The Centers for Medicare and Medicaid Services (CMS), a part of the U.S. Department of Health and Human Services (DHHS), administers the Medicare and Medicaid government insurance programs. In order to participate in and be eligible for reimbursement under Medicare and Medicaid, a healthcare provider must obtain and comply with quality and safety standards set forth in federal regulations known as Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).¹ CMS further interprets these standards in detail in the State Operations Manual (SOM), with specific healthcare settings identified in appendices to the SOM.² The CMS standards and interpretations are numerous and comprehensive, covering many areas, including infection prevention. Given that Medicare and Medicaid are the insurance programs for upward of one-third of the US population,³ compliance with the CMS standards and interpretations is vitally important for most healthcare organizations’ financial health.

Successful completion of an onsite survey is a prerequisite to a determination that a healthcare facility complies with CMS standards.¹ The survey may be performed either by a state agency on behalf of the federal government or by a national accreditation organization that has been recognized, through a process known as “deeming,” as having standards and practices that meet or exceed CMS requirements.¹ The Joint Commission is perhaps the most wellknown among such accreditation organizations.

Surveys for compliance with CMS standards are generally unannounced and can be time-consuming and intense experiences. Given that they can occur at any time, the best practice is to have preidentified point persons and procedures (eg, space and supplies for the surveyors, a means to communicate the surveyors’ arrival to healthcare personnel, contact information for individuals who may be called upon to participate in the survey, etc.) so as to create an experience for the surveyors that is as seamless and efficient as possible. In addition, it is advised that the healthcare facilities continuously stay up-to-date on the applicable standards, as once they are in effect, they immediately become a possible focus of a survey. Flexibility is also key, as each survey is individualized and unpredictable, often lasting multiple days and sometimes even weeks.

In the event a survey identifies a deficiency, the facility is generally given the opportunity to submit a plan of correction.¹ In such cases, a resurvey to ensure compliance
will likely be required.¹ However, the presence of substantial noncompliance or the failure to address any noncompliance can make the facility ineligible for participation in Medicare and Medicaid,¹ resulting in disastrous financial and reputational consequences.

The CMS standards governing infection prevention with which healthcare facilities must comply are numerous and varied. By way of example, they include the following for hospitals^4,51:

As mentioned above, the costs associated with a finding of noncompliance with these standards are great, and thus the infection prevention professional’s time becoming familiar with the CMS standards is well spent.

The Occupational Safety and Health Administration (OSHA) is an agency of the U.S. Department of Labor (DOL). It enforces the Occupational Safety and Health Act and has the responsibility to ensure safe and healthful working conditions by setting and enforcing standards and providing training, outreach, education, and assistance.¹² OSHA has authority over most private sector employers and personnel, through either federal OSHA or by an OSHAapproved state job safety and health plan.¹³ State and local government agencies are not covered by federal OSHA but may have the same protections if the state has an OSHAapproved state program.¹³ In addition, states may have their own laws similar to those imposed by OSHA. OSHA also monitors and inspects federal agencies.¹³

Under the Occupational Safety and Health Act’s “General Duty Clause,” covered employers are required to provide a place of employment free from recognized hazards that cause or are likely to cause death or serious physical harm to personnel.¹⁴ Given the number of hazards faced by healthcare personnel and the high rate of workplace injuries and illnesses they suffer, OSHA has issued numerous standards and provided guidance in multiple areas affecting such personnel, some of which involve infection prevention and are summarized below. Failure to comply with OSHA standards may result in hefty monetary penalties, and particularly egregious situations may result in criminal charges.¹⁵

Personal Protective Equipment Standard Under the PPE standard, employers must evaluate whether personnel need PPE to protect them from injury or illness resulting from contact with chemical, radiological, physical, electrical, mechanical, or other workplace hazards.^16,17 While PPE may be essential, it is considered the last line of defense after engineering controls, work practices, and administrative controls.¹⁷ Employers must also train personnel on when and how to use PPE, as well as PPE’s limitations and proper care, maintenance, and disposal.^17,18 Generally, PPE must be provided at the employers’ expense.¹⁹

Bloodborne Pathogens Standard OSHA’s Bloodborne Pathogens Standard prescribes safeguards to protect personnel who can be reasonably anticipated to contact blood or other potentially infectious materials (OPIM).^20,21 The Bloodborne Pathogens Standard has several components, including^20,22,23:

Respiratory Protection Standard The respiratory protection standard addresses prevention of occupational diseases caused by breathing contaminated air.²⁴ In the healthcare setting, the potential for inhaling bacteria, viruses, and chemicals leading to injury or illness requires the use of PPE such as respirators and face masks.²⁵ The respiratory protection standard contains mandatory respirator fit testing, user seal check, cleaning, questionnaire, and education procedures.²⁶ It further requires employers to provide employees with a medical evaluation to determine whether the employee is able to use a respirator before the employee is fit tested or required to use the respirator.²⁷

OSHA has also published a Hospital Respiratory Protection Program Toolkit based in part on the CDC and HICPAC’s “2007 Guideline for Isolation Precautions: Preventing Transmission of Infectious Agents in Healthcare Settings.”^25,28 That Guideline recommends that respiratory protection should be used in healthcare settings when certain tasks are performed and that the use of respirators should comply with the Respiratory Protection Standard.²⁵

Specific to tuberculosis, OSHA regulations require employers to record all work-related tuberculosis cases.²⁹ OSHA has also issued an Instruction titled “Enforcement Procedures and Scheduling for Occupational Exposure to Tuberculosis”³⁰ that relies on the CDC’s “Guidelines for Preventing the Transmission of Mycobacterium tuberculosis in Health-Care Settings, 2005.”³¹ The CDC Guidelines provide a thorough framework for tuberculosis prevention, including a robust tuberculosis infection prevention plan that is part of an overall infection prevention program, and the Instruction mandates that OSHA inspections will include a review of such plan.^30,31 The Instruction further adopts the CDC Guidelines’ recommendation that employees wear a National Institute for Occupational Safety and Health (NIOSH)-approved N95 filtering facepiece respirator to protect against tuberculosis hazards.³⁰

Ethylene Oxide and Formaldehyde Standards Ethylene oxide and formaldehyde are used as sterilants but can have harmful effects on healthcare personnel. The Ethylene Oxide and Formaldehyde Standards address requirements such as monitoring exposure, written plans for handling emergency exposures, PPE, recordkeeping, and medical surveillance.^32,33 Although OSHA has not adopted a standard with regard to the sterilant glutaraldehyde, it has issued a handbook outlining best practices for the use of glutaraldehyde in the healthcare setting.³⁴

Specific Disease Guidance, Fact Sheet, Information, and Tool Kits OSHA provides information on specific infectious diseases that healthcare personnel are occupationally exposed to, including cytomegalovirus,³⁵ Ebola,³⁶ seasonal influenza,³⁷ pandemic influenza,³⁸ measles,³⁹ Middle East respiratory syndrome (MERS),⁴⁰ MDROs including methicillin-resistant Staphylococcus aureus (MRSA),⁴¹ noroviruses,⁴² severe acute respiratory syndrome (SARS),⁴³ tuberculosis,⁴⁴ and Zika virus.⁴⁵ Although not standards, these fact sheets, tool kits, and other information and guidance can be valuable resources to the infection prevention professional. It is also important to keep in mind that the bloodborne pathogens, PPE, and respiratory protection standards are directly applicable to protection against these infectious diseases.

The U.S. Food and Drug Administration (FDA) is an agency within DHHS that regulates, among other things, drugs, biological products, and medical devices. While the FDA enforces legislation⁴⁶ and rules and regulations,⁴⁷ it also issues nonbinding Guidance Documents that represent the FDA’s “current thinking on a topic.”⁴⁸

Examples of areas of FDA regulation that touch on matters of infection prevention include vaccines used for pre-exposure immunization (eg, mumps-measles-rubella, influenza, varicella, hepatitis B),⁴⁹ infectious disease tests,⁵⁰ human tissue safety and availability,⁵¹ blood donor screening,⁵² antimicrobial stewardship,⁵³ manufacturing of sterile drug products,⁵⁴ single-use device (SUD) reprocessing,⁵⁵ and medical device oversight (including that of PPE).⁵⁶

An area of FDA regulation and enforcement that has particular relevance to the hospital setting is medical device surveillance. FDA regulations require hospitals, as a “device user facility,”⁵⁷ to report device-related deaths and serious injuries to the FDA and the manufacturer within 10 work days after the day on which the hospital becomes aware of information that reasonably suggests that a device has or may have caused or contributed to a death or serious injury.^58,59 An example of this obligation in the infection prevention context is the spread of infectious pathogens associated with contaminated duodenoscopes or reprocessed SUDs. In addition to reports that must be made promptly after an event, hospitals must submit annual reports by January 1 of each year if they reported any events throughout the calendar year.^60,61 Moreover, hospitals are required to develop, maintain, and implement written procedures for medical device reporting, as well as maintain appropriate records.^62,63

An additional obligation surrounding device-related deaths and serious injuries arises when the hospital
reprocesses SUDs in house, since hospitals who reprocess SUDs in house are considered by the FDA to be the manufacturer of that device.⁶⁴ As a result, those hospitals have reporting requirements both as a device user facility and as a manufacturer. Additional manufacturer obligations include reporting events requiring remedial action to prevent certain risks of harm to the public, conducting investigations and evaluating causes of events, reporting device malfunctions, and submitting specified follow-up.^65,66

Like other federal agencies, the FDA has the authority to inspect healthcare facilities.⁶² If, during an FDA inspection, the FDA investigator observes conditions that may violate the law, an FDA Form 483 will be issued. The facility subject to inspection is encouraged to respond in writing with a corrective action plan.⁶⁸ After issuance of the FDA Form 483, the FDA may issue a warning letter, which is a formal notification of a violation of FDA regulations.⁶⁹ In cases where violations do not reach a threshold of regulatory significance for a warning letter, the FDA may issue an untitled letter, which serves as notice that the FDA is aware of the facility’s violation of federal law.⁶⁹ If the FDA issues a warning letter, it will also require a corrective action plan and appropriate follow-up.⁷⁰ Nevertheless, warning letters are considered informal and advisory and do not commit the FDA to taking enforcement action.⁶⁹ In egregious situations, the FDA will move immediately to enforcement action without first issuing a warning letter.⁶⁹ More impactful FDA enforcement actions include criminal charges and prosecution, administrative detention, license revocation or suspension, and civil monetary penalties.^71,72