Hazard Communication Standard Exemptions

Hazard Communication Exemptions

The simplest way to determine whether a product is considered hazardous is to rely on the determination of the manufacturer. Since most hazardous products are obtained from medical, pharmaceutical, and janitorial supply companies, you can request that a current SDS be provided for each product you purchase from them. The Hazard Communication Standard requires that they provide SDSs to purchasers with the first order of their products and upon request.

Hazard Classification

In some cases, you may request an SDS for a product and be informed by the manufacturer that the product does not contain any hazardous chemicals, as defined by OSHA, or that a hazardous chemical comprises less than 1% of the total product (less than 0.1% for carcinogenic ingredients). In these cases, the product is considered non-hazardous and a safety data sheet is not required. Whether the notification is verbal (by phone) or by letter, you should record the information or maintain the notice provided for future reference. You may retain the letter or SDS in a file that is separate from SDSs for hazardous products.

Many manufacturers will create a safety data sheet even though a product contains no hazardous ingredients or contains less than the amounts specified above (1% or 0.1% of a carcinogen). When a new safety data sheet is received, section 3 of the product’s safety data sheet should be reviewed for information on ingredients. If there are no ingredients listed in this section, or listed ingredients each comprise less than 1% of the product (0.1% if carcinogenic), you may then determine that a safety data sheet need not be maintained for employee review.

Beyond reviewing the chemical composition of a product, the decision whether to include it in your Hazard Communication Plan can become confusing.

Specific Exemptions

In addition to those products that are considered non-hazardous due to their composition, the Standard exempts certain products (i.e., consumer products, cosmetics, OTC medications, and most sample drugs), due to the way in which the products are used. You are not required to maintain SDSs for these items even though the products may contain hazardous ingredients in amounts above the minimum threshold (1% or 0.1%). Note – while there are exemptions, you always have the option to maintain SDSs for all products (exempt and non-exempt, if available). All exemptions (that pertain to medical/dental settings) are covered in this article.

Consumer Products

OSHA exempts consumer products from Hazard Communication requirements, with the condition that “the employer can show that it is used in the workplace for the purpose intended by the manufacturer or importer of the product, and the use results in a duration and frequency of exposure which is not greater than the range of exposures that could reasonably be experienced by consumers when used for the purpose intended.” In other words, if the product is available to regular household consumers and is used in the same manner and with the same frequency/duration that a normal consumer would use it, then it is exempt from Hazard Communication requirements. For example, isopropyl alcohol and bleach may be purchased and used by any member of the general public. However, the frequency of use is probably much greater in a medical/dental practice than in a home. Therefore, the products would not be exempt. On the other hand, window cleaners, furniture polish, kitchen cleansers, etc. are most likely used with the same frequency and duration as with normal consumers and, therefore, would be exempt.

The Hazard Communication Standard also exempts foods, drugs, or cosmetics intended for personal consumption by employees while in the workplace.

OTC Medications and Samples

There are two specific exemptions pertaining to drugs within the Hazard Communication Standard. They are as follows:

  • Drugs that are dispensed by a pharmacy to a healthcare provider for direct administration to a patient.
  • Any drug when it is in solid, final form for direct administration to the patient (i.e., tablets, pills, capsules).

As you can see with both exemptions, there is minimal opportunity for employee exposure to hazardous chemicals. If tablets or capsules are broken open, crushed or otherwise manipulated before administration, they will NOT meet the criteria of this exemption, and will require SDSs.

It is important to note that there is no blanket exemption for injectable or liquid medicines. Many of our customers have been misinformed about this fact. A safety data sheet should be requested for every injectable and liquid, whether it is an immunization, medication or hazardous drug. You may then review section 3 of the SDS to make an individual determination of whether the injectable is hazardous (or contains a hazardous chemical in concentrations of at least 1%, or 0.1% of a carcinogenic chemical). As stated previously, you should maintain any documentation (i.e., the SDS or letter) that demonstrates that a product is non-hazardous and therefore exempt from requirements. If it is determined that an SDS is required for any product, the employer should ensure that the product is properly labeled with hazard information and included on the practice’s chemical inventory.

Notice of Privacy Practices Revision Deadline

Due to a court ruling in June 2025 that vacated most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, statements that had been required to be added to the Notice of Privacy Practices regarding those protections should now be removed. However, statements regarding prohibited disclosure of Part 2 records are still required to be included in every Notice (whether or not your practice is a Part 2 Program).

Please ensure that a revised Notice is posted in your workplace, on its website, and made available to patients by February 16, 2026.

For HIPAA Compliance System Subscribers:

If you have not yet done so, please log in to the Member Services area of our website and download the September 2025 Notice of Privacy Practices Update. The document includes complete instructions and revised NPP forms.

TriZetto Clearinghouse Data Breach

Recently, many providers received a notification from TriZetto Provider Solutions alerting them of a data breach affecting patient PHI. TriZetto provides clearinghouse services for covered entities like medical practices and hospitals.

If you received this alert from TriZetto, the message will include an estimated number of patients associated with your organization whose information was compromised. The information that was compromised includes patient name, address, date of birth, Social Security Number, health insurance information, and other demographic and health information. The breach did not include any financial information.

The HIPAA Breach Notification Rule requires notifications to be provided to affected patients within 60 days of discovery of a breach. When a business associate, like TriZetto, experiences a breach, either the business associate or the covered entity must take responsibility for providing patient notifications. TriZetto has offered to send patient notifications at no cost, but affected entities must opt in to this service before the date listed in their notification.

If your organization has received this alert from TriZetto, we recommend the following steps:

  1. Authorize TriZetto to send individual patient notifications by following the instructions in the email notification you received. Be sure to do this before the date listed in your notification from TriZetto. If you do not choose this option, your practice will be responsible for sending breach notifications to affected patients, which can be expensive and time-consuming.
  2. Ensure that you have an up-to-date Business Associate Agreement on file with TriZetto if you contract with them directly. If TriZetto is a subcontractor of your electronic health record (EHR) company, you must have a Business Associate Agreement with the EHR company. In this case, the EHR company utilizes TriZetto as a subcontractor, and will have a downstream BAA in place with TriZetto, which covers your organization.

If you have questions or concerns about this breach, please reach out to Eagle Associates.

Introducing: Video Tips for Compliance Officers

Eagle Associates now offers short-form videos featuring tips for compliance officers! Topics span the full range of our compliance programs (HIPAA, OSHA Safety, and OIG) and are based on common questions that we receive.

Recent video tips include:

  • Hazard Labeling for Small Containers – learn about labeling requirements for containers smaller than 100ml
  • The Designated Record Set – understand the definition of the Designated Record Set and how it applies to HIPAA’s Patient Right of Access
  • Searching the Exclusions List – get guidance on running searches in the OIG’s List of Excluded Individuals and Entities database

Video Tips can be found on each individual program page in Member Services, under “Compliance Officer Resources.”

Not yet a subscriber? Get access to these resources and more with Eagle Associates’ comprehensive compliance services. Request more information today!

Deceased Patient Records Requests

HIPAA’s Privacy Rule requires an individual’s protected health information (PHI) to be maintained confidentially for 50 years following the individual’s death. The executor or administrator of the person’s estate has the right to obtain copies of the individual’s record, release copies to other parties, etc. Certain other disclosures may be made without the authorization of the executor/administrator of the estate.

For a Relative’s Healthcare

If a family member needs medical information for their own healthcare, you may disclose relevant PHI directly to the person’s healthcare provider without obtaining authorization from the executor/administrator. You would conduct appropriate identity verification on the relative and the provider before making a disclosure.

To Coroners, Medical Examiners, Funeral Directors, Organ Donation

You may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. Also permitted are disclosures of PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. PHI may be disclosed to organ procurement organizations for the purpose of facilitating organ, eye or tissue donation and transplantation.

Previous Involvement

The practice may disclose a limited amount of PHI to a personal representative (designated before the patient’s death), family member or other individual who was involved in the patient’s care (or payment related to the patient’s healthcare) if the individual had access prior to the patient’s death. However, such access must be limited to only that information which is relevant to the person’s involvement in the decedent’s care or payment for care. For example, it would be permitted to release a final bill if requested by a family member or other individual who is intending to help clear a financial obligation of the deceased patient. However, it would not be permitted to disclose an entire patient record to such an individual. Individuals who request more information than is directly relevant to the individual’s involvement should be referred to the executor to obtain written authorization for the disclosure.

Fire Drill Checklist

While OSHA does not require that an actual fire evacuation be practiced, it does require an annual test of the alert method and a review of several items so that response and evacuation, if ever necessary, is safe and orderly. These reviews are sometimes referred to as a conference-type fire drill and should include all employees of the workplace. The following checklist may be used as a basis for your annual review, with the addition of any other site-specific information that you would like to convey to staff.

Please note: An actual evacuation drill is required by some accrediting agencies.

☐ Fire Detection – Local fire regulations will govern the specific fire and smoke detection devices that are required to be installed. These devices should be tested as required to assure proper operation.

☐ Alert Method – Inform employees of the method that is to be used to alert others to a fire emergency. This may include a fire alarm, voice announcement (i.e., public address) system, or direct voice communication if the workplace employs 10 or fewer staff members. Ensure proper operation of the alert method, if applicable.

☐ Emergency Reporting – Review with employees the telephone number that should be used to summon emergency response personnel. This may be to dial 911 or use an alternate emergency number. This number should be posted on the employee bulletin board.

☐ Fire Extinguishers – Extinguishers should be selected to meet local fire codes and according to the extinguishing methods noted on safety data sheets of products used and stored in the workplace. OSHA allows employers to designate employees who will be expected to fight small fires, or to require all employees to evacuate immediately. If certain employees will be designated to fight small fires, they must be trained on proper use and locations of extinguishers.

☐ Inspection – Fire extinguishers must be visually inspected monthly to ensure the units are charged, and a maintenance inspection performed annually. Annual inspections should be performed by a professional fire protection company or local fire marshal staff to verify that the unit is operational. If a unit does not pass inspection, it must be repaired or replaced.

☐ Evacuation Map – OSHA requires that at least one evacuation map be posted prominently. The map must include evacuation routes, locations of exits and fire extinguishers, and a designated assembly point outside the facility where employees, patients, and visitors can be accounted for. Some local building codes require more than one evacuation map.

☐ Evacuation Responsibilities – Discuss who will be responsible for assisting patients and other visitors to evacuate safely and to close doors and windows to help contain the fire (if time allows). Someone should be designated to locate themselves where they can safely direct fire-fighting personnel to the location of the fire, and another person at the assembly point should take a head count of employees and patients/visitors that were in the facility. If any person is missing, their name and last known location should be passed on to emergency response personnel.

☐ Emergency Preparedness Training – Ensure that employees have completed required Emergency Preparedness training (provided in the July Compliance Training module).