Building an Emergency Preparedness Plan: Risk Assessment


Are you ready to meet the Emergency Preparedness Plan deadline for your rural health clinic (RHC) or federally qualified health center (FQHC)? The purpose of an emergency preparedness plan is to safeguard human resources, maintain business continuity, and protect physical resources. This plan will help maintain access to health care during an emergency or natural disaster.

What’s in an Emergency Preparedness Plan?

Your emergency preparedness plan will include:

  • An emergency plan (including a risk assessment),
  • Policies and procedures,
  • A communication plan,
  • And a training and testing program

Risk Assessment

The first step is to conduct a facility-based risk assessment. A risk analysis and risk management plan (required by HIPAA) will put you on the right track. Nevertheless, the Centers for Medicare and Medicaid Services (CMS) wants your risk assessment to take an all-hazards approach, which looks at all possible emergencies and disasters and spells out the response procedures for each.

Emergencies can take many forms, including natural disasters and man-made emergencies. Therefore, you can’t rely on the same response for every emergency. For example, how you respond to an active shooter is much different than how you respond to a ransomware attack on your systems.

In your risk assessment, answer the following:

  • How might emergencies limit or stop our operations?
  • Which functions do we need to carry out our operations? What must continue in an emergency?
  • What risks or emergencies could we expect to face? Does our geographic location add any new risks or challenges?
  • What arrangements with other health care facilities do we need to make?

Facility-based Risk Assessment

A “facility-based” risk assessment is specific to your building(s). This allows you to identify, as well as eliminate, natural disasters based on your facility and geographic area. For instance, an RHC in Florida should prepare for an approaching hurricane, whereas an RHC in South Dakota might face a three-day blizzard. However, both RHCs should prepare for a power outage or other facility-based emergency that requires an immediate response.

Community-based Risk Assessment

A community-based risk assessment is one that other organizations develop, such as public health agencies, emergency management agencies, and regional health care coalitions. You can use a community-based risk assessment while conducting your own facility-based assessment. However, if you use a community-based assessment or plan, you must have a copy of it and work with the organization that developed it to make sure it meets your facility’s needs.

You may have already addressed many emergencies and hazards in your HIPAA security risk analysis and risk management plan. Nevertheless, you should review your current security plan for areas that overlap with the CMS Emergency Preparedness Plan and include an all-hazards approach.

We at HIPAAtrek believe that the HIPAA security rule already covers many of the CMS requirements. We have created an Emergency Preparedness Plan and HIPAA security rule crosswalk, so you don’t have to reinvent the wheel.

For more information, contact us at

Overwhelmed? Grab our Guide to Policy Management!

Without the right tools, policy management can be a lot to handle. We’ve created this workflow to get you started.

Policy Management Workflow

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay their ransom, attackers are threatening to release the data publicly. This will of course include sensitive information and PHI. Before Double Extortion, we assumed that hackers could not actually access our data and were only with-holding it from victims to disrupt the ability to continue their work. Now we know they can extract this information and publish it online, breaching our patient’s security.

Read More »