CMS Emergency Preparedness Rule Explained: Requirements, Compliance Checklist, and Updates for Healthcare Providers
The Centers for Medicare & Medicaid Services (CMS) Emergency Preparedness Rule sets consistent, all-hazards standards that every participating provider and supplier must follow to protect patients, support staff, and sustain operations during crises. It is embedded in the Medicare and Medicaid Conditions of Participation and Conditions for Coverage, ensuring preparedness is not optional but essential to safe care.
Use the following at-a-glance compliance checklist to gauge readiness and close gaps before your next survey.
- Complete and document an all-hazards risk assessment and develop a facility Emergency Operations Plan (EOP).
- Build a communication plan with redundant Emergency Communication Systems for staff, patients/residents, and external partners.
- Establish policies and procedures for evacuation, shelter-in-place, subsistence needs, and continuity of operations.
- Verify Facility Emergency Power Requirements and keep maintenance and testing records for generators and essential electrical systems.
- Provide initial and ongoing training, conduct exercises, and capture after-action reports with improvement plans.
- Demonstrate Incident Command System Integration and Healthcare Provider Coordination with community partners.
- Organize documentation for the Survey and Certification Process, including leadership approvals and update cycles.
National Emergency Preparedness Requirements
The CMS rule establishes a unified framework for All-Hazards Emergency Preparedness across provider and supplier types. It requires four integrated program elements: risk assessment and planning, a communication plan, written policies and procedures, and training and testing. Together, these elements anchor compliance with the Medicare and Medicaid Conditions of Participation.
Strong programs embed Incident Command System Integration, align with local emergency management, and coordinate with healthcare coalitions. Facilities should define leadership roles, succession, and decision-making thresholds that activate the EOP and clarify who can direct evacuation, curtail services, or request external support.
Key program elements
- Documented all-hazards risk assessment (HVA) and a current EOP tailored to your services and patient population.
- Communication plan with up-to-date contacts, redundant modalities, and procedures for information sharing and patient tracking.
- Policies and procedures addressing subsistence, security, evacuation/shelter-in-place, and clinical/regulatory considerations.
- Training and testing program with exercises, after-action improvement, and timely plan updates.
Coordination and resources
Healthcare Provider Coordination is expected. Participate in community planning, share situational awareness during incidents, and align with local hazard profiles (e.g., severe weather, wildfires, cyberattacks). Integrate Facility Emergency Power Requirements and life safety needs into planning and exercises.
Provider and Supplier Applicability
The rule applies broadly to Medicare- and Medicaid-participating providers and suppliers, including hospitals, critical access hospitals, long-term care facilities, ambulatory surgical centers, home health agencies, hospices, end-stage renal disease facilities, rural health clinics and FQHCs, community mental health centers, PRTFs, CORFs, clinics/rehab agencies, and others governed by CMS Conditions of Participation or Coverage.
Expectations are risk-based and service-specific. For example, inpatient facilities plan for evacuation and sustained operations, while home-based providers emphasize patient-level planning, communication with caregivers, and coordination with community resources. Integrated health systems may align plans across multiple sites while preserving site-specific procedures.
Risk Assessment and Planning
Begin with a structured all-hazards risk assessment to identify realistic threats and operational vulnerabilities. Consider patient acuity, dependence on power and medical gases, supply chain fragility, staffing, cybersecurity, and environmental risks such as flooding or wildfire.
Planning steps that work
- Profile hazards and rank them by likelihood and impact; include cascading effects (e.g., power loss leading to IT downtime).
- Define essential functions, minimum staffing, and trigger points for curtailment or evacuation.
- Map critical resources (water, oxygen, medications, PPE), vendors, and mutual-aid or transfer agreements.
- Develop continuity of operations (COOP) strategies and downtime procedures for clinical and administrative systems.
- Align the EOP with Incident Command System Integration so roles and job action sheets are clear under stress.
What to document
- Dated hazard vulnerability analysis with leadership approval.
- Current EOP, annexes (evacuation, surge, infectious disease), and site maps with utility shutoffs.
- Resource inventories and vendor/MOU documentation for re-supply and patient transfer.
- Update logs showing reviews after exercises, real events, or significant operational changes.
Communication Plan Compliance
Effective communication saves lives and preserves continuity. Your plan should specify who communicates what, to whom, and by which channels under varying scenarios. Build redundancy into Emergency Communication Systems so single-point failures do not silence you.
Core elements to include
- Comprehensive contact lists for leaders, departments, physicians, staff, volunteers, patients/residents, caregivers, suppliers, and partner agencies.
- Redundant modalities: phone, SMS, email, paging, radios, satellite, and web-based alerting, with clear activation criteria.
- Procedures for sharing patient/resident information and tracking locations during evacuations, consistent with privacy requirements.
- Methods to coordinate with local emergency management, public health, EMS, and healthcare coalitions for situational awareness and resource requests.
- Designated primary and alternate command locations and a written communications plan (e.g., ICS Form 205) embedded in the EOP.
Proving compliance
Maintain records of call-tree drills, alert-system tests, and updates to contact lists. After each test or incident, produce after-action notes and incorporate improvements into the plan.
Policies and Procedures for Emergencies
Policies and procedures translate planning into action. They should be specific enough to guide operations yet flexible enough to adapt to dynamic conditions.
Evacuation and shelter-in-place
- Decision criteria, routes, roles, transport resources, receiving-facility coordination, and patient/resident tracking.
- Procedures for medications, records, durable medical equipment, and continuity of critical treatments.
Sustaining safe operations
- Subsistence supplies (food, water, pharmaceuticals, oxygen/medical gases), infection prevention, security, and waste management.
- Clinical prioritization, conservation strategies, and ethical frameworks for scarce-resource allocation when relevant.
Facility Emergency Power Requirements
Identify essential electrical loads (life safety, critical, equipment) and ensure alternate power can support them. Maintain generators and the emergency power supply system per applicable codes (such as NFPA 99 and NFPA 110 as adopted by CMS), document testing and maintenance, safeguard fuel, and plan for prolonged outages and load shedding. Incorporate power-failure workflows into training and exercises.
Training and Testing Protocols
Every person with a role in your EOP needs role-appropriate training at onboarding and at defined intervals thereafter. Cover activation criteria, ICS roles, communication procedures, evacuation and sheltering, emergency power contingencies, and patient/resident movement and tracking.
Exercises that build readiness
- Participate in community-based full-scale exercises when available; use facility-based or tabletop exercises when community activities are not feasible.
- Vary scenarios (e.g., severe weather, cyber disruption, utility failure, surge) to surface different gaps.
- Produce after-action reports and improvement plans; assign owners and deadlines and verify completion.
Documentation to retain
- Training rosters, curricula, and competencies for employees, licensed independent practitioners, and volunteers.
- Exercise documentation: objectives, participants, evaluations, after-action reports, and evidence of plan updates.
Update the emergency preparedness program at defined intervals and whenever exercises, incidents, or major operational changes reveal new risks or solutions. Some provider types may follow annual review cycles, while others may be permitted biennial reviews under burden-reduction updates—always follow the most stringent requirement that applies to you.
Compliance Verification Process
CMS verifies compliance through the Survey and Certification Process, conducted by state survey agencies and approved accrediting organizations. Surveyors review documents, interview staff, and observe operations to confirm that planning translates into capability.
What surveyors typically examine
- Current, leadership-approved EOP; documented risk assessment; communication plan; and policies and procedures.
- Training and testing records, after-action reports, and evidence of improvement implementation.
- Emergency power documentation (testing, maintenance, fuel management) and life safety integrations.
- Proof of Healthcare Provider Coordination: coalition participation, MOUs, transfer agreements, and joint exercises.
Findings and follow-through
Deficiencies are cited under emergency preparedness tags, and organizations submit plans of correction with timelines and evidence of completion. Significant or repeated noncompliance can trigger enforcement actions according to provider type and severity.
Conclusion
Compliance with the CMS Emergency Preparedness Rule is a continuous improvement journey. Anchor your program in an all-hazards assessment, harden policies and power dependencies, practice with purposeful exercises, and prove readiness with clear documentation and coordination. Doing so protects patients and staff while meeting federal participation requirements.
FAQs
What providers are covered under the CMS Emergency Preparedness Rule?
The rule covers a broad range of Medicare- and Medicaid-participating providers and suppliers, including hospitals, critical access hospitals, long-term care facilities, ambulatory surgical centers, home health agencies, hospices, ESRD facilities, rural health clinics and FQHCs, community mental health centers, PRTFs, CORFs, clinics/rehab agencies, and more subject to CMS Conditions of Participation or Coverage.
How often must emergency plans be updated?
Update the program on a defined cycle and whenever exercises, incidents, or operational changes warrant. Hospitals, CAHs, and long-term care facilities commonly use annual reviews, while some other provider types may follow biennial reviews under burden-reduction updates. Always comply with the most stringent requirement among CMS, your accreditor, and state or local rules.
What training is required for healthcare personnel?
Provide initial and periodic training aligned to roles: EOP activation, ICS roles, communication procedures, evacuation and sheltering, emergency power contingencies, patient/resident movement and tracking, and job-specific clinical or support tasks. Retain rosters and competencies, and validate effectiveness through exercises and after-action improvements.
How is compliance with the rule verified?
Compliance is verified through surveys by state agencies or accrediting organizations. Surveyors review your documented program, interview staff, and observe operations. Deficiencies are cited under emergency preparedness tags, and you must submit and complete a plan of correction within defined timelines to resolve issues.