Imagine waking up one day to learn that as much as 50-70% of your income was going to disappear within a year unless you complied with a new federal law affecting your industry. Well, that scenario is all too real for the health care community, those who operate hospitals, skilled nursing facilities, ambulatory surgery centers, behavioral health practices, centers…any organization that accepts Medicaid and/or Medicare insurance from patients and is reimbursed by Centers for Medicaid and Medicare Services (CMS) for those services.
In 2016, the CMS announced a new Emergency Preparedness Final Rule requiring these organizations to conduct annual, all-hazards security assessments and emergency preparedness/active shooter training and drills. Health care organizations had one year to comply. As Pinkerton Director Dr. Keith E. Noble, Ph.D. and Pinkerton Risk Adviser Caroline Ramsey-Hamilton, CHS-III have witnessed, many affected health care providers have still not met these requirements.
Requirements of the CMS New Final Rule
On September 8, 2016, the Federal Register posted the final details for the rule called the “Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” The regulation went into effect on November 16, 2016. Health care providers and suppliers affected by this rule were required to comply and implement all regulations by November 15, 2017.
The CMS stated that the purpose of the rule was, “To establish national emergency preparedness requirements to ensure adequate planning for both natural and man-made disasters, and coordination with federal, state, tribal, regional and local emergency preparedness systems.”
The rule further stipulates that it applies to all 17 medical provider and supplier types. Each provider and supplier must be in compliance with Emergency Preparedness regulations to participate in the Medicare or Medicaid program.
But why only target medical facilities with this new rule? “Simply put, medical operations present more workplace violence risks than other organizations,” says Ramsey-Hamilton. “Depending upon the size of the organization, you could have hundreds or thousands of people entering your facilities each year, many under duress from a medical condition or some form of mental illness. It’s a tinderbox that can ignite at any time.”
Statistics from the Occupational Safety and Health Administration (OSHA) support Ramsey-Hamilton’s statement. From 2002 to 2013, incidents of serious workplace violence (those requiring days off for the injured worker to recuperate) were four times more common in health care than in private industry on average. In 2013, the broad “health care and social assistance” sector had 7.8 cases of serious workplace violence per 10,000 full-time employees. Other large sectors such as construction, manufacturing, and retail all had fewer than two cases per 10,000 full-time employees. The graph below shows the most common source of injury to health care professionals.
Injuries inflicted by people are just one risk facing medical facilities. The new rule will ensure that other risks are identified and mitigated as well.
Stressing the Importance of Preparedness and Training
There are four core elements in the new regulation, addressing the need for health care facility operators to assess and understand the risks involved with their business and provide annual training so that all personnel are prepared for emergency situations. These elements are discussed below.
Risk Assessment and Emergency Planning
Perhaps the biggest and most time-consuming activity regarding the new rule is the first core element: Risk Assessment and Emergency Planning. A comprehensive, all-hazards risk assessment, if not performed recently, can be daunting for an administrative team to undertake. For most companies, security personnel are there to react to threats, not analyze risks. “It can be a big job,” says Dr. Noble. “As we do with our clients, an assessment requires a holistic approach so that administrators can understand the interconnection between risks and how they could combine to impact business operations. Equally important is to analyze how to create potential solutions.”
Some of the key elements required in the CMS-mandated risk assessment are:
- Hazards likely in geographic area, like flooding or hurricanes
- Human emergencies like active shooter or assaults
- Equipment and power failures
- Interruption in communications, including cyber attacks
- Loss of the use of the physical facility of facility
- Lack of food and/or water for an extended period
Communication Plan Development
The second element requires that a communication plan be developed so that all stakeholders, including staff, patients, visitors, local authorities and health departments, are kept informed during an emergency.
Policies and Procedures
After an assessment is performed and a communication plan developed, the third element is to ensure that standard policies and procedures are to be developed and/or updated based on the assessment findings. “Too often, assessments are not utilized and no changes are made,” said Dr. Noble. “That will change given that this rule requires a review of policies and procedures so that they comply with federal and state laws.”
Training and Testing
The final core element is training and testing, which also must be done annually. “Certainly, the number of active shooter incidents recently has focused attention on the need to train personnel for emergency situations and keep them trained,” said Ramsey-Hamilton. Beyond Active Shooter Training, the CMS notes the following areas where training should be provided, depending on geographic area and the probability of incidents:
- Cyber Security Attack
- Single-Facility Disaster (power-outage)
- Medical Surge (i.e. community disaster leading to influx of patients)
- Infectious Disease Outbreak
Many Medical Facilities Not in Compliance with New Rule
“It seems that every week, sometimes every day, I learn about another health care facility that has been given an immediate jeopardy finding, risking their accreditation because they are out of compliance,” says Ramsey-Hamilton. “They had a year to comply, so other factors are at play for why they haven’t done what is required.”
Dr. Noble agrees. “Initially, budgeting was a main issue. Adding the new required activities meant that funds would need to be spent to be in compliance. However, any operation that had never done a risk assessment or hadn’t provided emergency preparedness training did not have those items in their budget when this was announced in 2016. A whole budget cycle had to come around before they could be added and evaluated.”
However, as both Dr. Noble and Ramsey-Hamilton noted, the current 2017-18 budgets of most medical operations should have included the required activities from the new rule. Even so, two main factors still have operators remaining out of compliance: confusion and lack of resources.
“There is confusion about how to get started,” says Ramsey-Hamilton. “A lot of these companies have never done an assessment and, therefore, don’t know the process, what to look for, who to speak with and how to analyze what they find. They also don’t know what department should handle the assessment and can provide training.”
Dr. Noble further notes that assessments and training require specific skills not often possessed by existing security personnel or local law enforcement.
“These activities are not done as an add-on to a security manager’s job. It takes someone with experience so that all the major risks are analyzed and proper training for emergencies are conducted regularly. It takes time, personnel resources and money…none of which most facilities have in abundance.”
The impact of not being in compliance can be severe. The Federal Government, through reimbursements to health care operations and other methods, represents nearly 30% of all health care spending annually. “I’ve seen some operations rely on reimbursements from CMS for anywhere from 40 to 75 percent of their revenue,” says Ramsey-Hamilton. “Losing this income would severely impact or even close some facilities.”
Certainly, this new CMS Final Rule sent a shockwave through the medical industry and companies are still struggling to comply. However, Dr. Noble believes that the industry will be more secure as a result. “It’s important that companies understand where they are most at risk and determine ways to mitigate those risks, which include the required training. We think this is a positive step and stand ready to assist companies that want our experience and knowledge as they work towards compliance.”