Healthcare Perspectives


The CMS Emergency Preparedness Rule Part II: How Your Health Care Organization Can Comply

May 10, 2018

In part one of our blog on the emergency preparedness rule, finalized by the Centers for Medicare & Medicaid Services (CMS), we discussed the 17 health care provider types impacted by the rule and took a quick look at the four core requirements those providers must comply with. Click here to read part one.

In part two, we’ll discuss the requirements more in depth and explain what organizations can do to satisfy them, as non-compliance will result in a health care provider losing its Medicare and Medicaid reimbursement.

To comply with the rule, health care providers must develop 1) an emergency plan, 2) policies and procedures and 3) a communication plan. Then they must 4) train employees on those plans and hold annual exercises to help ensure the organization is prepared to deal with any natural disaster or man-made emergency. These are the four core requirements — but what do they mean for your organization? Let’s take a look:

Emergency Plan and Risk Assessment

To comply with CMS’s rule, health care organizations must develop an emergency plan, but this plan must be based on a risk assessment, and that risk assessment must be performed using an all-hazards approach.

An all-hazards approach considers what’s critical to a provider being prepared for a wide range of emergencies, including equipment and power failures, cyber attacks and interruptions in the food and water supply. It’s also specific to the health care organization’s location and focuses on the type of emergencies they’re most likely to experience. For example, an organization in Los Angeles will want to prepare for an earthquake, but an organization in Chicago won’t.

Consider what emergencies your facility is most likely to experience and then perform a risk assessment to identify hazards and vulnerabilities within your organization. Your emergency plan must:

  • Address the risks identified in your assessment
  • Include safe evacuation and sheltering-in-place plans that address care and treatment needs, evacuation locations and transportation
  • Address the continuity of your operations, including succession plans
  • Include arrangements with other providers to receive patients if necessary and share medical documents
  • Address subsistence needs, alternate energy sources and waste disposal

When developing your emergency plan, consider the ability of your building to physically survive a disaster and what types of steps you can take prior to an emergency to deal with that risk.

Policies and Procedures

After you perform your risk assessment and develop your emergency plan, you will need to create policies and procedures based on both. These policies and procedures direct you to execute specific plans during an emergency based on the circumstances surrounding it.

Policies and procedures must address the issues touched on in the previous section, such as subsistence needs and evacuation plans, and those in your communication plan.

Communication Plan

A plan specifically focused on communication is also necessary to satisfy the emergency preparedness rule. Your communication plan must comply with state and federal laws, and it must include:

  • Names and contact information of your staff as well as other health care organizations you may need to transfer patients to
  • Alternate ways to communicate with your staff
  • The names of and how to contact local, state or federal officials and emergency management agencies, as well as how to cooperate with them to coordinate a proper, integrated responseWays to share patient information, including general condition, location and medical history (the system to track patients and staff must be readily available and shareable, and the system to preserve medical documents must keep them confidential to comply with HIPAA)

Training and Exercise

The last requirement of the emergency preparedness rule is focused on training and practicing. Staff must be able to show they know the emergency procedures and can follow them during drills and exercises. Ensure your staff is fully trained on your emergency plans, policies and procedures, as your organization will have to conduct two separate testing exercises every year. (Note that staff must also go through training annually.)

One of the annual exercises must be a full-scale, community-based exercise. This means your facility must simulate an emergency by creating scenarios with mock patients and directing your staff to respond using your emergency plan. Full-scale, community-based exercises also involve other health care providers and community agencies. The point is to help assess your plan’s effectiveness and allow your staff to get familiar with the processes, including the people they will be coordinating a response with.

Note that if your organization experiences an actual emergency that causes you to deploy your plan, you are exempt from carrying out your community-based exercise for one year afterward. Additionally, if you are unable to perform a community-based exercise, your organization may conduct a facility-based exercise instead.

The other annual exercise allows for more flexibility. You can perform either a facility-based exercise or a tabletop exercise. A tabletop exercise is led by a facilitator, who narrates an emergency scenario to a group of key personnel and challenges them in order to help assess your organization’s emergency plan, policies and procedures.

CMS recommends facilities perform a tabletop exercise before their full-scale exercise so you can make necessary changes to plans based on any revealed weaknesses.

Next Steps

CMS expected facilities to be in compliance with the emergency preparedness rule by November 15, 2017. If your organization isn’t yet compliant, you’ve got a bit of work to do! But the good news is you don’t have to tackle it alone — Wipfli is well-prepared to help your organization take the necessary steps to adhere to the rule. Using our experienced team, you can:

  • Perform an all-hazards-approach risk assessment and use it to create an emergency plan
  • Develop custom policies and procedures
  • Develop a variety of supplemental plans, including communication, evacuation and surge capacity
  • Train your employees on your emergency plan and procedures
  • Conduct full-scale, facility-based and tabletop exercises

To learn more about how your organization can comply with the emergency preparedness rule, contact Wipfli.

Source: “General Presentation - Overview of EP,” Centers for Medicare & Medicaid Services,, accessed March 5, 2018


Wipfli logo square

Wipfli Editorial Team

Healthcare Perspectives blog
Subscribe to Healthcare Perspectives