Building an Emergency Preparedness Plan: Policies and Procedures


Are you still developing your Emergency Preparedness Plan for your rural health clinic (RHC) or federally qualified health center (FQHC)? Most likely, you’ve already conducted an all-hazards risk assessment. You found all possible emergencies that could happen at your facility – including man-made and natural disasters – and developed responses for each. Now, your next step is to solidify your plan in policies and procedures.

The Centers for Medicare and Medicaid Services (CMS) requires the following:

§ 491.12 (b) Policies and procedures. The RHC/FQHC must develop and implement emergency preparedness policies and procedures…. The policies and procedures must be reviewed and updated at least annually.

Policies and procedures should address the hazards you found during the risk assessment. Furthermore, your policies and procedures must address safe evacuation, shelter, preservation of medical documents, and volunteers.

Safe Evacuation

First, you must develop an evacuation plan that considers the evacuees’ care and treatment needs. It should spell out staff responsibilities, transportation, and evacuation locations. Where will patients go? Where will staff members go? How many vehicles do you have, and what other transportation will you need? Additionally, RHCs and FQHCs must post exit signs to guide evacuees.

Shelter in Place

Not every emergency requires evacuation. In some emergencies, such as a tornado, everyone shelters indoors. Therefore, you must have a “shelter in place” plan for patients, staff, and volunteers. How will you determine who will shelter in place before an evacuation? How well can your building withstand a disaster? What steps can you take before an emergency to make your building safe for shelter? Your policies and procedures should lay out these critical areas in detail.

Preserve Medical Documentation

You must have a system that preserves patients’ medical information, keeping their records safe and readily available during and after an emergency. How will you protect the privacy and security of medical records, both electronic and hard copy? Your policies and procedures should explain the plan and show how HIPAA is upheld in the process.


Additionally, you must have policies and procedures that show how you plan to use volunteers and staff members of varying skill levels during an emergency. For instance, some volunteers may be health care professionals, while others may have no medical qualifications. How will you make sure volunteers can perform services within their scope of practice and training? Furthermore, federally designated health care professionals may volunteer in an emergency, such as the Public Health Service staff, National Disaster Medical System teams, the Department of Defense Nurse Corps, or the Medical Reserve Corps. You may have to look at your state laws and regulations for guidance on how to manage volunteers of all levels.

A Final Note on Policies and Procedures

Reviewing your policies and procedures annually, as CMS requires, allows you to update them as needed. They should address the hazards identified in your risk assessment, as well as how you will safely evacuate patients and staff, shelter in place, preserve medical documentation, and manage volunteers. CMS recommends you keep your emergency preparedness plan documents in a central place, making it easier for CMS to review them if it conducts a survey.

Remember, you may have already addressed some areas of the Emergency Preparedness Plan, so review your HIPAA policies for overlap. The HIPAAtrek platform houses all your HIPAA policies and procedures in a centralized location. Contact us to learn more.
