Infection prevention and control guidelines

1. Principles

Risk assessment and planning


Last revised: 17 Jun 2024


Infection prevention and control is part of the practice’s risk management, so the general principles of risk management apply. Managing risk:

  • is part of every organisation’s governance and leadership
  • affects all activities, and involves factors inside and outside the organisation, including human behaviour
  • must be incorporated into all levels of the organisation, including infrastructure and building maintenance, administration, equipment, and work processes according to the ‘hierarchy of controls’ framework.

The hierarchy of controls model for assessing and managing risk ranks risk management strategies from the most effective and reliable to the least (Figure 1.1. Hierarchy of controls – infection prevention and control in general practice). Risk management plans must use the most effective controls, where possible.

The practice’s risk management plan must include assessment and management of infection risk, including within the practice and off-site as relevant, such as during home visits (see Criterion C3.2 – Accountability and responsibility in the Standards). The practice could perform regular infection prevention and control risk assessments to identify infection risks, estimate their probability and identify potential consequences.

A risk matrix can be used to calculate the risk level of various situations and events (Table 1.1. Sample risk matrix). Identified risks are managed through education, training and redesign of work practices.

Infection prevention and control policies must be developed, clearly documented, and available to all staff members.

The environmental impact of infection prevention and control processes can be considered during planning. Practices can consider choosing options that reduce this impact.

Figure 1.1. Hierarchy of controls – infection prevention and control in general practice

PPE: personal protective equipment
The hierarchy of control ranks strategies from most effective (removal of the hazard) to least effective (use of personal protective equipment). The listed actions at each level are selected examples only.
Source: Adapted from NIOSH (2015)2

Table 1.1. Sample risk matrix

| Likelihood / Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Medium | High | High | Extreme | Extreme |
| Likely | Medium | Medium | High | High | Extreme |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |

| Risk level | Action |
|---|---|
| Low risk | Manage by routine procedures. |
| Medium risk | Manage by specific monitoring or audit procedures. |
| High risk and extreme risk | High and extreme risks are serious and must be immediately addressed. The significance and impact of such risks, should they occur, along with their likelihood of occurring, must be addressed in the context of the practice’s existing strategies and controls. |

Source: Adapted from NHMRC (2019)3

Systematically assessing the risk of cross-infection

Practices need to repeatedly reassess and manage risk as circumstances change. The broad steps are as follows:

  1. Communicate and consult.
  2. Establish the context.
  3. Identify risks.
  4. Analyse and evaluate risks.
  5. Manage risks and identify potential safeguards.
  6. Monitor and review.
  7. Record key information.

Step 1. Communicate and consult

Ongoing communication with all practice staff is important to keep people informed and to identify emerging risks.

Owners, managers and infection prevention and control coordinators need to develop a culture that encourages and supports staff members to identify risks and report them.

Step 2. Establish the context

The nature and size of the risks of (cross-) infection depend on the context in which the practice operates.

Relevant factors may include:

  • access or lack of access to an infectious diseases unit
  • infrastructure in the local community that affects patients’ ability to maintain good hygiene
  • current local or national disease outbreaks
  • the types of procedures performed in the practice
  • whether the practice uses disposable equipment (such as instruments) or reusable medical devices that require reprocessing on site or off site
  • staff members’ level of training and experience in infection prevention and control
  • financial constraints affecting the quality of equipment, availability of labour or conduct of infection prevention and control protocols.

Step 3. Identify risks

The practice needs to make a comprehensive list of the sources of risk, and the events that might prevent, delay or increase the achievement of effective management of the risk of (cross-) infection. This could be incorporated into the practice’s work health and safety hazard identification and risk-control processes.

This involves considering infection risk in three areas:

  • What can happen? – consider the range of activities undertaken in the practice and any associated risks
  • When and where? – look around the practice building and consider risks in each area (waiting area, treatment room, consulting rooms, reprocessing area, waste area). Consider vulnerable patients such as unimmunised neonates and immunocompromised people.
  • How and why? – consider any previous incidents or near-misses. Common sources of cross-infection in general practices and other office-based practices include poor ventilation or poor respiratory hygiene/cough etiquette by patients or staff. Less common events include failure of the sterilisation process.

Step 4. Analyse and evaluate risks

Generally, there are two dimensions to consider:

  • magnitude of impact of an infection prevention and control incident
  • the probability of the event occurring and the probability of various potential consequences of the event.

A risk matrix (Table 1.1. Sample risk matrix) can be used to map identified risks and consequences.

The practice must determine which risks have mitigation strategies in place and are determined by risk assessment to be ‘controlled’.

The practice then needs to determine which infection prevention and control strategies will make the most impact on the identified high-priority risks.

Step 5. Treat risks and identify potential safeguards

Most practices have existing policies, procedures and equipment that can assist in providing safeguards against error. Despite this, a reassessment of the situation (for example, after a ‘near miss’) can identify vulnerabilities in these systems and processes.

Start with the potential solutions/safeguards that are easy to do and expected to have a high impact (for example, repositioning sharps containers at point of use, placing alcohol-based handrub in all patient care areas to improve hand-hygiene compliance and reduce the risk of cross-infection).

Then work through strategies that are more complex or more difficult to implement.

Step 6. Monitor and review

The infection prevention and control coordinator must keep up to date with local infection outbreaks (see Disease surveillance and outbreak response).

The team member conducting infection prevention and control risk assessment and management should also stay informed of staff members’ and patients’ actual day-to-day behaviour.

Set up systems to monitor and review behaviour among staff members, such as regular infection prevention and control audits, recording and reviewing the results of the sterilisation cycle, or including infection prevention and control as a discussion point in a clinical meeting after changes to policy. For example, strategies for monitoring staff members’ adherence to hand-hygiene protocols might include direct observation, and monitoring the volume of hand-hygiene products used over a period of time.

Breaches in infection prevention and control procedures must be reported to the person in the practice who has the responsibility to investigate them (and report to public health authorities, if required). All breaches must be followed up and appropriate measures taken to minimise the risk of recurrence (see Criterion QI3.1 – Managing clinical risks in the Standards). Failure to act may also be considered a breach. 

Step 7. Record key information

When setting up a system for recording information relevant to infection prevention and control risk assessment and management, the practice needs to determine which information is useful and how it will be used.

Documentation of performance indicators might serve as a baseline for assessing the effectiveness of infection prevention and control systems.

An incident log of breaches and near-misses might be useful for feedback and training, to improve systems. However, any recorded data may be used in legal proceedings.

RACGP’s Clinical risk management in general practice provides guidance on risk management, including on medicolegal risk.

Role of the infection prevention and control coordinator

The practice should appoint an infection prevention and control coordinator (this role is a requirement for general practice accreditation), whose roles include:

  • assessing the risks of infection transmission throughout the practice
  • drafting and finalising infection prevention and control policies and protocols for the practice
  • regularly reviewing the infection prevention and control protocols and implementing changes in response to identified risks
  • organising training and education for the entire staff about infection prevention and control protocols and assessing competence
  • monitoring compliance with practice infection prevention and control protocols
  • educating patients on infection prevention and control activities
  • monitoring patients’ infection prevention and control activities
  • ensuring that any contractors (including cleaners, electricians, IT support) who may access premises during or after hours comply with the practice infection prevention and control protocols
  • staying up to date with emerging risks (multi-resistant organisms, epidemics) by monitoring state and national infection surveillance reports.

The infection prevention and control coordinator needs to be motivated and willing to accept the position, and must subsequently be adequately educated, trained and competent to undertake this role and its associated responsibilities. The practice needs to ensure that the nominated staff member is provided with any technical training necessary to attain and maintain competency.

Legal responsibilities

Employers and managers have a responsibility under work health and safety laws to protect staff from injury at work. This includes injury to health from infections acquired in the workplace.

Employers must include infection prevention and control in the practice’s work health and safety policy and procedures under work health and safety legislation. Each practice must have written practice policies and procedures covering all aspects of infection prevention and control.

Healthcare workers who perform procedures with a risk of exposure to blood-borne viruses may be required to undergo interval testing, and those with a known blood-borne viral infection may have monitoring and reporting requirements under public health legislation in their jurisdiction.4

In implementing infection prevention and control measures, employers of healthcare workers must comply with relevant public health, antidiscrimination, privacy, industrial relations and equal employment opportunity legislation in their jurisdiction.