medication samples?

Again, this is a patient care issue, not an employee safety or health issue, and therefore is not addressed by OSHA at all. However, many managed care organizations and accrediting agencies are very concerned about medication samples. Liability issues are involved as well.

13. Does OSHA require us to have a special license to transport small amounts of biohazardous waste from satellite offices to the central office for pick up by our waste hauler?

No. OSHA does not govern the transport of waste. The transport of hazardous waste, both biohazardous waste and hazardous chemicals, is under the Department of Transportation (DOT) and the Environmental Protection Agency (EPA). Your local EPA is your best resource for licensing questions. The federal Hazardous Materials (HazMat) Regulations do not require placarding for private vehicles, such as cars used by home health agencies or laboratory couriers.

14. In one of the past issues, you mentioned that OSHA is concerned with the accuracy of information in the MSDSs. Will we be fined if OSHA inspects us and finds errors in our MSDSs?

No. OSHA holds the manufacturer, not the employer or the distributor, responsible for the accuracy of the information in the MSDS. However, if the distributor or employer has information indicating errors, he or she should report that to the manufacturer and to OSHA. OSHA is working with manufacturers to improve the reliability of this information.

15. What are OSHA’s regulations concerning personal heaters?

OSHA does not govern personal heaters, but the local fire marshal does. Follow electrical safety guidelines and use only those heaters approved by your local fire marshal.

16. What does OSHA require concerning disposal of contaminated sharps used in the home?

Homes are not governed by OSHA. Therefore, OSHA has NO guidelines for disposal of contaminated sharps used in the home. However, this may be governed by state regulations. Please call your solid waste dept. or public health department for advice.

US EPA Recommendations:

  • Place in puncture-resistant container and seal
  • Take to drop box or supervised collection site
  • Consider:
      • Mail back program
      • Home needle destruction devices
      • Syringe exchange program

17. What are OSHA’s regulations concerning the use of lighted candles in private practices?

OSHA does not govern the use of candles, but the local fire marshal may. The use of lighted candles is forbidden in many public buildings. Yes, restaurants, spas and other establishments do use them.
