On September 16th, 2016, six weeks before America’s ‘historic’ election, the U.S. Centers for Medicare and Medicaid Services (CMS) published CMS-3178 - The Final Rule for Healthcare Emergency Preparedness. The purpose of this new regulation is to: establish consistent emergency preparedness requirements across provider and supplier networks, establish a more coordinated response to natural and man-made disasters and increase patient safety during emergencies.
Regulating healthcare facilities
This is not a sleepy regulation that gives the healthcare industry up to five years to prepare, like HIPAA (Healthcare Insurance Portability and Accountability Act). This rule mandates that if healthcare facilities do not comply by November 15, 2017, they risk not receiving Medicare and Medicaid reimbursements in December.
Who does this affect? This applies to seventeen Medicare and Medicaid provider sectors, ranging from Home Healthcare workers to major Cancer Treatment centres, medical laboratories and everything in between.
Beyond the techno-jargon and acronyms, the goals of the Rule recognise that there are systemic gaps in the emergency Planning and Implementation process that must be closed by establishing consistency and encouraging coordination across the Emergency Preparedness sector of the United States and its possessions.
Healthcare requirements rule
While the timing is not ideal, this Rule is the result of tragedies of unprecedented proportions. In Hurricane Katrina, dozens of hospital and eldercare home patients died. During Superstorm Sandy, countless hospital ‘backup systems’ were flooded or insufficient for the need. There was also the Anthrax Scare of last decade and the recent H1N1 Epidemic – they were all catalysts for development of this type of rule. In addition, as I have travelled around the country conducting countless assessments, I have discovered numerous cases where nobody on the overnight shift or weekends knew how to operate important life-support critical systems like generators, or who to call when the fuel runs out.
Requirements to be provided
The requirements that are to be provided are:
Risk Assessment and Planning Document
Each individual facility must (internally or externally) perform a Risk Assessment to identify the areas that must be dealt with to conform with the Final Rule.
Policies and Procedures
Based on the Risk Assessment, develop an emergency plan using an all-hazards approach, focusing on capacities and capabilities that are critical for a full spectrum of emergencies or disasters specific to the respective location(s).
Develop and maintain a communications plan to ensure that patient care is well coordinated within the facility, across healthcare providers and with State and Local public health departments and emergency systems.
Training and Testing Plan
Develop and maintain training and testing programmes, including initial and annual re-training, conducting drills and exercises (full-participation and tabletop) in an actual incident that tests the plan and the staff’s ability to work together and accomplish the goals of the exercise.
Healthcare security department
Apparently, this Rule was developed in late 2013 and sent to the White House. While preparing to close the books, the Obama team discovered the document in September 2016 and quickly approved it, making it law in 60 days and giving the healthcare community 365 days to comply with the regulations.
While this rule does not apply directly to the ‘healthcare security’ departments, consultants who have experience in healthcare risk, vulnerability and threat assessments are best positioned to provide the necessary assessments in a timely manner.
Security Integrators should be prepared for a demand for the following hardware and software to support the theme of this regulation:
- Intelligent Access Control
- Visitor Management
- Mass Evacuation Alert Programmes and Systems
- More extensive use of video surveillance so management can quickly assess an incident
- Interoperability with appliances that serve the community on public service networks
- Backup systems for all electronic functions from the Network Infrastructure to the simplest of healthcare support tools.
What should the healthcare community do?
This Rule is not intended to only focus on large and medium-sized hospitals. It specifically aims at smaller facilities like Behavioural Health Facilities, Eldercare Homes and small laboratories that are more focused on patient service rather than preparing for a major disaster.
The healthcare community should:
- Download the 186-page rule from the Ultra Safe or Federal Register website.
- While this rule focuses on Emergency Preparedness, it obviously touches on Business Continuity. The healthcare community should make sure that the C-Suite is aware of this rule and emphasise the timeliness.
- Begin following the three-step process to implement the changes or retain a consultant with healthcare experience to perform the assessment and support your organisation as the respective plans evolve.
- There is a possibility that the new Administration may give the healthcare community additional time to complete the steps necessary to be compliant, but it is doubtful that it will be eliminated.