Let me tell you what nobody in healthcare compliance wants to admit.
You are operating under two regulatory masters who do not talk to each other, do not coordinate their enforcement, and do not care that you are already drowning in the other one's requirements. Cal/OSHA wants to protect your employees. OCR/HIPAA wants to protect your patients' data. Both of them will fine you into oblivion if you fail, and neither will accept "but we were busy complying with the other guy" as a defense.
This is the dual regulatory burden of healthcare, and it is crushing small and mid-size practices across California. Not because the requirements are impossible — they are not — but because most healthcare operators are trying to manage compliance with Post-it notes, outdated binders, and a prayer.
You have 8 platform-wide Cal/OSHA templates that apply to every employer in California. On top of those, you have 4 vertical-specific requirements that are unique to healthcare. On top of those, you have HIPAA. This is not a compliance program. This is a compliance ecosystem. And if any single piece breaks, the whole thing is exposed.
Let me walk you through every piece, in plain language, with zero filler.
The 8 Platform-Wide Templates in Healthcare Context
1. Injury and Illness Prevention Program (IIPP)
Your IIPP in healthcare is not the same as an IIPP in an office. Your employees face sharps injuries, patient handling injuries (the number one cause of lost work time in healthcare), chemical exposures from sterilization agents, and violence from patients in altered mental states.
Your IIPP must identify hazards specific to clinical operations. Needlestick exposures. Lifting injuries from patient transfers. Latex allergies. Exposure to glutaraldehyde, formaldehyde, and ethylene oxide. Slip hazards from spilled fluids. Ergonomic hazards from prolonged surgical procedures.
Document the hazard identification process. Document the correction procedures. Document the training. And inspect regularly — not annually, regularly. A clinical environment changes faster than an office. New equipment, new procedures, new chemicals. Your IIPP must keep pace.
2. Workplace Violence Prevention Plan (WVPP)
Healthcare workers are five times more likely to experience workplace violence than workers in any other industry. Five times. That is not a statistic you can afford to ignore.
Your WVPP must address Type 2 violence from patients, which is the dominant category in healthcare. Patients in pain, patients under the influence, patients experiencing psychiatric emergencies, patients with dementia — these are the people your staff treats every day, and any one of them can become violent without warning.
Emergency departments, psychiatric units, and waiting rooms are the highest-risk areas. Your plan must include engineering controls (panic buttons, security barriers, controlled access), work practice controls (buddy systems, de-escalation protocols), and administrative controls (staffing levels, patient screening).
California's SB 553 requires a violent incident log. In healthcare, this log will fill up fast. Maintain it anyway. The data it generates is your best tool for identifying patterns and preventing future incidents.
3. Heat Illness Prevention Plan
Most healthcare environments are climate-controlled, but not all of them. Laundry facilities in hospitals run hot. Central sterilization departments run hot. Maintenance and groundskeeping staff work outdoors. Mobile health units and community outreach staff work in the field.
If you have any employee working in conditions above 80 degrees Fahrenheit, you need a heat illness prevention plan. Do not assume your entire operation is exempt because the clinical areas are air-conditioned.
4. Hazard Communication Program (HazCom)
Healthcare facilities are swimming in hazardous chemicals. Sterilization agents. Chemotherapy drugs. Laboratory reagents. Cleaning and disinfection chemicals. Anesthetic gases. Mercury from broken thermometers and sphygmomanometers (yes, some facilities still have them).
Your HazCom program must maintain a complete chemical inventory for every department. Safety Data Sheets must be accessible to every employee who might encounter a chemical — and in healthcare, that means clinical staff, housekeeping staff, maintenance staff, and laboratory personnel.
Pay special attention to hazardous drugs. NIOSH publishes a list of hazardous drugs that require special handling procedures. If your facility administers chemotherapy, antiviral agents, or hormone therapies, your HazCom program must address these specifically, and your staff must be trained on safe handling, spill cleanup, and exposure response.
5. OSHA 300 Log and Recordkeeping
Healthcare has some of the highest injury rates of any industry. Needlesticks, back injuries, patient assaults, slips and falls — your 300 log will be busy.
Record everything. Needlestick injuries are recordable if they involve medical treatment beyond first aid. Patient handling injuries are recordable. Workplace violence injuries are recordable even if the employee tries to downplay them. Exposure incidents involving blood or other potentially infectious materials must be recorded.
Post the 300A summary from February 1 through April 30. Every year. No excuses.
6. Emergency Action Plan (EAP)
Healthcare EAPs are inherently more complex than other industries because you cannot simply evacuate patients the way you evacuate able-bodied office workers. You have patients on ventilators, patients in surgery, patients who cannot walk, patients in isolation.
Your EAP must include shelter-in-place procedures for patients who cannot be moved. It must include backup power protocols. It must address medication and supply access during emergencies. It must include procedures for infant security during evacuations.
And your EAP must coordinate with local emergency management. When a mass casualty event occurs, your facility is not just protecting its own employees — it is receiving casualties. Your EAP must address surge capacity and emergency operations.
7. Incident Investigation Procedures
In healthcare, incident investigation overlaps with quality improvement, risk management, and peer review. You need to understand where Cal/OSHA investigation requirements end and where these other processes begin — because the protections are different.
Cal/OSHA incident investigations focus on employee safety. Was the sharps container full? Was the patient handled with proper body mechanics? Was the violent patient screened appropriately? Document root causes, implement corrective actions, and follow up to verify implementation.
Do not let peer review protections become an excuse for failing to investigate employee safety incidents. They are different processes with different purposes, and Cal/OSHA will not accept "that's covered by peer review" as a response to an employee injury investigation.
8. Training Records and Documentation
Healthcare training requirements are extensive, and the documentation burden is real. Every employee needs training on the IIPP, WVPP, HazCom, EAP, and any department-specific hazards. Clinical staff need additional training on bloodborne pathogens, hazardous drugs, patient handling, and radiation safety (if applicable).
New employee orientation must include safety training before the employee begins clinical work. Not during the first week. Before. This is a regulatory requirement, and "we were short-staffed so we put her on the floor without training" is a citation waiting to happen.
Track everything. Name, date, topic, trainer, duration. When Cal/OSHA shows up — and they will — your training records are the first thing they ask for.
The 4 Healthcare-Specific Templates
Now we get to the requirements that separate healthcare from every other industry. These are not optional add-ons. These are regulatory mandates with their own enforcement mechanisms and their own penalty structures.
Bloodborne Pathogens Exposure Control Plan (29 CFR 1910.1030)
If your employees have any reasonably anticipated contact with blood or other potentially infectious materials — and in healthcare, that is virtually everyone — you must have a written Exposure Control Plan.
This plan must include an exposure determination: a list of every job classification where employees have occupational exposure, broken down by tasks and procedures that create the exposure. Not a generic statement. A specific, task-by-task analysis.
The plan must implement Universal Precautions. Every patient, every time, treated as if their blood is infectious. No exceptions. No shortcuts. No "but I know this patient."
Engineering controls come first: sharps with engineered sharps injury protections, self-sheathing needles, needleless IV systems. Work practice controls come second: hand hygiene, no recapping needles, no hand-carrying contaminated sharps.
Hepatitis B vaccination must be offered to every employee with occupational exposure, at no cost to the employee, within 10 working days of assignment. If the employee declines, they must sign a declination form. If they later change their mind, you must provide the vaccine.
Post-exposure evaluation and follow-up must be available within hours, not days. When a needlestick occurs, the exposed employee needs immediate access to medical evaluation, source patient testing (if consent is obtained), and prophylactic treatment if indicated.
Your sharps injury log must be maintained separately from the OSHA 300 log. It must include the type and brand of device involved, the department, and a description of the incident. This data drives your annual review of the Exposure Control Plan.
HIPAA Security Risk Assessment (SRA)
Here is where Cal/OSHA ends and OCR begins, but the compliance obligation is no less real.
Every covered entity must conduct a Security Risk Assessment at least annually. Not a checklist. Not a self-assessment you found on Google. A thorough, documented analysis of the risks to the confidentiality, integrity, and availability of electronic protected health information.
Your SRA must identify every system that creates, receives, maintains, or transmits ePHI. Your EHR. Your practice management system. Your email (if you send PHI by email, and you probably do). Your fax machines (yes, fax). Your portable devices. Your cloud storage. Your backup systems.
For each system, identify the threats and vulnerabilities. Calculate the risk level. Implement security measures to reduce the risk to a reasonable and appropriate level. Document everything.
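As an added illustration of the inventory-and-rate step just described (example code written for this article, not part of the original page and not Protekon's software): a small risk register that holds each ePHI system, the threats identified against it, a likelihood-times-impact score, and the safeguard in place, then lists the items still needing action. The 1-to-3 scoring scale, the High/Medium/Low thresholds, and the sample inventory are all assumptions constructed for the example; the Security Rule requires a thorough, documented analysis but does not prescribe a scoring formula.

```python
from dataclasses import dataclass, field

# Likelihood and impact are each scored 1 (low) to 3 (high); their product is
# the risk score. These thresholds are an assumption for this example, not a
# figure from the HIPAA Security Rule.
LEVELS = ((6, "High"), (3, "Medium"), (0, "Low"))


@dataclass
class Threat:
    description: str
    likelihood: int       # 1-3
    impact: int           # 1-3
    control: str = ""     # safeguard in place; blank means none yet


@dataclass
class System:
    name: str
    ephi_actions: tuple   # which of create / receive / maintain / transmit apply
    threats: list = field(default_factory=list)


def risk_level(likelihood, impact):
    """Map a likelihood/impact pair to (score, label)."""
    score = likelihood * impact
    for threshold, label in LEVELS:
        if score >= threshold:
            return score, label


def assess(systems):
    """One finding per (system, threat), highest risk first."""
    findings = []
    for s in systems:
        for t in s.threats:
            score, label = risk_level(t.likelihood, t.impact)
            findings.append({
                "system": s.name,
                "threat": t.description,
                "score": score,
                "level": label,
                "control": t.control,
                # Medium/High risks with no safeguard documented are open items.
                "needs_action": label != "Low" and not t.control,
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def open_items(findings):
    return [f for f in findings if f["needs_action"]]


def validate_inventory(systems):
    """Names of in-scope systems with no threats listed: the SRA is incomplete
    until every system that touches ePHI has been analysed."""
    return [s.name for s in systems if not s.threats]


# Constructed sample inventory for a small practice (not real data).
INVENTORY = [
    System("EHR", ("create", "maintain", "transmit"), [
        Threat("Shared logins defeat the audit trail", 3, 3, "Unique user IDs enforced"),
        Threat("Unpatched application server exploited", 2, 3),
    ]),
    System("Staff email", ("transmit",), [
        Threat("PHI sent unencrypted to the wrong recipient", 3, 2),
    ]),
    System("Clinician laptops", ("maintain",), [
        Threat("Device lost or stolen", 2, 3, "Full-disk encryption"),
    ]),
    System("Fax machine", ("receive", "transmit"), [
        Threat("Misdialed fax discloses PHI", 2, 1),
    ]),
    System("Cloud backups", ("maintain",), [
        Threat("Backups unrestorable after ransomware", 1, 3),
    ]),
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        flag = "ACTION" if f["needs_action"] else "      "
        print(f"{flag} {f['level']:6} {f['score']}  {f['system']}: "
              f"{f['threat']} [{f['control'] or 'no control yet'}]")
```

Running the block prints the register with the three open items (unpatched EHR server, unencrypted email, unrestorable backups) flagged; the printed table plus the dated inventory is the documentation an auditor asks to see.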
The penalty for failing to conduct an SRA starts at $137,886 per violation category per year. OCR has settled cases for millions of dollars, and the most common finding in every single enforcement action is "failed to conduct a risk assessment." Every. Single. One.
Business Associate Agreement (BAA) Tracker
Every vendor, contractor, or service provider who accesses PHI on your behalf is a business associate, and you must have a signed BAA with each one before they touch a single record.
Your IT company. Your billing company. Your cloud hosting provider. Your shredding company. Your answering service. Your transcription service. Your EHR vendor. Your email provider (if you send PHI through it). Your accounting firm (if they see billing records with patient information).
Maintaining a BAA inventory is not optional — it is a HIPAA requirement. You must know who your business associates are, what PHI they access, and when the BAA was last reviewed. When a business associate has a breach, you need to know immediately, and you need to know exactly what data they had access to.
Most small healthcare practices I encounter cannot produce a complete list of their business associates. That is a compliance failure that will cost you when OCR comes calling.
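To make the inventory requirement concrete, here is an added example of a minimal BAA tracker (written for this article; not the page's own material and not Protekon's product). It records each business associate, the PHI categories they can reach, the BAA signature date and last review date, and answers the three questions the section raises: who has access without an executed BAA, whose review is overdue, and exactly what data a given vendor held when it reports a breach. The annual review interval, the as-of date, and the vendor names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Annual review is an assumption for this example; set the interval your
# policy actually requires.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class BusinessAssociate:
    vendor: str
    service: str
    phi_accessed: frozenset                 # PHI categories the vendor can reach
    baa_signed: Optional[date] = None       # None = no executed BAA on file
    last_reviewed: Optional[date] = None
    access_active: bool = True              # False once the relationship ends


def missing_baa(roster):
    """Active vendors handling PHI with no executed BAA on file."""
    return [ba.vendor for ba in roster
            if ba.access_active and ba.baa_signed is None]


def overdue_reviews(roster, today):
    """Active vendors whose BAA has not been reviewed within REVIEW_INTERVAL.
    A BAA never reviewed since signing is measured from the signature date."""
    out = []
    for ba in roster:
        if not ba.access_active or ba.baa_signed is None:
            continue
        basis = ba.last_reviewed or ba.baa_signed
        if today - basis > REVIEW_INTERVAL:
            out.append(ba.vendor)
    return out


def breach_scope(roster, vendor):
    """When a vendor reports a breach: the PHI categories it had access to."""
    for ba in roster:
        if ba.vendor == vendor:
            return sorted(ba.phi_accessed)
    raise KeyError(f"{vendor} is not on the business associate roster")


def status_report(roster, today):
    return {
        "missing_baa": missing_baa(roster),
        "overdue_reviews": overdue_reviews(roster, today),
        "active_count": sum(1 for ba in roster if ba.access_active),
    }


# Constructed sample roster with placeholder vendor names (not real companies).
ROSTER = [
    BusinessAssociate("ExampleIT LLC", "managed IT and EHR hosting",
                      frozenset({"demographics", "clinical notes", "billing"}),
                      baa_signed=date(2023, 1, 15), last_reviewed=date(2024, 2, 1)),
    BusinessAssociate("ExampleBill Inc", "medical billing",
                      frozenset({"demographics", "billing", "diagnosis codes"}),
                      baa_signed=date(2024, 6, 1)),
    BusinessAssociate("ExampleShred Co", "document destruction",
                      frozenset({"paper records"})),           # no BAA yet
    BusinessAssociate("ExampleAnswer", "after-hours answering service",
                      frozenset({"demographics", "appointment details"}),
                      baa_signed=date(2022, 9, 1), last_reviewed=date(2022, 9, 1),
                      access_active=False),                     # contract ended
]

AS_OF = date(2025, 3, 1)   # constructed as-of date for the example

if __name__ == "__main__":
    report = status_report(ROSTER, AS_OF)
    print("Vendors with PHI access and no BAA:", report["missing_baa"])
    print("BAA reviews overdue:", report["overdue_reviews"])
    print("Scope if ExampleBill Inc is breached:",
          breach_scope(ROSTER, "ExampleBill Inc"))
```

The point of `access_active` is that a terminated vendor drops out of the review queue but stays on the roster, so you can still answer "what did they hold" if a breach surfaces after the relationship ended.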
Aerosol Transmissible Disease Plan (8 CCR 5199)
This is California-specific, and it is one of the most comprehensive ATD standards in the country.
If your employees have occupational exposure to aerosol transmissible diseases — and in healthcare, they do — you must have a written ATD plan. This includes exposure to tuberculosis, measles, chickenpox, COVID-19, influenza, and any other disease transmitted by the airborne or droplet route.
Your plan must include source control measures: early identification of patients with suspected ATD, immediate isolation, and respiratory protection for employees entering isolation areas.
Negative pressure rooms are required for airborne infection isolation. These rooms must be monitored daily when in use — checking the direction of airflow with smoke tubes or pressure monitors. Maintenance and testing must be documented.
Respiratory protection is mandatory for employees entering airborne isolation rooms. N95 respirators at minimum, and every employee who uses a respirator must be fit-tested annually. Not trained. Fit-tested. There is a difference, and Cal/OSHA knows the difference.
Exposure incidents must be reported, and post-exposure medical evaluation must be provided. For TB exposures, this means baseline and follow-up TB testing. For other ATDs, the evaluation follows CDC post-exposure guidelines.
The ATD plan must be reviewed annually and updated whenever there is a change in procedures, a new ATD is identified, or an exposure incident reveals a deficiency.
The Dual Regulatory Burden
Here is the uncomfortable truth about healthcare compliance: you cannot manage Cal/OSHA and HIPAA separately. They overlap. They intersect. And the gaps between them are where violations hide.
An employee needlestick is both a Cal/OSHA recordable event and a potential HIPAA issue (if the source patient's status is disclosed inappropriately during the investigation). An IT system failure is both a HIPAA security incident and potentially a Cal/OSHA hazard (if it affects medication dispensing or patient monitoring). A workplace violence incident is both a Cal/OSHA WVPP event and a HIPAA concern (if patient information is compromised during the chaos).
You need a unified compliance management system. Not two binders. Not two spreadsheets. One system that tracks both regulatory frameworks, identifies the overlaps, and ensures nothing falls through the cracks.
The Cost of Fragmented Compliance
Most healthcare practices manage Cal/OSHA compliance with one consultant and HIPAA compliance with another. Neither knows what the other is doing. Both are billing you separately. And neither is identifying the gaps between their respective domains.
The result is a patchwork of policies that look complete on paper but fall apart under scrutiny. Cal/OSHA shows up and finds your BBP Exposure Control Plan has not been updated in three years. OCR shows up and finds your SRA was a one-page checklist from 2019. Both of them fine you. Both of them are right.
Protekon Handles Both Sides
Protekon delivers all 8 platform-wide Cal/OSHA templates configured for healthcare operations, plus the 4 healthcare-specific templates: Bloodborne Pathogens Exposure Control, HIPAA Security Risk Assessment, BAA Tracker, and Aerosol Transmissible Disease Plan.
One platform. Both regulatory frameworks. Every template maintained, tracked, and updated as regulations change. Employee training documented. Incident investigations tracked. SRA completed annually. BAA inventory current.
You went into healthcare to take care of patients. Let Protekon take care of compliance.
**[Unify your Cal/OSHA and HIPAA compliance with Protekon — schedule a demo today.](https://protekon.com/demo)**