Ensuring Compliance With the CMS Emergency Preparedness Final Rule

Brian Williams, MHA, MBA
healthcare workers meeting

It’s always better to be safe than sorry, and preparing for emergencies is especially crucial for healthcare facilities. Proper preparedness ensures the safety and well-being of both patients and staff. It’s why compliance with the CMS Emergency Preparedness Final Rule is so important.

The CMS Emergency Preparedness Final Rule — implemented by the Centers for Medicare & Medicaid Services (CMS) — sets forth guidelines and requirements healthcare providers must follow regarding their emergency response capabilities.

Let’s explore this rule and the best practices that help healthcare organizations achieve compliance.


Get checklists, templates, and ideas to update your emergency preparedness plan.

What Is the Emergency Preparedness Final Rule?

The CMS Emergency Preparedness Final Rule was originally established by the Centers for Medicare & Medicaid Services on November 15, 2016. Its intent is to ensure all healthcare facilities participating in Medicare and Medicaid programs are adequately prepared to respond to emergencies.

The Emergency Preparedness Final Rule identifies four essential elements that are key to a comprehensive and effective approach to emergency preparedness for certain Medicare and Medicaid participating providers and suppliers. These essential elements include the following:

  1. Risk Assessment and Emergency Planning. Develop an emergency plan based on a risk assessment and using an “all-hazards” approach, which provides an integrated system for emergency planning that focuses on capacities and capabilities.
  2. Policies and Procedures. Develop and implement policies and procedures based on the emergency plan and risk assessment that are reviewed and updated at least annually.
  3. Communication Plan. Develop and maintain an emergency preparedness communication plan that complies with federal, state and local laws.
  4. Training and Testing. Develop and maintain training and testing programs, including initial training in policies and procedures.

These requirements strengthen the overall resilience of healthcare organizations. Together, they ensure the safety and well-being of patients, staff, and the community during emergencies or disasters.

Changes to the Burden Reduction Final Rule

During protracted emergencies, government agencies are known to relax enforcement of regulations as a way to expedite relief. This was especially evident during the COVID-19 pandemic. CMS adjusted the Burden Reduction Final Rule to relax some of the requirements, to help healthcare facilities and organizations better-cope with the extenuating circumstances of the pandemic.

Some of the major changes to the Burden Reduction Final Rule included:

  1. Biennial review of your emergency program, decreased from an annual review. Long-term care (LTC) facilities are still required to review their emergency program annually.
  2. Emergency plans no longer need to include documentation of efforts to contact local, tribal, regional, state, and federal emergency preparedness officials or a facility’s participation in collaborative and cooperative planning efforts.
  3. The training requirement has decreased from annually to every two years.
  4. Inpatient testing requirement flexibility is increased so that one of the two annually-required testing exercises may be an exercise of the facility’s choice.
  5. Outpatient testing requirement has been relaxed from two testing exercises to one testing exercise annually.

It remains to be seen if these standards will continue to be a longstanding norm; however, in the meantime, it’s important for facilities to adjust their compliance tracking accordingly.

What Facilities Must Comply With the Emergency Preparedness Final Rule?

The Emergency Preparedness Final Rule applies to a range of healthcare facilities that participate in Medicare and Medicaid programs.

  • Hospitals
  • Hospices
  • Transplant Centers
  • Religious Nonmedical Health Care Institutions (RNHCIs)
  • Ambulatory Surgical Centers (ASCs)
  • Psychiatric Residential Treatment Facilities (PRTFs)
  • All-Inclusive Care for the Elderly (PACE)
  • Long-Term Care (LTC) Facilities
  • Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID)
  • Home Health Agencies (HHAs)
  • Comprehensive Outpatient Rehabilitation Facilities (CORFs)
  • Critical Access Hospitals (CAHs)
  • Community Mental Health Centers (CMHCs)
  • Organ Procurement Organizations (OPOs)
  • Rural Health Clinics (RHCs)
  • Federally Qualified Health Centers (FQHCs)
  • End-Stage Renal Disease (ESRD) Facilities

It’s important to note that the specific requirements and scope of compliance may vary for different facility types. It’s advisable to consult the official CMS guidelines and regulations to ensure accurate and up-to-date information for your particular facility.

What Are the Penalties of Non-Compliance?

Failure to meet the Emergency Preparedness criteria is a condition-level deficiency and could result in a termination from the CMS program (following a 60-day remediation program). CMS also has the power to deny Medicare and Medicaid payments to facilities that fail to meet the emergency preparedness requirements. This can result in significant financial consequences for the non-compliant facility.

Generally, recognition of non-compliance requires the facility to develop and implement a corrective action plan, to address the identified deficiencies and achieve compliance within a specified timeframe. Failure to comply with the corrective action plan can lead to further penalties.

5 Strategies to Ensure Emergency Preparedness Compliance 

Healthcare providers that are already accredited may be able to use some of those completed actions to also count toward the compliance of the CMS Rule’s requirements.

1. Develop Comprehensive Emergency Plans

Build as many disaster scenarios as you can and prioritize your response based on the greatest impact to the organization! Create and regularly update emergency plans that encompass all aspects of preparedness, including communication protocols, evacuation procedures, patient tracking, and resource management. Ensure that the plans align with the specific requirements outlined in the CMS rule. Don’t forget to test the plan — specifically without involvement from the plan author — so you can see the response.

2. Review and Update Plans Annually

Sure, you’re only required to do it once a year — but what happens if some of your key incident response team members leave and you have no way to contact the new ones? Conduct After Action Reviews (AARs) and create Improvement Action Plans (IAPs) on a routine basis, not just post-emergency. Here, the benefits of online compliance software are invaluable. Features like version control for documentation and the ability to electronically share and collaborate on policies is critical in maintaining compliance.

3. Conduct Regular Training and Exercises

Train staff on emergency procedures, roles, and responsibilities, and make sure they have access to relevant policies and procedures. Conduct drills and exercises to test the effectiveness of the plans and identify areas for improvement. Document these trainings and exercises to demonstrate compliance with the rule. Here again, a cloud platform like MedTrainer offers pre-built templates, so you’re OSHA-compliant in 15 minutes. Employees can access plans anywhere, and you can require employees to acknowledge receipt and review of the plans.

4. Learn From Recent Disasters

Identify areas where you can apply learnings from recent disasters to ensure continuous improvement to your disaster preparedness plans. For example, consider how staffing shortages exacerbate emergency responses and include staff well-being tools and ways to utilize volunteers in your plan. It’s also smart to identify your organization’s limits — such as number of patients who can be accepted, number of staff needed to operate, etc. — during planning. Check out the CMS expanded guidance for Emerging Infectious Disease (EID) planning to include potential patient surges, additional staffing needs, risk assessment considerations, and more.

5. Build Community Relationships

The COVID-19 pandemic taught us that emergencies require more than just a well-written disaster plan. To be better prepared for future emergencies, healthcare organizations must establish partnerships beyond their current networks to improve overall preparedness for emergency responses. Foster relationships and collaborate with local emergency management agencies, community organizations, and neighboring healthcare facilities. Engage in regular communication and coordination to ensure a unified and coordinated response during emergencies.

Emergency Planning Is Ongoing and Critical

Ensuring compliance with the CMS Emergency Preparedness Final Rule is vital for healthcare facilities to effectively respond to emergencies. Forethought to worst-case situations is the key to safeguarding the well-being of patients, staff, and the community. It comes down to developing comprehensive emergency plans, conducting regular training and exercises, establishing collaborative partnerships, maintaining robust communication systems, and implementing risk mitigation strategies.

If your organization is looking for solutions to help create compliance accountability, turn to MedTrainer. Check out our on-demand webinar, Your Disaster Preparedness Plan After the End of Federal Emergency Declarations, to learn more about what you can do to stay proactive in emergency preparedness efforts.