Operational-resilience and continuity obligations for healthcare providers, payers and medical-device makers — US (CMS, HHS/OCR, FDA), the EU (NIS2, EHDS, MDR/IVDR) and Canada.
| Jur. | Regulator | Domain | Obligation (with source quote) | Citation | Status |
|---|---|---|---|---|---|
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must include design controls that allow the device to detect, resist, respond and recover from cybersecurity attacks. “The manufacturer should consider design controls that will allow the device to detect, resist, respond and recover from cybersecurity attacks.” | Section 2.1.1, Table 1 (Reliability and Availability) | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must develop a strategy addressing cybersecurity risk that includes planning for continued monitoring of and response to emerging risks, vulnerabilities and threats. [adjacent] “a manufacturer must have a strategy to address the cybersecurity risk of a medical device (Class I to Class IV) that runs software code. This strategy should include...Planning for continued monitoring of and response to emerging risks, vulnerabilities and threats” | Section 2.1 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must implement a post-market vigilance plan to track, assess, and respond to newly discovered vulnerabilities throughout the device's expected service life. [adjacent] “Post-market vigilance: A plan to track, assess, and respond to newly discovered vulnerabilities...This plan should apply throughout the expected service life.” | Section 2.2 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must have a patching plan to update device software to maintain safety and effectiveness, either regularly or in response to identified vulnerabilities. [adjacent] “Patching: A plan to update the software to maintain the safety and effectiveness of the device either regularly, or in response to an identified vulnerability.” | Section 2.2 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must have a formalized vulnerability disclosure process covering obtaining, assessing, developing mitigations, and disclosing vulnerabilities to stakeholders. [adjacent] “Vulnerability Disclosure: A formalized process for obtaining cybersecurity vulnerability information, assessing vulnerabilities, developing mitigation and remediation strategies, and disclosing the existence of vulnerabilities.” | Section 2.2 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must incorporate cybersecurity into device-specific risk management throughout the device lifecycle, including identifying hazards, estimating risks, controlling risks, and monitoring effectiveness of controls. [adjacent] “Manufacturers should incorporate medical device cybersecurity into each device's risk management process...identify any cybersecurity hazard, estimate and evaluate the associated risks, control those risks to an acceptable level, monitor the effectiveness of the risk controls” | Section 2.1.2 | final |
| CA | HEALTH_CANADA | cybersecurity | For Class III and IV licence applications, manufacturers must submit a maintenance plan describing post-market processes to ensure continued safety and effectiveness including vigilance, patching, vulnerability disclosure, and information sharing. [adjacent] “A summary of the device's maintenance plan should be included. The summary should describe the post-market process(es) by which the manufacturer intends to ensure the continued safety and effectiveness of the device throughout its life-cycle.” | Section 2.3.5.4 | final |
| CA | HEALTH_CANADA | cybersecurity | The cybersecurity BOM must include instructions on backup and restore features, software update procedures, and how the device can be hardened in its environment. “the cybersecurity BOM should include any instructions or information related to: ...Backup and restore features. How users download software/firmware, if applicable...How the device can be hardened in its environment.” | Section 2.3.1 | final |
| CA | HEALTH_CANADA | cybersecurity | The cybersecurity BOM must include information on features that protect critical device functionality even during a cybersecurity incident. “Features that protect critical functionality of the device, even during a cybersecurity incident.” | Section 2.3.1 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must define and document a response process or plan for how the device, manufacturer, or user will respond to a cybersecurity event. “Respond: A defined process or plan should be developed on how the device, manufacturer or user will respond to a cybersecurity event.” | Appendix A | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must implement detection processes or measures to identify when the device has been compromised due to a cybersecurity event. [adjacent] “Detect: Processes or measures should be in place to identify when the device has been compromised due to a cybersecurity event.” | Appendix A | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must consider software maintenance design controls specifying how software will be updated against newly discovered threats, including patch frequency and update connection requirements. [adjacent] “The manufacturer should consider how the software will be updated to secure the device against newly discovered cybersecurity threats...The manufacturer should consider how often a device will need to be updated via regular and/or routine patches.” | Section 2.1.1, Table 1 (Software Maintenance) | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must consider how third-party, open-source, and operating system software components will be updated or controlled to maintain device security. [adjacent] “The manufacturer should consider how operating system software, third-party software (e.g., libraries) or open source software will be updated or controlled.” | Section 2.1.1, Table 1 (Software Maintenance) | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must conduct cybersecurity vulnerability testing including known vulnerability testing, malware testing, FUZZ testing, and structured penetration testing. [adjacent] “Known Vulnerability Testing...Malware Testing...Malformed Input Testing (i.e., FUZZ testing)...Structured Penetration Testing: This type of testing requires a cybersecurity expert who is familiar with hacking techniques.” | Section 2.1.3, Table 2 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must use a cybersecurity vulnerability assessment tool or scoring system to rate vulnerabilities and determine urgency of response. [adjacent] “manufacturers should consider using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need and urgency of the response.” | Section 2.2 | final |
| CA | HEALTH_CANADA | cybersecurity | Manufacturers must consider design controls to secure data transfer to and from the device to prevent unauthorized modification and disruption of device communications. [adjacent] “The manufacturer should consider how data transfer to and from the device is secured to prevent unauthorized modification and disruption. Manufacturers should determine how the devices/systems will authenticate each other.” | Section 2.1.1, Table 1 (Secure Communications) | final |
| EU | EU_EHDS | health it resilience | Shall be provided through the cross-border infrastructure referred to in Article 23. (Art. 12) [adjacent] “shall be provided through the cross-border infrastructure referred to in Article 23.” | Article 12, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Shall also be competent for monitoring and enforcing the application of Articles 3 and 5 to 10 of this Regulation. (Art. 22) [adjacent] “shall also be competent for monitoring and enforcing the application of Articles 3 and 5 to 10 of this Regulation.” | Article 22, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Obligations of manufacturers of EHR systems (Art. 30) [adjacent] “shall: (a) ensure that the harmonised software components of their EHR systems and the EHR systems themselves, to the extent that this Chapter establishes requirements for them, are in conformity with the essential requirements laid down in Annex II and with the common specificat” | Article 30, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | European digital testing environment (Art. 40) [adjacent] “shall develop a European digital testing environment for the assessment of harmonised software components of EHR systems.” | Article 40, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Handling of risks posed by EHR systems and of serious incidents (Art. 44) “shall carry out an evaluation in relation to the EHR system concerned covering all relevant requirements laid down in this Regulation.” | Article 44, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Controllership (Art. 74) [adjacent] “shall be deemed controller for the making available of personal electronic health data requested pursuant to Article 60(1) to the health data access body.” | Article 74, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Capacity building The Commission shall support the sharing of best practices and expertise to build capacity within Memb (Art. 82) [adjacent] “shall support the sharing of best practices and expertise to build capacity within Member States to strengthen digital health systems for primary use and secondary use taking into account the specific circumstances of the different categories of stakeholders involved.” | Article 82, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Storage of personal electronic health data by health data access bodies and secure processing environments (Art. 87) [adjacent] “shall store and process personal electronic health data in the Union when performing pseudonymisation, anonymisation and any other personal data processing operations referred to in Articles 67 to 72, through secure processing environments within the meaning of Article 73 and Art” | Article 87, Regulation (EU) 2025/327 | final |
| EU | EU_EHDS | health it resilience | Evaluation, review and progress report (Art. 102) [adjacent] “shall carry out a targeted evaluation of this Regulation, and submit a report on its main findings to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment” | Article 102, Regulation (EU) 2025/327 | final |
| EU | EU_MDR | cybersecurity | Establish and operate a security risk management system across the entire lifecycle of the medical device as a continuous iterative process, including security risk analysis, evaluation, control, residual risk evaluation, and reporting. [adjacent] “establish and operate a risk management system across the entire lifecycle of the medical device as a continuous iterative process, requiring regular systematic updating.” | MDR Annex I, Section 3; MDCG 2019-16 rev.1 §3.2 | final |
| EU | EU_MDR | cybersecurity | Adopt risk control measures for design and manufacture conforming to safety principles and taking account of the state of the art, including security risks with safety impacts. [adjacent] “adopt risk control measures for the design and manufacture of the devices conforming to safety principles and taking account of the generally acknowledged state of the art.” | MDR Annex I, Section 4; IVDR Annex I, Section 4 | final |
| EU | EU_MDR | cybersecurity | Develop and manufacture software-incorporating devices in accordance with the state of the art, taking into account the principles of the development lifecycle, risk management (including information security), verification, and validation. [adjacent] “the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.” | MDR Annex I, Section 17.2; IVDR Annex I, Section 16.2 | final |
| EU | EU_MDR | cybersecurity | Set out minimum requirements concerning hardware, IT network characteristics, and IT security measures, including protection against unauthorised access, necessary to run the software as intended. [adjacent] “Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.” | MDR Annex I, Section 17.4; IVDR Annex I, Section 16.4 | final |
| EU | EU_MDR | cybersecurity | Include in the Instructions for Use minimum requirements concerning hardware, IT network characteristics, and IT security measures, including protection against unauthorised access, necessary to run the software as intended. [adjacent] “minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.” | MDR Annex I, Section 23.4(ab); IVDR Annex I, Section 20.4.1(ah) | final |
| EU | EU_MDR | cybersecurity | Design devices for lay persons to perform appropriately for their intended purpose, taking into account lay person skills and environment, including cybersecurity-relevant operating instructions such as software updates and data backups. [adjacent] “devices for use by lay person...shall be designed and manufactured in such a way that they perform appropriately for their intended purpose taking into account the skills and the means available to lay persons.” | MDR Annex I, Section 22.1 | final |
| EU | EU_MDR | cybersecurity | Conduct security verification and validation testing (including security feature testing, fuzz testing, vulnerability scanning, and penetration testing) to ensure all security requirements have been met. [adjacent] “The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing.” | MDR Annex I, Section 17.2; IVDR Annex I, Section 16.2; MDCG 2019-16 rev.1 §3.7 | final |
| EU | EU_MDR | cybersecurity | Implement a 'secure by design' approach including a defence-in-depth strategy across the full product development lifecycle, covering security management, requirements specification, secure design, secure implementation, V&V, issue management, update management, and security guidelines. [adjacent] “The overall approach for security management for medical devices...The following common eight practices define most of the necessary processes that should be in place to establish a 'Defense-in-Depth strategy'.” | MDR Annex I, Section 17.2; MDCG 2019-16 rev.1 §3.1 | final |
| EU | EU_MDR | cybersecurity | Perform threat modelling to systematically identify, enumerate, and prioritise vulnerabilities and attack vectors for the medical device. [adjacent] “Threat Modelling techniques are a systematic approach for analysing the security of an item in a structural way such that vulnerabilities can be identified, enumerated, and prioritised.” | MDR Annex I, Section 17.2; MDCG 2019-16 rev.1 §3.4 | final |
| EU | EU_MDR | cybersecurity | Implement data backup and disaster recovery capabilities as a security control for medical devices. “Data Backup and Disaster Recovery [listed as a security capability in Table 3: Indicative list of security Capabilities for MD]” | MDR Annex I, Section 17.4; MDCG 2019-16 rev.1 §3.3 Table 3 | final |
| EU | EU_MDR | cybersecurity | Implement emergency access controls ensuring medical personnel can access the device without restrictions during emergencies, while strong security measures are maintained under normal conditions. “during an emergency, the medical personnel must be able to access an implanted cardiac device without restrictions, but strong security measures need to be in place under normal operating conditions.” | MDR Annex I, Section 17.4; MDCG 2019-16 rev.1 §2.2 | final |
| EU | EU_MDR | cybersecurity | Put in place a post-market process to gather and evaluate security information (incidents, vulnerabilities in device and third-party components, threat landscape changes) and take appropriate risk control measures throughout the device's support lifetime. [adjacent] “During the support lifetime of the device, the manufacturer should put in place a process to gather post-market information with respect to the security of the device...evaluate the associated security and safety risk and take appropriate measures.” | MDR Annex I, Section 3; MDCG 2019-16 rev.1 §3.8 | final |
| EU | EU_MDR | cybersecurity | Report serious cybersecurity incidents (those resulting in or capable of resulting in patient harm or death) to competent authorities and inform the electronic system on vigilance. [adjacent] “Reporting of serious incidents and field safety corrective actions: Article 87...Inform the Electronic System On Vigilance (Article 92)” | MDR Articles 87, 92; MDCG 2019-16 rev.1 §5.2 | final |
| EU | EU_MDR | cybersecurity | Conduct trend reporting on cybersecurity incidents and non-serious incidents/near-misses that could indicate a systematic issue. [adjacent] “Trend Reporting (Article 88)” | MDR Article 88; MDCG 2019-16 rev.1 §1.4 | final |
| EU | EU_MDR | cybersecurity | Analyse serious cybersecurity incidents and field safety corrective actions and report findings. [adjacent] “Analysis of serious incidents and field safety corrective actions: Article 89” | MDR Article 89; MDCG 2019-16 rev.1 §1.4 | final |
| EU | EU_MDR | cybersecurity | Provide and manage security updates and patches for the medical device in a timely manner, including testing patches for regressions before release. [adjacent] “Security update management...ensure that security updates and security patches associated with the product are tested for regressions and made available to product users in a timely manner.” | MDR Annex I, Section 17.2; MDCG 2019-16 rev.1 §3.1 Practice 7 | final |
| EU | EU_MDR | cybersecurity | Monitor in-field software vulnerabilities and provide device updates (e.g. patches) to ensure continued security of the device, addressing reasonably foreseeable misuse risks. [adjacent] “This may include the infield monitoring of the software's vulnerabilities and the possibility to perform a device update...through, for example delivering patches to ensure the continued security of the device.” | MDR Annex I, Section 3; MDCG 2019-16 rev.1 §2.4 | final |
| EU | EU_MDR | cybersecurity | Provide clear user security guidelines documenting how to integrate, configure, and maintain the device's defence-in-depth strategy, including IT security features and operating environment configuration. [adjacent] “provide and maintain user documentation that describes how to integrate, configure, and maintain the defence in depth strategy of the product in accordance with its product security context.” | MDR Annex I, Section 23.4(ab); MDCG 2019-16 rev.1 §3.1 Practice 8, §3.6 | final |
| EU | EU_MDR | cybersecurity | Ensure modifications to the medical device (including third-party software installation, patching, or firewall changes) are only performed under the manufacturer's explicit published guidance to prevent unvalidated changes that could compromise security or safety. [adjacent] “Modification of a medical device, e.g. the installation or enabling of third-party software including software patching, should always be under explicit published guidance of the manufacturer.” | MDR Annex I, Section 17.2; MDCG 2019-16 rev.1 §2.6 | final |
| EU | EU_MDR | cybersecurity | Integrators must assess the reasonable level of security for the operating environment, securely configure and integrate the system, provide required documentation and training, and provide support for patching and security incident handling. [adjacent] “Assess reasonable level of security for the operating environment; Integrate the system into the environment at the operator site, including secure configuration...Provide support for patching and security incident handling.” | MDCG 2019-16 rev.1 §2.6.1 | final |
| EU | EU_MDR | cybersecurity | Operators must ensure required level of security for the operational environment, ensure personnel are trained for security issues, apply manufacturer-prescribed maintenance and security patches, and notify the manufacturer without delay of any suspected security event. [adjacent] “Ensure required level of security for operational environment...Ensure that prescribed maintenance is done as required, including installation of security patches; Notify the manufacturer without delay of any suspected security event.” | MDCG 2019-16 rev.1 §2.6.2 | final |
| EU | EU_MDR | cybersecurity | Ensure the medical device is designed with a layered defence-in-depth approach and does not solely rely on operating environment security controls, keeping such reliance to a minimum. [adjacent] “A medical device should be designed in a layered defence in depth approach and therefore should not rely on security controls in the operating environment.” | MDR Annex I, Section 17.2; MDCG 2019-16 rev.1 §2.3, §3.6 | final |
| EU | EU_MDR | cybersecurity | Include security incident handling support provisions in the integrator's responsibilities, ensuring the operator can respond to and recover from cybersecurity incidents affecting the medical device. “Provide support for patching and security incident handling.” | MDCG 2019-16 rev.1 §2.6.1 | final |
| EU | EU_NIS2 | cybersecurity | Sector-specific Union legal acts (Art. 4) [adjacent] “shall not apply to such entities.” | Article 4, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | National cyber crisis management frameworks (Art. 9) “shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities).” | Article 9, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Computer security incident response teams (CSIRTs) (Art. 10) “shall designate or establish one or more CSIRTs.” | Article 10, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance w (Art. 11) “shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance with a well-defined process.” | Article 11, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Shall comply with the following requirements: (a) the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points (Art. 12) “shall comply with the following requirements: (a) the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times;” | Article 12, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Cooperation at national level (Art. 13) [adjacent] “shall cooperate with each other with regard to the fulfilment of the obligations laid down in this Directive.” | Article 13, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | CSIRTs network (Art. 15) [adjacent] “shall be composed of representatives of the CSIRTs designated or established pursuant to Article 10 and the computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU).” | Article 15, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | European cyber crisis liaison organisation network (EU-CyCLONe) (Art. 16) [adjacent] “shall be composed of the representatives of Member States’ cyber crisis management authorities as well as, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on services and activities falling within the scope of” | Article 16, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Shall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union, and a summar (Art. 19) [adjacent] “shall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the EU Cybersecurity Technical Situation Reports on incidents and cyber” | Article 19, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Governance (Art. 20) [adjacent] “shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with” | Article 20, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropri (Art. 22) “shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.” | Article 22, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Reporting obligations (Art. 23) “shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4 of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 (s” | Article 23, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Use of European cybersecurity certification schemes (Art. 24) [adjacent] “shall encourage essential and important entities to use qualified trust services.” | Article 24, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Registry of entities (Art. 27) [adjacent] “shall create and maintain a registry of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed secur” | Article 27, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Cybersecurity information-sharing arrangements (Art. 29) [adjacent] “shall ensure that entities falling within the scope of this Directive and, where relevant, other entities not falling within the scope of this Directive are able to exchange on a voluntary basis relevant cybersecurity information among themselves, including information relating t” | Article 29, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Voluntary notification of relevant information (Art. 30) [adjacent] “shall ensure that, in addition to the notification obligation provided for in Article 23, notifications can be submitted to the CSIRTs or, where applicable, the competent authorities, on a voluntary basis, by: (a) essential and important entities with regard to incidents, cyber t” | Article 30, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Supervisory and enforcement measures in relation to essential entities (Art. 32) [adjacent] “shall ensure that the supervisory or enforcement measures imposed on essential entities in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.” | Article 32, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Supervisory and enforcement measures in relation to important entities (Art. 33) [adjacent] “shall ensure that the competent authorities take action, where necessary, through ex post supervisory measures.” | Article 33, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Shall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities. (Art. 34) [adjacent] “shall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities.” | Article 34, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Infringements entailing a personal data breach (Art. 35) [adjacent] “shall, without undue delay, inform the supervisory authorities as referred to in Article 55 or 56 of that Regulation.” | Article 35, Directive (EU) 2022/2555 (NIS2) | final |
| EU | EU_NIS2 | cybersecurity | Mutual assistance (Art. 37) [adjacent] “shall cooperate with and assist each other as necessary.” | Article 37, Directive (EU) 2022/2555 (NIS2) | final |
| US | CMS | health it resilience | Eligible hospitals and CAHs must conduct security risk management (in addition to security risk analysis) and attest 'yes' to having done so for the EHR reporting period beginning CY 2026. [adjacent] “modify the Security Risk Analysis measure to require eligible hospitals and CAHs to attest 'yes' to having conducted security risk management in addition to the existing measure requirement to attest 'yes' to having conducted security risk analysis, beginning with the EHR reporti” | 42 CFR 495.4 (as revised); 42 CFR Part 495 (Security Risk Analysis measure, Medicare Promoting Interoperability Program) | final |
| US | CMS | health it resilience | Eligible hospitals and CAHs must complete an annual self-assessment using the eight SAFER Guides (published January 2025) and attest 'yes' to completion, beginning with the EHR reporting period in CY 2026. [adjacent] “modify the SAFER Guides measure by requiring eligible hospitals and CAHs to attest 'yes' to completing an annual self-assessment using the eight SAFER Guides published in January 2025, beginning with the EHR reporting period in CY 2026” | 42 CFR 495.4 (as revised); Medicare Promoting Interoperability Program SAFER Guides measure | final |
| US | CMS | emergency preparedness | Develop and maintain a comprehensive emergency preparedness program using an all-hazards approach that meets all requirements of 42 CFR 482.15. “The hospital must develop and maintain a comprehensive emergency preparedness program that meets the requirements of this section, utilizing an all-hazards approach.” | 42 CFR 482.15 (preamble/root) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan reviewed and updated at least every 2 years, based on documented facility-based and community-based all-hazards risk assessment. “The hospital must develop and maintain an emergency preparedness plan that must be reviewed, and updated at least every 2 years. The plan must...Be based on and include a documented, facility-based and community-based risk assessment, utilizing an all-hazards approach.” | 42 CFR 482.15(a) and (a)(1) | final |
| US | CMS | emergency preparedness | Address continuity of operations in the emergency plan, including delegations of authority and succession plans. “Address patient population, including, but not limited to, persons at-risk; the type of services the hospital has the ability to provide in an emergency; and continuity of operations, including delegations of authority and succession plans.” | 42 CFR 482.15(a)(3) | final |
| US | CMS | emergency preparedness | Include in the emergency plan a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials to maintain integrated response during disasters. “Include a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials' efforts to maintain an integrated response during a disaster or emergency situation.” | 42 CFR 482.15(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and communication plan, reviewed and updated at least every 2 years. “The hospital must develop and implement emergency preparedness policies and procedures, based on the emergency plan...risk assessment...and the communication plan...The policies and procedures must be reviewed and updated at least every 2 years.” | 42 CFR 482.15(b) | final |
| US | CMS | emergency preparedness | Ensure policies and procedures address provision of subsistence needs (food, water, medical/pharmaceutical supplies) and alternate energy sources for patient safety during emergencies. “The provision of subsistence needs for staff and patients, whether they evacuate or shelter in place, include, but are not limited to the following: (i) Food, water, medical, and pharmaceutical supplies. (ii) Alternate sources of energy...” | 42 CFR 482.15(b)(1) | final |
| US | CMS | emergency preparedness | Maintain alternate energy sources to sustain emergency lighting, fire detection/alarm systems, temperature control, and sewage/waste disposal during emergencies. “Alternate sources of energy to maintain the following: (A) Temperatures to protect patient health and safety....(B) Emergency lighting. (C) Fire detection, extinguishing, and alarm systems. (D) Sewage and waste disposal.” | 42 CFR 482.15(b)(1)(ii) | final |
| US | CMS | emergency preparedness | Implement a system to track the location of on-duty staff and sheltered patients during an emergency, and document name and location of receiving facility if relocated. “A system to track the location of on-duty staff and sheltered patients in the hospital's care during an emergency. If on-duty staff and sheltered patients are relocated during the emergency, the hospital must document the specific name and location of the receiving facility.” | 42 CFR 482.15(b)(2) | final |
| US | CMS | emergency preparedness | Establish policies and procedures for safe evacuation including care needs of evacuees, staff responsibilities, transportation, evacuation locations, and primary/alternate external communications. “Safe evacuation from the hospital, which includes consideration of care and treatment needs of evacuees; staff responsibilities; transportation; identification of evacuation location(s); and primary and alternate means of communication with external sources of assistance.” | 42 CFR 482.15(b)(3) | final |
| US | CMS | emergency preparedness | Establish a means to shelter in place for patients, staff, and volunteers who remain in the facility during an emergency. “A means to shelter in place for patients, staff, and volunteers who remain in the facility.” | 42 CFR 482.15(b)(4) | final |
| US | CMS | emergency preparedness | Implement a system of medical documentation that preserves patient information, protects confidentiality, and secures and maintains availability of records during emergencies. “A system of medical documentation that preserves patient information, protects confidentiality of patient information, and secures and maintains the availability of records.” | 42 CFR 482.15(b)(5) | final |
| US | CMS | emergency preparedness | Develop arrangements with other hospitals and providers to receive patients in the event of limitations or cessation of operations to maintain continuity of services. “The development of arrangements with other hospitals and other providers to receive patients in the event of limitations or cessation of operations to maintain the continuity of services to hospital patients.” | 42 CFR 482.15(b)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan complying with Federal, State, and local laws, reviewed and updated at least every 2 years. “The hospital must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least every 2 years.” | 42 CFR 482.15(c) | final |
| US | CMS | emergency preparedness | Include primary and alternate means of communicating with hospital staff and Federal, State, tribal, regional, and local emergency management agencies in the communication plan. “Primary and alternate means for communicating with the following: (i) Hospital's staff. (ii) Federal, State, tribal, regional, and local emergency management agencies.” | 42 CFR 482.15(c)(3) | final |
| US | CMS | emergency preparedness | Include in the communication plan a method for sharing patient information and medical documentation with other health care providers to maintain continuity of care during emergencies. “A method for sharing information and medical documentation for patients under the hospital's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 482.15(c)(4) | final |
| US | CMS | emergency preparedness | Include in the communication plan a means of providing occupancy, needs, and assistance-capability information to the authority having jurisdiction, Incident Command Center, or designee. “A means of providing information about the hospital's occupancy, needs, and its ability to provide assistance, to the authority having jurisdiction, the Incident Command Center, or designee.” | 42 CFR 482.15(c)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training and testing program, reviewed and updated at least every 2 years, covering the emergency plan, risk assessment, P&Ps, and communication plan. “The hospital must develop and maintain an emergency preparedness training and testing program that is based on the emergency plan...risk assessment...policies and procedures...and the communication plan...reviewed and updated at least every 2 years.” | 42 CFR 482.15(d) | final |
| US | CMS | emergency preparedness | Provide initial and at-least-biennial emergency preparedness training to all staff, individuals under arrangement, and volunteers; maintain training documentation and demonstrate staff knowledge. “Initial training in emergency preparedness policies and procedures to all new and existing staff, individuals providing services under arrangement, and volunteers...Provide emergency preparedness training at least every 2 years. Maintain documentation of the training. Demonstrate” | 42 CFR 482.15(d)(1) | final |
| US | CMS | emergency preparedness | Conduct emergency plan exercises at least twice per year, including one annual full-scale community-based (or functional) exercise and one additional exercise (drill, tabletop, or full-scale). “The hospital must conduct exercises to test the emergency plan at least twice per year...Participate in an annual full-scale exercise that is community-based...Conduct an additional annual exercise that may include...a tabletop exercise or workshop...” | 42 CFR 482.15(d)(2) | final |
| US | CMS | emergency preparedness | Analyze the hospital's response to all drills, tabletop exercises, and emergency events; maintain documentation; and revise the emergency plan as needed based on findings. “Analyze the hospital's response to and maintain documentation of all drills, tabletop exercises, and emergency events, and revise the hospital's emergency plan, as needed.” | 42 CFR 482.15(d)(2)(iii) | final |
| US | CMS | emergency preparedness | Implement emergency and standby power systems consistent with the emergency plan and subsistence P&Ps; locate generators per NFPA 99, NFPA 101, and NFPA 110 when constructing or renovating. “The hospital must implement emergency and standby power systems based on the emergency plan...The generator must be located in accordance with the location requirements found in the Health Care Facilities Code (NFPA 99...Life Safety Code (NFPA 101...and NFPA 110, when a new struc” | 42 CFR 482.15(e) and (e)(1) | final |
| US | CMS | emergency preparedness | Implement emergency power system inspection, testing, and maintenance requirements per NFPA 99, NFPA 110, and NFPA 101 (Life Safety Code). “The hospital must implement the emergency power system inspection, testing, and maintenance requirements found in the Health Care Facilities Code, NFPA 110, and Life Safety Code.” | 42 CFR 482.15(e)(2) | final |
| US | CMS | emergency preparedness | Hospitals with onsite fuel for emergency generators must have a plan to keep emergency power systems operational throughout an emergency, unless evacuating. “Hospitals that maintain an onsite fuel source to power emergency generators must have a plan for how it will keep emergency power systems operational during the emergency, unless it evacuates.” | 42 CFR 482.15(e)(3) | final |
| US | CMS | emergency preparedness | Hospitals in integrated healthcare systems with unified emergency programs must ensure each facility actively participated in program development and is capable of actively using the unified program. “Demonstrate that each separately certified facility within the system actively participated in the development of the unified and integrated emergency preparedness program...Demonstrate that each separately certified facility is capable of actively using the unified and integrate” | 42 CFR 482.15(f)(1) and (f)(3) | final |
| US | CMS | emergency preparedness | Transplant hospitals must include a transplant program representative in emergency preparedness program development and maintain mutually agreed protocols with each transplant program and the relevant OPO for emergency duties. [adjacent] “A representative from each transplant program must be included in the development and maintenance of the hospital's emergency preparedness program; and...The hospital must develop and maintain mutually agreed upon protocols that address the duties and responsibilities of the hosp” | 42 CFR 482.15(g) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan reviewed and updated at least every 2 years, based on a documented facility-based and community-based risk assessment using an all-hazards approach. “The HHA must develop and maintain an emergency preparedness plan that must be reviewed, and updated at least every 2 years. The plan must... Be based on and include a documented, facility-based and community-based risk assessment, utilizing an all-hazards approach.” | 42 CFR 484.102(a) | final |
| US | CMS | emergency preparedness | Include in the emergency plan strategies for addressing emergency events identified by the risk assessment and address continuity of operations including delegations of authority and succession plans. “Include strategies for addressing emergency events identified by the risk assessment... continuity of operations, including delegations of authority and succession plans.” | 42 CFR 484.102(a)(2) and (a)(3) | final |
| US | CMS | emergency preparedness | Include in the emergency plan a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials to maintain an integrated response during a disaster. “Include a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials' efforts to maintain an integrated response during a disaster or emergency situation.” | 42 CFR 484.102(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and communication plan, reviewed and updated at least every 2 years. “The HHA must develop and implement emergency preparedness policies and procedures, based on the emergency plan... risk assessment... and the communication plan... The policies and procedures must be reviewed and updated at least every 2 years.” | 42 CFR 484.102(b) | final |
| US | CMS | emergency preparedness | Develop individual emergency plans for each patient as part of the comprehensive patient assessment, addressing patient care during a natural or man-made disaster. “The plans for the HHA's patients during a natural or man-made disaster. Individual plans for each patient must be included as part of the comprehensive patient assessment.” | 42 CFR 484.102(b)(1) | final |
| US | CMS | emergency preparedness | Establish procedures to inform State and local emergency preparedness officials about HHA patients needing evacuation based on medical/psychiatric condition and home environment. “The procedures to inform State and local emergency preparedness officials about HHA patients in need of evacuation from their residences at any time due to an emergency situation based on the patient's medical and psychiatric condition and home environment.” | 42 CFR 484.102(b)(2) | final |
| US | CMS | emergency preparedness | Establish procedures to follow up with on-duty staff and patients to determine services needed during an interruption in services, and inform State and local officials of any staff or patients that cannot be contacted. “The procedures to follow up with on-duty staff and patients to determine services that are needed, in the event that there is an interruption in services... The HHA must inform State and local officials of any on-duty staff or patients that they are unable to contact.” | 42 CFR 484.102(b)(3) | final |
| US | CMS | emergency preparedness | Implement a system of medical documentation that preserves patient information, protects confidentiality, and secures and maintains the availability of records during emergencies. “A system of medical documentation that preserves patient information, protects confidentiality of patient information, and secures and maintains the availability of records.” | 42 CFR 484.102(b)(4) | final |
| US | CMS | emergency preparedness | Establish policies and procedures for the use of volunteers and emergency staffing strategies, including integration of State or Federally designated health care professionals to address surge needs. “The use of volunteers in an emergency or other emergency staffing strategies, including the process and role for integration of State or Federally designated health care professionals to address surge needs during an emergency.” | 42 CFR 484.102(b)(5) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan reviewed and updated at least every 2 years, including staff/entity/patient contact information and alternate communication means. “The HHA must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least every 2 years.” | 42 CFR 484.102(c) | final |
| US | CMS | emergency preparedness | Include in the communication plan primary and alternate means for communicating with HHA staff and Federal, State, tribal, regional, and local emergency management agencies. “Primary and alternate means for communicating with the HHA's staff, Federal, State, tribal, regional, and local emergency management agencies.” | 42 CFR 484.102(c)(3) | final |
| US | CMS | emergency preparedness | Include in the communication plan a method for sharing patient information and medical documentation with other health care providers to maintain continuity of care during emergencies. “A method for sharing information and medical documentation for patients under the HHA's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 484.102(c)(4) | final |
| US | CMS | emergency preparedness | Include in the communication plan a means of providing information about HHA needs and its ability to provide assistance to the authority having jurisdiction, Incident Command Center, or designee. “A means of providing information about the HHA's needs, and its ability to provide assistance, to the authority having jurisdiction, the Incident Command Center, or designee.” | 42 CFR 484.102(c)(6) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training and testing program based on the emergency plan, risk assessment, policies, and communication plan, reviewed and updated at least every 2 years. “The HHA must develop and maintain an emergency preparedness training and testing program that is based on the emergency plan... risk assessment... policies and procedures... and the communication plan... reviewed and updated at least every 2 years.” | 42 CFR 484.102(d) | final |
| US | CMS | emergency preparedness | Provide initial emergency preparedness training to all new and existing staff, individuals providing services under arrangement, and volunteers consistent with their expected roles. “Initial training in emergency preparedness policies and procedures to all new and existing staff, individuals providing services under arrangement, and volunteers, consistent with their expected roles.” | 42 CFR 484.102(d)(1)(i) | final |
| US | CMS | emergency preparedness | Provide emergency preparedness training at least every 2 years to staff, contracted individuals, and volunteers. “Provide emergency preparedness training at least every 2 years.” | 42 CFR 484.102(d)(1)(ii) | final |
| US | CMS | emergency preparedness | Maintain documentation of all emergency preparedness training conducted. “Maintain documentation of the training.” | 42 CFR 484.102(d)(1)(iii) | final |
| US | CMS | emergency preparedness | Demonstrate staff knowledge of emergency procedures. “Demonstrate staff knowledge of emergency procedures.” | 42 CFR 484.102(d)(1)(iv) | final |
| US | CMS | emergency preparedness | Conduct training on updated emergency preparedness policies and procedures whenever they are significantly updated. “If the emergency preparedness policies and procedures are significantly updated, the HHA must conduct training on the updated policies and procedures.” | 42 CFR 484.102(d)(1)(v) | final |
| US | CMS | emergency preparedness | Conduct exercises to test the emergency plan at least annually, including participation in a full-scale community-based exercise or a facility-based functional exercise when community-based is inaccessible. “The HHA must conduct exercises to test the emergency plan at least annually... Participate in a full-scale exercise that is community-based; or... conduct an annual individual, facility-based functional exercise every 2 years.” | 42 CFR 484.102(d)(2)(i) | final |
| US | CMS | emergency preparedness | Conduct an additional exercise every 2 years in the alternate year from the full-scale or functional exercise, which may be a mock disaster drill, tabletop exercise, or second full-scale exercise. “Conduct an additional exercise every 2 years, opposite the year the full-scale or functional exercise... is conducted, that may include... A second full-scale exercise... or A mock disaster drill; or A tabletop exercise or workshop.” | 42 CFR 484.102(d)(2)(ii) | final |
| US | CMS | emergency preparedness | Analyze the HHA's response to all drills, tabletop exercises, and emergency events; maintain documentation; and revise the emergency plan as needed. “Analyze the HHA's response to and maintain documentation of all drills, tabletop exercises, and emergency events, and revise the HHA's emergency plan, as needed.” | 42 CFR 484.102(d)(2)(iii) | final |
| US | CMS | emergency preparedness | If participating in an integrated healthcare system emergency preparedness program, demonstrate that each separately certified facility actively participated in developing the unified program and is capable of actively using it. “Demonstrate that each separately certified facility within the system actively participated in the development of the unified and integrated emergency preparedness program... Demonstrate that each separately certified facility is capable of actively using the unified and integrat” | 42 CFR 484.102(e)(1) and (e)(3) | final |
| US | CMS | emergency preparedness | If using an integrated healthcare system program, ensure it includes both a documented community-based risk assessment and a documented individual facility-based risk assessment for each separately certified facility, using an all-hazards approach. “A documented community-based risk assessment, utilizing an all-hazards approach. (ii) A documented individual facility-based risk assessment for each separately certified facility within the health system, utilizing an all-hazards approach.” | 42 CFR 484.102(e)(4)(i) and (e)(4)(ii) | final |
| US | CMS | emergency preparedness | If using an integrated healthcare system program, ensure it includes integrated policies and procedures, a coordinated communication plan, and training and testing programs meeting all requirements of 42 CFR 484.102(b), (c), and (d). “Include integrated policies and procedures that meet the requirements set forth in paragraph (b) of this section, a coordinated communication plan and training and testing programs that meet the requirements of paragraphs (c) and (d) of this section, respectively.” | 42 CFR 484.102(e)(5) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan, reviewed and updated at least every 2 years, based on an all-hazards facility- and community-based risk assessment. “The ASC must develop and maintain an emergency preparedness plan that must be reviewed, and updated at least every 2 years.” | 42 CFR 416.54(a) | final |
| US | CMS | emergency preparedness | Base the emergency plan on a documented facility-based and community-based risk assessment using an all-hazards approach. “Be based on and include a documented, facility-based and community-based risk assessment, utilizing an all-hazards approach.” | 42 CFR 416.54(a)(1) | final |
| US | CMS | emergency preparedness | Include in the emergency plan strategies for addressing emergency events identified by the risk assessment. “Include strategies for addressing emergency events identified by the risk assessment.” | 42 CFR 416.54(a)(2) | final |
| US | CMS | emergency preparedness | Address continuity of operations in the emergency plan, including delegations of authority and succession plans, accounting for the patient population and services available during an emergency. “Address patient population, including, but not limited to, the type of services the ASC has the ability to provide in an emergency; and continuity of operations, including delegations of authority and succession plans.” | 42 CFR 416.54(a)(3) | final |
| US | CMS | emergency preparedness | Include in the emergency plan a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials to maintain integrated response during a disaster. “Include a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials' efforts to maintain an integrated response during a disaster or emergency situation.” | 42 CFR 416.54(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and communication plan, reviewed and updated at least every 2 years. “The ASC must develop and implement emergency preparedness policies and procedures, based on the emergency plan...The policies and procedures must be reviewed and updated at least every 2 years.” | 42 CFR 416.54(b) | final |
| US | CMS | emergency preparedness | Maintain a system to track the location of on-duty staff and sheltered patients during an emergency, documenting names and locations of receiving facilities if relocated. “A system to track the location of on-duty staff and sheltered patients in the ASC's care during an emergency. If on-duty staff or sheltered patients are relocated during the emergency, the ASC must document the specific name and location of the receiving facility.” | 42 CFR 416.54(b)(1) | final |
| US | CMS | emergency preparedness | Establish policies for safe evacuation of the ASC, covering care needs of evacuees, staff responsibilities, transportation, evacuation locations, and primary/alternate external communications. “Safe evacuation from the ASC, which includes the following: (i) Consideration of care and treatment needs of evacuees. (ii) Staff responsibilities. (iii) Transportation. (iv) Identification of evacuation location(s). (v) Primary and alternate means of communication with external ” | 42 CFR 416.54(b)(2) | final |
| US | CMS | emergency preparedness | Provide a means to shelter in place for patients, staff, and volunteers who remain in the ASC during an emergency. “A means to shelter in place for patients, staff, and volunteers who remain in the ASC.” | 42 CFR 416.54(b)(3) | final |
| US | CMS | emergency preparedness | Maintain a system of medical documentation that preserves patient information, protects its confidentiality, and secures and maintains availability of records during an emergency. “A system of medical documentation that does the following: (i) Preserves patient information. (ii) Protects confidentiality of patient information. (iii) Secures and maintains the availability of records.” | 42 CFR 416.54(b)(4) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan compliant with Federal, State, and local laws, reviewed and updated at least every 2 years. “The ASC must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least every 2 years.” | 42 CFR 416.54(c) | final |
| US | CMS | emergency preparedness | Include in the communication plan primary and alternate means of communicating with ASC staff and Federal, State, tribal, regional, and local emergency management agencies. “Primary and alternate means for communicating with the following: (i) ASC's staff. (ii) Federal, State, tribal, regional, and local emergency management agencies.” | 42 CFR 416.54(c)(3) | final |
| US | CMS | emergency preparedness | Include in the communication plan a method for sharing patient information and medical documentation with other health care providers to maintain continuity of care during an emergency. “A method for sharing information and medical documentation for patients under the ASC's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 416.54(c)(4) | final |
| US | CMS | emergency preparedness | Include in the communication plan a means to provide information about the ASC's needs and its ability to provide assistance to the authority having jurisdiction or Incident Command Center. “A means of providing information about the ASC's needs, and its ability to provide assistance, to the authority having jurisdiction, the Incident Command Center, or designee.” | 42 CFR 416.54(c)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training and testing program based on the emergency plan, risk assessment, policies/procedures, and communication plan, reviewed and updated at least every 2 years. “The ASC must develop and maintain an emergency preparedness training and testing program...The training and testing program must be reviewed and updated at least every 2 years.” | 42 CFR 416.54(d) | final |
| US | CMS | emergency preparedness | Provide initial emergency preparedness training to all new and existing staff, on-site contractors, and volunteers consistent with their expected roles, and repeat training at least every 2 years. “Initial training in emergency preparedness policies and procedures to all new and existing staff, individuals providing on-site services under arrangement, and volunteers...Provide emergency preparedness training at least every 2 years.” | 42 CFR 416.54(d)(1)(i)-(ii) | final |
| US | CMS | emergency preparedness | Maintain documentation of all emergency preparedness training and demonstrate staff knowledge of emergency procedures. “Maintain documentation of all emergency preparedness training. (iv) Demonstrate staff knowledge of emergency procedures.” | 42 CFR 416.54(d)(1)(iii)-(iv) | final |
| US | CMS | emergency preparedness | Conduct additional training on updated emergency preparedness policies and procedures whenever they are significantly updated. “If the emergency preparedness policies and procedures are significantly updated, the ASC must conduct training on the updated policies and procedures.” | 42 CFR 416.54(d)(1)(v) | final |
| US | CMS | emergency preparedness | Conduct exercises to test the emergency plan at least annually, including a full-scale community-based or facility-based functional exercise at least every 2 years. “The ASC must conduct exercises to test the emergency plan at least annually...Participate in a full-scale exercise that is community-based every 2 years; or...conduct a facility-based functional exercise every 2 years.” | 42 CFR 416.54(d)(2)(i) | final |
| US | CMS | emergency preparedness | Conduct an additional exercise at least every 2 years in the alternate year to the full-scale/functional exercise, which may be a mock disaster drill, tabletop exercise, or second full-scale exercise. “Conduct an additional exercise at least every 2 years, opposite the year the full-scale or functional exercise...is conducted, that may include...A mock disaster drill; or...A tabletop exercise or workshop.” | 42 CFR 416.54(d)(2)(ii) | final |
| US | CMS | emergency preparedness | Analyze the ASC's response to all drills, tabletop exercises, and emergency events; maintain documentation; and revise the emergency plan as needed based on findings. “Analyze the ASC's response to and maintain documentation of all drills, tabletop exercises, and emergency events and revise the ASC's emergency plan, as needed.” | 42 CFR 416.54(d)(2)(iii) | final |
| US | CMS | emergency preparedness | If part of an integrated healthcare system, ensure the unified emergency preparedness program is developed with active participation of each separately certified facility and reflects each facility's unique circumstances and patient populations. “Demonstrate that each separately certified facility within the system actively participated in the development of the unified and integrated emergency preparedness program. (2) Be developed and maintained in a manner that takes into account each separately certified facility's un” | 42 CFR 416.54(e)(1)-(2) | final |
| US | CMS | emergency preparedness | If participating in an integrated healthcare system program, demonstrate that the ASC is capable of actively using the unified and integrated emergency preparedness program and is in compliance. “Demonstrate that each separately certified facility is capable of actively using the unified and integrated emergency preparedness program and is in compliance.” | 42 CFR 416.54(e)(3) | final |
| US | CMS | emergency preparedness | Unified integrated system emergency plan must include both a documented community-based risk assessment and a documented individual facility-based risk assessment for each separately certified facility, using an all-hazards approach. “A documented community-based risk assessment, utilizing an all-hazards approach. (ii) A documented individual facility-based risk assessment for each separately certified facility within the health system, utilizing an all-hazards approach.” | 42 CFR 416.54(e)(4)(i)-(ii) | final |
| US | CMS | emergency preparedness | Unified integrated system program must include integrated policies and procedures, a coordinated communication plan, and training and testing programs meeting all requirements of 416.54(b), (c), and (d). “Include integrated policies and procedures that meet the requirements set forth in paragraph (b) of this section, a coordinated communication plan and training and testing programs that meet the requirements of paragraphs (c) and (d) of this section, respectively.” | 42 CFR 416.54(e)(5) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan, reviewed and updated at least annually, based on an all-hazards facility- and community-based risk assessment including missing residents. “The LTC facility must develop and maintain an emergency preparedness plan that must be reviewed, and updated at least annually.” | 42 CFR 483.73(a) | final |
| US | CMS | emergency preparedness | Address continuity of operations in the emergency plan, including delegations of authority and succession plans. “continuity of operations, including delegations of authority and succession plans.” | 42 CFR 483.73(a)(3) | final |
| US | CMS | emergency preparedness | Establish a process for cooperation and collaboration with local, tribal, regional, State, or Federal emergency preparedness officials to maintain an integrated disaster response. “Include a process for cooperation and collaboration with local, tribal, regional, State, or Federal emergency preparedness officials' efforts to maintain an integrated response during a disaster or emergency situation.” | 42 CFR 483.73(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and communication plan; review and update at least annually. “The LTC facility must develop and implement emergency preparedness policies and procedures...The policies and procedures must be reviewed and updated at least annually.” | 42 CFR 483.73(b) | final |
| US | CMS | emergency preparedness | Establish policies ensuring provision of subsistence needs (food, water, medical/pharmaceutical supplies) and alternate energy sources for residents and staff during emergencies. “The provision of subsistence needs for staff and residents, whether they evacuate or shelter in place, include, but are not limited to...Food, water, medical, and pharmaceutical supplies. Alternate sources of energy...” | 42 CFR 483.73(b)(1) | final |
| US | CMS | emergency preparedness | Maintain alternate energy sources to sustain safe temperatures, emergency lighting, fire detection/alarm systems, and sewage/waste disposal during emergencies. “Alternate sources of energy to maintain— Temperatures to protect resident health and safety...Emergency lighting; Fire detection, extinguishing, and alarm systems; and Sewage and waste disposal.” | 42 CFR 483.73(b)(1)(ii) | final |
| US | CMS | emergency preparedness | Implement a system to track the location of on-duty staff and sheltered residents during and after an emergency, documenting receiving facility name and location if relocated. “A system to track the location of on-duty staff and sheltered residents in the LTC facility's care during and after an emergency...document the specific name and location of the receiving facility or other location.” | 42 CFR 483.73(b)(2) | final |
| US | CMS | emergency preparedness | Establish policies for safe evacuation including care/treatment needs of evacuees, staff responsibilities, transportation, evacuation locations, and primary/alternate communications with external assistance. “Safe evacuation from the LTC facility, which includes consideration of care and treatment needs of evacuees; staff responsibilities; transportation; identification of evacuation location(s); and primary and alternate means of communication.” | 42 CFR 483.73(b)(3) | final |
| US | CMS | emergency preparedness | Establish policies enabling residents, staff, and volunteers to shelter in place within the facility during emergencies. “A means to shelter in place for residents, staff, and volunteers who remain in the LTC facility.” | 42 CFR 483.73(b)(4) | final |
| US | CMS | emergency preparedness | Implement a medical documentation system that preserves, protects confidentiality of, and maintains availability of resident records during emergencies. “A system of medical documentation that preserves resident information, protects confidentiality of resident information, and secures and maintains the availability of records.” | 42 CFR 483.73(b)(5) | final |
| US | CMS | emergency preparedness | Develop arrangements with other LTC facilities and providers to receive residents in the event of limitations or cessation of operations to maintain continuity of services. “The development of arrangements with other LTC facilities and other providers to receive residents in the event of limitations or cessation of operations to maintain the continuity of services to LTC residents.” | 42 CFR 483.73(b)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan complying with Federal, State, and local laws, reviewed and updated at least annually. “The LTC facility must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least annually.” | 42 CFR 483.73(c) | final |
| US | CMS | emergency preparedness | Maintain contact information for staff, contracted service entities, residents' physicians, other LTC facilities, volunteers, and emergency management agencies in the communication plan. “Names and contact information for the following: Staff. Entities providing services under arrangement. Residents' physicians. Other LTC facilities. Volunteers. Contact information for...Federal, State, tribal, regional, or local emergency preparedness staff.” | 42 CFR 483.73(c)(1) and (c)(2) | final |
| US | CMS | emergency preparedness | Establish primary and alternate means of communicating with staff and Federal, State, tribal, regional, or local emergency management agencies. “Primary and alternate means for communicating with the following: LTC facility's staff. Federal, State, tribal, regional, or local emergency management agencies.” | 42 CFR 483.73(c)(3) | final |
| US | CMS | emergency preparedness | Establish a method for sharing resident information and medical documentation with other health care providers to maintain continuity of care during emergencies. “A method for sharing information and medical documentation for residents under the LTC facility's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 483.73(c)(4) | final |
| US | CMS | emergency preparedness | Establish a means to provide information about the facility's occupancy, needs, and ability to provide assistance to the authority having jurisdiction or Incident Command Center. “A means of providing information about the LTC facility's occupancy, needs, and its ability to provide assistance, to the authority having jurisdiction or the Incident Command Center, or designee.” | 42 CFR 483.73(c)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training and testing program based on the plan, risk assessment, P&Ps, and communication plan; review and update at least annually. “The LTC facility must develop and maintain an emergency preparedness training and testing program...The training and testing program must be reviewed and updated at least annually.” | 42 CFR 483.73(d) | final |
| US | CMS | emergency preparedness | Provide initial emergency preparedness training to all new and existing staff, contracted individuals, and volunteers consistent with their roles, and annual refresher training thereafter. [adjacent] “Initial training in emergency preparedness policies and procedures to all new and existing staff, individuals providing services under arrangement, and volunteers...Provide emergency preparedness training at least annually.” | 42 CFR 483.73(d)(1)(i) and (d)(1)(ii) | final |
| US | CMS | emergency preparedness | Maintain documentation of all emergency preparedness training and demonstrate staff knowledge of emergency procedures. “Maintain documentation of the training. Demonstrate staff knowledge of emergency procedures.” | 42 CFR 483.73(d)(1)(iii) and (d)(1)(iv) | final |
| US | CMS | emergency preparedness | Conduct emergency plan exercises at least twice per year, including unannounced staff drills, and an annual full-scale community-based or facility-based functional exercise. “The LTC facility must conduct exercises to test the emergency plan at least twice per year, including unannounced staff drills using the emergency procedures.” | 42 CFR 483.73(d)(2) | final |
| US | CMS | emergency preparedness | Analyze and document the facility's response to all drills, tabletop exercises, and emergency events, and revise the emergency plan as needed based on findings. “Analyze the LTC facility's response to and maintain documentation of all drills, tabletop exercises, and emergency events, and revise the LTC facility's emergency plan, as needed.” | 42 CFR 483.73(d)(2)(iii) | final |
| US | CMS | emergency preparedness | Implement emergency and standby power systems based on the emergency plan, with generator location compliant with NFPA 99, NFPA 101, and NFPA 110 for new or renovated structures. “The generator must be located in accordance with the location requirements found in the Health Care Facilities Code (NFPA 99...Life Safety Code (NFPA 101...and NFPA 110, when a new structure is built or when an existing structure or building is renovated.” | 42 CFR 483.73(e)(1) | final |
| US | CMS | emergency preparedness | Implement emergency power system inspection, testing, and maintenance requirements per NFPA 99 (Health Care Facilities Code), NFPA 110, and NFPA 101 (Life Safety Code). “The LTC facility must implement the emergency power system inspection, testing, and maintenance requirements found in the Health Care Facilities Code, NFPA 110, and Life Safety Code.” | 42 CFR 483.73(e)(2) | final |
| US | CMS | emergency preparedness | LTC facilities with onsite emergency generator fuel must maintain a plan for keeping emergency power systems operational throughout an emergency unless evacuating. “LTC facilities that maintain an onsite fuel source to power emergency generators must have a plan for how it will keep emergency power systems operational during the emergency, unless it evacuates.” | 42 CFR 483.73(e)(3) | final |
| US | CMS | emergency preparedness | If participating in an integrated healthcare system emergency preparedness program, ensure each separately certified facility actively participated in program development, can actively use the unified program, and has individual facility-based risk assessments. “Demonstrate that each separately certified facility within the system actively participated in the development of the unified and integrated emergency preparedness program...each separately certified facility is capable of actively using the unified and integrated emergency prepa” | 42 CFR 483.73(f) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan evaluated and updated at least every 2 years, based on a documented all-hazards facility-based and community-based risk assessment. “The dialysis facility must develop and maintain an emergency preparedness plan that must be evaluated and updated at least every 2 years.” | 42 CFR 494.62(a) | final |
| US | CMS | emergency preparedness | Include in the emergency plan a documented facility-based and community-based risk assessment using an all-hazards approach. “Be based on and include a documented, facility-based and community-based risk assessment, utilizing an all-hazards approach.” | 42 CFR 494.62(a)(1) | final |
| US | CMS | emergency preparedness | Include strategies in the emergency plan for addressing emergency events identified by the risk assessment. “Include strategies for addressing emergency events identified by the risk assessment.” | 42 CFR 494.62(a)(2) | final |
| US | CMS | emergency preparedness | Address continuity of operations, including delegations of authority and succession plans, in the emergency plan. “continuity of operations, including delegations of authority and succession plans.” | 42 CFR 494.62(a)(3) | final |
| US | CMS | emergency preparedness | Include a process for cooperation with local, tribal, regional, State, and Federal emergency preparedness officials and contact the local emergency preparedness agency at least annually. “The dialysis facility must contact the local emergency preparedness agency at least annually to confirm that the agency is aware of the dialysis facility's needs in the event of an emergency.” | 42 CFR 494.62(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures, reviewed and updated at least every 2 years, covering fire, equipment/power failures, care emergencies, water supply interruption, and natural disasters. “The dialysis facility must develop and implement emergency preparedness policies and procedures...The policies and procedures must be reviewed and updated at least every 2 years.” | 42 CFR 494.62(b) | final |
| US | CMS | emergency preparedness | Implement a system to track the location of on-duty staff and sheltered patients during and after an emergency, and document the name/location of any receiving facility when patients are relocated. “A system to track the location of on-duty staff and sheltered patients in the dialysis facility's care during and after an emergency...the dialysis facility must document the specific name and location of the receiving facility.” | 42 CFR 494.62(b)(1) | final |
| US | CMS | emergency preparedness | Establish policies and procedures for safe evacuation from the facility, including staff responsibilities and patient needs. “Safe evacuation from the dialysis facility, which includes staff responsibilities, and needs of the patients.” | 42 CFR 494.62(b)(2) | final |
| US | CMS | emergency preparedness | Establish a means to shelter in place for patients, staff, and volunteers who remain in the facility during an emergency. “A means to shelter in place for patients, staff, and volunteers who remain in the facility.” | 42 CFR 494.62(b)(3) | final |
| US | CMS | emergency preparedness | Implement a system of medical documentation that preserves patient information, protects confidentiality, and secures and maintains availability of records during emergencies. “A system of medical documentation that preserves patient information, protects confidentiality of patient information, and secures and maintains the availability of records.” | 42 CFR 494.62(b)(4) | final |
| US | CMS | emergency preparedness | Develop arrangements with other dialysis facilities or providers to receive patients if operations are limited or cease, to maintain continuity of dialysis services. “The development of arrangements with other dialysis facilities or other providers to receive patients in the event of limitations or cessation of operations to maintain the continuity of services to dialysis facility patients.” | 42 CFR 494.62(b)(6) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan complying with Federal, State, and local laws, reviewed and updated at least every 2 years. “The dialysis facility must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least every 2 years.” | 42 CFR 494.62(c) | final |
| US | CMS | emergency preparedness | Maintain current contact information in the communication plan for staff, arranging entities, patients' physicians, other dialysis facilities, volunteers, and emergency preparedness officials. “Names and contact information for the following: Staff...Entities providing services under arrangement...Patients' physicians...Other dialysis facilities...Volunteers.” | 42 CFR 494.62(c)(1) and (c)(2) | final |
| US | CMS | emergency preparedness | Establish primary and alternate means of communicating with facility staff and Federal, State, tribal, regional, or local emergency management agencies during emergencies. “Primary and alternate means for communicating with the following: Dialysis facility's staff...Federal, State, tribal, regional, or local emergency management agencies.” | 42 CFR 494.62(c)(3) | final |
| US | CMS | emergency preparedness | Include in the communication plan a method for sharing patient medical documentation with other healthcare providers to maintain continuity of care during emergencies. “A method for sharing information and medical documentation for patients under the dialysis facility's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 494.62(c)(4) | final |
| US | CMS | emergency preparedness | Include in the communication plan a means to provide information about the facility's needs and ability to provide assistance to the authority having jurisdiction or Incident Command Center. “A means of providing information about the dialysis facility's needs, and its ability to provide assistance, to the authority having jurisdiction or the Incident Command Center, or designee.” | 42 CFR 494.62(c)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training, testing, and patient orientation program, evaluated and updated at least every 2 years. “The dialysis facility must develop and maintain an emergency preparedness training, testing and patient orientation program...evaluated and updated at least every 2 years.” | 42 CFR 494.62(d) | final |
| US | CMS | emergency preparedness | Provide initial emergency preparedness training to all new and existing staff, individuals under arrangement, and volunteers; provide refresher training at least every 2 years; and conduct training when policies are significantly updated. “Provide initial training in emergency preparedness policies and procedures to all new and existing staff...Provide emergency preparedness training at least every 2 years...the dialysis facility must conduct training on the updated policies and procedures.” | 42 CFR 494.62(d)(1)(i), (ii), (vii) | final |
| US | CMS | emergency preparedness | Demonstrate staff knowledge of emergency procedures, including informing patients of what to do, where to go (including evacuation instructions), whom to contact (including alternate emergency phone number), and how to disconnect from dialysis machines. “Demonstrate staff knowledge of emergency procedures, including informing patients of what to do; where to go...whom to contact if an emergency occurs...How to disconnect themselves from the dialysis machine if an emergency occurs.” | 42 CFR 494.62(d)(1)(iii) | final |
| US | CMS | emergency preparedness | Conduct emergency plan exercises at least annually, including a full-scale community-based or facility-based functional exercise at least every 2 years, with exemption if an actual emergency activating the plan occurs. “The dialysis facility must conduct exercises to test the emergency plan at least annually...Participate in a full-scale exercise that is community-based every 2 years.” | 42 CFR 494.62(d)(2)(i) | final |
| US | CMS | emergency preparedness | Conduct an additional exercise every 2 years (opposite year from the full-scale exercise), which may be a full-scale drill, mock disaster drill, or tabletop exercise. “Conduct an additional exercise every 2 years, opposite the year the full-scale or functional exercise...is conducted, that may include...a tabletop exercise or workshop that is led by a facilitator.” | 42 CFR 494.62(d)(2)(ii) | final |
| US | CMS | emergency preparedness | Analyze the facility's response to all drills, tabletop exercises, and emergency events; maintain documentation; and revise the emergency plan as needed. “Analyze the dialysis facility's response to and maintain documentation of all drills, tabletop exercises, and emergency events, and revise the dialysis facility's emergency plan, as needed.” | 42 CFR 494.62(d)(2)(iii) | final |
| US | CMS | emergency preparedness | Provide appropriate emergency preparedness orientation and training to patients, including emergency procedures, evacuation locations, contact information, and how to disconnect from dialysis machines. “The facility must provide appropriate orientation and training to patients, including the areas specified in paragraph (d)(1) of this section.” | 42 CFR 494.62(d)(3) | final |
| US | CMS | emergency preparedness | Develop and maintain a comprehensive emergency preparedness program utilizing an all-hazards approach. “The CAH must develop and maintain a comprehensive emergency preparedness program, utilizing an all-hazards approach.” | 42 CFR 485.625 | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness plan reviewed and updated at least every 2 years. “The CAH must develop and maintain an emergency preparedness plan that must be reviewed and updated at least every 2 years.” | 42 CFR 485.625(a) | final |
| US | CMS | emergency preparedness | Base the emergency plan on a documented facility-based and community-based risk assessment using an all-hazards approach. “Be based on and include a documented, facility-based and community-based risk assessment, utilizing an all-hazards approach.” | 42 CFR 485.625(a)(1) | final |
| US | CMS | emergency preparedness | Include in the emergency plan strategies for addressing emergency events identified by the risk assessment. “Include strategies for addressing emergency events identified by the risk assessment.” | 42 CFR 485.625(a)(2) | final |
| US | CMS | emergency preparedness | Address patient population (including at-risk persons), service capability during emergencies, and continuity of operations including delegations of authority and succession plans. “Address patient population, including, but not limited to, persons at-risk; the type of services the CAH has the ability to provide in an emergency; and continuity of operations, including delegations of authority and succession plans.” | 42 CFR 485.625(a)(3) | final |
| US | CMS | emergency preparedness | Include in the emergency plan a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials to maintain an integrated disaster response. “Include a process for cooperation and collaboration with local, tribal, regional, State, and Federal emergency preparedness officials' efforts to maintain an integrated response during a disaster or emergency situation.” | 42 CFR 485.625(a)(4) | final |
| US | CMS | emergency preparedness | Develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and communication plan; review and update at least every 2 years. “The CAH must develop and implement emergency preparedness policies and procedures, based on the emergency plan...The policies and procedures must be reviewed and updated at least every 2 years.” | 42 CFR 485.625(b) | final |
| US | CMS | emergency preparedness | Establish policies and procedures for provision of subsistence needs (food, water, medical/pharmaceutical supplies, alternate energy, lighting, fire systems, sewage) for staff and patients during evacuation or shelter-in-place. “The provision of subsistence needs for staff and patients, whether they evacuate or shelter in place, include, but are not limited to—(i) Food, water, medical, and pharmaceutical supplies; (ii) Alternate sources of energy...” | 42 CFR 485.625(b)(1) | final |
| US | CMS | emergency preparedness | Implement a system to track the location of on-duty staff and sheltered patients during an emergency, and document names and locations of receiving facilities if staff or patients are relocated. “A system to track the location of on-duty staff and sheltered patients in the CAH's care during an emergency. If on-duty staff and sheltered patients are relocated during the emergency, the CAH must document the specific name and location of the receiving facility.” | 42 CFR 485.625(b)(2) | final |
| US | CMS | emergency preparedness | Establish policies and procedures for safe evacuation, including care and treatment needs of evacuees, staff responsibilities, transportation, evacuation locations, and primary and alternate communication with external assistance. “Safe evacuation from the CAH, which includes consideration of care and treatment needs of evacuees; staff responsibilities; transportation; identification of evacuation location(s); and primary and alternate means of communication with external sources of assistance.” | 42 CFR 485.625(b)(3) | final |
| US | CMS | emergency preparedness | Establish a means to shelter in place for patients, staff, and volunteers who remain in the facility during an emergency. “A means to shelter in place for patients, staff, and volunteers who remain in the facility.” | 42 CFR 485.625(b)(4) | final |
| US | CMS | emergency preparedness | Establish a system of medical documentation that preserves patient information, protects confidentiality, and secures and maintains the availability of records during emergencies. “A system of medical documentation that preserves patient information, protects confidentiality of patient information, and secures and maintains the availability of records.” | 42 CFR 485.625(b)(5) | final |
| US | CMS | emergency preparedness | Develop arrangements with other CAHs or providers to receive patients in the event of limitations or cessation of operations to maintain continuity of services. “The development of arrangements with other CAHs or other providers to receive patients in the event of limitations or cessation of operations to maintain the continuity of services to CAH patients.” | 42 CFR 485.625(b)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness communication plan compliant with Federal, State, and local laws, reviewed and updated at least every 2 years. “The CAH must develop and maintain an emergency preparedness communication plan that complies with Federal, State, and local laws and must be reviewed and updated at least every 2 years.” | 42 CFR 485.625(c) | final |
| US | CMS | emergency preparedness | Include in the communication plan names and contact information for staff, entities providing services under arrangement, patients' physicians, other CAHs and hospitals, and volunteers. “Names and contact information for the following: (i) Staff. (ii) Entities providing services under arrangement. (iii) Patients' physicians. (iv) Other CAHs and hospitals. (v) Volunteers.” | 42 CFR 485.625(c)(1) | final |
| US | CMS | emergency preparedness | Include in the communication plan contact information for Federal, State, tribal, regional, and local emergency preparedness staff and other sources of assistance. “Contact information for the following: (i) Federal, State, tribal, regional, and local emergency preparedness staff. (ii) Other sources of assistance.” | 42 CFR 485.625(c)(2) | final |
| US | CMS | emergency preparedness | Establish primary and alternate means of communicating with CAH staff and Federal, State, tribal, regional, and local emergency management agencies. “Primary and alternate means for communicating with the following: (i) CAH's staff. (ii) Federal, State, tribal, regional, and local emergency management agencies.” | 42 CFR 485.625(c)(3) | final |
| US | CMS | emergency preparedness | Include a method for sharing patient information and medical documentation with other health care providers to maintain continuity of care during emergencies. “A method for sharing information and medical documentation for patients under the CAH's care, as necessary, with other health care providers to maintain the continuity of care.” | 42 CFR 485.625(c)(4) | final |
| US | CMS | emergency preparedness | Include in the communication plan a means to provide information about the CAH's occupancy, needs, and ability to provide assistance to the authority having jurisdiction, Incident Command Center, or designee. “A means of providing information about the CAH's occupancy, needs, and its ability to provide assistance, to the authority having jurisdiction or the Incident Command Center, or designee.” | 42 CFR 485.625(c)(7) | final |
| US | CMS | emergency preparedness | Develop and maintain an emergency preparedness training and testing program based on the emergency plan, risk assessment, policies/procedures, and communication plan; review and update at least every 2 years. “The CAH must develop and maintain an emergency preparedness training and testing program that is based on the emergency plan...The training and testing program must be reviewed and updated at least every 2 years.” | 42 CFR 485.625(d) | final |
| US | CMS | emergency preparedness | Provide initial emergency preparedness training to all new and existing staff, individuals under arrangement, and volunteers consistent with their expected roles. [adjacent] “Initial training in emergency preparedness policies and procedures, including prompt reporting and extinguishing of fires, protection, and where necessary, evacuation of patients, personnel, and guests...to all new and existing staff, individuals providing services under arrangem” | 42 CFR 485.625(d)(1)(i) | final |
| US | CMS | emergency preparedness | Provide emergency preparedness training to all applicable personnel at least every 2 years. “Provide emergency preparedness training at least every 2 years.” | 42 CFR 485.625(d)(1)(ii) | final |
| US | CMS | emergency preparedness | Maintain documentation of all emergency preparedness training. “Maintain documentation of the training.” | 42 CFR 485.625(d)(1)(iii) | final |
| US | CMS | emergency preparedness | Demonstrate staff knowledge of emergency procedures. “Demonstrate staff knowledge of emergency procedures.” | 42 CFR 485.625(d)(1)(iv) | final |
| US | CMS | emergency preparedness | Conduct training on updated emergency preparedness policies and procedures when they are significantly revised. “If the emergency preparedness policies and procedures are significantly updated, the CAH must conduct training on the updated policies and procedures.” | 42 CFR 485.625(d)(1)(v) | final |
| US | CMS | emergency preparedness | Conduct exercises to test the emergency plan at least twice per year, including one annual full-scale community-based (or facility-based functional) exercise and one additional exercise. “The CAH must conduct exercises to test the emergency plan at least twice per year.” | 42 CFR 485.625(d)(2) | final |
| US | CMS | emergency preparedness | Participate in an annual full-scale community-based exercise or, when unavailable, conduct an annual individual facility-based functional exercise. “Participate in an annual full-scale exercise that is community-based; or (A) When a community-based exercise is not accessible, conduct an annual individual, facility-based functional exercise.” | 42 CFR 485.625(d)(2)(i) | final |
| US | CMS | emergency preparedness | Conduct an annual additional exercise (full-scale, functional, mock disaster drill, or tabletop exercise). “Conduct an annual additional exercise, that may include, but is not limited to the following: (A) A second full-scale exercise...or (B) A mock disaster drill; or (C) A tabletop exercise or workshop...” | 42 CFR 485.625(d)(2)(ii) | final |
| US | CMS | emergency preparedness | Analyze and document the CAH's response to all drills, tabletop exercises, and actual emergency events, and revise the emergency plan as needed. “Analyze the CAH's response to and maintain documentation of all drills, tabletop exercises, and emergency events, and revise the CAH's emergency plan, as needed.” | 42 CFR 485.625(d)(2)(iii) | final |
| US | CMS | emergency preparedness | Implement emergency and standby power systems based on the emergency plan. “The CAH must implement emergency and standby power systems based on the emergency plan set forth in paragraph (a) of this section.” | 42 CFR 485.625(e) | final |
| US | CMS | emergency preparedness | Locate emergency generators in accordance with NFPA 99, NFPA 101, and NFPA 110 requirements when constructing new structures or renovating existing ones. [adjacent] “The generator must be located in accordance with the location requirements found in the Health Care Facilities Code (NFPA 99...Life Safety Code (NFPA 101...) and NFPA 110, when a new structure is built or when an existing structure or building is renovated.” | 42 CFR 485.625(e)(1) | final |
| US | CMS | emergency preparedness | Implement emergency power system inspection and testing requirements per NFPA 99, NFPA 110, and NFPA 101. “The CAH must implement emergency power system inspection and testing requirements found in the Health Care Facilities Code, NFPA 110, and the Life Safety Code.” | 42 CFR 485.625(e)(2) | final |
| US | CMS | emergency preparedness | Maintain a plan for keeping emergency power systems operational during an emergency when an onsite fuel source is used, unless the facility evacuates. “CAHs that maintain an onsite fuel source to power emergency generators must have a plan for how it will keep emergency power systems operational during the emergency, unless it evacuates.” | 42 CFR 485.625(e)(3) | final |
| US | CMS | emergency preparedness | For integrated healthcare systems, demonstrate that each separately certified facility within the system actively participated in developing the unified emergency preparedness program. “Demonstrate that each separately certified facility within the system actively participated in the development of the unified and integrated emergency preparedness program.” | 42 CFR 485.625(f)(1) | final |
| US | CMS | emergency preparedness | For integrated healthcare systems, develop and maintain the unified program accounting for each facility's unique circumstances, patient populations, and services offered. “Be developed and maintained in a manner that takes into account each separately certified facility's unique circumstances, patient populations, and services offered.” | 42 CFR 485.625(f)(2) | final |
| US | CMS | emergency preparedness | For integrated healthcare systems, demonstrate that each separately certified facility is capable of actively using the unified emergency preparedness program and is in compliance. “Demonstrate that each separately certified facility is capable of actively using the unified and integrated emergency preparedness program and is in compliance with the program.” | 42 CFR 485.625(f)(3) | final |
| US | CMS | emergency preparedness | For integrated healthcare systems, include in the unified plan a documented community-based risk assessment and individual facility-based risk assessments for each separately certified facility, all utilizing an all-hazards approach. “The unified and integrated emergency plan must also be based on and include—(i) A documented community-based risk assessment, utilizing an all-hazards approach. (ii) A documented individual facility-based risk assessment for each separately certified facility within the health sy” | 42 CFR 485.625(f)(4) | final |
| US | FDA | supply chain resilience | Manufacturer must quarantine suspect product and promptly investigate to determine if it is illegitimate, coordinating with trading partners. [adjacent] “a manufacturer shall— (I) quarantine such product within the possession or control of the manufacturer from product intended for distribution until such product is cleared or dispositioned; and (II) promptly conduct an investigation in coordination with trading partners” | 21 U.S.C. § 360eee-1(b)(4)(A)(i) | final |
| US | FDA | supply chain resilience | Manufacturer must notify FDA and all immediate trading partners within 24 hours of determining a product is illegitimate. [adjacent] “the manufacturer shall notify the Secretary and all immediate trading partners that the manufacturer has reason to believe may have received such illegitimate product of such determination not later than 24 hours after making such determination.” | 21 U.S.C. § 360eee-1(b)(4)(B)(ii)(I) | final |
| US | FDA | supply chain resilience | Manufacturer must notify FDA and trading partners within 24 hours upon determining there is a high risk that a product is illegitimate. [adjacent] “A manufacturer shall notify the Secretary and immediate trading partners…not later than 24 hours after determining or being notified by the Secretary or a trading partner that there is a high risk that such product is an illegitimate product.” | 21 U.S.C. § 360eee-1(b)(4)(B)(ii)(II) | final |
| US | FDA | supply chain resilience | Manufacturer must provide transaction information, history, and statement to FDA within 48 hours of a request related to a recall or suspect/illegitimate product investigation. [adjacent] “a manufacturer shall, not later than 1 business day, and not to exceed 48 hours, after receiving the request…provide the applicable transaction information, transaction history, and transaction statement for the product.” | 21 U.S.C. § 360eee-1(b)(1)(B) | final |
| US | FDA | supply chain resilience | Manufacturer must maintain a secure electronic database (or use a third-party one) to respond to product verification requests. [adjacent] “A manufacturer may satisfy the requirements of this paragraph by developing a secure electronic database or utilizing a secure electronic database developed or operated by another entity…shall not relieve a manufacturer of the requirement…to respond to a request for verification ” | 21 U.S.C. § 360eee-1(b)(4)(D) | final |
| US | FDA | supply chain resilience | Wholesale distributor must provide transaction records to FDA within 48 hours of a request related to a recall or suspect/illegitimate product investigation. [adjacent] “a wholesale distributor shall, not later than 1 business day, and not to exceed 48 hours, after receiving the request…provide the applicable transaction information, transaction history, and transaction statement for the product.” | 21 U.S.C. § 360eee-1(c)(1)(C) | final |
| US | FDA | supply chain resilience | Dispenser must notify FDA and all immediate trading partners within 24 hours of determining a product is illegitimate. [adjacent] “the dispenser shall notify the Secretary and all immediate trading partners that the dispenser has reason to believe may have received such illegitimate product of such determination not later than 24 hours after making such determination.” | 21 U.S.C. § 360eee-1(d)(4)(B)(ii) | final |
| US | FDA | supply chain resilience | Dispenser must provide transaction records to FDA within 2 business days of a request related to a recall or suspect/illegitimate product investigation. [adjacent] “a dispenser shall, not later than 2 business days after receiving the request or in another such reasonable time as determined by the Secretary…provide the applicable transaction information, transaction statement, and transaction history which the dispenser received from the pre” | 21 U.S.C. § 360eee-1(d)(1)(D) | final |
| US | FDA | supply chain resilience | Repackager must quarantine suspect product and promptly investigate to determine if it is illegitimate, coordinating with trading partners. [adjacent] “a repackager shall— (I) quarantine such product within the possession or control of the repackager from product intended for distribution until such product is cleared or dispositioned; and (II) promptly conduct an investigation in coordination with trading partners, as applicabl” | 21 U.S.C. § 360eee-1(e)(4)(A)(i) | final |
| US | FDA | supply chain resilience | Repackager must notify FDA and all immediate trading partners within 24 hours of determining a product is illegitimate. [adjacent] “the repackager shall notify the Secretary and all immediate trading partners that the repackager has reason to believe may have received the illegitimate product of such determination not later than 24 hours after making such determination.” | 21 U.S.C. § 360eee-1(e)(4)(B)(ii) | final |
| US | FDA | supply chain resilience | Repackager must provide transaction records to FDA within 48 hours of a request related to a recall or suspect/illegitimate product investigation. [adjacent] “a repackager…shall, not later than 1 business day, and not to exceed 48 hours, after receiving the request…provide the applicable transaction information, transaction history, and transaction statement for the product.” | 21 U.S.C. § 360eee-1(e)(1)(C) | final |
| US | FDA | supply chain resilience | All entities must have systems to facilitate gathering full transaction information back to manufacturer upon FDA request or trading-partner request for suspect/illegitimate product investigations. [adjacent] “The systems and processes necessary to promptly facilitate gathering the information necessary to produce the transaction information for each transaction going back to the manufacturer, as applicable, shall be required— (i) in the event of a request by the Secretary…on account o” | 21 U.S.C. § 360eee-1(g)(1)(E) | final |
| US | FDA | supply chain resilience | Dispenser may delegate transaction record maintenance to a third party under a written agreement but remains responsible for all compliance obligations. [adjacent] “A dispenser may enter into a written agreement with a third party…under which the third party confidentially maintains the transaction information, transaction history, and transaction statements…the dispenser shall maintain a copy of the written agreement and shall not be reliev” | 21 U.S.C. § 360eee-1(d)(1)(B) | final |
| US | FDA | cybersecurity | Submit to the FDA a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures. [adjacent] “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures” | 21 U.S.C. § 360n-2(b)(1) | final |
| US | FDA | cybersecurity | Design, develop, and maintain processes and procedures to provide reasonable assurance that the cyber device and related systems are cybersecure. [adjacent] “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure” | 21 U.S.C. § 360n-2(b)(2) | final |
| US | FDA | cybersecurity | Make available postmarket updates and patches on a reasonably justified regular cycle to address known unacceptable vulnerabilities. [adjacent] “make available postmarket updates and patches to the device and related systems to address— (A) on a reasonably justified regular cycle, known unacceptable vulnerabilities” | 21 U.S.C. § 360n-2(b)(2)(A) | final |
| US | FDA | cybersecurity | Deploy out-of-cycle critical security patches as soon as possible to address critical vulnerabilities that could cause uncontrolled risks. “as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks” | 21 U.S.C. § 360n-2(b)(2)(B) | final |
| US | FDA | cybersecurity | Comply with any additional cybersecurity requirements the Secretary prescribes by regulation to ensure reasonable assurance that the cyber device and related systems are cybersecure. [adjacent] “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure” | 21 U.S.C. § 360n-2(b)(4) | final |
| US | FDA | supply chain resilience | Notify FDA in writing of a permanent discontinuance of manufacture or an interruption in manufacturing likely to lead to a meaningful disruption in supply of a life-supporting, life-sustaining, or debilitating-disease drug in the United States. “An applicant of a prescription drug product must notify FDA in writing of a permanent discontinuance of manufacture of the drug product or an interruption in manufacturing...that is likely to lead to a meaningful disruption in supply” | 21 CFR 314.81(b)(3)(iii)(a) | final |
| US | FDA | supply chain resilience | Submit the manufacturing discontinuance or interruption notification to FDA electronically at least 6 months prior to the date of the permanent discontinuance or interruption in manufacturing. [adjacent] “Notifications required by paragraph (b)(3)(iii)(a) of this section must be submitted to FDA electronically in a format that FDA can process, review, and archive: At least 6 months prior to the date of the permanent discontinuance or interruption” | 21 CFR 314.81(b)(3)(iii)(b)(1) | final |
| US | FDA | supply chain resilience | If 6 months' advance notice is not possible because the discontinuance or interruption was not reasonably anticipated, notify FDA as soon as practicable but no later than 5 business days after the discontinuance or interruption occurs. “If 6 months' advance notice is not possible because the permanent discontinuance or interruption in manufacturing was not reasonably anticipated 6 months in advance, as soon as practicable thereafter, but in no case later than 5 business days” | 21 CFR 314.81(b)(3)(iii)(b)(2) | final |
| US | FDA | supply chain resilience | Include in the manufacturing disruption notification: drug name and NDC, applicant name, whether notification relates to permanent discontinuance or interruption, reason for discontinuance or interruption, and estimated duration of interruption. [adjacent] “Notifications required by paragraph (b)(3)(iii)(a) of this section must include the following information: The name of the drug...the name of the applicant; Whether the notification relates to a permanent discontinuance...A description of the reason...The estimated duration” | 21 CFR 314.81(b)(3)(iii)(c) | final |
| US | HHS_OCR | cybersecurity | PROPOSED: Conduct a technology asset inventory identifying all technology assets that create, receive, maintain, or transmit ePHI. [adjacent] “require a regulated entity to inventory its technology assets and map the movement of ePHI through its information systems would illuminate considerations to be included in the regulated entity's risk analysis” | 45 CFR 164.308 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Conduct an accurate and thorough risk analysis identifying reasonably anticipated threats and vulnerabilities to ePHI confidentiality, integrity, and availability. [adjacent] “regulated entities are already required to conduct an accurate and thorough risk analysis...an accurate and thorough risk analysis requires a regulated entity to perform an inventory of its technology assets” | 45 CFR 164.308(a)(1) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement administrative safeguards including documented security management processes to protect against reasonably anticipated threats to ePHI security. [adjacent] “regulated entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats or hazards to the security or integrity of the information” | 45 CFR 164.308 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement physical safeguards to protect electronic information systems and related equipment and data from unauthorized physical access, tampering, and theft. “regulated entities must implement administrative, physical, and technical safeguards to protect ePHI” | 45 CFR 164.310 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement technical safeguards including access controls, audit controls, integrity controls, and transmission security for all relevant electronic information systems. [adjacent] “regulated entities must implement administrative, physical, and technical safeguards to protect ePHI” | 45 CFR 164.312 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Deploy multi-factor authentication (MFA) for access to electronic information systems containing ePHI. [adjacent] “Adding a Definition of 'Multi-factor Authentication' (MFA)” | 45 CFR 164.312 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement security incident response procedures to identify, respond to, and recover from security incidents affecting ePHI. “protect against reasonably anticipated threats or hazards to the security or integrity of the information and reasonably anticipated impermissible uses or disclosures” | 45 CFR 164.308(a)(6) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Establish and maintain written documentation of all security policies, procedures, and practices required under the Security Rule. [adjacent] “The proposed modifications would explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text” | 45 CFR 164.316 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Ensure business associate agreements require business associates to implement Security Rule administrative, physical, and technical safeguards and documentation requirements. [adjacent] “The HITECH Act extends the application of the Security Rule's provisions on administrative, physical, and technical safeguards and documentation requirements to business associates of covered entities” | 45 CFR 164.314(a)(1) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Business associates must directly comply with Security Rule administrative, physical, and technical safeguard requirements to protect ePHI. [adjacent] “The HITECH Act extends the application of the Security Rule's provisions on administrative, physical, and technical safeguards and documentation requirements to business associates of covered entities, making those business associates subject to civil and criminal liability” | 45 CFR 164.314(a)(1) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement malicious software protection controls across relevant electronic information systems that create, receive, maintain, or transmit ePHI. [adjacent] “Modifying the Definition of 'Malicious software'” | 45 CFR 164.308 (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement workforce security measures including training on security responsibilities and procedures for protecting ePHI. [adjacent] “otherwise ensure compliance with HIPAA by the officers and employees of covered entities” | 45 CFR 164.308(a)(5) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement audit controls to record and examine activity in electronic information systems that contain or use ePHI. [adjacent] “The value of audit trails in computerized record systems” | 45 CFR 164.312(b) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Conduct ongoing vulnerability management including identification, assessment, and remediation of vulnerabilities in relevant electronic information systems. “Adding a Definition of 'Vulnerability'...protect against reasonably anticipated threats or hazards to the security or integrity of the information” | 45 CFR 164.308(a)(1) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement workstation security controls specifying proper use, physical attributes, and protection for workstations that access ePHI. [adjacent] “Clarifying the Definition of 'Workstation'” | 45 CFR 164.310(b) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Develop and implement written policies and procedures that address all required Security Rule standards and implementation specifications, and update them as required. [adjacent] “The proposed modifications would explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text” | 45 CFR 164.316(a) (proposed) | proposed |
| US | HHS_OCR | cybersecurity | PROPOSED: Implement security measures to ensure the integrity of ePHI is not improperly altered or destroyed, including electronic mechanisms to corroborate that ePHI has not been altered. [adjacent] “ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit” | 45 CFR 164.312(c) (proposed) | proposed |
| US | HHS_OCR | health it resilience | Actors claiming the Health IT Performance Exception for maintenance or improvement activities that interfere with EHI access must meet all applicable exception conditions. [adjacent] “Health IT Performance Exception--When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of EHI not be considered information blocking?” | 45 CFR 171.205 | final |
| US | HHS_OCR | disaster recovery | Establish and implement a contingency plan with policies and procedures for responding to emergencies or occurrences (fire, vandalism, system failure, natural disaster) that damage systems containing ePHI. “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” | 45 CFR 164.308(a)(7)(i) | final |
| US | HHS_OCR | disaster recovery | Establish and implement a data backup plan creating retrievable exact copies of ePHI. “Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” | 45 CFR 164.308(a)(7)(ii)(A) | final |
| US | HHS_OCR | disaster recovery | Establish and implement an emergency mode operation plan enabling continuation of critical business processes protecting ePHI while operating in emergency mode. “Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.” | 45 CFR 164.308(a)(7)(ii)(C) | final |
| US | HHS_OCR | disaster recovery | Implement procedures for periodic testing and revision of contingency plans. “Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.” | 45 CFR 164.308(a)(7)(ii)(D) | final |
| US | HHS_OCR | disaster recovery | Assess the relative criticality of specific applications and data to support contingency plan components. “Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.” | 45 CFR 164.308(a)(7)(ii)(E) | final |
| US | HHS_OCR | disaster recovery | Implement policies and procedures to identify and respond to security incidents, mitigate harmful effects, and document incidents and their outcomes. “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.” | 45 CFR 164.308(a)(6)(ii) | final |
| US | HHS_OCR | disaster recovery | Establish and implement emergency access procedures for obtaining necessary ePHI during an emergency. “Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” | 45 CFR 164.312(a)(2)(ii) | final |
| US | HHS_OCR | disaster recovery | Conduct a risk analysis to assess potential risks and vulnerabilities to confidentiality, integrity, and availability of ePHI. [adjacent] “Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” | 45 CFR 164.308(a)(1)(ii)(A) | final |
| US | HHS_OCR | disaster recovery | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. [adjacent] “Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).” | 45 CFR 164.308(a)(1)(ii)(B) | final |
| US | HHS_OCR | disaster recovery | Perform periodic technical and non-technical evaluations of security policies and procedures in response to environmental or operational changes affecting ePHI security. [adjacent] “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information.” | 45 CFR 164.308(a)(8) | final |
| US | HHS_OCR | disaster recovery | Ensure ePHI availability: covered entities and business associates must ensure that ePHI is accessible and useable upon demand by authorized persons. “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.” | 45 CFR 164.306(a)(1) | final |
| US | HHS_OCR | disaster recovery | Review and modify security measures as needed to continue reasonable and appropriate protection of ePHI, and update documentation accordingly. [adjacent] “A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information.” | 45 CFR 164.306(e) | final |
| US | HHS_OCR | disaster recovery | Require business associates, via written contract, to report to the covered entity any security incident of which they become aware, including breaches of unsecured PHI. [adjacent] “Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.” | 45 CFR 164.314(a)(2)(i)(C) | final |
| US | HHS_OCR | disaster recovery | Review and update security documentation periodically and whenever environmental or operational changes affect ePHI security. [adjacent] “Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” | 45 CFR 164.316(b)(2)(iii) | final |
| US | HHS_OCR | disaster recovery | Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. “Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.” | 45 CFR 164.306(a)(2) | final |
| US | HHS_OCR | disaster recovery | Group health plan sponsors must implement administrative, physical, and technical safeguards to protect ePHI, and report security incidents to the group health plan. [adjacent] “Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information...Report to the group health plan any security incident of which it becomes aware” | 45 CFR 164.314(b)(2)(i) and 164.314(b)(2)(iv) | final |
| US | HHS_OCR | disaster recovery | Implement procedures for creating a retrievable exact copy of ePHI before movement of equipment (data backup and storage for device/media controls). “Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” | 45 CFR 164.310(d)(2)(iv) | final |
| US | HHS_OCR | health it resilience | QHINs must meet and maintain qualification requirements for Designation to participate in trusted exchange under the Common Agreement, including requirements supporting reliability, privacy, security, and trust within TEFCA. [adjacent] “The finalized 45 CFR part 172 establishes the processes associated with the qualifications necessary for an entity to receive and maintain Designation as a Qualified Health Information Network (QHIN) capable of trusted exchange under the Common Agreement.” | 45 CFR Part 172, Subpart B | final |
| US | HHS_OCR | health it resilience | QHINs must comply with suspension procedures established under 45 CFR Part 172 Subpart D, which may be triggered by failures in reliability, security, or trust obligations under the Common Agreement. [adjacent] “The final provisions codified in part 172 also establish the procedures governing Onboarding (as defined in Sec. 172.102) of QHINs and Designation of QHINs, suspension, termination, and administrative appeals to ASTP/ONC.” | 45 CFR Part 172, Subpart D | final |
| US | HHS_OCR | health it resilience | QHINs must comply with termination procedures under 45 CFR Part 172 Subpart E, including orderly cessation of TEFCA exchange activities if Designation is terminated. [adjacent] “The final provisions codified in part 172 also establish the procedures governing Onboarding (as defined in Sec. 172.102) of QHINs and Designation of QHINs, suspension, termination, and administrative appeals to ASTP/ONC.” | 45 CFR Part 172, Subpart E | final |
| US | HHS_OCR | health it resilience | Health IT Modules certified to the decision support interventions criterion (45 CFR 170.315(b)(11)) must also be certified to emergency access criterion (45 CFR 170.315(d)(6)) as part of the Privacy and Security Certification Framework. [adjacent] “we proposed to add the 'decision support interventions' certification criterion (Sec. 170.315(b)(11)) to the list of certification criteria in Sec. 170.550(h)(3)(ii)... 'emergency access' in Sec. 170.315(d)(6)” | 45 CFR 170.550(h)(3)(ii) | final |
| US | HHS_OCR | health it resilience | QHINs and actors must operate in compliance with the Common Agreement's trust policies and practices to maintain the reliability, privacy, security, and trust required for continued TEFCA Designation and exchange. [adjacent] “We believe establishing these provisions in regulation support reliability, privacy, security, and trust within TEFCA, which furthers our obligations to 'support' TEFCA under sections 3001(c)(9)(A) and (B) of the PHSA and TEFCA's ultimate success.” | 45 CFR 172.100(c)(1) | final |
| US | ONC | health it resilience | When a security practice interferes with EHI access, it must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information. [adjacent] “The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.” | 45 CFR 171.203(a) | final |
| US | ONC | health it resilience | Organizational security policy must be in writing, based on assessed security risks, aligned with consensus-based standards, and provide objective timeframes for identifying, responding to, and addressing security incidents. “Provide objective timeframes and other parameters for identifying, responding to, and addressing security incidents.” | 45 CFR 171.203(d) | final |
| US | ONC | health it resilience | When health IT is made temporarily unavailable or performance is degraded for maintenance/improvements, the unavailability must last no longer than necessary and must be implemented consistently and non-discriminatorily. [adjacent] “Implemented for a period of time no longer than necessary to complete the maintenance or improvements for which the health IT was made unavailable or the health IT's performance degraded; Implemented in a consistent and non-discriminatory manner.” | 45 CFR 171.205(a)(1)-(2) | final |
| US | ONC | health it resilience | Planned health IT unavailability initiated by a health IT developer, HIE, or HIN must be consistent with existing service level agreements with the affected entity. “Planned. Consistent with existing service level agreements between the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT.” | 45 CFR 171.205(a)(3)(i) | final |
| US | ONC | health it resilience | Unplanned health IT unavailability initiated by a health IT developer, HIE, or HIN must be consistent with existing SLAs or agreed to by the affected entity. “Unplanned. Consistent with existing service level agreements between the individual or entity; or agreed to by the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT.” | 45 CFR 171.205(a)(3)(ii) | final |
| US | ONC | health it resilience | Action taken against a third-party application negatively impacting health IT performance must last no longer than necessary to resolve the negative impacts and be implemented consistently and non-discriminatorily. [adjacent] “For a period of time no longer than necessary to resolve any negative impacts; Implemented in a consistent and non-discriminatory manner.” | 45 CFR 171.205(b)(1)-(2) | final |
| US | ONC | health it resilience | Action taken against a third-party application negatively impacting health IT performance must be consistent with existing service level agreements where applicable. “Consistent with existing service level agreements, where applicable.” | 45 CFR 171.205(b)(3) | final |
| US | ONC | health it resilience | If health IT is made unavailable in response to a patient harm risk, the actor must comply with all requirements of the preventing-harm exception (§171.201), not merely the health IT performance exception. [adjacent] “If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a risk of harm to a patient or another person, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of § 171.201 at all” | 45 CFR 171.205(c) | final |
| US | ONC | health it resilience | If health IT is made unavailable in response to a security risk to EHI, the actor must comply with all requirements of the security exception (§171.203), not merely the health IT performance exception. “If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a security risk to electronic health information, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of § 171.203 at ” | 45 CFR 171.205(d) | final |
| US | ONC | health it resilience | An actor unable to fulfill an EHI request due to uncontrollable events (e.g., natural disaster, telecom outage, public health emergency) must notify the requestor in writing within 10 business days stating why the request is infeasible. “The actor cannot fulfill the request for access, exchange, or use of electronic health information because of a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunicat” | 45 CFR 171.204(a)(1) and 171.204(b) | final |
| US | ONC | health it resilience | Organizational security policy must be prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor. [adjacent] “Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor.” | 45 CFR 171.203(d)(2) | final |
| US | ONC | health it resilience | Organizational security policy must align with one or more applicable consensus-based standards or best practice guidance. [adjacent] “Align with one or more applicable consensus-based standards or best practice guidance.” | 45 CFR 171.203(d)(3) | final |
| US | ONC | health it resilience | When action is taken against a third-party application negatively impacting health IT performance, the practice must comply with applicable SLAs. “Consistent with existing service level agreements, where applicable.” | 45 CFR 171.205(b)(3) | final |
Knowing which rules bind you is step one. WSquare Advisory builds the operating capability behind compliance — the continuity, third-party, and recovery disciplines these regimes expect. If that's your challenge, let's talk.
Start a Conversation →