By Tara Gibson - March 24, 2020
When organizations develop a healthcare disaster preparedness plan, most are already familiar with the requirements of the CMS Emergency Preparedness Rule because they had implemented them as security best practices. However, there are three factors organizations may not be so familiar with.
When the Centers for Medicare and Medicaid (CMS) published its Emergency Preparedness Rule in 2016, the agency acknowledged many healthcare organizations were already applying versions of the requirements, but in a way that isolated their efforts to prevent, mitigate, respond, and recover from disasters from the efforts of federal, state, tribal, and local emergency response networks. It was also the case, according to CMS, that the existing requirements were being applied inconsistently.
The requirement for organizations to develop a structured healthcare disaster preparedness plan has the objective of integrating individual organizational preparedness with federal, state, tribal, and local emergency response networks, and ensuring the requirements are applied consistently. Although there is no “one-size-fits-all” framework for different types of healthcare organization, CMS has identified four core elements of emergency preparedness, and designed its Rule around these elements.
Healthcare organizations are exposed to many different types of risk every day. Most already have policies and procedures in place to prevent as many risks as they can, or mitigate their consequences. The Risk Assessment and Planning core element of the Emergency Preparedness Rule also requires organizations to develop strategies for how they will respond to a disaster and recover from it.
The policies and procedures an organization develops to support its healthcare disaster preparedness plan will depend on the nature of its operations and whether it is an inpatient or outpatient facility. There are slightly different requirements for each of the seventeen types of healthcare provider or supplier and these are subject to change as the Emergency Preparedness Rule matures.
Most organizations have some form of communications strategy for alerting staff and emergency services to a disaster. However, the Emergency Preparedness Rule stipulates that organizations have to ensure communication systems are coordinated across the facility and compatible with those of other healthcare organizations, public health agencies, and emergency management agencies.
It is also the case most organizations educate their staff on policies and procedures during a disaster, and conduct regular drills to comply with the requirements of the Joint Commission and NFPA. However, whereas it was previously sufficient to conduct facility-based drills, organizations now have to conduct full-scale, community-based drills with the involvement of other healthcare organizations, public health agencies, and emergency management agencies.
Because most organizations are familiar with many of the requirements of the Emergency Preparedness Rule, it is possible to overlook some of the other requirements. This can make the difference between compliance with the Emergency Preparedness Rule and being underprepared when a disaster occurs. Consequently, we suggest organizations should pay particular attention to the following three factors:
Originally, CMS regularly used the words emergency and disaster interchangeably; for an event to be considered a risk in a healthcare disaster preparedness plan, it had to be an adverse event that had an impact on people, property, or business continuity. However, in CMS' most recent “Interpretive Guidance”, the agency has defined both words separately and started using them in context:
Emergency: A hazard impact causing adverse physical, social, psychological, economic or political effects that challenges the ability to respond rapidly and effectively. It requires a stepped-up capacity and capability (call-back procedures, mutual aid, etc.) to meet the expected outcome, and commonly requires change from routine management methods to an incident command process to achieve the expected outcome.
Disaster: A hazard impact causing adverse physical, social, psychological, economic or political effects that challenges the ability to respond rapidly and effectively. Despite a stepped-up capacity and capability and change from routine management methods to an incident command/management process, the outcome is lower than expected compared with a smaller scale or lower magnitude impact.
The differences between the original definition and the revised definitions may only be subtle, but they are important to be aware of - particularly as they represent a significant departure from the Joint Commission's definitions, which were most commonly relied upon by healthcare facilities seeking Joint Commission accreditation. For the record, the Joint Commission's definitions are:
Emergency: An unexpected or sudden event that significantly disrupts the organization's ability to provide care, or the environment of care itself, or that results in a sudden, significantly changed or increased demand for the organization's services.
Disaster: A type of emergency that, due to its complexity, scope, or duration, threatens the organization's capabilities and requires outside assistance to sustain patient care, safety, or security functions.
Due to the requirement to integrate healthcare disaster preparedness with local emergency response networks, it may be necessary to change the structure of the emergency management team. Many healthcare organizations base their emergency management team's structure on the ICS 300 model; but due to the requirement to collaborate with external emergency agencies, ICS 300 is not an appropriate model to support a healthcare disaster preparedness plan - particularly in the Operations Section.
In a blog discussing the components of a hospital emergency management team, we elaborate on the differences between the ICS 300 model and a model for healthcare disaster preparedness. The example Operations Section below may not be a practical model for smaller organizations, but it demonstrates the range of roles and capabilities required by the Emergency Preparedness Rule. Certainly the blog is worth a read for healthcare organizations basing their emergency responses on the ICS 300 model.
A potentially overlooked factor within the Communications Plan element of the Emergency Preparedness Rule is that the plan must include a primary and alternate means for communicating with staff and local emergency management agencies before, during, and after any emergency or disaster. This is so that, if one system is inoperable due to the emergency or disaster, organizations can continue to communicate, provide instructions to staff, and request assistance when necessary.
Due to the risk that in-house communication systems may be inoperable during an emergency (e.g. a cyberattack) or disaster (e.g. a widespread power failure), it is not appropriate to use (say) an in-house mail server as the primary channel of communication and an intranet as the alternate. Instead, organizations should implement at least one communication solution with multi-modal communication capabilities (e.g. SMS, email, voice broadcasts) that can be integrated with the WebEOC system.
Bearing in mind that buildings may be inaccessible during an emergency and mains power may not be available, it is important that the chosen communication solution(s) can be operated remotely (e.g. via a smartphone or tablet) and charged independently of a mains power supply (e.g. via a solar-powered battery charger).
Tara is a Marketing Coordinator on the Rave Mobile Safety marketing team. She loves writing about all things K-12 education, and manages the Rave social media channels. When she's not working, she's taking care of her smiley, shoe eating, Instagram-famous fur baby, Enzo!