CMS Now Requires Risk Management, No Exceptions for Non-Compliance

New Business Continuity Concerns for Healthcare Providers

Hospitals are no stranger to the concept of emergency preparedness, but the Centers for Medicare and Medicaid Services (CMS) has some definite ideas on what is acceptable in this arena and is making them clear in new Conditions of Participation, which must be implemented by Nov. 15, 2017.

And CMS is expanding at least some of the same requirements to 16 other types of inpatient and outpatient providers — and suppliers — from ambulatory surgery centers and psychiatric residential treatment facilities to organ procurement organizations, many of whom may not have thought about business continuity in such a prescriptive way before.

Some key takeaways from the rule for affected entities:

  • Organizations need to take an “all hazards” approach to their emergency plan, which must be reviewed and updated annually. Preparing for active shooters, power outages and pandemics won’t be enough.
  • Emergency plans must be managed by policies and procedures, no longer simply operational guidelines (so no more flexibility).
  • Inpatient and outpatient facilities MUST coordinate with local agencies.
  • Organizations must maintain contact with clinicians AND staff, both during and after the emergency, and must have an effective communications plan for patients and family members to cover the same time period.
  • Facilities transferring patients during an emergency must ensure that the receiving facilities have the same standards for privacy and security of patient data.
  • All employees must be trained and tested on the emergency plan, and must be able to demonstrate knowledge of emergency procedures, evacuation routes and patient instructions (expect this to come up in future accreditation surveys).
  • Organizations must conduct two exercises annually, and one of these must be a full-scale facility or community-based drill.

CMS states that it will be granting no exceptions for non-compliance, including failure to provide required documentation to the agency.

So, how do you get ready for these new requirements?

You can certainly read the (yawn) Final Rule, but I would recommend the more accessible resources to be found at the website of the Assistant Secretary of Preparedness and Response (ASPR) of the federal Department of Health and Human Services (HHS). ASPR’s Healthcare Emergency Preparedness Information Gateway, TRACIE (Technical Resources, Assistance Center, Information Exchange), has a wealth of information, including specific requirements by provider type, a helpful overview presentation and more.

Oh, and you may want to make sure your business continuity management (BCM) system is up to the task.

The following two tabs change content below.

Jay Lechtman

Jay Lechtman joined Riskonnect as senior director, market strategy and development in 2016. Prior to Riskonnect, Jay was vice president of market development for Quantros, responsible for developing new market opportunities for the legacy incident reporting system vendor in ambulatory, retail pharmacy, safety data assets, EHR integration and Patient Safety Organization (PSO) services. Jay has more than 20 years leading strategic growth initiatives for a number of healthcare information technology and services companies, including Ingenix (now Optum), part of UnitedHealth Group. He is a journalist by training, with degrees from The Johns Hopkins University and Stanford University, and with experience in local, national and international news, politics and features with several mainstream and specialty publications including The Baltimore Sun.

Request Your Free Riskonnect Demo

Pin It on Pinterest