CMS Emergency Preparedness Ruling

Bill DiMartini, MBCI | Oct 12, 2017

Published on September 16, 2016 by the Centers for Medicare and Medicaid (CMS), the “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers” Final Rule (81 FR 63860), commonly referred to as the CMS Emergency Preparedness Final Rule, sets requirements for health care providers and suppliers that participate in Medicare and Medicaid to develop enhanced emergency response programs.

The ruling is comprised of four best practice standards: Risk Assessment and Emergency Planning, Policies and Procedures, Communications Planning, and Training and Testing. As a prerequisite for participation in Medicare and Medicaid, all participant facilities (providers and suppliers) are expected to be in compliance with these requirements by November 15, 2017.

Avalution has studied these new regulations to create services that tightly align with the requirements and help organizations become compliant and increase preparedness. If you’re looking for assistance with achieving compliance, please contact us.

In the meantime, let’s take a closer look at the background and ruling provisions.


Formerly known as the Health Care Financing Administration, CMS administers the nation’s Medicare program, and collaborates with state governments to administer Medicaid, the State Children’s Health Insurance Program (SCHIP), and health insurance portability standards. Concerned about the state of emergency response planning by providers and suppliers (as observed during recent natural and man-made events), CMS developed guidelines to bolster emergency response and planning.


The Risk Assessment and Emergency Planning provision requires the development of an emergency plan based on a risk assessment. These risk assessments are to be performed using an “all-hazards” approach that focuses on capacities and capabilities.

Requirements include:

  1. Documented risk assessment;
  2. Strategies to address events identified in the risk assessment (including coordination with other providers, and evacuation and/or shelter in place);
  3. Continuity of operations, patient population, and succession planning; and,
  4. A process for collaboration with emergency services (local, state, regional, federal).

The regulations allow for an integrated health system response, but specifically require each facility under the health system to be addressed and certified.

The “all-hazards” approach outlined by CMS is consistent with the approach Avalution uses, which focuses on response and recovery strategy identification and business continuity planning based on resource loss (facility, personnel, technology, supplier) – regardless of what causes the disruption.

The Policies and Procedures provision calls for the development and implementation of policies and procedures that support the execution of the emergency plan, consistent with the risk assessment findings. These policies and procedures must address a range of issues, including subsistence needs, evacuation plans, and procedures for sheltering in place and tracking patients and staff during an emergency. Additionally, policies and procedures must also ensure the ability to maintain and preserve confidential patient information, per HIPAA requirements.

Of note, this is a great place to integrate Crisis Management Planning. For health care providers, the Crisis Management Plan integrates emergency response with steps to activate business continuity and disaster recovery procedures to provide a comprehensive, efficient, and effective approach to initial response and recovery solutions. This includes the coordination with local providers to receive patients and sharing patient information.

The third provision is the Communication Plan, requiring each facility to ensure it maintains updated contact information for staff, as well as other entities (other providers, suppliers, emergency authorities, etc.). The facility must identify and document a primary (as well as an alternate) means to communicate with patients and other key stakeholders.

Lastly, the Training and Testing provision calls for the development and maintenance of training and testing programs – ranging from initial training on policies and procedures to training that requires employees to demonstrate knowledge of emergency procedures. Providers are required to conduct two exercises: one that is community-based, and the other at the provider’s choice (typically, a table-top or single facility simulation). An important provision to note is that if a provider has to activate their plan in an actual incident, they would be exempt from the requirement for a community-based plan for one year. When a community-based exercise is not available, providers have the flexibility to conduct an exercise based on the individual facility.

The training and testing provision is the most questioned provision in the ruling. It is clear that CMS wants all providers and suppliers to complete exercises by November 15, 2017. CMS defines a “full-scale” exercise as a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and “boots on the ground” response. “Facility-based” is defined as specific to the facility, including but not limited to hazards based on the geographic location, patient, resident and client population, and facility type. CMS subsequently provided information on the types of exercise scenarios, including natural disasters (e.g., earthquake, hurricane, blizzard), power outages, fire, and cyberattack.

All provisions of the CMS Emergency Preparedness Rule are to be completed by November 15, 2017 with annual processes in place for oversight – especially related to reviewing risk assessments, ensuring plan updates, and conducting two exercises. Currently, CMS surveyors are being trained to observe compliance.


Developing a plan of action addressing all four components of the Final Rule should begin with a gap analysis, assessing the current state of preparedness and comparing this to the CMS guidelines (as well as to the organization’s own business continuity expectations).

If you’re looking for assistance, Avalution provides services to enable CMS compliance. These services are based upon our extensive experience supporting health care providers and suppliers in developing integrated emergency response and business continuity programs. Services include:

  • Developing policies and procedures for health care providers based on sustaining key patient care and clinical operations, including the criteria for diverting patients to other facilities, the continuation of emergency room operations in an alternate location, relocation of patients, replenishment of pharmacy, relocation of the lab, and continuation of outplacement services, such as radiology or physical therapy.
  • Conducting customized training and awareness programs.
  • Facilitating exercises, ranging from table-top to actual simulations. Avalution has successfully developed exercises to address events such as active shooter, cyberattacks and pandemic outbreaks. The exercise is key to the validation of the Crisis Management, Crisis Communication, and Business Continuity Plans.
  • Leveraging Catalyst, our business continuity and IT disaster recovery planning software that has helped numerous organizations maintain the information efficiently. Moreover, Avalution has assisted organizations with identifying the best means to share patient information among providers, while also ensuring patient data privacy.

If you’re interested in learning more about these services and how Avalution can assist your organization with achieving CMS compliance, please contact us today. We look forward to speaking with you.


Bill DiMartini
Avalution Consulting: Business Continuity Consulting