Bloodborne Pathogens Exposure Control Plan: What Every Practice Needs

The OSHA Bloodborne Pathogens (BBP) Standard (29 CFR 1910.1030) is one of the most critical regulations for medical practices. Healthcare workers face daily exposure to blood and other potentially infectious materials (OPIM), and the standard requires employers to protect them through a written Exposure Control Plan (ECP). Failure to maintain an adequate ECP is one of the most frequently cited OSHA violations in healthcare settings. This guide covers what your plan must include and how to keep it current.

What the Exposure Control Plan Must Contain

The ECP is the centerpiece of your BBP compliance program. At minimum, it must include three elements: an exposure determination that identifies which job classifications and tasks involve occupational exposure to blood or OPIM (this must be made without regard to the use of personal protective equipment); the schedule and method of implementation for each provision of the standard, including engineering controls, work practice controls, PPE, hepatitis B vaccination, post-exposure evaluation, communication of hazards, and recordkeeping; and the procedures for evaluating the circumstances surrounding an exposure incident. The plan must be accessible to employees and to OSHA upon request, and it must be reviewed and updated at least annually.

Exposure Determination

The exposure determination is a classification of your workforce by job title and, where appropriate, by specific tasks and procedures. Group A includes job classifications where all employees have occupational exposure — in a medical practice, this typically includes physicians, nurses, medical assistants, phlebotomists, and lab technicians. Group B includes job classifications where only some employees have exposure — for example, administrative staff who occasionally handle specimens or clean exam rooms. Group C includes classifications with no occupational exposure. For each Group A and Group B classification, list the specific tasks and procedures that involve exposure. This determination drives every other element of your program.

Engineering and Work Practice Controls

Engineering controls are the primary means of eliminating or minimizing exposure. In medical practices, the most important engineering controls are sharps disposal containers placed at the point of use, self-sheathing needles and safety-engineered devices, needleless IV systems, and splash guards where appropriate. The Needlestick Safety and Prevention Act requires that employers solicit frontline employee input when selecting safety-engineered sharps devices and document this process in the ECP. Work practice controls include hand hygiene requirements, prohibitions on recapping needles by hand (unless no feasible alternative exists and a one-handed technique is used), prohibition of eating, drinking, or applying cosmetics in areas where exposure is possible, and specimen handling procedures that minimize splashing and spraying.

Personal Protective Equipment

When engineering and work practice controls do not fully eliminate exposure risk, employers must provide appropriate PPE at no cost to employees. This includes gloves (must be replaced when visibly contaminated, torn, or punctured), gowns and lab coats, face shields or masks with eye protection when splashes are anticipated, and resuscitation devices. The employer must ensure PPE is readily accessible, that employees are trained in its proper use, and that contaminated PPE is handled, laundered, or disposed of by the employer. Hypoallergenic gloves or alternative products must be available for employees with latex sensitivities.

Hepatitis B Vaccination

Employers must offer the hepatitis B vaccination series to all employees with occupational exposure, at no cost, within 10 working days of initial assignment. The vaccine must be administered under the supervision of a licensed healthcare professional. Employees may decline the vaccination but must sign a specific declination statement (the exact language is prescribed in Appendix A of the standard). If an employee initially declines but later wishes to be vaccinated, the employer must make the vaccine available at that time. Vaccination records must be maintained for the duration of employment plus 30 years.

Post-Exposure Evaluation and Follow-Up

When an exposure incident occurs — a specific eye, mouth, mucous membrane, non-intact skin, or parenteral contact with blood or OPIM — the employer must provide immediate, confidential medical evaluation and follow-up at no cost to the employee. This includes documenting the route and circumstances of the exposure, identifying the source individual (and testing their blood for HIV and HBV/HCV with consent), testing the employee's blood, providing post-exposure prophylaxis when indicated, and offering counseling. The evaluating healthcare provider must give the employer a written opinion limited to whether the employee was informed of the results and whether hepatitis B vaccination is recommended. All other findings are confidential.

Annual Review and Sharps Injury Log

The ECP must be reviewed and updated at least annually to reflect changes in technology, tasks, and positions. As part of this review, you must solicit input from non-managerial employees with exposure about the identification, evaluation, and selection of engineering controls and work practices. You must also maintain a sharps injury log that records, at minimum, the type and brand of device involved, the department or work area where the incident occurred, and a description of the incident. This log must be maintained in a way that protects employee privacy and retained for five years.

How GuardWell Compliance Helps

GuardWell provides a complete Bloodborne Pathogens compliance module that includes an ECP template tailored to medical practices, exposure determination worksheets, a sharps injury log with automatic OSHA 300 Log integration, post-exposure incident tracking with follow-up task management, and annual review reminders. The platform tracks hepatitis B vaccination status for each staff member and flags overdue declination statements. By centralizing your BBP compliance program in GuardWell, you can demonstrate to OSHA that your practice maintains a current, comprehensive Exposure Control Plan backed by documented implementation.