Infectious Disease Epidemiology Unit logo

Infectious Disease Epidemiology Unit

The Infectious Disease Epidemiology Unit conducts surveillance for infectious diseases and investigates clusters and outbreaks.

Contact Info:


Infection Prevention Orientation Manual

Section 3: Authority of the infection Preventionist

Fran Cadez, JD, MBA
October 2014

Download a printable PDF Version of this section.


At the completion of this section the Infection Preventionist (IP) will have a broad understanding of:

  • the authority provided to the IP through state laws and local, state, and federal regulations in order to take actions to prevent the transmission of communicable or infectious diseases
  • the importance of having health care facility policies to support the activities of the IP.

Number of hours

  • Key Concepts – 1 hour


This Chapter will acquaint the IP with the authority provided by local, state, and regulatory agencies for the activities of the IP in the health care facility.  This discussion may not be exhaustive of the authority granted the IP in any given health care setting.  The IP should always consult the health care facility’s polices regarding the IP’s authority to act in a particular health care situation or setting.


Key Concepts

The IP occupies a key position in a health care facility by working to prevent infectious disease from spreading within the institution, which in turn may protect the local community and perhaps even the state.  To be successful, the IP position requires dedication, vigilance, and the willingness to institute preventive procedures and to take action when the situation calls for it.  Support and authority for the IP’s activities can be found in a variety of sources at the federal, state, and local level.  It is important for the IP to understand the authority the IP has been given to act in specific situations.


Types of Authority

“Authority” is defined broadly as the right to exercise powers; to implement and enforce laws (or policies); to provide control over.  “Express authority” is that authority which confers power to do a particular identifiable thing, set forth and declared exactly, plainly, and directly with well-defined limits.   Express authority is not left to inference or implication, but is definite and explicit and is typically determined through laws and regulations.

In contrast, “implied authority” is derived from the conduct of the principal (the hospital or facility) to the agent (the IP) and includes only those acts that are necessary, usual, and proper to accomplish or perform the main authority expressly delegated to the IP. Implied authority may be found in the latitude a facility gives its IP to accomplish specific goals within the institution.  Often, implied authority over time becomes codified and less informal through facility policies as express authority for the IP to act in a certain manner.  For example, in the case of a health care worker who may have been exposed to a potentially infectious disease, the IP’s implied authority would permit the IP to investigate the source and type of disease exposure.  A facility policy could evolve from this broad implied authority to investigate, to detail specific steps permitted in the investigation, persons or departments to be contacted, and reporting requirements following the investigation.


Authority to Establish an Infection Control Program

The primary areas addressing the authority of the IP to establish and conduct an infection control program can be found in state-based regulations and through a national body which evaluates and accredits health care facilities, such as The Joint Commission (TJC) and DNV Healthcare Inc.


State-based Authority

One of the best examples of direct authority regarding the IP may be found in state regulations of the Wyoming Department of Health (WDH) for the licensure of hospitals. This regulation requires the establishment of an Infection Control Program, in conjunction with the hospital’s quality assurance and performance improvement programs.  It specifies lines of reporting for identified problems, methods for developing corrective action, and requires documentation of corrective action and outcomes be maintained.  Specifically:

Section 24. Infection Control Program. An infection control program shall be established based on nationally recognized standards of practice. The program shall prevent, identify, and control infections and communicable diseases.

(a) The infection control program is coordinated by the hospital administrator, the medical staff, and director of nursing services in conjunction with the hospital’s quality assurance and performance improvement programs.

(b) Problems identified are reported to the medical staff, nursing, administration, and addressed in the hospital’s quality assurance and in-service training programs.

(c) Documentation concerning corrective actions and outcomes is maintained.

Please refer to the WDH, Chapter 12, Rules and Regulations for Licensure of Hospitals, May 2012 (or the most current version) for more information.


The Joint Commission and the Centers for Medicare and Medicaid

TJC, a well-known accrediting body for health care facilities, provides specific requirements for infection prevention and control programs.  Some of the requirements for hospitals include: 1) identification of  individuals with clinical authority over the infection prevention program, 2) development and implementation of policies governing the control of infection and communicable diseases, 3) development of a system for identifying, reporting, investigating, and controlling infections and communicable diseases, 4) provision of access to information needed to support the infection prevention and control program, 5) development of an IP program with a written description of activities, including surveillance to minimize, reduce, or eliminate risk of infection, 6) investigation of outbreaks of infection, and 7) reporting infection surveillance, prevention, and control information to appropriate staff within the hospital.  In addition, TJC requires the infection prevention program to be practical and involve collaboration between departments and staff.  TJC also requires the hospital to establish an annual staff flu vaccination program and evaluate the overall effectiveness of the infection prevention program.

Likewise, the Centers for Medicare and Medicaid (CMS) have similar provisions for hospitals to designate an infection prevention officer to develop and implement policies governing control of infections and communicable diseases.  These requirements include a system for identifying, reporting, investigating, and maintaining a log of incidents related to infections and communicable diseases. Please refer to the CMS Conditions of Participation for Hospitals, Code of Federal Regulations (CFR) 42 CFR §482.42 for more information.


Authority to Access and Disclose Protected Health Information

Material to the activities of the IP is the ability to access and disclose or share protected health information, both within and outside the health care institution, related to the IP’s infection control activities.  In this instance, specific federal and state laws provide the needed express authority.  Please refer to the Wyoming State Statutes §35-2-609(a)(ii)(A) (B) and (a)(iv) for more information.

A hospital may disclose health care information about a patient without the patient’s authorization to the extent a recipient needs to know the information. If the disclosure is to any other person who requires health care information for health care education or to provide planning, quality assurance, and peer review or administrative services to the hospital or to assist the hospital in the delivery of health care, the hospital must reasonably believe that the person:

(1) Will not use or disclose the health care information for any purpose other than that for which it is disclosed, and

(2) Will use reasonable care to protect the confidentiality of the health care information.

In addition, the hospital may disclose health care information to any person if the hospital reasonably believes that the disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual.

An IP may also find authority to disclose patient information under the provision of Wyoming laws (Wyoming Statutes §35-2-609[b][ii]).  This statute states that a hospital may disclose health care information about a patient without the patient’s authorization if the disclosure is to federal, state or local public health authorities, to the extent the hospital is required by law to report health care information or when needed to protect the public health.

Likewise, the federal Health Insurance Portability and Accountability Act (HIPAA) provides the express authority for health care providers considered to be covered entities under the federal regulations to use and disclose protected health information.  For more information, please refer to 42 CFR §164.512(a)(l).  This code states that a covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.  Also, the hospital, acting through the express grant of authority from the WDH’s Rules and Regulations cited above concerning the requirement to establish an infection control program to prevent, identify, and control infections and communicable diseases, and other health care providers considered covered entities under the federal regulations, are permitted to “disclose protected health information to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.”  Please refer to the specific code 42 CFR §164.512((b)(1)(iv) for more information.


Authority and Requirement to Report Infectious Diseases to State Health Officer

Wyoming statutes provide a requirement for physicians, health care providers and laboratories to report immediately to the state health officer the communicable diseases or conditions from the WDH’s published list of such reportable diseases and conditions.  For specifics of this law, please refer to W.S. §35-4-107(a).  Ambulatory surgical centers and assisted living centers are also required through regulations of the WDH to comply with all laws and standards relating to communicable and reportable diseases and to have adequate policies and procedures in place to guide these operations.  For more specific information, please refer to the WDH, Chapter 5, Rules and Regulations for Licensure of Ambulatory Surgical Centers, March, 2003 and Chapter 4, Rules and Regulations for the Licensure of Assisted Living Centers, June 2001.For the most up to date copies of this information, please visit the WDH Healthcare Licensing and Survey Office website: The IP’s authority to report these diseases and conditions may be implied in this instance from the requirement of the health care provider, laboratory, ambulatory surgical center, or assisted living center to do so. The same authority to report or disclose protected health information without a patient’s authorization may be found in a similar provision in HIPAA, at 42 CFR §164.512(b)(1)(i).


Authority to Share Information between Healthcare Facilities

The authority of the IP to share information regarding infection control activities, infectious diseases, and communicable conditions may be implied from a Wyoming Statute provision addressing the requirement of the department of health, county health officers, and all the state, county, city, and town officers to “cooperate to prevent the spread of diseases and for the protection of life and the promotion of health within the sphere of their respective duties.”  Please see W.S. §35-1-223 for specific details.


Authority to Take Action to Control Infectious Disease within a Healthcare Facility

Though no express authority in state statute is provided for the IP to take a specific action or conduct a specific activity to control infectious disease, broad authority is provided in the WDH Rules and Regulations, CMS Conditions of Participation for Hospitals, and requirements of TJC cited above to establish a program to identify, control and prevent infectious and communicable diseases. These provisions seem to suggest wide latitude in meeting the need for authority to control infectious disease within a healthcare facility.  In this instance, and perhaps in others, the IP should look to the health care facility’s internal policies to guide actions and activities such as the example policy in the Appendix.

Exercise #1

As applicable, meet with the risk manager, as well as someone from administration, to discuss and review the content of any authority statements and policies, as well as he hospital’s position on the mechanism(s) of the IP’s authority.

Documentation and Reporting

A record of each disclosure of protected health information by an IP should be maintained, in order for the IP or facility to comply with a request for an accounting of disclosures by the patient.  Maintaining the record of disclosures is required for three years under state law (W.S. §35-2-606(b)).  Federal law provides an individual a right to receive an accounting of disclosures for a six year period under 42 CFR §164.528.  The IP’s facility may have different requirements for documenting and maintaining a record of disclosures that are more restrictive than state or federal law and should be consulted as well.



Helpful/Related Readings
  • Grota P, Allen V, Boston KM, et al, eds. APIC Text of Infection Control & Epidemiology 4th Edition. Washington, D.C.: Association for Professionals in Infection Control and Epidemiology, Inc.; 2014.
    • Chapter 8, Legal Issues, by B Sheridan
  • Code of Federal Regulations: 42 CFR §482.42. Available at:
  • Mayhall CG, ed. Hospital Epidemiology and Infection Control (4th Edition). Philadelphia, PA: Lippincott Williams & Wilkins, a Wolters Kluwer business; 2011.
    • Chapter 97, Legal Issues in Healthcare Epidemiology and Infection Control, by MA Bobinski
Helpful Contacts (in WY or US)
Related Websites/Organizations


  1. Standards for Privacy of Individually Identifiable Health Information, 45 CRF Part 164.
  2. Wyoming Statutes Annotated, §35-1-223; §35-2-606 and 609; §35-4-107.
  3. The Joint Commission:
  4. Centers for Medicare and Medicaid, Conditions of Participation for Hospitals, 42 CFR §482.42.



Please download the printable PDF version (linked at the top of the page) to view the following appendices for this section:

Appendix A: Example of a policy expressly providing authority to the IP, Occupational Medicine and the Infectious Disease Specialist for Post-Exposure Guidelines


WIPAG welcomes your comments and feedback on these sections.
For comments or inquiries, please contact:

Cody Loveland, MPH, Healthcare-Associated Infection (HAI) Prevention Coordinator
Infectious Disease Epidemiology Unit,
Public Health Sciences Section, Public Health Division
Wyoming Department of Health
6101 Yellowstone Road, Suite #510
Cheyenne, WY  82002
Tel: 307-777-8634    Fax: 307-777-5573