Healthcare Providers Face New Rules For “All Hazards” Emergency Planning

MANDATE: All Healthcare Providers Must Comply to New Rules or Face Loss of Medicare Funding

“All Hazards” Assessment, Planning and Preparation Deadline is Nov. 15, 2017

By Ron Lander, CPP, CHEPS, CMAS, PSM

Forest fires in Georgia, earthquakes in New Jersey, typhoon remnants in Seattle, tornados in California. This article isn’t about climate change; it’s about preparing your healthcare facility for ALL HAZARDS!

On September 16, 2016, six weeks before America’s “historic” election, the U.S. Centers for Medicare and Medicaid Services (CMS) published CMS-3178 – The Final Rule for Healthcare Emergency Preparedness. The purpose of this new regulation is to:

  • Establish consistent emergency preparedness requirements across provider and supplier networks,
  • Establish a more coordinated response to natural and man-made disasters, and
  • Increase patient safety during emergencies.

This is not a sleepy regulation that gives the healthcare industry up to five years to prepare, like HIPAA (Health Insurance Portability and Accountability Act). This rule mandates that if healthcare facilities do not comply by NOVEMBER 15, 2017, they risk not receiving Medicare and Medicaid reimbursements in December!

Who does this affect? This applies to seventeen Medicare and Medicaid provider sectors, ranging from home healthcare workers to major cancer treatment centers, medical laboratories and everything in between.

Beyond the techno jargon and acronyms, the goals of the Rule recognize that there are systemic gaps in the emergency planning and implementation process that must be closed by establishing consistency and encouraging coordination across the emergency preparedness sector of the United States and its possessions.

While the timing is not ideal, this Rule is the result of tragedies of unprecedented proportions. Hurricane Katrina, where dozens of hospital and eldercare home patients died; Superstorm Sandy, where countless hospital “backup systems” were flooded or insufficient for the need; the Anthrax Scare of last decade; and the recent H1N1 Epidemic were the catalysts for this type of rule to be developed. In addition, as I have traveled around the country conducting countless assessments, I have discovered numerous cases where nobody on the overnight shift or weekends knew how to operate important, critical life-support systems like generators, or whom to call when the fuel runs out! Refer to article: http://www.campussafetymagazine.com/article/Backup-Generators-Prove-to-Be-Weak-Link-During-Hurricane-Sandy


Further, there are requirements to provide:

  • Risk Assessment and Planning Document

Each individual facility must (internally or externally) perform a Risk Assessment to identify the areas that must be dealt with in order to conform with the Final Rule.

  • Policies and Procedures

Based on the Risk Assessment, develop an emergency plan using an all-hazards approach, focusing on capabilities that are critical for a full spectrum of emergencies or disasters specific to the respective location(s).

  • Communications Plan

Develop and maintain a communications plan to ensure that patient care is well coordinated within the facility, across healthcare providers and with State and Local public health departments and emergency systems.

  • Training and Testing Plan

Develop and maintain training and testing programs, including initial and annual re-training and conducting drills and exercises (full-participation and tabletop), or participating in an actual incident, that test the plan and the staff’s ability to work together and accomplish the goals of the exercise.


Why haven’t we heard about this rule before?

Apparently, this Rule was developed in late 2013 and sent to the White House. While preparing to close the books, the Obama team apparently discovered the document in September 2016 and quickly approved it, making it law in sixty days and giving the healthcare community 365 days to comply with the regulations.


What does this mean to the healthcare security department?

While this rule does not apply directly to the “healthcare security” departments, consultants who have experience in healthcare risk, vulnerability and threat assessments are best positioned to provide the necessary assessments in a timely manner.

Security Integrators should be prepared for a demand for the following hardware and software to support the theme of this regulation:

  • Intelligent Access Control
  • Visitor Management
  • Mass Evacuation Alert Programs and Systems
  • More extensive use of video surveillance so management can quickly assess an incident
  • Interoperability with appliances that serve the community on public service networks
  • Backup systems for all electronic functions from the Network Infrastructure to the simplest of healthcare support tools.



What does this mean to the healthcare community?

This Rule is not intended to focus only on large and medium-sized hospitals. It specifically aims at smaller facilities like Behavioral Health Facilities, Eldercare Homes and small laboratories that are more focused on patient service than on preparing for a major disaster.


What should the healthcare community do?

  1. Download the 186-page rule from ultra-safe.com/cms3178.html (or) https://www.federalregister.gov/documents/2016/09/16/2016-21404/medicare-and-medicaid-programs-emergency-preparedness-requirements-for-medicare-and-medicaid
  2. While this rule focuses on Emergency Preparedness, it obviously touches on Business Continuity. Make sure the C-Suite is aware of this rule and emphasize the timeliness.
  3. Begin following the three-step process to implement the changes or retain a consultant with healthcare experience to perform the assessment and support your organization as the respective plans evolve.
  4. There is a possibility that the new Administration may give the healthcare community additional time to complete the steps necessary to be compliant, but it is doubtful that the rule will be eliminated.


Ron Lander is the Chief Specialist at Ultrasafe Security Solutions of Norco, Ca. He is a member of ASIS-International, IAHSS, ESA, CAA, WBFAA and AFIO. He is certified by the Anti-Terrorism Accreditation Board (ATAB) as a Healthcare Emergency Planning Specialist and a member of the ASIS Healthcare Security Council and was recently an ASIS Council Vice President for six years.  Ron is also Chief Technology Officer (CTO) for Security Management Services International, Inc. (SMSI Inc.).