SourceSecurity.com US Edition
Home  |  Settings  |  Marketing Options  |  eNewsletters  |  About Us  |  FAQs    Join SourceSecurity.com on LinkedIn
REGISTERTerms
Bringing the security industry into focus

Healthcare providers face new rules for “All Hazards” emergency planning

Each individual facility must perform a Risk Assessment to identify the areas that must be dealt with to conform with the Final Rule
While the timing is not ideal, this Rule is the result of tragedies of unprecedented proportions

On September 16th, 2016, six weeks before America’s ‘historic’ election, the U.S. Centers for Medicare and Medicaid Services (CMS) published CMS-3178 - The Final Rule for Healthcare Emergency Preparedness. The purpose of this new regulation is to: establish consistent emergency preparedness requirements across provider and supplier networks, establish a more coordinated response to natural and man-made disasters and increase patient safety during emergencies.

Regulating healthcare facilities

This is not a sleepy regulation that gives the healthcare industry up to five years to prepare, like HIPAA (Healthcare Insurance Portability and Accountability ACT). This rule mandates that if healthcare facilities do not comply by November 15, 2017, they risk not receiving Medicare and Medicaid reimbursements in December.

Who does this affect? This applies to seventeen Medicare and Medicaid provider sectors, ranging from Home Healthcare workers to major Cancer Treatment centres, medical laboratories and everything in between.

Beyond the techno-jargon and acronyms, the goals of the Rule recognise that there are systemic gaps in the emergency Planning and Implementation process that must be closed by establishing consistency and encouraging coordination across the Emergency Preparedness sector of the United States and its possessions.

I have discovered numerous cases
where nobody on the overnight
shift or weekends knew how to
operate important life-support
critical systems

Healthcare requirements rule

While the timing is not ideal, this Rule is the result of tragedies of unprecedented proportions. In Hurricane Katrina, dozens of hospital and eldercare home patients died. During Superstorm Sandy, countless hospital ‘backup systems’ were flooded or insufficient for the need. There was also the Anthrax Scare of last decade and the recent H1N1 Epidemic – they were all catalysts for development of this type of rule. In addition, as I have travelled around the country conducting countless assessments, I have discovered numerous cases where nobody on the overnight shift or weekends knew how to operate important life-support critical systems like generators, or who to call when the fuel runs out.

Requirements to be provided

The requirements that are to be provided are:

Risk Assessment and Planning Document

Each individual facility must (internally or externally) perform a Risk Assessment to identify the areas that must be dealt with to conform with the Final Rule.

Policies and Procedures

Based on the Risk Assessment, develop an emergency plan using an all-hazards approach-focusing on capabilities and capabilities that are critical for a full spectrum of emergencies, or disaster specific to the respective location(s).

Communications Plan

Develop and maintain a communications plan to ensure that Patient care must be well coordinated within the facility, across healthcare providers and with State and Local public health departments and emergency systems

Training and Testing Plan

Develop and maintain training and testing programmes, including initial and annual re-training, conducting drills and exercises (full-participation and tabletop) in an actual incident that tests the plan and the staff’s ability to work together and accomplish the goals of the exercise.

The Rule specifically aims at smaller facilities that are more focused on patient service rather than preparing for a major disaster
Security Integrators should prepare for demand for hardware and software to support the theme of this regulation

Healthcare security department

Apparently, this Rule was developed in late 2013 and sent to the White House and while preparing to close the books, the Obama team discovered the document in September 2016 and quickly approved it, making it law in 60 days and giving 365 days for the healthcare community to comply with the regulations.

While this rule does not apply directly to the ‘healthcare security’ departments, consultants who have experience in healthcare risk, vulnerability and threat assessments are best positioned to provide the necessary assessments in a timely manner.

Security Integrators should be prepared for a demand for the following hardware and software to support the theme of this regulation:

  • Intelligent Access Control
  • Visitor Management
  • Mass Evacuation Alert Programmes and Systems
  • More extensive use of video surveillance so management can quickly assess an incident
  • Interoperability with appliances that serve the community on public service networks
  • Backup systems for all electronic functions from the Network Infrastructure to the simplest of healthcare support tools.

The Rule specifically aims at
smaller facilities like Behavioural
Health Facilities, Eldercare Homes
and small laboratories

What should the healthcare community do?

This Rule is not intended to only focus on large and medium-sized hospitals. It specifically aims at smaller facilities like Behavioural Health Facilities, Eldercare Homes and small laboratories that are more focused on patient service rather than preparing for a major disaster.

The healthcare community should:

  • Download the 186-page rule from Ultra Safe or Federal Resister website.
  • While this rule focuses on Emergency Preparedness, it obviously touches on Business Continuity. The healthcare community should make sure that the C-Suite is aware of this rule and emphasise the timeliness.
  • Begin following the three-step process to implement the changes or retain a consultant with healthcare experience to perform the assessment and support your organisation as the respective plans evolve.
  • There is a possibility that the new Administration may give the healthcare community additional time to complete the steps necessary to be compliant, but it is doubtful that it will be eliminated.

Download PDF Version

Follow us for latest editorial and commercial opportunities


Please rate this article


Related videos
Featured White Paper

What Do I Need to Know to Successfully Deploy Mobile Access?

This white paper discusses what you need to know in preparation to deploy a mobile access solution. Using a mobile device to gain access to buildings is not only about solving a particular problem; it's also about doing things better.

Confidence and education in the use of contactless applications and technologies, such as Near Field Communications (NFC) and Bluetooth, are continuously growing. In the era of mobility and cloud computing, companies are increasingly concerned about the security and protection of their physical environment. Correctly implemented, mobile access has the potential to revolutionise the way we open doors.

HID have produced this guide to mobile access configuration to explore the underlying technologies which enable mobile access and discuss what you need to know to implement mobile access control.


See privacy and cookie policy
SourceSecurity.com
Browsing from the Americas? Looking for SourceSecurity.com US Edition?
View this content on SourceSecurity.com US Edition, our dedicated portal for our Americas audience.
Do not show me this again
International EditionUS Edition