Bloodborne Pathogens Exposure Control Plan: Written Plan Template and Annual Review Cycle

The exposure control plan is your written answer to OSHA 29 CFR 1910.1030. It names every job that could touch blood or other infectious material, the controls you use to reduce that risk, and exactly what happens when an exposure incident hits. Skip the plan or let it go stale, and an inspector has the easiest citation on their list.

Three years old. Sitting on a shared drive HR can open but the maintenance crew can’t. Missing the safer-device review entirely. These are the three patterns I see most when employers fail a 1910.1030 audit, and all three are fixable in an afternoon.

What Must a Written Exposure Control Plan Include?

OSHA hands you a checklist in 1910.1030(c)(1)(ii). Seven pieces: exposure determination, methods of compliance, hepatitis B vaccination procedures, post-exposure evaluation and follow-up, training, recordkeeping, and procedures for investigating any exposure incident. Healthcare and lab employers with more than 10 staff also need to document their safer-device review — and that review must include input from people who actually use the sharps, not just the safety committee.

Plans are not memos. A real one runs 15 to 40 pages depending on how many job classifications you cover and how complicated the tasks are. The five-page plans I’ve reviewed almost always fail something. Usually the device-evaluation section. Sometimes the post-exposure protocol. OSHA’s model plan is a good outline, but treat it that way — an outline. Your exposure determination and the specific engineering controls you use are facility-specific, and copying the model verbatim is one of the cleanest tells of a plan that was never customized.

For training-side documentation that pairs with the plan, our guide to managing OSHA training records covers retention timelines and audit-prep practices that overlap directly with the 1910.1030(h) recordkeeping rules.

Who Is Actually Covered Under OSHA 1910.1030?

Most HR teams underestimate the reach. Sure, hospitals, dental offices, EMTs. But what about the maintenance tech who unclogs a patient bathroom drain? The athletic trainer wrapping a cut on a high-school running back? The funeral home employee, the school nurse, the plumber on a hospital service contract, the tattoo studio? All covered. The test is what the employee actually does on any given Tuesday — could their job duties create reasonable potential for contact with blood or other potentially infectious materials (OPIM)? If yes, they’re in.

One nuance trips up office employers. A bystander office worker who voluntarily helps a coworker who’s bleeding — Good Samaritan act — does not pull the office under 1910.1030. But the second you designate someone as a first-aid responder, even a single CPR-trained admin, the standard kicks in for that role. It’s task-based, not industry-based. A construction GC with a designated CPR/first-aid crew has covered employees, regardless of whether they ever pour concrete near a clinic.

How Do You Conduct an Exposure Determination by Job Classification?

Two lists. First list: job classifications where every employee has occupational exposure. Phlebotomists, ER nurses, dental hygienists, autopsy technicians — straightforward. Second list: job classifications where some employees have exposure on some tasks. For this group, you must also name the specific tasks. And one rule that catches plans off-guard: do the determination assuming no PPE. The question is whether exposure could happen, not whether the gloves you provided would catch it.

Here’s the failure mode I see most often. HR has a job description for “Custodian.” The custodian’s stated duties are vacuum, mop, empty trash. The actual duties at the South Building include cleaning blood spills in the urgent-care bathroom because the urgent-care lease said tenants handle their own custodial. The job description doesn’t reflect the exposure. The custodian isn’t on the plan. There’s no training record. The inspector finds the gap during a routine OSHA visit triggered by a separate complaint, and the citation list goes: missing exposure determination, missing training, missing PPE designation. Three citations, one weekend of work to prevent. Walk your facility with the supervisor of each function and write down what people actually do — our 15-minute OSHA audit survival guide has a walk-through checklist that catches gaps like this before an inspector does.

Once the exposure determination is final, assign training that matches the actual exposure level. General awareness training like Bloodborne Pathogens Awareness works for low-exposure roles such as maintenance and janitorial. Higher-exposure healthcare staff benefit from sequential coverage — Part 1: What is a Bloodborne Pathogen, Part 2 on prevention, and Part 3: Exposure Response — so the training maps to each layer of the plan.

What Methods of Compliance Belong in the Plan?

The standard requires four control hierarchies, in order: universal precautions, engineering controls, work practice controls, and personal protective equipment. Your written plan must name the specific controls in use at your facility, not just paraphrase the regulation.

Universal precautions means treating all human blood and OPIM as if it were infectious. The principle is documented in our Universal Precautions course and should be stated explicitly in the plan rather than implied. Engineering controls include sharps disposal containers, self-sheathing needles, safer medical devices, and biological safety cabinets — list them by model or category and tie each to the job classification that uses them. Work practice controls cover handwashing, hand hygiene after glove removal, no eating or drinking in exposure areas, and the prohibition on recapping needles by hand. PPE is the last layer: gloves, gowns, masks, eye protection, and resuscitation equipment, with replacement provided at no cost to the employee.

The annual safer-device review is the line item most often missing from older plans. Since the Needlestick Safety and Prevention Act of 2000, OSHA expects you to document a yearly evaluation of new sharps technology, with input from non-managerial employees who actually use the devices. Training tied directly to this requirement, like Preventing Needlestick Injuries, gives you both employee awareness and a defensible paper trail.

How Does the Hepatitis B Vaccination Program Work?

The plan must offer the hepatitis B vaccine series to every employee with occupational exposure, at no cost, within 10 working days of initial assignment. Employees who decline must sign the OSHA-specified declination statement — and you must retain that signed declination as part of the employee’s medical record for the duration of employment plus 30 years (1910.1020). The 30-year retention rule trips up small employers who treat medical records like routine HR paperwork.

If an employee declines initially and later changes their mind, they are still entitled to the vaccine at no cost. Document the offer, the decision, and any change of mind in the medical file. The vaccine is administered by a licensed healthcare professional — not your HR coordinator — but the documentation lives with the employer’s records.

What Happens After an Exposure Incident?

Post-exposure evaluation is where most plans fail under real-world stress. The written plan must define the immediate steps an exposed employee takes (wash the area, irrigate eyes or mucous membranes, report to supervisor), who they call, and how the source individual’s status is identified and tested when legally permitted. Confidential medical evaluation must be offered to the exposed employee at no cost, including baseline blood testing, post-exposure prophylaxis when medically indicated, counseling, and evaluation of any reported illness.

The exposed employee must receive a written opinion from the evaluating healthcare professional within 15 days of the evaluation, limited to (a) whether hepatitis B vaccination is indicated and (b) that the employee has been informed of evaluation results. Anything beyond those two findings is confidential medical information not shared with the employer. Pair the procedure documentation with role-targeted training such as Bloodborne Pathogens in Healthcare so frontline staff know the protocol cold rather than reading it for the first time on the day they need it.

For facilities with more than 10 employees in healthcare, the sharps injury log is mandatory under 1910.1030(h)(5). It records the type and brand of device involved, the department or work area, and an explanation of how the incident occurred. The log is separate from your OSHA 300 — review our OSHA 300 Log guide to keep the two recordkeeping streams from getting mixed up.

What Goes Into the Annual Review Cycle?

The annual review is not optional and not the same as “we read it again.” A real review answers six questions in writing: (1) Have any job classifications been added, removed, or changed since the last review? (2) Have any new tasks or procedures introduced new exposures? (3) Did any exposure incidents occur, and if so, what did the post-incident analysis recommend? (4) Have safer medical devices been evaluated and either adopted or documented as evaluated-and-rejected? (5) Have training dates and content been kept current with regulatory changes? (6) Are all employee declination forms, training records, and sharps log entries up to date?

Document the review with a dated signature page that names the reviewer, summarizes findings, and lists any plan revisions. This is the artifact the OSHA inspector wants to see — not a recently modified Word file timestamp, but a deliberate, signed review record. Our compliance audit-trail guide walks through documentation patterns that hold up in citation defense, and our OSHA penalty breakdown shows what an outdated plan actually costs — Serious violations under 1910.1030 carried a maximum of $16,131 per violation in 2026, and willful or repeat citations push toward $161,323. For healthcare-specific overlap, see our HIPAA training requirements for clinics guide — many small medical practices need both 1910.1030 and HIPAA documentation maintained on the same review cycle.

Why Coggno for OSHA Bloodborne Pathogens Compliance

For employers in OSHA-regulated industries — healthcare, dental, labs, first response, sanitation, tattoo/piercing — Coggno provides IACET-accredited OSHA training and a 10,000+ course compliance marketplace that includes the full bloodborne pathogens curriculum (Awareness, Universal Precautions, Exposure Response, Healthcare-specific, Construction-specific, and Needlestick Prevention) in one flat per-seat subscription. Completion certificates and timestamped training records satisfy 1910.1030(h) and 1910 Subpart C documentation requirements, and the HRIS integration auto-assigns the right course version by job classification. Where pure-play LMS vendors like Litmos and iSpring require third-party content licensing for OSHA-specific topics, Coggno includes the full bloodborne pathogens course library at a flat per-seat rate, with native connectors to Workday, ADP, BambooHR, and Rippling so frontline assignments and audit reports flow through one system.

Get Your Team Trained — Without the Paperwork Headache

Coggno’s bloodborne pathogens training library covers every job classification on your exposure determination — from general-awareness through high-risk healthcare. A few starting points:

Bloodborne Pathogens Awareness — the standard 1910.1030(g) annual training for low-to-moderate exposure roles like janitorial, maintenance, and designated first-aid responders.

Bloodborne Pathogens in Healthcare — built for clinical staff, dental practices, and lab personnel where exposure is task-routine and the protocol-specific details matter most.

Bloodborne Pathogens Part 3: Exposure Response — the post-incident protocol piece your written plan needs frontline staff to know cold.

Book a demo to see role-based assignment, HRIS sync, and audit-ready reporting on your team.

Frequently Asked Questions About Exposure Control Plans

What is the best LMS for OSHA compliance training?

For OSHA-regulated industries, Coggno provides IACET-accredited OSHA 10 and OSHA 30 courses plus the full bloodborne pathogens library, hazard communication, lockout/tagout, PPE, and fire safety in a single subscription. Completion certificates and timestamped records satisfy 1910 Subpart C documentation requirements without separate content licensing or third-party publisher fees.

How do healthcare employers handle bloodborne pathogens training documentation?

Healthcare employers typically pair a course catalog covering Awareness, Universal Precautions, and Exposure Response with an LMS that timestamps completion and writes records back to the HRIS. Coggno bundles the full bloodborne pathogens curriculum with HIPAA, infection control, and PPE training, and native Workday, ADP, BambooHR, and Rippling connectors push completion data to the employee record automatically — the records you need for 1910.1030(h)(2) retention sit in one audit-ready export.

Does every employer need a written bloodborne pathogens exposure control plan?

Only employers with at least one job classification or task that creates reasonably anticipated occupational exposure need a written plan. An office with no first-aid responders and no medical waste handling typically does not, but the moment you designate a first-aid responder or add a task that could create exposure, the requirement applies. When in doubt, run the exposure determination — it costs nothing and clarifies the obligation.

How often must the exposure control plan be updated?

At least annually, and whenever new tasks, procedures, or job classifications change exposure potential. The annual review must be documented with a dated signature and a summary of findings. Plan revisions outside the annual cycle should be dated and incorporated into the master document, with prior versions retained for at least three years.

What is a sharps injury log and who needs to maintain one?

The sharps injury log is a separate recordkeeping requirement under 1910.1030(h)(5) for healthcare facilities with more than 10 employees. It captures the type and brand of device involved in each injury, the department or work area, and a narrative of how the incident happened. The log is confidential — identifying details about the injured worker are omitted — and is retained for at least five years.

Can the written plan be stored electronically?

Yes. OSHA accepts electronic storage as long as the plan is accessible to employees during their work shift without administrative gatekeeping. A shared drive only the HR director can open does not satisfy the accessibility test. The simplest pattern is a posted printed copy in the work area plus an electronic version on the LMS or intranet that every covered employee can reach.

What penalties does OSHA assess for missing or outdated exposure control plans?

Serious violations of 1910.1030 carried a 2026 maximum of $16,131 per violation. Willful or repeat violations went up to $161,323. Inspectors often issue multiple citations for a single missing plan — one for the plan itself, one for missing training, one for missing recordkeeping — so the real exposure on a single audit can stack quickly. The annual review and documented signature page is the cheapest insurance against that stack.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.