Legal Issues in Healthcare Epidemiology and Infection Prevention
Sarah M. Fotheringham
As in many areas of healthcare law, the legal issues and regulations surrounding matters related to epidemiology and infection prevention are numerous and varied. It is not always obvious that a particular issue involving infection prevention may have legal ramifications or attendant legal obligations. While it is impossible to identify all of the circumstances in which infection prevention and the law may intersect, this chapter will identify some of the core and fundamental areas of the law that warrant the infection prevention professional’s familiarity or, at the least, awareness.
The legal obligations in this setting arise from multiple sources and occur at the federal, state, and local levels. Compliance with these obligations are critical; not only do they work to promote patient safety and the public health, but failure to adhere to them could place a healthcare institution or provider at risk of substantial legal liability or loss of the ability to continue to provide or receive payment for services.
Below, the legal obligations are discussed from three vantage points: (1) federal regulatory agency enforcement of applicable federal laws, (2) emerging legal issues involving infection prevention, and (3) state law considerations. Again, the chapter is not exhaustive and provides only an overview of areas germane to the practice of healthcare epidemiology and infection prevention. A qualified and licensed attorney should always be consulted for legal advice on a specific situation.
FEDERAL REGULATORY AGENCY AUTHORITY
Epidemiology and infection prevention most frequently interact with the law at the federal agency level. Federal agencies are charged with implementing and enforcing federal law, and they often have broad authority in executing enforcement measures. Discussed below are several agencies with authority in infection prevention matters, the relevant laws they enforce, and how they interact with healthcare facilities.
The U.S. Centers for Medicare and Medicaid Services
The Centers for Medicare and Medicaid Services (CMS), a part of the U.S. Department of Health and Human Services (DHHS), administers the Medicare and Medicaid government insurance programs. In order to participate in and be eligible for reimbursement under Medicare and Medicaid, a healthcare provider must obtain and comply with quality and safety standards set forth in federal regulations known as Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).1 CMS further interprets these standards in detail in the State Operations Manual (SOM), with specific healthcare settings identified in appendices to the SOM.2 The CMS standards and interpretations are numerous and comprehensive, covering many areas, including infection prevention. Given that Medicare and Medicaid are the insurance programs for upward of one-third of the US population,3 compliance with the CMS standards and interpretations is vitally important for most healthcare organizations’ financial health.
Successful completion of an onsite survey is a prerequisite to a determination that a healthcare facility complies with CMS standards.1 The survey may be performed either by a state agency on behalf of the federal government or by a national accreditation organization that has been recognized, through a process known as “deeming,” as having standards and practices that meet or exceed CMS requirements.1 The Joint Commission is perhaps the most wellknown among such accreditation organizations.
Surveys for compliance with CMS standards are generally unannounced and can be time-consuming and intense experiences. Given that they can occur at any time, the best practice is to have preidentified point persons and procedures (eg, space and supplies for the surveyors, a means to communicate the surveyors’ arrival to healthcare personnel, contact information for individuals who may be called upon to participate in the survey, etc.) so as to create an experience for the surveyors that is as seamless and efficient as possible. In addition, it is advised that the healthcare facilities continuously stay up-to-date on the applicable standards, as once they are in effect, they immediately become a possible focus of a survey. Flexibility is also key, as each survey is individualized and unpredictable, often lasting multiple days and sometimes even weeks.
In the event a survey identifies a deficiency, the facility is generally given the opportunity to submit a plan of correction.1 In such cases, a resurvey to ensure compliance
will likely be required.1 However, the presence of substantial noncompliance or the failure to address any noncompliance can make the facility ineligible for participation in Medicare and Medicaid,1 resulting in disastrous financial and reputational consequences.
will likely be required.1 However, the presence of substantial noncompliance or the failure to address any noncompliance can make the facility ineligible for participation in Medicare and Medicaid,1 resulting in disastrous financial and reputational consequences.
The CMS standards governing infection prevention with which healthcare facilities must comply are numerous and varied. By way of example, they include the following for hospitals4,51:
An established Infection Prevention Program and Resources, including a qualified and designated Infection Prevention Officer who sets infection prevention policies
Quality Assessment and Performance Improvement (QAPI) and training programs designed to address issues within the institution
Systems to prevent transmission of multidrug-resistant organisms (MDRO) and to promote antimicrobial stewardship
Infection prevention systems and personnel training and immunizations
Hand hygiene resources and practices
Injection practices and sharps safety
Personal protective equipment (PPE)/standard precautions
Cleaning and disinfection practices
Equipment reprocessing and sterilization
Practices surrounding indwelling urinary catheters, central venous catheters, respiratory/ventilator therapy, spinal injections, surgical procedures, and pointof-care devices
Standard precautions and patient isolation (ie, contact, droplet, and airborne isolation precautions)
As mentioned above, the costs associated with a finding of noncompliance with these standards are great, and thus the infection prevention professional’s time becoming familiar with the CMS standards is well spent.
Centers for Disease Control and Prevention
The U.S. Centers for Disease Control and Prevention (CDC) is an operating component of DHHS. It is an agency charged with protecting Americans’ health,6 and while it has some limited regulatory authority,7 it performs foundational scientific work to prevent, detect, and respond to health threats.8 The CDC provides extensive resources and recommendations on effective infection prevention and management in a variety of healthcare settings, including training materials, continuing education courses, a Guidelines and Guidance Library, and other assessment and response tools.9 The CDC also receives advice and guidance from the Healthcare Infection Control Practices Advisory Committee (HICPAC).10 The areas in which HICPAC provides input to the CDC include infection prevention (including the surveillance and prevention of healthcare-associated infections), antimicrobial resistance, development of policies, and new and updated surveillance methodologies.10
The CDC and HICPAC recommendations are generally considered standards of care and/or accepted practices11 and therefore may inform other federal regulatory agency enforcement efforts, including those involving infection prevention. Thus, while they may not be directly involved in enforcement activity, their recommendations bear careful attention.
U.S. Occupational Safety and Health Administration
The Occupational Safety and Health Administration (OSHA) is an agency of the U.S. Department of Labor (DOL). It enforces the Occupational Safety and Health Act and has the responsibility to ensure safe and healthful working conditions by setting and enforcing standards and providing training, outreach, education, and assistance.12 OSHA has authority over most private sector employers and personnel, through either federal OSHA or by an OSHAapproved state job safety and health plan.13 State and local government agencies are not covered by federal OSHA but may have the same protections if the state has an OSHAapproved state program.13 In addition, states may have their own laws similar to those imposed by OSHA. OSHA also monitors and inspects federal agencies.13
Under the Occupational Safety and Health Act’s “General Duty Clause,” covered employers are required to provide a place of employment free from recognized hazards that cause or are likely to cause death or serious physical harm to personnel.14 Given the number of hazards faced by healthcare personnel and the high rate of workplace injuries and illnesses they suffer, OSHA has issued numerous standards and provided guidance in multiple areas affecting such personnel, some of which involve infection prevention and are summarized below. Failure to comply with OSHA standards may result in hefty monetary penalties, and particularly egregious situations may result in criminal charges.15
Personal Protective Equipment Standard Under the PPE standard, employers must evaluate whether personnel need PPE to protect them from injury or illness resulting from contact with chemical, radiological, physical, electrical, mechanical, or other workplace hazards.16,17 While PPE may be essential, it is considered the last line of defense after engineering controls, work practices, and administrative controls.17 Employers must also train personnel on when and how to use PPE, as well as PPE’s limitations and proper care, maintenance, and disposal.17,18 Generally, PPE must be provided at the employers’ expense.19
Bloodborne Pathogens Standard OSHA’s Bloodborne Pathogens Standard prescribes safeguards to protect personnel who can be reasonably anticipated to contact blood or other potentially infectious materials (OPIM).20,21 The Bloodborne Pathogens Standard has several components, including20,22,23:
Establishing a written exposure control plan containing a list of job classifications where there is occupational exposure, along with a list of the tasks that result in exposure
Annually updating the written exposure control plan, including annual documentation that the employer has considered and begun using appropriate safer medical devices, as well as documentation that the employer has solicited input from frontline healthcare personnel regarding effective controls
Implementing the use of universal (now standard) precautions
Identifying and using engineering controls (such as sharps disposal containers, self-sheathing needles, and safer medical devices) and work practice controls
Providing appropriate PPE
Making hepatitis B vaccinations available to all personnel with potential occupational exposure, after personnel has received the required training and within 10 days of initial assignment to a job with occupational exposure
Providing postexposure evaluation and follow-up to all personnel who experience an exposure incident (including source testing and testing of the personnel, offering postexposure prophylaxis and counseling, and evaluating reported illnesses)
Using labels and signs to communicate hazards on items such as containers of contaminated reusable sharps or containers used to store, transport, or ship blood or OPIM
Providing information and training to personnel upon initial assignment, at least annually thereafter, and when new or modified tasks or procedures affect personnel’s occupational exposure
Maintaining records
Respiratory Protection Standard The respiratory protection standard addresses prevention of occupational diseases caused by breathing contaminated air.24 In the healthcare setting, the potential for inhaling bacteria, viruses, and chemicals leading to injury or illness requires the use of PPE such as respirators and face masks.25 The respiratory protection standard contains mandatory respirator fit testing, user seal check, cleaning, questionnaire, and education procedures.26 It further requires employers to provide employees with a medical evaluation to determine whether the employee is able to use a respirator before the employee is fit tested or required to use the respirator.27
OSHA has also published a Hospital Respiratory Protection Program Toolkit based in part on the CDC and HICPAC’s “2007 Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings.”25,28 That Guideline recommends that respiratory protection should be used in healthcare settings when certain tasks are performed and that the use of respirators should comply with the Respiratory Protection Standard.25
Specific to tuberculosis, OSHA regulations require employers to record all work-related tuberculosis cases.29 OSHA has also issued an Instruction titled “Enforcement Procedures and Scheduling for Occupational Exposure to Tuberculosis”30 that relies on the CDC’s “Guidelines for Preventing the Transmission of Mycobacterium tuberculosis in Health-Care Settings, 2005.”31 The CDC Guidelines provide a thorough framework for tuberculosis prevention, including a robust tuberculosis infection prevention plan that is part of an overall infection prevention program, and the Instruction mandates that OSHA inspections will include a review of such plan.30,31 The Instruction further adopts the CDC Guidelines’ recommendation that employees wear a National Institute for Occupational Safety and Health (NIOSH)-approved N95 filtering facepiece respirator to protect against tuberculosis hazards.30
Ethylene Oxide and Formaldehyde Standards Ethylene oxide and formaldehyde are used as sterilants but can have harmful effects on healthcare personnel. The Ethylene Oxide and Formaldehyde Standards address requirements such as monitoring exposure, written plans for handling emergency exposures, PPE, recordkeeping, and medical surveillance.32,33 Although OSHA has not adopted a standard with regard to the sterilant glutaraldehyde, it has issued a handbook outlining best practices for the use of glutaraldehyde in the healthcare setting.34
Specific Disease Guidance, Fact Sheet, Information, and Tool Kits OSHA provides information on specific infectious diseases that healthcare personnel are occupationally exposed to, including cytomegalovirus,35 Ebola,36 seasonal influenza,37 pandemic influenza,38 measles,39 Middle East respiratory syndrome (MERS),40 MDROs including methicillin-resistant Staphylococcus aureus (MRSA),41 noroviruses,42 severe acute respiratory syndrome (SARS),43 tuberculosis,44 and Zika virus.45 Although not standards, these fact sheets, tool kits, and other information and guidance can be valuable resources to the infection prevention professional. It is also important to keep in mind that the bloodborne pathogens, PPE, and respiratory protection standards are directly applicable to protection against these infectious diseases.
U.S. Food and Drug Administration
The U.S. Food and Drug Administration (FDA) is an agency within DHHS that regulates, among other things, drugs, biological products, and medical devices. While the FDA enforces legislation46 and rules and regulations,47 it also issues nonbinding Guidance Documents that represent the FDA’s “current thinking on a topic.”48
Examples of areas of FDA regulation that touch on matters of infection prevention include vaccines used for pre-exposure immunization (eg, mumps-measles-rubella, influenza, varicella, hepatitis B),49 infectious disease tests,50 human tissue safety and availability,51 blood donor screening,52 antimicrobial stewardship,53 manufacturing of sterile drug products,54 single-use device (SUD) reprocessing,55 and medical device oversight (including that of PPE).56
An area of FDA regulation and enforcement that has particular relevance to the hospital setting is medical device surveillance. FDA regulations require hospitals, as a “device user facility,”57 to report device-related deaths and serious injuries to the FDA and the manufacturer within 10 work days after the day on which the hospital becomes aware of information that reasonably suggests that a device has or may have caused or contributed to a death or serious injury.58,59 An example of this obligation in the infection prevention context is the spread of infectious pathogens associated with contaminated duodenoscopes or reprocessed SUDs. In addition to reports that must be made promptly after an event, hospitals must submit annual reports by January 1 of each year if they reported any events throughout the calendar year.60,61 Moreover, hospitals are required to develop, maintain, and implement written procedures for medical device reporting, as well as maintain appropriate records.62,63
An additional obligation surrounding device-related deaths and serious injuries arises when the hospital
reprocesses SUDs in house, since hospitals who reprocess SUDs in house are considered by the FDA to be the manufacturer of that device.64 As a result, those hospitals have reporting requirements both as a device user facility and as a manufacturer. Additional manufacturer obligations include reporting events requiring remedial action to prevent certain risks of harm to the public, conducting investigations and evaluating causes of events, reporting device malfunctions, and submitting specified follow-up.65,66
reprocesses SUDs in house, since hospitals who reprocess SUDs in house are considered by the FDA to be the manufacturer of that device.64 As a result, those hospitals have reporting requirements both as a device user facility and as a manufacturer. Additional manufacturer obligations include reporting events requiring remedial action to prevent certain risks of harm to the public, conducting investigations and evaluating causes of events, reporting device malfunctions, and submitting specified follow-up.65,66
Like other federal agencies, the FDA has the authority to inspect healthcare facilities.62 If, during an FDA inspection, the FDA investigator observes conditions that may violate the law, an FDA Form 483 will be issued. The facility subject to inspection is encouraged to respond in writing with a corrective action plan.68 After issuance of the FDA Form 483, the FDA may issue a warning letter, which is a formal notification of a violation of FDA regulations.69 In cases where violations do not reach a threshold of regulatory significance for a warning letter, the FDA may issue an untitled letter, which serves as notice that the FDA is aware of the facility’s violation of federal law.69 If the FDA issues a warning letter, it will also require a corrective action plan and appropriate follow-up.70 Nevertheless, warning letters are considered informal and advisory and do not commit the FDA to taking enforcement action.69 In egregious situations, the FDA will move immediately to enforcement action without first issuing a warning letter.69 More impactful FDA enforcement actions include criminal charges and prosecution, administrative detention, license revocation or suspension, and civil monetary penalties.71,72