Six Steps to Managing an Infection Control Breach

September 26, 2018

Article Summary

Despite widespread efforts to improve patient safety, infection control breaches still happen at an alarming rate. In order to improve patient safety and prevent infections, healthcare organizations need to have infection control procedures in place and regularly assess protocols and adherence to these policies. In the case of an infection control breach, organizations need to be prepared to act quickly and follow a six-step evaluation procedure outlined by the CDC:

1. Identify the infection control breach.
2. Gather additional data.
3. Notify and involve key stakeholders.
4. Perform a qualitative assessment.
5. Make decisions about patient notification and testing.
6. Handle communications and logistical issues.

In 1999, the Institute of Medicine published the now famous report “To Err Is Human,” which dropped a bombshell on the medical community by reporting that up to 98,000 people a year die because of mistakes in hospitals. The number was initially disputed but is now widely accepted. Medical error is one of the leading causes of death in the U.S. and the rate of harm is even higher. According to the World Health Organization, the chance of being harmed while traveling by plane is one in a million, while the chance of being harmed in healthcare is only one in 300. Infection control breaches–when there is a failure to follow established infection control procedures that prevent the transmission of infectious organisms–remain a major threat to patient safety.

In 2004, a health system in North Carolina notified more than 3,500 patients of its failure to appropriately clean surgical instruments. In 2008 and 2009, three Veterans Affairs medical centers notified more than 10,000 patients about a failure to appropriately clean reusable medical equipment. In 2018, a hospital in Denver cancelled all surgeries after it was identified that the hospital had engaged in inadequate surgical instrument sterilization practices for 18 months – notifying 5,800 patients that they may be at risk for Hepatitis B, Hepatitis C, or HIV. Continued infection control breaches suggest healthcare organizations need to increase efforts to improve the system.

To prevent infections and improve patient safety, healthcare organizations need to implement infection control procedures, regularly assess infection prevention protocols, and establish an infection surveillance program that helps ensure adherence to established protocols. Taking these steps will help prevent an infection control breach from occurring. When facing a breach, organizations need to respond efficiently and effectively.

Evaluating an Infection Control Breach

The CDC outlines the following six steps to evaluate infection control breaches:

  1. Identify the infection control breach. Perform direct observation of practices that may have led to the breach, interview staff that were involved, and review records of disinfection procedures.
  2. Gather additional data. Determine the time frame of the breach and determine which patients may have been exposed.
  3. Notify and involve key stakeholders. Stakeholders should be identified and engaged as early as possible. This may include providers, hospital epidemiologists, risk management, state and local health departments, and the CDC or other regulatory agencies.
  4. Perform a qualitative assessment. Category A errors involve gross mistakes with an identifiable risk, such as using contaminated syringes to access multidose medication vials. Category B errors relate to breaches in which the likelihood of exposure is uncertain but less than a Category A error.
  5. Make decisions about patient notification and testing. Patient notification is recommended for all Category A breaches. For Category B breaches, the decision to notify patients should include potential risk of transmission, public concern, and duty to warn versus harm of notification. If a decision is made to test for blood-borne pathogens, the CDC recommends testing for HBV, HCV, and HIV.
  6. Handle communications and logistical issues. The goal is to achieve consensus on whether patient notification is appropriate and create a uniform message from everyone involved. Decisions about post-exposure prophylaxis must be made (if warranted) as well as plans for follow-up testing and communication plans, including telephone hotlines, web pages, press releases, and direct patient mailings. Media and legal issues should also be anticipated.

Managing an Infection Control Breach

In a previous role, I was asked to lead the operational response to an infection control breach, notifying 260 patients that they may have been exposed to blood-borne pathogens. The breach involved surgical instruments that had been soaked in antimicrobial agents and went through steam sterilization, but additional cleaning steps were not performed as expected.

Upon identification of the breach, the issue was escalated to the leadership team and investigated in accordance with the CDC recommendations. The breach was classified as a Category B Breach (likelihood of blood exposure is uncertain), and after much thoughtful discussion, public health leaders and health system leadership made the decision to notify the affected patients.

Patient notification and management of the recommended Hepatitis B, Hepatitis C, and HIV testing was complicated and stressful for both the patients and the staff involved. Managing the event required that we take the following steps:

  • Activate the incident command system.
  • Set up and staff a call center with well-trained, competent staff to manage patient notification processes.
  • Select and staff a testing center location.
  • Develop workflows for timely processing of samples and results validation.
  • Create and send notification letters to affected patients.
  • Establish and document workflows and procedures used to notify patients.
  • Train call center staff to the workflows.
  • Develop communication materials for patients, the public, and health system employees.
  • Establish mechanisms for securely tracking and managing patient communication and the outcome of the recommended testing.
  • Monitor performance of the call center and testing completion rates, adjusting call center operations accordingly.

We needed to complete these actions as quickly and effectively as possible, carrying out many of them concurrently. It was challenging to balance these tasks–while we sought to restore trust with the patients and public by transparently disclosing the event in a competent, caring manner, we also had to ensure we had adequate time to develop the detailed workplans that would result in the most positive experience possible for the patients. Because we wanted to ensure the breach was not disclosed publicly prior to the impacted patients receiving notification, we involved as few people in the planning activities as possible, which delayed the timeliness of patient notification.

Our team developed an analytics application that was used to track all patient activity. The application minimized the need to access the electronic medical record, ensuring staff accessed the minimum amount of protected health information necessary to effectively manage the event. The application supported staff in escalating issues to the responsible party (risk management, legal, public information officer, lab, physician on call, etc.). We also used the application to monitor performance, track call work volume, and visualize the number of patients that had completed testing and the number still outstanding. We were able to use the application to monitor turn-around time from date of testing to results notification and inform our decision about when to close the call center.

As for protocol changes, the sterilization of supplies was returned to the centralized sterile processing department and the ordering process changed to ensure infection preventionists were included in any/all purchasing of devices used for sterilization–preventing the root cause that contributed to the breach in the first place. The patient notification process was effective, with 92% of the patients completing the recommended testing. While more needs to be done to prevent infection control breaches from occurring and improve patient safety, we responded as quickly as possible in a way that would rebuild trust with both patients and the public.
