
Regulations Webinar Q&A: Healthcare Edition

December 1, 2017 DRI Admin

Thanks to all who attended DRI’s recent webinar, “Beyond Compliance: Getting Real About Regulations.” We received some great questions from attendees who wanted to hear more. Here are the responses to some healthcare-focused questions via Mike Mastrangelo, CHPCP, Program Director for Institutional Preparedness, University of Texas Medical Branch at Galveston.

Q: Does the Kaiser Permanente model of the HVA meet the assessment guideline for healthcare organizations?

MM: The short answer is yes. The latest version of the tool is available at:  

A healthcare organization can download the tool at no charge. There is a tab for data entry that includes the number of activations and alerts the healthcare organization experienced. This provides some level of quantification for the Probability entry argument. These data auto-populate the next worksheet “Hazards”. Scores can be assigned for the “Impact” of an occurrence for each listed hazard. The tool is prepopulated with common types of hazards that a healthcare organization might face (including Zombies). The list can be edited as needed. Impacts include “Human”, “Property”, and “Business Impact” (so information from a Business Impact Analysis could be used for this score).

Scores are then added for factors that might mitigate the risk (pre-existing response plans, internal response capabilities, and external agency response capabilities). The resulting score gives a relative rank for each hazard. The healthcare organization can therefore use the tool to develop a list of Priority Risks.

For healthcare organizations using Joint Commission accreditation for deemed status purposes, Joint Commission released revisions to their Emergency Management standards aligned with the new CMS rule that went into effect on 15 November 2017. The Joint Commission standard is that a hospital conducts a Hazard Vulnerability Analysis “to identify potential emergencies that could affect demand for the hospital’s services or its ability to provide those services, the likelihood of those events occurring, and the consequence of those events.” The Kaiser Permanente tool addresses Likelihood (Probability) and Consequence (Severity/Impact), so it satisfies the Joint Commission as well as the CMS requirement.

Q: What is REALLY expected of hospitals from the CMS “Emergency Preparedness Rqts for Medicare & Medicaid Participating Providers”?

MM: Since the question asks specifically about hospitals, I’ll focus on those requirements, but bear in mind that the new regulations apply to 17 types of healthcare institutions (not just hospitals, and including, for example, long-term care facilities). In talking to officials from the US Department of Health and Human Services – they are serious about enforcing the regulations as a means toward preventing tragedies that we have witnessed in some healthcare facilities in, for example, Hurricane Katrina and Hurricane Irma. The full set of requirements is available at:

The rules are divided into 4 core areas:

  1) Conduct a risk assessment and do emergency planning to specifically include (but not be limited to): hazards likely in geographic area; care-related emergencies; equipment and power failures; interruption in communications, including cyber attacks; loss of all or a portion of facility; loss of all or a portion of supplies. The plan must be reviewed annually.
  2) Maintain a communication plan that: complies with Federal and State laws; has a system to contact staff, including patients’ physicians, and other necessary persons; is well-coordinated within the facility, across health care providers, and with state and local public health departments and emergency management agencies.
  3) Maintain policies and procedures (e.g. an Emergency Operations Plan).
  4) Train and test the plan annually.

For those hospitals using Joint Commission accreditation for deemed status purposes (demonstrating compliance with CMS requirements), the highlights of the Joint Commission revised Emergency Management standards include:

  • A specific requirement for continuity strategies and these must include a succession plan and a delegation of authority plan. The standards note that “A continuity of operations strategy is an essential component of emergency management planning.”
  • A requirement for hospitals to have a procedure in place to request an 1135 waiver so that healthcare can be provided at alternate care sites if an emergency requires such sites. (The waiver, if approved, provides certain regulatory relief and makes operating at an alternate care site a practical option. An alternate care site in healthcare continuity planning would be akin to a backup site in general continuity planning.)
  • A requirement for a shelter in place plan (with patients and staff) – including a plan that specifically addresses how the hospital will obtain and replenish non-medical supplies including food and bedding.
  • A requirement for an annual review of plans
  • Specific requirements for an emergency communications plan
  • Documentation of contact with local response agencies regarding emergency planning
  • A specific requirement that the emergency operations plan address the roles and responsibilities of staff for communications, resources and assets, safety and security, utilities, patient management and evacuation
  • A required ability to track staff during an emergency
  • A requirement for documentation of staff training and demonstration of knowledge on emergency procedures through exercises
  • Addressing the use of volunteers during an emergency including integration of state or federal medical assistance teams (e.g. federal Disaster Medical Assistance Teams)

More specific requirements related to the provision of emergency power and lighting – plans must address the provision of power to essential utilities such as heating and cooling, vertical and horizontal transport, and steam for sterilization. Joint Commission emphasizes that “The essential utility systems include mechanisms for maintaining temperatures at a level that protects patient health and safety and the safe and sanitary storage of provisions.” (For example, it would do little good to have an emergency generator that is not supplying power to cooling capacity if the hospital is on the southern coast of the US during the height of summer.)

The locations of generators must comply with NFPA 99 – essentially meaning that emergency power equipment should be put in locations where they would be expected to operate during incidents that have a high probability of occurrence in the hospital’s geographic location (based on the Hazard Vulnerability Analysis). (There are numerous past examples, for instance, of hospital generators, switches, or fuel pumps flooding and not operating . . . in areas that are prone to flooding.) Joint Commission allows that if the generator is not already located in a safe area, it must be once the facility is renovated or if a new facility is built.

The hospital must be able to track patients during an emergency at the hospital, at an alternate care site, or if evacuated to a receiving hospital.

The final revision (EM 04.01.01) addresses how hospital systems have an option to manage emergency planning through an integrated emergency preparedness program.

The topic of the new CMS rule was included as a session in the 2017 Joint Commission Emergency Preparedness Conference. In addition to the information above, the Joint Commission presenters noted that their surveyors will expect that the risk of cyber-intrusion will be on every hospital HVA, and that they will expect that the Hospital’s Environment of Care Committee (EOC) will address that risk appropriately. (The UTMB EOC includes a member from Information Services and another member from Information Security.) Cyber incidents should be addressed in a similar manner to other types of utility failures in terms of documentation and process improvement.

A team from Joint Commission met recently in Houston with a group of hospitals that were affected by Hurricane Harvey. Their first question was whether the assembled hospital representatives thought that it would be beneficial to extend the ‘96-Hour Analysis’ period to a longer period – given the duration of the Harvey incident. The consensus in the room was that this was not necessary, but I would expect that after they similarly meet with hospitals affected by Maria and Irma, we might see an extension to this planning requirement.

Every indication that I’ve seen is that CMS and Joint Commission will take these new requirements seriously and that surveys will be rigorous – aimed at good compliance with the requirements.

Q: What regulatory requirements are there for preparedness in the event of an active shooter incident?

MM: First let me say that Scott Cormier (also on the DRI Healthcare Committee) and I co-chaired a national committee convened by the Department of Homeland Security, Critical Infrastructure and Key Resources, Healthcare and Public Health Sector Specific Council to develop a planning guide for active shooter preparedness in the healthcare setting. Scott and I authored major sections of the original version. The latest version is available on the FBI website (free download) at

Scott will present on active shooter planning for healthcare at DRI2018.

The CMS and Joint Commission Emergency Management requirements apply to possible “active shooter” incidents. If an active shooter is a plausible risk it should be included in the Hazard Vulnerability Analysis or risk assessment. A reasonable person would assume that it should be included in every assessment. For my institution, UTMB Galveston, we include Active Shooter as a Priority Risk. This means that in addition to our All-Hazards emergency response plan, we have a specific plan for active shooter incident response, and that we conduct annual training and exercises. UTMB was one of the first hospitals in the US to conduct an active shooter/full-scale police response exercise in the hospital during normal working hours.

Academic Medical Centers also have regulations relevant to active shooter. This includes The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act or Clery Act, signed in 1990. The Clery Act requires institutions to give timely warnings of crimes that represent a threat to the safety of students or employees. This was a major factor in the decision by institutions of higher education to invest in mass notification systems.

States and governing boards have also enacted laws in response to the 2007 Virginia Tech shooting. Texas passed House Bill 1831 requiring institutions of higher education to have emergency preparedness programs in place. House Bill 2758 requires that institutions of higher education have emergency alert/notification systems. The University of Texas System implemented UT System Policy 172 requiring all UT institutions to have emergency preparedness plans. Obviously, regulations will vary by state.
