🔍

HEALTHCAREEMERGENCY MANAGEMENTCMS

Hazard Vulnerability Assessment
HVA for Healthcare Facilities

Systematic risk evaluation for all-hazards emergency planning

By Samektra · April 2026 · 12 min read

What Is a Hazard Vulnerability Assessment?

A Hazard Vulnerability Assessment (HVA) is a systematic process used to evaluate the potential hazards that could affect a healthcare facility, the likelihood of those hazards occurring, and the facility's current ability to respond to and recover from them. The HVA is the foundation of any all-hazards emergency management program CMS Emergency Preparedness Rule.

Unlike a simple risk list, the HVA assigns numerical scores to each hazard across multiple dimensions — probability, human impact, property damage, business continuity, and the organization's preparedness and response capabilities. This quantitative approach allows leadership to prioritize planning efforts and allocate resources to the highest-risk scenarios rather than trying to prepare equally for everything.

An HVA should never be conducted in a vacuum. It requires a multidisciplinary team that includes facility management, nursing leadership, security, IT, clinical engineering, administration, and local emergency management partners. Each perspective brings unique insight into both the likelihood of specific hazards and the organization's preparedness gaps.

Key HVA Principles

1.Comprehensive — evaluate natural, technological, human, hazmat, and IT hazards

2.Quantitative — use a consistent scoring model so hazards can be compared objectively

3.Collaborative — involve clinical, operations, IT, security, and community partners

4.Annual — must be reviewed and updated at least once per year

5.Actionable — results drive the Emergency Operations Plan (EOP) and exercise program

Who Requires an HVA?

Multiple regulatory bodies and accreditation organizations require healthcare facilities to perform an HVA as part of their emergency preparedness program. The requirement is not optional for any facility that participates in Medicare or Medicaid.

CMS Emergency Preparedness Rule42 CFR 482.15REQUIRED

Mandatory for all 17 Medicare/Medicaid provider types. Requires a risk assessment using an "all-hazards" approach, updated annually. Enforced through surveys — non-compliance can result in conditions of participation deficiencies.

The Joint Commission (TJC)EM.01.01.01REQUIRED

Emergency Management standards require hospitals to conduct an HVA to identify potential emergencies. Results must inform the Emergency Operations Plan. Must be reviewed and updated annually at minimum.

NFPA 99 — Health Care Facilities CodeChapter 12REQUIRED

Requires healthcare facilities to have an emergency management program that includes hazard identification and risk assessment as a foundational element.

NFPA 101 — Life Safety CodeChapter 12 & 18/19REQUIRED

Healthcare occupancy chapters reference emergency planning requirements. CMS enforces the 2012 edition for Medicare providers.

AAAHC (Ambulatory Accreditation)Chapter 9RECOMMENDED

Recommends but does not specifically require a formal HVA. However, accredited facilities must demonstrate emergency preparedness planning that implicitly requires hazard identification.

Annual Update Required: All regulatory bodies expect the HVA to be reviewed and updated at least annually. Additionally, it should be revisited whenever a significant event occurs (e.g., a new pandemic, a nearby industrial incident, or major facility construction) or when the community risk profile changes.

The Kaiser Model (Most Widely Used)

The Kaiser Permanente Hazard Vulnerability Analysis Tool, developed by Kaiser Permanente and later refined by John Stover, is the most widely recognized and adopted HVA methodology in healthcare. It provides a structured scoring matrix that produces a relative risk percentage for each hazard Kaiser/Stover HVA Model.

The Formula

RISK = PROBABILITY x (SEVERITY - MITIGATION)

Where SEVERITY = Human Impact + Property Impact + Service Impact
And MITIGATION = Preparedness + Internal Response + External Response

Seven Scoring Columns

Each column is scored on a 0-3 scale. Note that the three mitigation columns use reversed scoring — a higher score means less capability, which increases risk.

ColumnMeasuresScale

ProbabilityHow likely is this event to occur?0=N/A, 1=Low, 2=Moderate, 3=High

Human ImpactDeaths, injuries, displacement of patients/staff0=N/A, 1=Low, 2=Moderate, 3=High

Property ImpactPhysical damage, replacement cost, downtime0=N/A, 1=Low, 2=Moderate, 3=High

Service ImpactInterruption to operations, lost revenue, reputation0=N/A, 1=Low, 2=Moderate, 3=High

PreparednessPlans, drills, training for this specific event0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)

Internal ResponseStaffing, supplies, equipment to respond0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)

External ResponseCommunity resources, mutual aid, 911 response0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)

Risk Percentage Bands

0-25%

Low Risk

26-50%

Medium Risk

51-75%

High Risk

76-100%

Critical Risk

Five Hazard Categories

A comprehensive HVA evaluates hazards across five categories. Each category should include events specific to your geographic location, facility type, and patient population. Below are common events for each category, with emphasis on hazards relevant to Georgia healthcare facilities CMS Emergency Preparedness Rule.

Natural

HurricaneTornadoSevere ThunderstormSnow / Ice StormEarthquakeTemperature Extremes (Heat / Cold)DroughtFlood / Flash FloodWildfireEpidemic / Pandemic

Technological

Electrical FailureGenerator FailureWater / Sewer FailureFire Alarm FailureHVAC FailureCommunications FailureMedical Gas / Vacuum FailureInternal FireInternal FloodSupply Shortage

Human

Mass Casualty (Trauma)Mass Casualty (Medical)Terrorism (Bio / Chem / Rad)VIP SituationInfant AbductionHostage SituationCivil DisturbanceBomb Threat

Hazardous Materials

Mass Casualty HazMat IncidentChemical Exposure (External)Internal Chemical SpillRadiologic Exposure

Information Technology

Cyber Attack / RansomwareMalware / VirusData Center FailureUnauthorized Access / Data BreachWorkstation / Mobile Device Failure

Georgia-Specific Context

Healthcare facilities in Georgia should tailor their HVA to reflect the state's specific hazard profile. Georgia is particularly vulnerable to tornadoes, severe thunderstorms, ice storms, flooding, and extreme heat. The state averages 20-30 tornadoes annually, primarily during spring and fall, and the metro Atlanta area (including Gwinnett County) experiences significant severe thunderstorm activity GEMA/HS.

Georgia Emergency Management Resources

GEMA/HS (State Agency)

Georgia Emergency Management and Homeland Security Agency

Phone: (404) 635-7200 or (800) 879-4362

https://gema.georgia.gov

Gwinnett County EMA

800 Hi Hope Road, Lawrenceville, GA 30043

Phone: (770) 513-5600

Georgia facilities should also consider ice storms (the January 2014 "Snowmageddon" paralyzed metro Atlanta), drought conditions affecting water supply, and extreme summer heat with heat index values regularly exceeding 105 degrees F. Facilities near major highways (I-85, I-285, I-20) should score hazardous materials transportation incidents higher due to proximity to freight corridors.

Conducting the HVA: Step by Step

Assemble the Team

Include facility management, nursing, security, IT, clinical engineering, risk management, and administration. Invite local EMA and fire department representatives when possible.

Identify Hazards

Review all five categories (natural, technological, human, hazmat, IT). Include hazards specific to your geography, patient population, and facility type. Use GEMA/HS and FEMA data for your county.

Score Each Hazard

Using the Kaiser model or your chosen tool, score each hazard on all seven columns. Have each team member score independently first, then discuss and reach consensus scores.

Calculate Risk Percentages

Apply the formula: Probability x (Severity - Mitigation). Rank hazards from highest to lowest risk percentage.

Analyze Results

Identify the top 5-10 hazards. Look for patterns — are your mitigation scores consistently high (meaning low capability) in certain areas? Are there quick wins?

Develop or Update the EOP

The Emergency Operations Plan should have specific annexes for your highest-risk hazards. Ensure exercise and drill schedules address top risks.

Document and Distribute

The completed HVA must be documented, dated, and available for regulatory surveys. Share results with leadership and the safety committee.

Annual Review

Revisit the HVA at least annually. After any significant event, near-miss, or community change, update the assessment.

Available HVA Tools & Resources

Several established tools and resource collections are available to help healthcare facilities conduct their HVA. The Kaiser tool remains the most widely recognized, but other options may better suit specific facility types or state requirements.

📋

Kaiser Permanente HVA Tool

The most widely used HVA model in healthcare. Excel-based with automatic risk calculation. Accepted by CMS and TJC surveyors.

📋

ASHE HVA Tool

American Society for Healthcare Engineering version — streamlined for facility managers with built-in mitigation tracking.

→

📋

FEMA THIRA (Threat and Hazard Identification & Risk Assessment)

Federal framework primarily for community-level planning. Useful for understanding regional risk context.

→

📋

ASPR TRACIE Resources

HHS Technical Resources, Assistance Center, and Information Exchange — curated HVA templates, case studies, and guidance documents.

→

Interactive HVA Scoring Tool

Use this tool to practice scoring hazards using the Kaiser model. The tool is pre-populated with Natural Hazards relevant to Georgia. Adjust the scores and watch the risk percentage calculate automatically. You can add custom hazards and print the results.

Note: This tool demonstrates one hazard category. A complete HVA should cover all five categories (Natural, Technological, Human, HazMat, IT) with 30-50+ hazard events total.

Common Survey Findings

CMS and TJC surveyors frequently cite the following deficiencies related to HVAs during healthcare facility surveys:

•HVA not updated annually — still using 2-3 year old assessment

•HVA does not include all five hazard categories (IT hazards often missing)

•No evidence of multidisciplinary team involvement — completed by one person

•HVA results not reflected in the Emergency Operations Plan

•No community-specific hazards identified — generic template used without customization

•Mitigation strategies not documented for high-risk hazards

•No evidence the HVA informed the annual exercise program

•Facility unable to produce the HVA document during survey

References

1. CMS Emergency Preparedness Rule: 42 CFR 482.15 — Conditions of Participation for Hospitals.

2. The Joint Commission: Emergency Management (EM) Standards, EM.01.01.01.

3. NFPA 99: Health Care Facilities Code, Chapter 12 — Emergency Management.

4. NFPA 101: Life Safety Code, Chapter 12 — New Healthcare Occupancies.

5. Kaiser Permanente: Hazard and Vulnerability Analysis Tool (Kaiser/Stover Model).

6. ASPR TRACIE: Hazard Vulnerability / Risk Assessment Resources.

7. Georgia Emergency Management and Homeland Security Agency (GEMA/HS): gema.georgia.gov.

Was this article helpful?

Rate this article to help us improve

Discussion (2)

You

Mike R.Fire Inspector· 3 days ago

Great breakdown of the technical details. The NFPA 25 maintenance table is exactly what I needed for my ITM schedule.

▲ 8Reply

Sarah L.Safety Officer· 1 week ago

Really clear explanation. Would love to see a companion video walkthrough of the inspection process.

▲ 5Reply