No longer is it sufficient to manage emergencies as they arise; rather, hospitals must plan and prepare, in advance, to mitigate, respond to, and recover from natural and human-made emergencies and disasters.

Hospitals in the United States have faced a wide variety of large-scale emergencies and disasters resulting from natural, technological, and terrorist-related and other human-made causes. Between 2007 and September 2018, the Federal Emergency Management Agency (FEMA) declared an emergency in the United States 1,451 times. (FEMA "Disaster Declarations")

Out-of-court settlements for deaths and injuries at hospitals during Hurricane Katrina in 2005 made clear that failure to properly prepare for and respond to an emergency can result not only in a horrible human toll but also in disastrous financial consequences for a hospital. Media coverage of several recent natural disasters highlighted providers who demonstrated little to no advance emergency planning and woefully inadequate responses, placing patient lives at risk and in some cases resulting in patient deaths. Media accounts of emergency planning failures during 2017 Hurricanes Harvey, Irma, and Maria demonstrate that much work remains for hospitals and other providers to be sufficiently prepared for events ranging from service disruptions to major disasters. The correct question to ask is not whether, but when, an emergency will occur. Then ask whether the organization will be ready.

High-visibility disasters have led the federal government to emphasize community-wide emergency planning. The Centers for Medicare and Medicaid Services (CMS) issued the emergency preparedness final rule in 2017, establishing "national emergency preparedness requirements for Medicare and Medicaid participating providers and suppliers to plan adequately for both natural and man-made disasters, and coordinate with federal, state, tribal, regional, and local emergency preparedness systems." (CMS "Final Rule") The rule is enforced through conditions of participation (CoPs) for Medicare and Medicaid service providers. The scope of the regulation was expanded to apply to 17 types of Medicare and Medicaid providers and suppliers, but it excludes fire and rescue units, ambulances, and single- or multispecialty medical groups. The effective date of the regulation was November 15, 2016, with an implementation date of November 15, 2017. In June 2017, CMS released an advance copy of its State operations manual: interpretive guidance for surveyors. Providers can use this guidance to evaluate the organization's emergency preparedness program.

The CMS regulations require organizations to take a "comprehensive, consistent, flexible, and dynamic regulatory approach to emergency preparedness and implement a response that incorporates the lessons learned from the past, combined with the proven best practices of the present into an emergency operations program" (CMS "Final Rule").

CMS contends these new regulations strike a balance between being specific and general that permits providers and suppliers to develop an effective emergency operations plan (EOP).

Risk managers often play a direct role in the development of policies and procedures related to emergency management—such as those addressing disaster-related standards of care, modification of the privileging and credentialing process, and negotiation of mutual-aid agreements with other hospitals. A comprehensive understanding of emergency preparedness is necessary to be effective. This guidance article touches on operations of the emergency operations committee (EOC) and on the planning and mitigation elements of a comprehensive EOP and includes links to resources that can assist organizations in complying with CMS's emergency preparedness final rule. 

  • Ensure that the risk manager participates with the EOC.
  • Confirm that the EOP is reviewed and updated, if necessary, at least annually.
  • Ensure that the EOP addresses key components of preparedness, mitigation, response, and recovery.
  • Evaluate how the hospital's EOP fits within the local, regional, and state emergency management programs.
  • Encourage the hospital to join a healthcare coalition (HCC).
  • Prepare for use of volunteer healthcare providers and nonclinical personnel.
  • Ensure that a process is in place for granting temporary privileges to medical staff.
  • Work with the ethics committee to establish crisis standards of care (CSC) and protocols for triage during disasters, and incorporate these standards and protocols into the EOP.
  • Ensure that both a facility-based and a community-based hazard vulnerability assessment (HVA) are conducted at least annually.
  • Evaluate the findings of both the facility-based and community-based HVAs.
  • Confirm that the EOP is consistent with the findings of both HVAs.
  • Review EOP policies and procedures to ensure consistency with the all-hazards focus of the HVA at least annually.
  • Ensure the communications plan includes alternative means for communicating with critical stakeholders.
  • Test alternative communication methods.
  • Ensure that the incident command system (ICS) is flexible enough to address both large- and small-scale emergencies.
  • Work with the EOC and training coordinator to confirm that hospital staff are trained and tested regarding the EOP, their role, and their responsibilities.
  • Ensure that the training and testing plan is reviewed and revised, if needed, on an annual basis.
  • Conduct an annual community-wide drill exercise that includes a surge of incoming patients.
  • Conduct an annual community-wide drill exercise that simulates an event that is so far reaching that the local community cannot support the hospital.

Ready, Set, Go: Know Your Risks

The issue in focus

In evaluating the readiness of the national healthcare system, the Centers for Medicare and Medicaid Services (CMS) found that while many providers and suppliers have considered emergency preparedness, their strategies do not go far enough in ensuring that they are equipped and prepared to help protect those they serve during emergencies and disasters (CMS "Final Rule"). No longer is it sufficient to manage emergencies as they arise; rather, hospitals must prepare in advance to mitigate, respond to, and recover from natural and human-made emergencies and disasters.

Studies of hospital emergency preparedness before the 2001 attacks on the World Trade Center showed that, although the level of hospital preparedness varied, most hospitals were in the early stages of emergency preparedness development. Few had planned comprehensively for large-scale events, and much of the planning focused on chemical incidents. Formal interhospital and community collaboration on emergency preparedness was uncommon, and while most hospitals were in compliance with Joint Commission standards, those standards focused primarily on physical threats to individual hospital facilities, such as bomb threats or loss of utilities (Toner et al.).

Since then, hospitals in the United States and elsewhere have faced a wide variety of large-scale emergencies and disasters from natural, technological, and terrorist-related and other human-made causes. While the United States has been lucky to suffer few events with a catastrophic number of casualties or more than 1,000 deaths, the sheer geographic reach of the disasters ensured that they affected large numbers of people, providers, and suppliers across the nation. (Furin)

The types of emergency events and disasters for which healthcare organizations must be prepared are quite broad. See Types of External Emergencies and Disasters to examine the wide variety of recent human-made and natural disasters.

Between 2007 and September 2018, the Federal Emergency Management Agency (FEMA) declared an emergency in the United States 1,451 times (FEMA "Disaster Declarations"). The correct question to ask is not whether, but when, an emergency will occur. Then ask whether the organization will be ready.

Beyond the tragic loss of life, the cost of damages from natural disasters has been climbing. From 1980 through 2007, no natural-disaster damage estimates reached $10 billion. In five of the years between 2008 and 2018, damage costs from natural disasters equaled or exceeded $10 billion (see Figure. Billion-Dollar Disaster Events by Year; figures adjusted for the consumer price index).

In 2017, healthcare providers' poor responses to disasters made national headlines (Milstein and Rosenbaum; Breslin). Such disasters extract both a human and a financial toll. Death toll estimates vary, but 82 deaths were attributed to Hurricane Harvey and 61 deaths to Hurricane Irma; initially, more than 55 deaths were attributed to Hurricane Maria, but later updates put deaths related to Maria at 2,975. (Santiago et al.; Willingham) Associated financial costs have also been extraordinary. According to the National Oceanic and Atmospheric Administration (NOAA) National Hurricane Center estimates, in just six weeks in late August and September 2017, damage estimates from Hurricane Harvey reached $125 billion; Hurricane Irma, $50 billion; and Hurricane Maria, $90 billion. Cost estimates from multiple California wine country wildfires in fall 2017 have already reached $9.4 billion. (National Hurricane Center "Costliest"; Kasler). Two hospitals had to be evacuated during these wildfires.


In light of these trends, the nation's health security and its readiness for public health emergencies are high priorities (ASPR TRACIE "Hospital Preparedness Program").

High-visibility disasters have led the federal government to emphasize community-wide emergency planning. Under the authority of the Social Security Act § 1861(e)(9), CMS issued the emergency preparedness final rule that established "national emergency preparedness requirements for Medicare and Medicaid participating providers and suppliers to plan adequately for both natural and man-made disasters, and coordinate with federal, state, tribal, regional, and local emergency preparedness systems." (CMS "Final Rule") The rule is enforced through Medicare and Medicaid service provider conditions of participation (CoPs). The scope of the regulation was expanded to apply to 17 types of Medicare and Medicaid providers and suppliers (see Table. Provider and Supplier Types Affected by CMS's Emergency Preparedness Rule), but it excludes fire and rescue units, ambulances, and single- and multispecialty medical groups (these entities are covered by a different set of regulations). The requirements of the emergency preparedness rule are based primarily on hospital CoPs. The effective date of the regulation was November 15, 2016, with an implementation date of November 15, 2017. In June 2017, CMS released an advance copy of the State operations manual: interpretive guidance for surveyors. Providers can use the guidance to evaluate the organization's emergency preparedness program.

Table. Provider and Supplier Types Affected by CMS's Emergency Preparedness Rule

| Inpatient facility type | Final rule reference | Outpatient facility type | Final rule reference |
|---|---|---|---|
| Critical access hospitals | Section II. N | Ambulatory surgical centers | Section II. E |
| | Section II. F | Clinics, rehabilitation agencies, and public health agencies as providers of outpatient physical therapy and speech-language pathology services | Section II. O |
| Hospitals | Section II. C | Community mental health centers | Section II. P |
| Intermediate care facilities for individuals with intellectual disabilities | Section II. D | Comprehensive outpatient rehabilitation facilities | Section II. M |
| Long-term care | Section II. J | End-stage renal disease facilities | Section II. S |
| Psychiatric residential treatment facilities | Section II. G | Home health agencies | Section II. L |
| Religious nonmedical healthcare institutions | Section II. D | Hospices | Section II. F |
| Transplant centers | Section II. I | Organ procurement organizations | Section II. Q |
| | | Programs of all-inclusive care for the elderly | Section II. H |
| | | Rural health clinics and federally qualified health centers | Section II. R |

Source: Office of the Assistant Secretary for Preparedness and Response, Technical Resources, Assistance Center, and Information Exchange (ASPR-TRACIE), U.S. Department of Health and Human Services. CMS emergency preparedness rule: resources at your fingertips. Updated 2017 Jun 8 [cited 2018 Apr 13].

The emergency preparedness final rule attempts to address the "inconsistency in the level of emergency planning amongst healthcare providers." The goal is to provide consistent emergency preparedness requirements to drive a more "coordinated and defined" response to disasters. The regulations require organizations to take a "comprehensive, consistent, flexible, and dynamic regulatory approach to emergency preparedness and implement a response that incorporates the lessons learned from the past, combined with the proven best practices of the present." The emergency preparedness regulations encourage providers and suppliers to work together with the surrounding community, their states, and adjoining states to meet the goals for comprehensive emergency preparedness. (CMS "Final Rule")

CMS contends that the emergency preparedness regulations were needed because prior federal, state, and local regulations and accreditation standards established a patchwork of inconsistent expectations. CMS asserts that all providers need to adopt the requirements at the same time to achieve a successful, comprehensive, and coordinated community-based approach to emergency preparedness. The requirements in the final rule, CMS contends, "encourage facilities to collaborate with their local partners and healthcare coalitions in their area for assistance" with planning, design, testing, and training. (CMS "Final Rule")

Role of the Risk Manager

While many risk managers are not directly involved in the emergency management planning process, all should be familiar with it, as failure to properly plan for and implement emergency operations plans (EOPs) can result in significant liability for a hospital. Risk managers often play a direct role in developing policies and procedures that relate to disaster-related standards of care, modification of the privileging and credentialing process, and negotiation of mutual-aid agreements with other hospitals.

Understanding Terms: Emergencies, Disasters, and Other Events

Risk managers must understand the difference between "disasters" and "emergencies." While the general public sometimes uses the words interchangeably, the terms have different meanings in the emergency preparedness field. "Disasters" are a subset of "emergencies." A disaster is a type of emergency that overwhelms an individual hospital and requires outside assistance. An emergency, conversely, is an unexpected event that disrupts a hospital's ability to provide care but does not require outside assistance beyond, perhaps, a hazmat team or the local fire department (see Disasters and Emergencies: Definitions from Governmental and Accrediting Bodies). This distinction is particularly important for hospitals because some Joint Commission standards require different responses to emergencies and disasters (e.g., in the handling of temporary credentialing and privileging procedures). Risk managers should understand that different events trigger different responses and varied access to helpful resources. Understanding these differences can help the risk manager provide advice from a risk management perspective as events unfold. No matter how it is defined, a successful response to an emergency requires advance planning.

This guidance article uses the word "disaster" only if the term is specifically used in a Joint Commission standard, other official recommendations, or governmental emergency preparedness programs. Otherwise, the words "emergency," "incident," or "event" are used. For explanations of abbreviations used in the context of this guidance article, see Abbreviations Used in This Article.

Integrated Health Systems

The CMS regulation permits integrated health systems to have a unified EOP (CMS "Final Rule" §482.15[f]). The integrated EOP must "demonstrate that each separately certified healthcare facility within the system actively participated in the development of the program" (CMS "Final Rule" §482.15[f][1]). Each facility can implement the EOP, and each facility should demonstrate compliance with the EOP (CMS "Final Rule" §482.15[f][3]). The four key elements of the plan must be completed as follows:

(1) An integrated health system must complete a hazard vulnerability assessment (HVA), and each individual facility must also complete an HVA (CMS "Final Rule" §482.15[f][5]).

(2) The unified EOP must include policies and procedures that address the specific needs of each type of facility within the system, including the unique circumstances, patient population served, and services offered (CMS "Final Rule" §482.15[f][2]).

(3) The unified EOP must include a coordinated communication plan. The information communicated should include the location of staff and patients both during and after an emergency or disaster. The regulation excludes some provider types from tracking patients after an emergency when they were transferred to a different facility (CMS "Final Rule" §482.15[b][2]). The transferring entity must, however, retain documentation of the specific name of the receiving facility.

(4) Training and testing will be coordinated, in the hope of leveraging coalition resources, including cost- and time-saving efficiencies.

Regulations and Standards

CMS Requirements

Prior to 2016, healthcare facilities had been moving toward more comprehensive emergency management planning. Organizations had been developing more links to the broader community and switching to an "all-hazards" planning process, which shifts the emphasis from planning for a particular type of emergency to delineating the common features of and common strategies to be used when responding to all types of emergencies. These shifts came about as a result of changes in Joint Commission standards and recommendations of the National Fire Protection Association (NFPA), combined with requirements mandated by federal hospital preparedness grants and federal guidance, as well as the national preparedness programs, all of which are community based and use all-hazards planning (ASPR TRACIE "Hospital Preparedness Capabilities"). Since CMS issued the final rule on emergency preparedness, many of the strategies that were previously optional are now mandatory.

Federal Funding Requirements

The U.S. Department of Health and Human Services (HHS) created the Hospital Preparedness Program (HPP) in 2002 to provide grants to help organizations prepare for bioterrorism and public health emergencies, such as pandemics, by increasing stockpiles of equipment, supplies, and pharmaceuticals (CDC "Pandemic"). HPP promotes, through regional collaboration, sustained national focus on improved healthcare preparedness and response and improved patient outcomes. It also aims to minimize the need for supplemental state and federal resources during emergencies and to enable rapid recovery in the wake of emergencies and disasters. In 2004, the program shifted to an all-hazards, capabilities-based approach. This meant that hospitals had to do more than simply purchase equipment or supplies; they needed to demonstrate the capability to perform core functions common to all responses. (CDC "Strategic") To date, over $5.3 billion has been invested to fund the HPP (ASPR TRACIE "Hospital Preparedness Program"). 

Hospitals that seek HPP funding support regional efforts to help patients "receive the right care at the right place at the right time." More than 86% of the nation's hospitals participate in HPP. (ASPR TRACIE "Hospital Preparedness Capabilities") HPP members must participate in a healthcare coalition (HCC). All coalitions must include four core member types: hospitals, local health departments, emergency management organizations, and emergency medical services (CDC "2017-2022").

HPP participants must also commit to working within the National Incident Management System (NIMS). NIMS was developed to help government, the private sector, and nongovernmental organizations work together "to prepare for, prevent, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, in order to reduce the loss of life, property, and harm to the environment" (ASPR TRACIE "NIMS Implementation"). According to FEMA, NIMS "provides stakeholders across the whole community with the shared vocabulary, systems, and processes to successfully deliver the capabilities described in the National Preparedness System." (FEMA "Top 5") Additional frequently asked questions about NIMS are available through FEMA (see Resource List).

FEMA outlines a process for the whole community to conduct preparedness activities to achieve the National Preparedness Goal of a "secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk" (FEMA "National Preparedness Goal"). Steps in the National Preparedness System include the following:

  • Identifying and assessing risk
  • Estimating capability requirements
  • Building and sustaining capabilities
  • Planning to deliver capabilities
  • Validating capabilities
  • Reviewing and updating all capabilities

The "whole community" means that the emergency operational plan is guided by two principles: "involving people in the development of national preparedness documents" and "ensuring their roles and responsibilities are reflected in the content of the materials" (FEMA "Whole Community"). Among other things, this means hospitals participating in the HPP must undertake the following:

  • Participate in interagency mutual-aid or mutual-assistance agreements
  • Promote and ensure proper hospital processes, equipment, communications, and data interoperability to facilitate the collection and distribution of accurate information with local and state partners during an incident
  • Manage all emergency incidents, exercises, and preplanned events with consistent application of incident command system (ICS) organizational structures, doctrines, processes, and procedures

The ICS is a management methodology that allows a hospital to manage and respond to an emergency incident such as a terrorist attack or flooding. ICS was adapted for hospitals in 1987. Since then, what was originally termed the Hospital Emergency Incident Command System (HEICS) has been modified by dropping the letter "E" from the acronym to make clear that a Hospital Incident Command System (HICS) can be applied to both emergent and nonemergent situations.

HPP program measures include the following (FEMA "Developing and Maintaining"):

  • Having redundant, interoperable communications systems in place among hospitals, public health agencies, and emergency managers
  • Being able to report the number of beds available within 60 minutes of a request
  • Having plans for surge capability, hospital evacuation, as well as shelter of patients and staff

Joint Commission

Joint Commission's Seven Critical Areas

Joint Commission has identified seven critical areas that a hospital must be able to manage during any and every type of emergency. Discussed in detail later in this guidance article, they include the following:

  • Communications
  • Resources and assets
  • Safety and security
  • Staff responsibilities
  • Utilities
  • Patient clinical and support activities
  • Disaster volunteer management

Although not all organizations are Joint Commission accredited, the agency's standards represent good practices that are worthy of consideration. Joint Commission emergency management (EM) standards identify four phases of emergency preparedness: mitigation, preparedness, response, and recovery. Mitigation and preparedness generally occur before an emergency, while response and recovery occur during and after an emergency, largely guided by the HICS.

Joint Commission requires hospitals to use an all-hazards approach to their emergency preparedness processes—that is, hospitals must be able to manage everything from a temporary utility outage to a catastrophic natural or human-made event. However, not all hazards are equally likely; nor will all hazards have the same impact on a hospital. Thus, Joint Commission requires hospitals to perform an HVA once a year. Properly done, the HVA will identify potential hazards and their impact, as well as the hospital's vulnerabilities to the impact. Both the effect on the demand for the hospital services and the hospital's ability to provide those services should be evaluated (Joint Commission "Comprehensive Accreditation Manual"). Joint Commission also requires that organizations develop an incident command structure that integrates with the community-based command structure (Joint Commission "Comprehensive Accreditation Manual"). Additional resources on incident command structures, specifically the refreshed NIMS, are available on the NIMS page at the FEMA website (FEMA "NIMS"). Many Joint Commission requirements for hospitals are not applicable to nursing homes, physician offices, and other settings. Risk managers are advised to consult Joint Commission standards applicable to the organization.

National Fire Protection Association

NFPA has one code and one standard that specifically address emergency preparedness. Like Joint Commission, however, NFPA has other codes and standards that affect emergency preparedness, such as the fire-related requirements of the Life Safety Code. NFPA's "Health Care Facilities Code" (NFPA "99") was completely rewritten and expanded in 2012 to correlate with Joint Commission emergency management standards, as well as to incorporate lessons learned from recent disasters (NFPA "Committee on NFPA 99"). The 2018 edition incorporates technical changes and new technologies and materials. NFPA 99 continues to require an organization to conduct an emergency preparedness HVA to evaluate management of critical resources and assets.

The 2016 edition of NFPA's Standard on disaster/emergency management and business continuity programs (NFPA "1600") addresses general (rather than hospital-specific) aspects of emergency management and six critical emergency management areas (the seventh critical area, disaster volunteer management, was added in 2018).





The Emergency Planning and Community Right-to-Know Act, enforced by the U.S. Environmental Protection Agency (EPA), specifically addresses the role of hospitals when a release of hazardous chemicals occurs anywhere in the community at large. The community emergency response committee is required to designate certain hospitals to treat people contaminated by the chemicals. Among other things, such hospitals must have an on-site decontamination facility, communication systems to notify the hospital from the scene of the contamination, all necessary supplies, and specially trained personnel. Designated hospitals must coordinate their training and preparation with the community emergency response committee.

The U.S. Occupational Safety and Health Administration (OSHA) requires hospitals to develop emergency action plans for fires, for the release of hazardous materials, and, for example, for the use of ethylene oxide. OSHA requires hospitals to provide employees with appropriate personal protective equipment, such as respirators, when dealing with an emergency involving infectious airborne agents. For more information on OSHA requirements, see the guidance article OSHA Inspections, Citations, and Penalties.

State and Local Requirements

Every state has an agency or office responsible for coordinating the state's response to emergencies and disasters and for working with the federal government in these circumstances. Many local jurisdictions have emergency management offices. Similarly, state and local public health departments are also involved in emergency preparedness planning for public health emergencies. Additionally, 72 or more major urban areas have federally funded metropolitan medical response systems that help the community prepare for mass-casualty events. Hospitals should be working with these groups, because catastrophic events will require a coordinated response by all emergency responders and healthcare providers, not just by hospitals but also by nursing homes, clinics, doctors' offices, and more. (National Academies)

State laws and licensing standards typically require, fund, or strongly encourage hospital emergency preparedness, usually setting forth various minimum standards regarding the maintenance of an emergency plan. Such standards address the following (Finan):

  • Shelter-in-place procedures
  • Evacuation procedures
  • Measures for receiving an influx of patients (surge)
  • Procedures for ensuring that medical records are adequately maintained and accompany patients during evacuation
  • Requirements dealing with the interruption of utilities and after-life care

Hospitals and nursing facilities may be required to have the ability to shelter patients and staff in place for certain periods. In addition, organizations need to ensure they have a means, in the event of an evacuation, to release patient information as permitted under 45 CFR § 164.510.

For more information, see the guidance article Evacuation.

States also have the ability to declare states of emergency or disaster, and such declarations affect the manner of response and availability of resources. State emergency declarations may waive certain laws (e.g., privacy laws) and determine the extent of responsibility and liability for harm (e.g., standards of care) that arises during an incident. Some legal analysts and state policymakers address qualified standards of care, variously known as disaster, adjusted, or altered standards, or—the term that this guidance article will use—crisis standards of care. Because negligence is based on state law, any state crisis standards of care (CSCs), policy guidance, or recommendations will affect legal determinations of liability for hospitals and healthcare providers during disasters.

Action Plan

Evaluate the Approach of the Emergency Operations Committee

Action Recommendation: Ensure that the risk manager participates with the emergency operations committee (EOC).

Potential Emergency Operations Committee Members

EOC membership could include personnel from departments such as the following:

  • Risk management
  • Administration
  • Admissions
  • Emergency department
  • Information technology
  • Pharmacy
  • Public relations
  • Materials management
  • Medical staff
  • Nursing
  • Infection control
  • Facilities
  • Engineering
  • Safety
  • Purchasing
  • Security

Hospitals should have an established EOC to coordinate emergency operation efforts within the hospital or healthcare system, as well as to plan activities with nearby healthcare facilities; local, state, and federal agencies; and others. The EOC should, at minimum, include representatives with operational knowledge of and decision-making authority for Joint Commission's Seven Critical Areas. If the risk manager is not a member of the EOC, it is recommended that he or she be included in meetings periodically to ensure familiarity with key personnel and the EOP. See Potential Emergency Operations Committee Members for a list of personnel.

The EOC may wish to create subcommittees representing Joint Commission's seven critical areas to ensure that all important aspects of advance planning and preparation have been addressed. Input from the local emergency planning agency, public health agencies, local media, the American Red Cross, police and fire departments, and utility companies should be solicited to assist the EOC in developing the EOP. While these groups may not always be able to serve on the committee, a draft of the EOP should be sent to them for review.

Risk managers should be available to the EOC to assist with review of Joint Commission, NFPA, and NIMS requirements, as well as federal, state, and local laws relating to emergency management and response. EOC members should also pay particular attention to any state bar association guidance in these matters, including liability issues, mutual-aid agreements, and memoranda of understanding.

It is recommended that the risk manager distribute this guidance article to members of the EOC, any subcommittees, individuals with specific responsibility within the HICS, and top management.

Disaster Coordinators

A national review of hospital preparedness found that hospitals that had hired full- or part-time disaster coordinators (often using HPP funding) were among the most prepared (Toner et al.). In addition to serving on the EOC, disaster coordinators can provide sustained and expert knowledge of preparedness and response planning efforts, including interacting with hospital leaders at the executive level, coordinating preparedness activities within the hospital and with regional health coalitions, and interacting with the state-level HPP coordinator. Disaster coordinators who had both involvement in the day-to-day preparations (e.g., planning, drills, stockpile management) and access to hospital leadership were found to be the most effective (Toner et al.). The current challenge in healthcare preparedness is catastrophic health events. (Toner and Hansen)

Clinical Care Committee

The EOC should consider whether to recommend the creation of a separate clinical care committee or subcommittee that would determine how a hospital's resources can be best used to meet community needs and develop clinical policies and procedures required to support the response to an emergency. Membership on the clinical care committee will vary depending on the size of the hospital, the type and duration of an incident, and the scope of the challenges entailed. In addition to the chief medical officer, members could include representatives from administration, medical staff, nursing, pharmacy, respiratory therapy, infection control, critical care, emergency medicine, legal, affected specialties (such as pediatrics or burn care), and facilities.

By identifying possible committee members before an event occurs, the committee can work on an ongoing basis with the EOC to identify potential scarce resources, related strategies, and recommendations. In specialized clinical areas (e.g., pediatrics, trauma, burn units), expertise itself will be a scarce resource and, because local specialists will be occupied with incident-related patients, advance planning with facilities in other geographic areas to provide telemedicine or hotline support can be useful. In preparation for mass-casualty events, planning for this type of support should be a priority at the regional or state level, and activation and operational policies should be established prior to an incident. (IOM)

Evaluate the Emergency Operations Plan

Action Recommendation: Confirm that the EOP is reviewed and updated, if necessary, at least annually.

Action Recommendation: Ensure that the EOP addresses key components of preparedness, mitigation, response, and recovery.

Action Recommendation: Evaluate how the hospital's EOP fits within the local, regional, and state emergency management programs.

Action Recommendation: Encourage the hospital to join a healthcare coalition.

Action Recommendation: Prepare for use of volunteer healthcare providers and nonclinical personnel.

Action Recommendation: Ensure that a process is in place for granting temporary privileges to medical staff.

Action Recommendation: Work with the ethics committee to establish CSCs and protocols for triage during disasters, and incorporate these standards and protocols into the EOP.

CMS requires EOPs to address the three key responsibilities of effective emergency planning: safeguarding human resources; maintaining business continuity; and protecting physical resources (CMS "Final Rule"). To accomplish these goals, CMS outlines four components of an effective healthcare provider's EOP:

  • Conducting an HVA
  • Developing consistent policies and procedures
  • Establishing an effective communications plan
  • Conducting sufficient training and testing of the EOP

Hospital readiness is complicated because many hospitals are accredited and must adhere not only to CMS regulations but also to accrediting body standards. In accordance with Joint Commission standard EM.02.01.01, an EOP should be "sufficiently nimble to address a range of emergencies of different duration, scale, and cause."

Emergency planning is an ongoing process. In addition, access to resources may change, personnel needs and availability may change, and community infrastructure (e.g., road damage) may alter the effectiveness of an EOP. To address these and other changes, CMS requires an annual HVA. For accredited organizations, Joint Commission standard EM.03.01.01 requires hospitals to conduct an annual HVA to identify "risks, hazards, and potential emergencies that may arise in the next 12 months using an all-hazards approach." Important elements of an all-hazards approach to emergency planning include "developing an EOP that is flexible and scalable enough to adapt to a wide variety of disasters; focuses on the continuity of essential services that must remain consistent regardless of the disaster; and assesses the risks most likely to affect an individual facility and community." (CMS "State Operations Manual") Once the HVA is completed, the organization must then compare the HVA findings to the scope, objectives, and planned interventions of the EOP. Any gaps or discrepancies should be corrected. Often, hospitals do not act alone when responding to an emergency; therefore, regional and state coordination in developing and exercising the EOP is essential. Organizations need to incorporate community-based HVA strategies into their individual EOP. (42 CFR § 482.15[a][1])

Emergency preparedness involves three strategies: planning, implementation, and assessment. Joint Commission standard EM.01.01.01 identifies four phases of emergency management: preparation, mitigation, response, and recovery. NFPA adds one additional phase between response and recovery (NFPA "1600" §1.1.2): continuity. When evaluating current operational challenges raised during emergencies and disasters, remember that the EOP should address different actions to be taken during each of the four or five phases. The EOP must identify alternative care sites (ACSs) for patient care—a key component in preparing for medical surge. Finally, the EOP must be updated as needed to incorporate opportunities for improvement based on findings from both facility- and community-based HVAs and findings from drills and actual events.

The written EOP, which is just one component of a hospital's emergency preparedness program, must describe how a hospital will manage all of Joint Commission's Seven Critical Areas as defined in Joint Commission standard EM.02.01.01.

Although no EOP can provide specific response instructions for a particular emergency, the plan should provide flexibility for staff to apply the critical thinking skills necessary to anticipate and respond to any emergency (MHA). All employees and medical staff, not just EOC members and department heads, must know and understand the EOP.

Key Phases of Emergency Preparedness

Phase 1: Preparedness. Preparedness consists of ongoing planning and associated actions that will increase an organization's resiliency—its capacity and capability to respond to, and recover from, a hazard's impacts. As with mitigation, preparedness can also extend to building design. An example is a 14-story tower built for Rush University Medical Center in Chicago that includes features designed to address bioterrorism and pandemic infections. The building includes ambulance bays that can be converted to large decontamination rooms; pillars in the lobby equipped with hidden panels for oxygen and other gases (thus permitting the lobby to be used for more beds and treatment); and the ability to switch airflows to exhaust airborne agents high above street level so that entire quadrants can be isolated. (Rubin)

Joint Commission specifically requires hospitals to implement, in advance, all EOP components that require prior preparation in order to manage and provide for the seven critical areas during an emergency. Among other Joint Commission–related preparedness activities, the hospital must ensure that its ICS is integrated into, and consistent with, the community's command structure and that individuals with official roles (e.g., the incident commander) have received the proper, NIMS-compliant training. In addition, preparedness includes all training, drills, and exercises; these are performed to stress and evaluate the EOP.

Hospitals can undertake additional preparedness activities pertaining to legal and insurance matters. The 2016 edition of NFPA 1600 also suggests that recovery planning take into account issues such as the succession of individuals in leadership and other key roles, the predelegation of authority to leadership to act and to redelegate authority, steps that the facility can take to help personnel respond quickly (e.g., developing standard operating procedures for alerting, notifying, locating, and recalling personnel; delegating disaster or emergency assignments, responsibilities, and emergency duty locations), and the preparation of measures to protect resources, facilities, and personnel.

Phase 2: Mitigation. Mitigation consists of all activities that reduce or eliminate the probability of a hazard occurring or eliminate or reduce the hazard's impact if it does occur. Mitigation activities reduce loss of life and property by lessening the impact of disasters. An effective mitigation effort should begin with, and be based on, the HVA, as this will help the disaster coordinator and EOC prioritize issues during follow-up mitigation and preparedness planning (ASPR TRACIE "Management").

Mitigation elements should always be considered when constructing new buildings or rehabbing existing ones. In addition to providing advice on complying with applicable building codes, FEMA and others have developed design guides and other tools that can assist planners. For example, FEMA notes that winds habitually overturn improperly attached roof-mounted ventilation, air conditioning, and radio communication equipment (e.g., satellite dishes) and can change airflow from ventilation, whereas sewers tend to back up or break down during floods and earthquakes. (FEMA "Design Guide")

NFPA suggests mitigation strategies such as using applicable building construction standards to evaluate opportunities for improvement. Strategies include relocation, retrofitting, or removal of structures at risk (e.g., moving backup generators from areas susceptible to flooding); provision of protective systems for equipment at risk; and redundancy or duplication of essential personnel, critical systems, equipment, information, operations, or materials (NFPA "NFPA 99").

Other mitigation activities include the following:

  • Maintaining ongoing programs of environmental assessment, such as regular environmental, safety, and security rounds or a building maintenance program to identify potential problems before they occur—increased frequency in environmental rounding may be necessary during an actual emergency
  • Establishing programs for testing, inspection, and preventive maintenance of backup systems and facility safety and security features
  • Reducing the use of hazardous materials (including mercury), properly training handlers to prevent spills and leaks, and optimally designing storage rooms and cabinets to ensure proper storage or disposal
  • Installing and monitoring facility security through access control and perimeter security systems—increased frequency in security rounds may be necessary during an actual emergency

Phase 3: Response. Phase 3 includes the activities that directly address the hazard's impact, including actions taken immediately in anticipation of a slowly evolving incident (such as a hurricane making landfall at a foreseeable time) and actions taken during and after an impact has occurred. The response phase also proceeds based on the hospital's ICS. Response focuses on saving lives, protecting property and the environment, and meeting basic human needs after an incident.

Phase 4: Recovery. Phase 4 activities restore the hospital to "normal" after a major incident. This phase of emergency management also proceeds based on the hospital's ICS. Recovery focuses on maintaining continuity of care and restoring important community assets after an incident. Systems such as adequate staffing, shelter, infrastructure, and health and social services need to return to their preemergency status.

Coordination with the Broader Community

As emergency preparedness emerged as a high-profile concern for healthcare organizations nationwide, many experts emphasized the need for hospitals to work with other organizations in their communities to coordinate plans and ensure the most efficient, effective care possible in emergencies. Many such arrangements have evolved beyond informal discussions to formal operational HCCs.

One of the most significant factors contributing to the improved level of healthcare emergency preparedness across the nation has been the cooperative relationships occurring within individual hospitals and among neighboring hospitals, public health departments, emergency preparedness agencies, and other parties. This networking led to the emergence of formal HCCs. EOCs at hospitals that are not already participating in an HCC should consider joining one or working to form one as CoPs now require Medicare and Medicaid providers to coordinate with the broader community to develop and maintain emergency preparedness. HCCs are one of the cornerstones of national healthcare emergency preparedness. These coalitions have been extremely successful in planning and conducting disaster exercises, as well as demonstrating operational response functions during actual incidents.

EOP interventions that include the broader community should be practiced. Organizations should document efforts to contact community emergency agencies regarding conducting disaster drills. In addition, during an actual emergency, organizations should document the efforts they make to contact emergency agencies (e.g., date and time called, name of agency and contact, whether a message was left). (CMS "Final Rule" §482.15[a][4])

Over the past two years, California has faced a variety of disasters, including multiple wildfires, flooding, and mudslides. The Disaster Resource Center (DRC) coalition in Los Angeles, California, assists providers in coordinating large-scale disaster response. Los Angeles County has more than 100 acute care hospitals serving 10 million people; it received a federal grant to coordinate planning, training, exercises, and participation in developing a regional disaster plan. The DRC coordinates surge capacity planning, facilitates drills and exercises, stockpiles pharmaceutical caches, procures supplies, coordinates staff sharing, conducts personal protective equipment and decontamination training, and facilitates communications planning. The coalition has also developed regional disaster plans and a software system for resource and bed tracking; facilitated increased interhospital communication; and provided funding for staff and disaster coordinators at participating hospitals. For more information, see the California Hospital Association Hospital Preparedness Program Checklists & Tools.

Disaster Volunteer Management

Hospitals that cannot meet the immediate needs of their patients often rely on disaster volunteers who may be licensed independent practitioners (LIPs) or non-LIPs who are legally required to have a license or other certification. Because the usual credentialing and privileging processes cannot be performed during a large-scale emergency (e.g., mass-casualty event), Joint Commission standards EM.02.01.13 and EM.02.02.15 allow for a modified process once the EOP has been activated. Criteria include verification of licensure or other certification required to practice a profession and oversight of the care, treatment, and services provided. Medical staff bylaws must identify which individuals are responsible for granting disaster privileges for LIPs, and the hospital must do the same for non-LIP disaster volunteers.

There is help. The Emergency System for Advance Registration of Volunteer Health Professionals (ESAR-VHP) helps preregister volunteer health professionals and verifies their credentials and qualifications in advance of an emergency. All 50 states have operational ESAR-VHP systems with registered volunteers who can be deployed within 24 hours. The usual deployment lasts two weeks. The ESAR-VHP program is administered at the state level.

A medical reserve corps (MRC) is also housed within the office of the Assistant Secretary for Preparedness and Response (U.S. HHS). The MRC had nearly 200,000 volunteers in 982 units across all states and reported participation in approximately 15,440 local activities in 2017. Together, these two units—ESAR-VHP and the MRC—can provide volunteer public health and medical capability coverage to 91% of the U.S. population (ASPR TRACIE "Medical Reserve Corps").

Before any volunteer can provide patient care, the hospital must obtain a valid government-issued photo identification (ID), such as a driver's license; at least one proof of licensure such as a current picture ID from a healthcare organization; ID indicating that the individual is a member of a recognized state or federal response organization (e.g., ESAR-VHP or a disaster medical assistance team); or confirmation by a currently privileged hospital practitioner or by a staff member with personal knowledge of the volunteer practitioner's ability to act as an LIP volunteer practitioner during a disaster.

A safe and effective emergency volunteer program has several elements and should do the following:

  • Describe how the permanent medical staff will be able to distinguish volunteers from hospital staff
  • Outline the process for supervising volunteers
  • Outline criteria that help staff determine, within 72 hours, whether disaster privileges or responsibilities granted to volunteers should continue (this decision is based on the observation and supervision activities)


Medical Staff Credentialing and Privileging

Policies and procedures must address the use of volunteers in an emergency and other emergency staffing strategies, including the process for integration of state or federally designated healthcare professionals to address surge needs during an emergency (42 CFR § 482.15[b][6]). A variety of legal issues need to be addressed regarding the use of volunteers, such as workers' compensation coverage, malpractice coverage, OSHA requirements, financial arrangements for payment, and liability. Risk managers should ensure that these areas have been properly addressed. For example, hospitals can develop a letter of agreement covering such issues as the volunteer's relationship to the healthcare organization and the time limits for that relationship or a waiver of compensation and indemnifications granted by local laws or statutes. Many state bar associations have done work on these matters. For more information, see the guidance article Medical Staff Credentialing and Privileging.

Crisis Standards of Care

Surge capacity is the ability to expand patient care capabilities in response to a sudden or prolonged demand and is a crucial component of an emergency management program. Surge capacity encompasses such things as the number of potential patient beds; available space (e.g., single rooms that may be converted into doubles, or cafeterias or ACSs); the availability of all types of healthcare personnel; and the availability of necessary pharmaceuticals, medical equipment, and supplies. (Joint Commission "Health Care")

Federal preparedness planning includes funding and guidance to help hospitals prepare for surge capacity. Hypothetical scenarios sometimes address catastrophic health events with truly horrific numbers of casualties. This type of planning is being done at the regional level as well, anticipating medical responses from all hospitals and healthcare systems in a given area. For many hospitals, just a few more casualties than usual can cause them to reach surge capacity. For example, most hospitals in Canada may begin to fail if five or more critically injured patients arrive simultaneously (McAlister), and in England, the Royal London Hospital received 194 casualties from the July 2005 terrorist attacks and resuscitation room capacity was reached within 15 minutes (Aylwin).

A variety of federal and state resources are available to assist hospitals. Preparing for a medical surge, especially at mass-casualty levels, cannot be done in isolation; rather, hospitals should work with local and state emergency agencies, existing HCCs, nearby hospitals, and other relevant response partners to assess the need for the following (ASPR TRACIE "Hospital Preparedness Capabilities"):

  • Additional medical equipment, pharmaceuticals, and other patient care supplies
  • Equipment that assists with the provision of specialized medical evaluation and care such as pediatrics, burn, and trauma care equipment and supplies or mobile assets to supply services such as radiology or pharmacy
  • Mobile teams of healthcare professionals and mobile caches of equipment and/or supplies
  • Mobile trailers or shelters to provide space for treatment of patients, storage of surge supplies, and resources for emergency communication
  • Decontamination assistance
  • Equipment that can deliver power, heating, ventilation, air conditioning, and potable water, as well as equipment that can provide food storage and equipment to sustain essential patient services
  • Systems that can provide redundant communication and information management capabilities (e.g., failover and backup, remote site hosting)

The EOP must identify ACSs for patient care—a key component in preparing for medical surge. ACSs are used to provide medical care outside hospital settings for patients who would normally be treated as inpatients and to triage patients. They may also help in managing matters unique to a particular mass-casualty event, such as the distribution of vaccines or quarantining of infectious patients. (ASPR TRACIE "Considerations")

ACSs may be either fixed or mobile. Fixed sites are nonmedical buildings, such as hotels, armories, or auditoriums that are close enough to the hospital and the right size to be adapted to provide medical care (Joint Commission "Health Care"). Mobile medical facilities are either tractor-trailer-based specialized units with surgical and intensive care capabilities or fully equipped hospitals stored in container systems.

Risk managers should consider several issues when reviewing their facilities' identified ACSs, including the level and scope of medical care to be delivered, the physical infrastructure required, staffing requirements for the delivery of such care, the medical equipment and supplies needed, and the management systems required to integrate such facilities with the overall delivery of healthcare (GAO). However, although most ACSs are used for patient care, some may also be used for patient evacuation, which requires different plans, staffing, and resources (MHA).

Conduct an All-Hazards Vulnerability Assessment

Action Recommendation: Ensure that both a facility-based and a community-based HVA are completed at least annually.

Action Recommendation: Evaluate the findings of both the facility-based and community-based HVAs.

Action Recommendation: Confirm that the EOP is consistent with the findings of both HVAs.

Action Recommendation: Review EOP policies and procedures to ensure consistency with the all-hazards focus of the HVA at least annually.

NFPA HVA Checklist

NFPA A5.2.1 outlines steps that should be used in conducting a comprehensive HVA, including the following:

(1) Determine the methodology the entity will use to conduct the assessment and determine whether the entity has the necessary expertise to perform the assessment.

(2) Consult with internal or external experts to assess the vulnerability of the entity's assets to identified hazards.

(3) Identify and categorize assets (e.g., human resources, buildings, equipment, operations, technology, electronic information, suppliers, vendors, third-party service providers).

(4) Identify threats and hazards—natural, human caused (accidental and intentional), and technology caused.

(5) Evaluate hazard and risk exposures to which the entity is exposed.

(6) Assess the existing current preventive measures and mitigation controls against credible threats.

(7) Categorize threats, hazard and risk exposures, and potential incidents by their relative frequency and severity. Keep in mind that many combinations of frequency and severity may be possible for each, as well as cascading impacts.

(8) Evaluate the residual hazard and risk exposures (those that remain hazardous after prevention and mitigation activities).

In accordance with CMS regulations, organizations should conduct both a facility- and a community-based HVA on at least an annual basis (CMS 42 CFR § 482.15[a][1]). The HVA should focus on "the capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters." The assessment should evaluate the patient population, "including but not limited to, persons at risk, the types of services that the facility would be able to provide in an emergency, continuity of operations, including delegations of authority and succession plans" (CMS "Final Rule"; 42 CFR § 482.15[a][3]).

Joint Commission, NFPA, FEMA, and others also require or recommend that hospitals conduct an annual HVA (see NFPA HVA Checklist for an example). According to Joint Commission standard EM.01.01.01, the HVA should "identify potential emergencies that could affect demand for [the organization's] services or its ability to provide those services," decide how likely the threats are, and assess their potential impact on operations. When working with community partners to prioritize the emergencies identified in the HVA, hospitals must determine which partners are critical to maintain safe operations. Joint Commission requires hospitals to communicate to community emergency response agencies about identified needs and vulnerabilities.

Types of hazards. When conducting an all-hazards assessment, hazards are often divided into categories. For example, NFPA 99 distinguishes between natural hazards (e.g., geological, meteorological, and biological), human-caused events (e.g., accidental or intentional), and technological events. A hospital may face multiple disasters simultaneously—hurricanes are often accompanied by flooding, and earthquakes may be followed by tsunamis in coastal communities.

FEMA, like other government agencies and educational institutions, has maps and statistics that can help emergency planners identify the probability of many natural hazards. While most risk managers and EOC members may have an understanding of many of the natural hazards their hospital might face (e.g., hospitals in "Tornado Alley" are likely familiar with this hazard), it is wise to do more research. For example, while 90% of American seismic activity occurs in southern California and western Nevada, 39 states are considered to include areas that face a moderate to major threat of a major earthquake (Erickson). Similarly, in the past 10 years, disastrous river flooding has occurred far more frequently than the 100-year flood event statistics would predict, according to the U.S. Geological Survey (Dinicola).

When evaluating potential hazards, an important distinction is whether a hazard is internal to the facility, such as a fire or the loss of electricity, or external. External incidents may affect the structural and nonstructural integrity of the hospital itself, damage or destroy an entire community, or have no structural effect on the hospital at all, such as in the event of a school shooting. External events may involve a high number of casualties or very few. Some external events evolve slowly, such as infectious disease epidemics or hurricanes; these disasters give hospitals (and the overall community) time to activate plans in an orderly fashion, adjust resources, and request and obtain outside assistance. However, other events, such as a bridge collapse, bombing, or mass-casualty shooting, provide little to no notice and evolve rapidly. Because staff must respond immediately, with little to no time to prepare, these events benefit most from planning, drills, and the ability to rapidly mobilize resources. (Roccaforte and Cushman) For more information, see Types of External Emergencies and Disasters.

HVA tools. Many tools are available to perform an HVA, such as the Kaiser Permanente HVA. Typically, these tools ask the user to rank such things as the probability of a hazard; the human, property, business, and medical care impact; the building's structural and nonstructural vulnerabilities (windows and facades or mechanical, electrical, and piping installations); and the facility's current level of preparedness (e.g., staff training, availability of internal and external resources).

Technology risks should also be considered when looking at vulnerabilities. FEMA's most recent analysis of overall national preparedness, which includes industries other than healthcare, indicates that cybersecurity is one of the nation's biggest gaps in coverage (FEMA "National Preparedness System").

The All-Hazards Approach in Policies and Procedures

CMS requires development of policies and procedures that support the HVA process and the comprehensive implementation of the EOP. If the EOP is modified after the annual HVA, policies and procedures should also be reviewed and revised, if necessary.

Several key elements must be included in policies and procedures that support the EOP. For example, policies must address providing subsistence needs for staff and patients in case they are expected to shelter in place. The required items include food, water, and medical and pharmaceutical supplies. Other environmental factors must also be addressed, such as alternative energy sources to maintain temperatures to protect patient health and safety, to maintain the safe and sanitary storage of provisions, to provide emergency lighting, to detect fire, and to set and extinguish alarms. (42 CFR 482[b][1][i‐ii][A‐C]) For more information on emergency power, see Emergency and Stand-by Power Systems. Organizations should also prepare for maintaining sewage utilities and hazardous waste disposal during emergency events (CMS "Final Rule" §482.15[b][1][ii][D]).

Organizations should have policies and procedures regarding the following (CMS "Final Rule"):

  • Sheltering in place for patients, staff, and volunteers (§482.15[b][4])
  • Supporting medical documentation that preserves patient information, protects the confidentiality of patient information, and secures and maintains availability of records (§482.15[b][5])
  • Assisting the organization with providing information about the general condition and location of patients under the facility's care, as permitted under shelter-in-place regulations (§482.15[c][6])

Evaluate the Communication Plan

Action Recommendation: Ensure the communication plan includes alternative means for communicating with critical stakeholders.

Action Recommendation: Test alternative communication methods.

Action Recommendation: Ensure that the ICS is flexible enough to address both large- and small-scale emergencies.

In every recent disaster, the number one lesson learned seems to center on communications, not just the well-reported instances of communication system failures but also the need for strategic information: Who needs to know what? When do they need to know it? And who will tell them? (MHA)

The new regulations require an enhanced communication plan that outlines how healthcare providers and suppliers will communicate during an emergency or disaster. Organizations must have "a system to contact appropriate staff, patients' treating physicians, and other necessary persons in a timely manner to ensure continuation of patient care functions throughout the facilities and to ensure that these functions are carried out in a safe and effective manner." (CMS "Final Rule") The communication plan must also include primary and alternate means for communicating with hospital staff and with federal, state, tribal, regional, and local emergency management agencies (CMS "Final Rule" §482.15[c][3]).

The emergency preparedness communication plan must be reviewed and updated, if necessary, at least annually (CMS "Final Rule" §482.15[c]). The communication plan must include the names and contact information for staff; entities providing services under arrangement; patients' physicians, other hospitals, and critical access hospitals; and disaster volunteers (CMS "Final Rule" §482.15[c][1]).

The communication plan should incorporate strategies for sharing demographic and medical information about patients with other healthcare providers, and for making sure that the process for sharing information will meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) for release of information during emergencies (CMS "Final Rule" §482.15[c][4-5]). The plan should also include a process for providing to the incident command center, or its designee, information about the hospital's occupancy, needs, and ability to provide assistance (CMS "Final Rule" §482.15[c][7]).

In accordance with Joint Commission standard EM.02.02.01, a hospital's EOP must address how it will communicate during emergencies. Once the EOP has been activated, the public information officer and communications officer, both specific positions within the ICS, typically serve as conduits for information to internal and external stakeholders, including staff, visitors, families, and news media. The organization must plan for how information will be disseminated. Large medical systems should have a plan in place for notifying satellite sites as needed of the activation of the EOP. Disasters such as the World Trade Center attack and Hurricane Katrina exposed major weaknesses in telephone, cell phone, and police and fire radio networks. Redundant communication systems are needed (e.g., satellite phones for external communication, radio phones for internal communications) when cell phone towers become unavailable (Larkin). Meeting in advance with local radio and television stations to establish plans for mass notification of the public or of facility staff will make the process easier if it must be implemented during a real emergency (MHA).

Using social media, such as the organization's official Facebook or Twitter account, to provide information to the public in real time may help correct and clarify erroneous information or rumors. Apps for smartphones and tablet computers, hotlines, text messaging, and email can be quick ways to provide both internal and external communication. Unless otherwise authorized by the incident commander, the designated public information officer should be the only person permitted to communicate with the broader community and the media on behalf of the organization.

Strengthening Incident Command Systems


The ICS is a standardized, on-scene, all-hazards incident management approach that allows for the integration of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure. The ICS enables a coordinated response among different jurisdictions, government agencies, and private organizations (such as hospitals) and establishes common processes for planning and managing resources. NIMS can help organizations successfully exchange information with external stakeholders to facilitate more efficient response and recovery efforts. NIMS was developed to allow all levels of government, the private sector, and nongovernmental organizations to work together "to prepare for, prevent, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, in order to reduce the loss of life, property, and harm to the environment" (ASPR TRACIE "NIMS Implementation"). For more information on NIMS, see Federal Funding Requirements.

In accordance with Joint Commission standard EM.01.01.01, an organization's ICS should be "consistent with its community command structure." The following are some of the key features of a successful ICS:

  • Unified command structure. Such a structure allows disparate entities (both public and private) to collaborate and actively participate in the response and recovery.
  • Modular organization. Response resources are divided into the following five functional areas, all of which can be expanded or reduced based on the incident:
    • Command, which establishes the incident goals and objectives
    • Operations, which develops the specific tactics and executes activities
    • Planning
    • Logistics
    • Administration/finance
    • Planning, logistics, and administration/finance all support the command and the operations sections.
  • Comprehensive resource management. Systems are needed to describe, maintain, identify, request, and track resources.
  • Common terminology.
  • Integrated communications. Communications should be integrated both internally and externally.

For more information about hospital ICSs, see the guidance article The Hospital Incident Command System.

Conduct Employee Training

Action Recommendation: Work with the EOC and training coordinator to confirm that hospital staff are trained and tested regarding the EOP, their role, and their responsibilities.

Action Recommendation: Ensure that the training and testing plan is reviewed and revised, if needed, on an annual basis.

Action Recommendation: Conduct an annual community-wide drill exercise that includes a surge of incoming patients.

Action Recommendation: Conduct an annual community-wide drill exercise that simulates an event that is so far reaching that the local community cannot support the hospital.

Joint Commission standard EM.02.02.07 requires that staff and LIPs know in advance what they are expected to do during an emergency. All training activities, from educational programs conducted outside of the hospital (e.g., formal ICS training, clinical education in disaster medicine) to training on-site (e.g., responsibilities during a fire or hazardous materials spill), must take place before an emergency occurs. Properly trained (and drilled) staff do not have to pause to think about what to do or whom to call; they simply do it. Disasters are often dynamic or chaotic situations, and effective training helps prepare staff to take on unexpected responsibilities and adjust to changes in patient volume or acuity, work procedures, or conditions without having to make ad hoc decisions.

Organizations should develop and maintain an emergency preparedness training and testing program based on the EOP, the facility- and community-based HVAs, emergency preparedness policies and procedures, and the communications plan (CMS "Final Rule" §482.15[d]). The training and testing program must be reviewed and updated at least annually (CMS "Final Rule" §482.15[d][1]). Mandatory training and testing should be provided to all new employees, including employed physicians, and then conducted on an annual basis thereafter (CMS "Final Rule" §482.15[d][1][i]). Employees must demonstrate that they understand the EOP, including their role and responsibilities (CMS "Final Rule" §482.15[d][1][iv]). Volunteers must also be trained and tested on their understanding of completing tasks important to their role (CMS "Final Rule" §482.15[d][1][i]). Documentation of the training must be maintained by the organization (CMS "Final Rule" §482.15[d][1][iii]).

Compliance Drill Exercises

One major goal of the new regulation is to have organizations participate in community-based training exercises. CMS's response to public comments about the proposed regulation confirmed that CMS expects providers to join HCCs to meet the community-based training requirements. CMS believes that working together with coalition partners reduces the administrative burden on an individual organization. (CMS "Final Rule")

Conducting an integrated exercise planned with state and local entities should help identify gaps in the current processes that can then be fixed before an actual emergency occurs. Community-based exercises allow organizations to test incident command and control procedures, including communication plans that are critical when an emergency creates patient surge beyond capacity. (CMS "Final Rule") ASPR-TRACIE (2017-2022) lists proper handling of surge as the fourth of the key capabilities of community-based emergency preparedness programming.

Therefore, in accordance with the Final Rule at 42 CFR § 482.15[d][2], the organization's EOP must be tested at least twice a year. Two annual drill exercises are conducted to test staff knowledge and to identify opportunities for improvement of emergency preparedness planning. One drill must be a full-scale exercise that is community-wide. CMS's State operations manual defines a full-scale exercise as "any operations-based exercise (drill, functional, or full-scale exercise) that assesses a facility's functional capabilities by simulating a response to an emergency that would impact the facility's operations and their given community." A full-scale exercise is also "an operations-based exercise that typically involves multiple agencies, jurisdictions, and disciplines performing functional or operational elements."

If a community-wide exercise is not possible, organizations need to obtain and maintain documentation about their efforts to coordinate with community partners to conduct a community-based exercise. The documentation should reflect the attempt to schedule the event and include the reasons the exercise could not be conducted. The organization will be asked to show this documentation at the time of licensure survey. (CMS "Final Rule" §482.15[d][2][i])

If an organization experiences a natural or human-made emergency that requires activation of the EOP, the organization is exempt from engaging in a community- or facility-based full‐scale exercise for one year following the onset of the event (CMS "Final Rule" §482.15[d][2][i]). The organization's response to the event must be evaluated to identify safe practices and the findings documented, including opportunities for improvement. An effective method to evaluate an organization's performance during an emergency is to conduct a debriefing of critical staff within 24 or 48 hours after the end of the event.

Organizations must conduct a second exercise that may include but is not limited to a second full‐scale facility-based exercise or a tabletop exercise that meets specific parameters. The State operations manual defines a tabletop exercise as follows:

[Such an exercise] . . . involves key personnel discussing simulated scenarios in an informal setting. Tabletop exercises can be used to assess plans, policies, and procedures. A tabletop exercise is a discussion-based exercise that involves senior staff, elected or appointed officials, and other key decision making personnel in a group discussion centered on a hypothetical scenario. Tabletop exercises can be used to assess plans, policies, and procedures without deploying resources. (CMS "State Operations Manual")

Other possibilities include holding a group discussion led by a facilitator, using a narrated, clinically relevant emergency scenario and a set of problem statements, directed messages, or prepared questions designed to challenge the emergency plan (42 CFR § 482.15[d][2][ii][B]).

Finally, organizations need to analyze the response to and maintain documentation of all drills, tabletop exercises, and emergency events. Postevent review of the EOP is included in this process. Based on evaluation of the effectiveness of the EOP during the drill or actual emergency, revisions to the EOP may be needed (42 CFR § 482.15[d][2][iii]).


Joint Commission standard EM.03.01.03 requires that hospitals evaluate and test their EOP by conducting actual emergency exercises at least twice a year; tabletop sessions are not enough to satisfy the entire drill requirement. However, if the organization activated the EOP, the actual response (and feedback after the response) can take the place of an exercise. Hospitals that offer emergency services, or those that are community-designated disaster receiving stations, must include an influx of simulated patients (medical surge) in this exercise; a tabletop exercise cannot be substituted for this drill. In one of their exercises, hospitals must test their capabilities by simulating an escalating event in which the local community is unable to support the hospital; tabletop sessions are acceptable for the community portion of this exercise. Additionally, hospitals that have a defined role in their community's response plan must participate in at least one community-wide exercise per year; tabletop sessions are acceptable to satisfy this part of the standard. The drill exercises completed in accordance with Joint Commission standards will meet the CMS two-drill requirements.

Hospitals must designate an individual who is responsible for activating the EOP and for ending the EOP episode, including drill exercises. Hospitals must also designate an individual whose sole responsibility is to monitor the effectiveness of the exercises. This may be the same person who activated the EOP. In this role, the designee will evaluate the following:

  • Internal and external communications
  • Resource mobilization and asset allocation, including equipment, supplies, personal protective equipment, and transportation
  • Management of the four other critical resource areas

Based on this monitoring, hospitals must use a multidisciplinary process (which includes LIPs) to document and communicate deficiencies and opportunities for improvement to the improvement team responsible for monitoring environment-of-care issues. For more information on conducting exercises, see the guidance article Disaster Drills and see the Checklist for Disaster Drill Planning.

