Medicare Emergency Plan: [Self-Audit Checklist] (42 CFR § 482.15)

Executive Summary

Medicare requires participating healthcare providers to maintain an emergency preparedness program that protects patients, staff, and operations during disasters and other emergencies. Under 42 CFR § 482.15, providers, including small practices and facilities, must implement an all-hazards emergency preparedness program that includes risk assessment, policies and procedures, communication planning, and training and testing.

For small practices with limited resources, compliance can appear overwhelming. However, CMS allows flexibility and scalability. Providers are not required to purchase expensive systems or adopt hospital-level infrastructure. Instead, practices may rely on low-cost tools, community partnerships, and free federal resources to meet regulatory requirements. With thoughtful planning and documentation, small practices can remain compliant, survey-ready, and resilient without exceeding their budgets.

Introduction

Emergencies disrupt healthcare delivery at the moments patients most need care. Natural disasters, power outages, cyber incidents, and public health emergencies can all interfere with operations, records, and communication. To address these risks, CMS established the Emergency Preparedness Rule, codified at 42 CFR § 482.15, which applies to Medicare- and Medicaid-participating providers.

For small practices, compliance with § 482.15 is essential not only to avoid survey deficiencies, corrective action plans, or potential loss of Medicare participation, but also to ensure patient safety and continuity of care. With practical planning and documentation, even small clinics can meet CMS expectations using affordable and accessible tools.

Understanding Emergency Preparedness Under 42 CFR § 482.15

The regulation requires providers to maintain a comprehensive emergency preparedness program based on an all-hazards approach. The program must include four core elements.

1. Emergency Plan – Risk Assessment and Planning (§ 482.15(a))

Providers must develop and maintain a written emergency plan that:

  • Is based on a documented, facility-based and community-based risk assessment

  • Identifies likely hazards such as severe weather, power outages, fires, cyber incidents, or infectious disease outbreaks

  • Addresses patient populations, services provided, continuity of operations, delegations of authority, and succession planning

  • Is reviewed and updated at least every two years

Small practices may tailor their plans to their size and scope, but documentation is mandatory.

2. Policies and Procedures (§ 482.15(b))

Policies and procedures must support the emergency plan and address, at a minimum:

  • Evacuation and shelter-in-place procedures

  • Provision of subsistence needs (food, water, medications, and supplies)

  • Protection, confidentiality, and availability of medical records

  • Tracking of staff and patients during an emergency

  • Staffing strategies and use of volunteers, if applicable

Policies must be reviewed and updated at least every two years and reflect what the practice can realistically implement.

3. Communication Plan (§ 482.15(c))

Providers must maintain a written communication plan that includes:

  • Contact information for staff, physicians, vendors, and other providers

  • Contact information for federal, state, tribal, regional, and local emergency preparedness officials

  • Primary and alternate methods for communicating during an emergency

  • Processes for sharing patient information and medical documentation as permitted by HIPAA

  • Procedures for communicating patient location, condition, and facility status

The communication plan must also be reviewed and updated at least every two years.

4. Training and Testing (§ 482.15(d))

Providers must develop and maintain a training and testing program that includes:

  • Initial and ongoing emergency preparedness training for staff

  • Training updates when policies or procedures change

  • Documentation of training participation

  • At least two exercises per year, which may include:

    • A community-based or facility-based exercise

    • A functional exercise, mock drill, or tabletop exercise

  • Documentation of exercises, lessons learned, and plan revisions

Actual emergencies that activate the plan may satisfy certain exercise requirements.

Regulatory Oversight and OCR Considerations

CMS enforces 42 CFR § 482.15 through surveys and certification activities. Deficiencies may result in corrective action plans or jeopardize Medicare participation if not resolved.

The HHS Office for Civil Rights (OCR) may also become involved when emergency plans affect the handling of protected health information (PHI). Emergency plans must account for HIPAA-compliant disclosures and safeguards, particularly when records are shared or facilities evacuate. Aligning emergency preparedness with HIPAA requirements reduces dual enforcement risk.

Step-by-Step Compliance Guide for Small Practices

Step 1: Conduct a Risk Assessment

  • Identify common regional hazards (e.g., storms, fires, earthquakes)

  • Include operational risks such as EHR downtime or ransomware

  • Use free federal tools, such as HHS or FEMA planning resources

  • Document findings and mitigation strategies
     (§ 482.15(a)(1))

Step 2: Draft Practical Policies and Procedures

  • Create evacuation and shelter-in-place procedures

  • Document how records and PHI will be protected

  • Address staffing and subsistence needs realistically
     (§ 482.15(b))

Step 3: Build a Communication Plan

  • Maintain updated contact lists

  • Identify primary and backup communication methods

  • Coordinate with local emergency management agencies
     (§ 482.15(c))

Step 4: Train and Test

  • Conduct annual training for staff

  • Use low-cost tabletop exercises or community drills

  • Document attendance and outcomes
     (§ 482.15(d))

Step 5: Maintain Documentation

  • Keep emergency plans, policies, risk assessments, and training logs organized

  • Ensure documents are readily retrievable for surveyors

Case Study

A small family practice in a coastal region was surveyed after a hurricane. CMS found:

  • No documented risk assessment

  • No written evacuation plan

  • No staff training records

  • No formal communication strategy

The practice received a citation under 42 CFR § 482.15 and was required to submit a corrective action plan to maintain Medicare participation.

By contrast, another small clinic partnered with local emergency management to conduct a free tabletop exercise using FEMA materials. The clinic documented risk assessments, training, and communication protocols. During survey, CMS found the clinic compliant, noting that the program was appropriate to the clinic’s size and resources.

Key Lesson: Documentation and realism, not budget size, determine compliance.

Simplified Self-Audit Checklist

Task                              | Responsible Party | Timeline               | CFR Reference
----------------------------------|-------------------|------------------------|----------------
All-hazards risk assessment       | Compliance lead   | Every 2 years          | § 482.15(a)
Emergency policies and procedures | Practice owner    | Every 2 years          | § 482.15(b)
Communication plan update         | Office manager    | Every 2 years          | § 482.15(c)
Staff training                    | Office manager    | At least every 2 years | § 482.15(d)(1)
Emergency exercises               | Compliance lead   | Annually (2 total)     | § 482.15(d)(2)
Documentation retention           | Compliance lead   | Ongoing                | § 482.15

Common Pitfalls to Avoid

  • No written risk assessment

  • Outdated contact lists

  • Missing training documentation

  • Unrealistic plans that cannot be implemented

  • Failure to protect PHI during emergencies

Each of these issues is frequently cited during CMS surveys.

Best Practices for Budget-Conscious Practices

  • Partner with local emergency management agencies

  • Use free FEMA and HHS planning tools

  • Incorporate cybersecurity into risk assessments

  • Maintain simple emergency “go kits”

  • Assign clear responsibility for preparedness activities

These strategies support compliance without significant financial burden.

Building a Culture of Emergency Preparedness

Emergency readiness should be part of routine operations, not a one-time exercise. Leadership participation, staff engagement, and periodic review reinforce preparedness and confidence. Over time, this culture improves both regulatory compliance and patient trust.

Conclusion

42 CFR § 482.15 requires Medicare-participating providers to maintain a comprehensive emergency preparedness program, but it allows flexibility based on provider size and scope. Small practices can meet these requirements without large budgets by documenting risk assessments, developing realistic policies, maintaining communication plans, and conducting low-cost training and testing.

Preparedness protects patients, staff, and the practice itself, and it is achievable with planning, documentation, and commitment.
