Anneal Initiative, Inc.

Morgan Chilson, from the Topeka Capital-Journal, recently interviewed us on the innovative approaches we take to help businesses become more competitive, innovative, and resilient. The article can be found here.

Our primary goal is to bring resiliency to Kansas businesses. Developing this resiliency comes in the form of helping businesses strategize on how to minimize vulnerabilities in networks and be prepared for emerging threats, as well as build adaptive business continuity plans and programs that foster an agile culture within a business.

The Department of Defense has passed the first set of acquisition regulations that require their contractors to meet cybersecurity standards listed in NIST SP 800-171, but other agencies and industries will soon follow. For a consultation on how your business might be impacted by cybersecurity regulations or how it might benefit from a stronger continuity program, contact info@annealinitiative.com.

Anneal Initiative, Inc. is a Women Owned and Veteran Owned Small Business (WOSB & VOSB) focused on designing, developing and operating innovative intelligence analysis capabilities (primarily for national security), and providing businesses with customized cybersecurity analysis, cyber regulatory compliance, and business continuity planning.

A few weeks ago, we posted on the background behind the new Medicare and Medicaid Emergency Preparedness regulation. Now we would like to provide more detail on the specific requirements. Again, these requirements very slightly between the different providers, but these four are common to all 17 providers and suppliers.

A Plan

While each of the 17 providers and suppliers have their own specific guidelines to follow, many of the rules are common to them all. To start with, the affected facilities must have an annually reviewed and updated emergency preparedness plan that is developed from a facility-based and community-based risk assessment. These can be challenging and burdensome tasks to undertake, and may require outside help and guidance.

Two components of COOP planning that must be included are delegations of authority and succession plans. These are essential to maintaining continuity in emergency situations.

Policies and Procedures

Affected suppliers and providers must also develop policies and procedures, that also must be reviewed and updated annually, addressing the following items:

• Provision of subsistence (including food, water, medical and pharmaceutical supplies and alternate sources of energy – that can protect patient health and safety – emergency lighting, fire detection systems, sewage and waste disposal)
• A system to track the location of on-duty staff and sheltered patients
• Procedures for safely evacuating the facility
• Means to shelter in place
• A documentation system that preserves records and protects confidentiality
• The development of arrangements with other hospitals and providers in the event of a limitation or cessation of operations

Communication Plan

The communication plan must include a method for sharing information and medical documentation for patients under the facility’s care as necessary with other health care providers, in order to maintain continuity of care. It must also include a means for releasing patient information in the event of an evacuation.

One of the major issues that could make the communication plan more complicated is that privacy violations are not given any leniency just because a disaster strikes. The HIPAA Privacy Rule is not suspended during a public health or other emergency.

Training and Testing

The training and testing piece of the Emergency Preparedness regulation will likely be one of the most challenging aspects of the regulation. The training and testing program, that is required to be reviewed and updated annually, must be provided to all staff, to include those providing services under arrangement and volunteers and must be documented. Two types of exercises must be provided to test the emergency plan and must also take place annually:

1. A full-scale exercise that is community-based

• When a community-based exercise is not accessible, an individual, facility-based exercise can suffice

2. An additional exercise must be conducted that is either:

• A second full-scale community-based or facility-based exercise
• A tabletop exercise

These can be waived if the supplier or provider experiences an actual natural or man-made emergency that requires activation of the emergency plan and can be exempt for 1 year.

Conclusion

This can be a lot to take in, and can often be a struggle for those trying to balance tasks required to operate a business or organization. However, this is a time when compliance can actually aide an organization in building a more adaptive culture, if approached thoughtfully and strategically. Anneal Initiative’s approach is to build stronger organizations while at the same time bring them into compliance. If interested, do not hesitate to reach out to us with any questions.

For more information on any of these requirements or for help executing them, contact continuity@annealinitiative.com.

In 2016, a new requirement was issued that affects Medicare and Medicaid providers and suppliers resulting in more stringent guidelines of their emergency preparedness plans. Centers for Medicare and Medicaid Services (CMS) recognize that emergency preparedness requirements already exist, but claim they do not go far enough in comprehensively addressing preparedness needs. They also do not address inconsistencies among various healthcare providers. As a result, this regulation went into effect on November 16, 2017 establishing national emergency preparedness requirements for seventeen types of Medicare and Medicaid providers and suppliers (see the below list for affected organizations).

This post is intended to raise awareness of this new regulation and is not intended to be a comprehensive report on all of the details of this regulation. For additional information, Anneal Initiative can be contacted directly at continuity@annealinitiative.com or 785-249-5576.

The new rule, Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers, imposes a mixture of business continuity, continuity of operations (COOP), and emergency planning rules that must be followed, and will be inspected. The rules require four main elements to be present in an emergency preparedness plan:

1. A risk-based plan that must be updated annually
2. Policies and procedures customized to fit the plan
3. A communication plan
4. A training and testing program

These elements focus on certain aspects of emergency preparedness, and CMS claims they focus on continuity planning, but it is important to keep in mind that not all aspects of business continuity/continuity of operations are covered by this regulation. The rule does not cover matters of recovery of operations, which is an important aspect of a comprehensive business continuity or continuity of operations plan. There are also other items such as determining an organizations’ essential functions or critical business functions that are crucial to having a plan that will work.

Here are some notable highlights from the rule:

1. While there are more requirements for setting up an emergency preparedness plan, there has been no new funding allocated to offset those costs.
2. It focuses on an all-hazards approach. While this might introduce more burden, it is actually a helpful approach. When a continuity plan is flexible by taking a broad approach to hazards, it is also likely to be more successful. Continuity planning should focus on dealing with the unavailability of people, resources, or facilities. If a plan is focused on adapting to those three problems, it will significantly increase the ability of an organization to survive unforeseen events or disasters, even if those disasters were not specifically written into the plan.

If you’re questioning whether or not your affected, here is the list of suppliers and providers covered by the new CMS requirements:

1. Hospitals
2. Religious Nonmedical Health Care Institutions (RNHCIs)
3. Ambulatory Surgical Centers (ASCs)
4. Hospices
5. Psychiatric Residential Treatment Facilities (PRTFs)
6. All-Inclusive for the Elderly (PACE)
7. Transplant Centers
8. Long-Term Care (LTC) Facilities
9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF//IID)
10. Home Health Agencies (HHAs)
11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)
12. Critical Access Hospitals (CAHs)
13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services
14. Community Mental Health Centers (CMHCs)
15. Organ Procurement Organization (OPOs)
16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)
17. End-Stage Renal Disease (ESRD) Facilities

See our next blog post for more details on these requirements.

“The real problem is that the activities and processes involved in creating business continuity programs are too often seen as something different, foreign, and almost mutually exclusive of other practices businesses engage in to enhance their productivity and relevance.”

At the October 4^th Wichita Cyber Security Forum, Anneal Initiative participated in a general session panel on cyber and business continuity issues and offered some impressions on what difficulties and concerns small business owners face regarding business continuity planning. Here are some of the issues we felt were most likely to keep businesses from starting or persisting in the process of building a business continuity program:

• The difficulty in finding the time to start and continue development of a continuity program
• Figuring out where and how to start in developing a continuity program
• Evaluating an organization’s continuity planning approach to understand if they are on the right path
• Executives’ uncertainty that the time and resources dedicated to continuity planning will generate the desired results in the wake of a disaster

We offered ideas to help overcome those individual difficulties. We talked about how to start small, explore available low-cost resources, seek multi-discipline internal and external input, and test and exercise plans to judge how effectively and easily they can be executed. Those specific solutions are valid, but they don’t really address a significant overarching problem that the list of common difficulties and concerns highlights. The real problem is that the activities and processes involved in creating business continuity programs are too often seen as something different, foreign, and almost mutually exclusive of other practices businesses engage in to enhance their productivity and relevance.

Some of this disconnect may be due to the unique nature of continuity plans in comparison to other plans. However, the continuity plan is only a framework for the continuity program. The continuity plan must be accompanied by an organizational culture that empowers its members to see that framework as a starting point from which to adapt to change and solve the problems at hand. This “business continuity culture” in conjunction with a continuity plan is what constitutes a true business continuity program.

The disconnect may also result from the focus of continuity planning on disasters. Business continuity planners know that there are more incidents and events that can push a business into a continuity scenario than fit into what people normally consider disasters. Cyber-attacks prove daily that it doesn’t take a tornado, flood, ice storm or fire to disrupt business operations in a potentially fatal (for the business) way. Unintentional outcomes of technology changes, regulatory changes, market changes, and many other variables can also have the similar effect of pushing a business into scenarios where practiced and routine methods of operation won’t keep a business running anymore. History is littered with examples of businesses, organizations, governments, cultures, and nations that failed, and sometimes disappeared, because they couldn’t learn how to deal with changes in the world around them. Sometimes those changes occurred over a long time and sometimes they occurred very quickly. In either case they were disasters for those who couldn’t adapt.

If we consider the disasters, disruptions, incidents, attacks, and contingencies that business continuity programs focus on in the context of all other types of change that businesses must navigate then it is possible to see that the efforts involved in building those programs aren’t dissimilar from other efforts to keep businesses ahead in a rapidly changing world. There is a notable exception in that disasters may happen much more rapidly, violently, and dangerously, but they still constitute change that must be dealt with to persist as a viable business. This is where business continuity planning and programs present a significant opportunity to grow and enhance a business instead of just preparing for what is sometimes a hypothetical catastrophe. When business continuity planning is integrated into and helps to enhance a business’s overall culture of learning it stands to not only help businesses prepare for hazards but also prepare to seize on opportunities presented by new trends in markets, technology, government, politics, and culture.

So, when the term business continuity culture is used, it should be considered a complimentary element in an overall learning culture. Just as a learning culture allows for innovation and creative problem solving across an organization to keep a business progressing forward, so does a business continuity culture utilize those traits among employees to deal with disasters. When the learning culture and the business continuity culture are viewed as mutually supporting, tightly linked efforts then it becomes much more apparent that business continuity efforts can help prepare people to deal with not only disasters but also deal with opportunities. Finding the time to start and how to start is much less of a mystery when you are already engaging in the right activities and can modify them to address a different type of change. When business continuity becomes part of the learning culture, then the evaluation of the progress and results can be supported by how well the organization and employees adapt to any change.