An employee suffered a workplace injury that led to a blood spill, and coworkers cleaned up the blood (we don't yet know what, if any precautions were taken by the coworkers).

Employer has a self-insured group health plan and, in its capacity as sponsor of the health plan, learned after the accident that the injured employee is HIV positive and has advanced stage AIDS. Employer has asked whether it can disclose to the exposed coworkers the fact that the blood to which they were exposed contained the AIDS virus, assuming the employee does not authorize the disclosure. The coworkers know whose blood it was.

45 CFR §164.512(j)(1)(i) allows disclosure of PHI without authorization if the covered entity, in good faith, believes that the disclosure "is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public" and "the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat."

The preamble to the regulations focus on physical threats to others (e.g. violence), and note that the exception would apply in "rare circumstances." However, the preamble also notes that "it would be impossible to enumerate all of the scenarios that may warrant disclosure of PHI pursuant to this section."

In the discusion of the benefits and costs of the Privacy Rule, the preamble notes that "Early detection is essential for the survival of a person with HIV." Assuming that a person exposed to the blood of a person with AIDS could himself contract the disease (through a wound or contact with the eyes or mucous membranes), and that early detection is important to prolonging life, it would seem that notification (and subsequent testing of those who were exposed) would be necessary to lessen the "threat" posed by the exposure.

The HIPAA hotline was not helpful, and there are no HHS Q&A's explaining this exception.

Thanks in advance for any thoughts.

First, let the injured employee know that you are going to make the disclosure, then do it. If you're worried about a suit from the injured employee, imagine what will happen if one of the "cleaners" tests HIV positive and you didn't make the disclosure.

Regs aside, you have a moral and ethical obligation to make the disclosure and give your employees every chance they can get to minimize the risks to themselves, their spouses, significant others, people they meet in a bar etc. etc.

You need to check with counsel to see if disclosure of this information would violate state privacy law. Some states prohibit disclosure of an individuals HIV status without consent. These laws may not be preempted by ERISA because they do not relate to the operation of the plan. I am not sure that the regulation would apply to HIV.

Thanks for the responses. I believe the coworkers are going to be informed, and as noted, the company is more fearful of claims by the coworkers than by the sick employee. However, the company would nevertheless like to fit within an exception to the Privacy Rule.

Applicable state law does protect HIV test results, but there is an exception allowing a physician or public health officer to inform "contacts" of those who test positive for HIV. The employee is still in the hospital, and the company might explore the possibility of having a physician or health officer handle the task of informing the coworkers, pursuant to state law. Such individuals would be better equipped to handle such a task in any event and would be able to advise regarding testing and possible treatment. For example, I have read that some individuals who are exposed to HIV are put on AZT as a precautionary measure.