An exposure control plan (ECP) is a written document that every employer must create when workers could come into contact with blood or other potentially infectious materials on the job. Required under OSHA’s Bloodborne Pathogens Standard (29 CFR 1910.1030), the plan spells out exactly how the employer will eliminate or minimize that exposure. It applies to healthcare workers, lab technicians, janitorial staff, first responders, and anyone else whose job duties carry a risk of contact with blood or bodily fluids.
What the Plan Must Include
At its core, an exposure control plan has three main components: an exposure determination, a schedule for implementing protective measures, and procedures for evaluating incidents after they happen. The exposure determination is the foundation. It requires the employer to sort job classifications into two groups: those where every worker has occupational exposure, and those where only some workers do. For that second group, the plan must list the specific tasks that create the risk. Importantly, this determination is made without considering personal protective equipment. The question isn’t whether gloves make the job safe; it’s whether the job involves potential contact with infectious materials at all.
Beyond the exposure determination, the plan must describe the methods the employer will use to reduce risk. These include engineering controls (physical changes to the workspace, like self-sheathing needles or sharps disposal containers), work practice controls (behavioral protocols like proper handwashing or prohibiting needle recapping), and personal protective equipment such as gloves, gowns, and face shields. The plan should also cover housekeeping procedures, labeling and color-coding systems for biohazardous materials, and the handling and disposal of contaminated waste.
Who Needs One
Any employer with even one employee who has occupational exposure to blood or other potentially infectious materials must have an ECP. This goes well beyond hospitals and clinics. Dental offices, tattoo parlors, funeral homes, correctional facilities, schools with nurses, and cleaning companies that service medical buildings can all fall under the standard. If a worker could reasonably encounter blood or bodily fluids during their normal duties or as a foreseeable part of their job, the employer is on the hook.
Hepatitis B Vaccination Requirements
The plan must address the hepatitis B vaccine. Employers are required to offer the full vaccine series, free of charge, to every worker identified in the exposure determination. The offer must come after the employee completes initial training and within 10 days of their first assignment to a job with occupational exposure. Workers can decline the vaccine, but the employer must document that refusal. If an employee initially declines and later changes their mind, the employer still has to provide it at no cost.
Training Requirements
Every worker covered by the plan must receive training when they’re first assigned to an at-risk role and at least once a year after that. The training can’t be a passive handout or a video watched alone. OSHA requires an opportunity for interactive questions and answers with the person conducting the session.
The content is detailed. Training must cover how bloodborne diseases are transmitted, how to recognize tasks that carry exposure risk, how to properly use and dispose of protective equipment, and what to do in an emergency involving blood or infectious materials. Workers must also learn about the hepatitis B vaccine, including its safety and effectiveness, and be told that it’s available to them at no cost. The employer must also make the full text of the OSHA standard available and explain what it says.
What Happens After an Exposure Incident
The plan must include clear procedures for what to do when an exposure actually occurs, whether that’s a needlestick, a splash of blood to the eyes, or a cut from a contaminated sharp object. The employer is required to provide a confidential medical evaluation and follow-up at no charge to the affected worker. This includes documenting the route of exposure, identifying the source individual when possible, and collecting and testing blood samples.
Needlestick injuries and cuts from contaminated sharps must also be recorded on the OSHA 300 Log. To protect privacy, the employee’s name is not entered on the log. If the worker is later diagnosed with an infectious bloodborne disease as a result of the incident, the employer must update the log entry to reflect the diagnosis and reclassify the case from an injury to an illness.
Annual Review and Updates
An exposure control plan is not a document you write once and file away. OSHA requires employers to review and update it at least annually. The review should account for new or modified tasks and procedures that affect exposure risk, changes in employee positions, and advances in safer devices and technology. If a facility starts using a new type of needle or adds a job role that involves patient contact, the ECP needs to reflect that.
The annual review is also the time to evaluate whether current engineering controls are working and whether newer, safer alternatives are available. OSHA expects employers to actively seek out devices designed to reduce sharps injuries, like retractable needles and blunt-tip suture needles, and document why specific devices were or were not adopted.
Recordkeeping Obligations
The recordkeeping requirements attached to the plan are substantial. Medical records for each employee covered by the standard must be maintained for the duration of their employment plus 30 years. Exposure records must also be kept for 30 years. Training records, which include dates, session content, the trainer’s name, and attendee names and job titles, must be retained for three years from the date of the training session.
All of these records must be made available to employees, their representatives, and OSHA upon request. Medical records are confidential and can only be released with the employee’s written consent, but training and exposure records have no such restriction.
Penalties for Noncompliance
OSHA can cite employers for failing to have an exposure control plan, for having one that’s incomplete, or for failing to follow the plan they’ve written. Common violations include missing annual reviews, incomplete exposure determinations, failure to offer the hepatitis B vaccine on time, and inadequate training. Penalties vary based on the severity and whether the violation is classified as serious, willful, or repeated, but fines for a single serious violation can reach tens of thousands of dollars.
The plan should be accessible to all employees. Workers have the right to obtain a copy of the written ECP, and employers must tell them how to do so during training. Keeping the plan locked in an administrator’s office where no one can find it doesn’t satisfy the requirement.