
Hazard Vulnerability Assessment
HVA for Healthcare Facilities

Systematic risk evaluation for all-hazards emergency planning

By Stanislav Samek, Samektra · 12 min read · Last updated April 23, 2026

What Is a Hazard Vulnerability Assessment?

A Hazard Vulnerability Assessment (HVA) is a systematic process used to evaluate the potential hazards that could affect a healthcare facility, the likelihood of those hazards occurring, and the facility's current ability to respond to and recover from them. The HVA is the foundation of any all-hazards emergency management program (CMS Emergency Preparedness Rule).

Unlike a simple risk list, the HVA assigns numerical scores to each hazard across multiple dimensions — probability, human impact, property damage, business continuity, and the organization's preparedness and response capabilities. This quantitative approach allows leadership to prioritize planning efforts and allocate resources to the highest-risk scenarios rather than trying to prepare equally for everything.

An HVA should never be conducted in a vacuum. It requires a multidisciplinary team that includes facility management, nursing leadership, security, IT, clinical engineering, administration, and local emergency management partners. Each perspective brings unique insight into both the likelihood of specific hazards and the organization's preparedness gaps.

Key HVA Principles
1. Comprehensive — evaluate natural, technological, human, hazmat, and IT hazards
2. Quantitative — use a consistent scoring model so hazards can be compared objectively
3. Collaborative — involve clinical, operations, IT, security, and community partners
4. Annual — must be reviewed and updated at least once per year
5. Actionable — results drive the Emergency Operations Plan (EOP) and exercise program

Who Requires an HVA?

Multiple regulatory bodies and accreditation organizations require healthcare facilities to perform an HVA as part of their emergency preparedness program. The requirement is not optional for any facility that participates in Medicare or Medicaid.

CMS Emergency Preparedness Rule · 42 CFR 482.15 · REQUIRED

Mandatory for all 17 Medicare/Medicaid provider types. Requires a risk assessment using an "all-hazards" approach, updated annually. Enforced through surveys — non-compliance can result in conditions of participation deficiencies.

The Joint Commission (TJC) · EM.01.01.01 · REQUIRED

Emergency Management standards require hospitals to conduct an HVA to identify potential emergencies. Results must inform the Emergency Operations Plan. Must be reviewed and updated annually at minimum.

NFPA 99 — Health Care Facilities Code · Chapter 12 · REQUIRED

Requires healthcare facilities to have an emergency management program that includes hazard identification and risk assessment as a foundational element.

NFPA 101 — Life Safety Code · Chapter 12 & 18/19 · REQUIRED

Healthcare occupancy chapters reference emergency planning requirements. CMS enforces the 2012 edition for Medicare providers.

AAAHC (Ambulatory Accreditation) · Chapter 9 · RECOMMENDED

Recommends but does not specifically require a formal HVA. However, accredited facilities must demonstrate emergency preparedness planning that implicitly requires hazard identification.

Annual Update Required: All regulatory bodies expect the HVA to be reviewed and updated at least annually. Additionally, it should be revisited whenever a significant event occurs (e.g., a new pandemic, a nearby industrial incident, or major facility construction) or when the community risk profile changes.

The Kaiser Model (Most Widely Used)

The Kaiser Permanente Hazard Vulnerability Analysis Tool, developed by Kaiser Permanente and later refined by John Stover, is the most widely recognized and adopted HVA methodology in healthcare. It provides a structured scoring matrix that produces a relative risk percentage for each hazard (Kaiser/Stover HVA Model).

The Formula

RISK = PROBABILITY x (SEVERITY - MITIGATION)
Where SEVERITY = Human Impact + Property Impact + Service Impact
And MITIGATION = Preparedness + Internal Response + External Response

Seven Scoring Columns

Each column is scored on a 0-3 scale. Note that the three mitigation columns use reversed scoring — a higher score means less capability, which increases risk.

Column | Measures | Scale
Probability | How likely is this event to occur? | 0=N/A, 1=Low, 2=Moderate, 3=High
Human Impact | Deaths, injuries, displacement of patients/staff | 0=N/A, 1=Low, 2=Moderate, 3=High
Property Impact | Physical damage, replacement cost, downtime | 0=N/A, 1=Low, 2=Moderate, 3=High
Service Impact | Interruption to operations, lost revenue, reputation | 0=N/A, 1=Low, 2=Moderate, 3=High
Preparedness | Plans, drills, training for this specific event | 0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)
Internal Response | Staffing, supplies, equipment to respond | 0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)
External Response | Community resources, mutual aid, 911 response | 0=N/A, 1=High, 2=Moderate, 3=Low (REVERSED)

Risk Percentage Bands

0-25%: Low Risk
26-50%: Medium Risk
51-75%: High Risk
76-100%: Critical Risk

Five Hazard Categories

A comprehensive HVA evaluates hazards across five categories. Each category should include events specific to your geographic location, facility type, and patient population. Below are common events for each category, with emphasis on hazards relevant to Georgia healthcare facilities (CMS Emergency Preparedness Rule).

Natural

Hurricane, Tornado, Severe Thunderstorm, Snow / Ice Storm, Earthquake, Temperature Extremes (Heat / Cold), Drought, Flood / Flash Flood, Wildfire, Epidemic / Pandemic

Technological

Electrical Failure, Generator Failure, Water / Sewer Failure, Fire Alarm Failure, HVAC Failure, Communications Failure, Medical Gas / Vacuum Failure, Internal Fire, Internal Flood, Supply Shortage

Human

Mass Casualty (Trauma), Mass Casualty (Medical), Terrorism (Bio / Chem / Rad), VIP Situation, Infant Abduction, Hostage Situation, Civil Disturbance, Bomb Threat

Hazardous Materials

Mass Casualty HazMat Incident, Chemical Exposure (External), Internal Chemical Spill, Radiologic Exposure

Information Technology

Cyber Attack / Ransomware, Malware / Virus, Data Center Failure, Unauthorized Access / Data Breach, Workstation / Mobile Device Failure

Georgia-Specific Context

Healthcare facilities in Georgia should tailor their HVA to reflect the state's specific hazard profile. Georgia is particularly vulnerable to tornadoes, severe thunderstorms, ice storms, flooding, and extreme heat. The state averages 20-30 tornadoes annually, primarily during spring and fall, and the metro Atlanta area (including Gwinnett County) experiences significant severe thunderstorm activity (GEMA/HS).

Georgia Emergency Management Resources
GEMA/HS (State Agency)
Georgia Emergency Management and Homeland Security Agency
Phone: (404) 635-7200 or (800) 879-4362
https://gema.georgia.gov
Gwinnett County EMA
800 Hi Hope Road, Lawrenceville, GA 30043
Phone: (770) 513-5600

Georgia facilities should also consider ice storms (the January 2014 "Snowmageddon" paralyzed metro Atlanta), drought conditions affecting water supply, and extreme summer heat with heat index values regularly exceeding 105 degrees F. Facilities near major highways (I-85, I-285, I-20) should score hazardous materials transportation incidents higher due to proximity to freight corridors.

Conducting the HVA: Step by Step

1. Assemble the Team

Include facility management, nursing, security, IT, clinical engineering, risk management, and administration. Invite local EMA and fire department representatives when possible.

2. Identify Hazards

Review all five categories (natural, technological, human, hazmat, IT). Include hazards specific to your geography, patient population, and facility type. Use GEMA/HS and FEMA data for your county.

3. Score Each Hazard

Using the Kaiser model or your chosen tool, score each hazard on all seven columns. Have each team member score independently first, then discuss and reach consensus scores.

4. Calculate Risk Percentages

Apply the formula: Probability x (Severity - Mitigation). Rank hazards from highest to lowest risk percentage.

5. Analyze Results

Identify the top 5-10 hazards. Look for patterns — are your mitigation scores consistently high (meaning low capability) in certain areas? Are there quick wins?

6. Develop or Update the EOP

The Emergency Operations Plan should have specific annexes for your highest-risk hazards. Ensure exercise and drill schedules address top risks.

7. Document and Distribute

The completed HVA must be documented, dated, and available for regulatory surveys. Share results with leadership and the safety committee.

8. Annual Review

Revisit the HVA at least annually. After any significant event, near-miss, or community change, update the assessment.
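
The scoring formula, the risk percentage bands, and steps 3 to 5 above, worked through in Python as an added example (not code from this article or from the Kaiser tool). It assumes the percentage is normalized as probability over 3 times the other six columns over 18, which the page does not state; the hazard scores are constructed, and `contested` is a hypothetical helper for spotting columns where independent team scores diverge.

```python
from dataclasses import dataclass

# Upper bound of each band, taken from the risk percentage bands on this page.
BANDS = [(25, "Low"), (50, "Medium"), (75, "High"), (100, "Critical")]

@dataclass
class Hazard:
    name: str
    probability: int
    human_impact: int
    property_impact: int
    service_impact: int
    preparedness: int        # reversed scale: 3 = low capability
    internal_response: int   # reversed scale
    external_response: int   # reversed scale

    def risk_percent(self) -> int:
        cols = [self.probability, self.human_impact, self.property_impact,
                self.service_impact, self.preparedness,
                self.internal_response, self.external_response]
        if any(not isinstance(c, int) or not 0 <= c <= 3 for c in cols):
            raise ValueError(f"{self.name}: every column must be an integer 0-3")
        # Assumed normalization: probability / 3, six remaining columns / 18.
        # The reverse-scored mitigation columns are added, which is how
        # "severity minus mitigation" works when 3 means least capable.
        return round(100 * (self.probability / 3) * (sum(cols[1:]) / 18))

def band(pct: int) -> str:
    return next(label for upper, label in BANDS if pct <= upper)

def rank(hazards):
    """Step 4: (name, percent, band) rows, highest risk first."""
    rows = [(h.name, h.risk_percent(), band(h.risk_percent())) for h in hazards]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def contested(member_scores, spread=2):
    """Step 3: columns where independent scores differ by >= spread points."""
    return sorted(col for col, vals in member_scores.items()
                  if max(vals) - min(vals) >= spread)

# Constructed sample scores, not taken from any real facility.
SAMPLE = [
    Hazard("Tornado", 2, 3, 3, 2, 1, 1, 1),
    Hazard("Cyber Attack / Ransomware", 3, 2, 1, 3, 3, 2, 2),
    Hazard("Data Center Failure", 1, 1, 2, 3, 2, 2, 3),
]

if __name__ == "__main__":
    for name, pct, label in rank(SAMPLE):
        print(f"{pct:3d}%  {label:8s} {name}")
```

In the sample, ransomware outranks the tornado even though its impact scores are lower, because high probability and weak (reverse-scored) preparedness dominate the result.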

Available HVA Tools & Resources

Several established tools and resource collections are available to help healthcare facilities conduct their HVA. The Kaiser tool remains the most widely recognized, but other options may better suit specific facility types or state requirements.

Kaiser Permanente HVA Tool
The most widely used HVA model in healthcare. Excel-based with automatic risk calculation. Accepted by CMS and TJC surveyors.
ASHE HVA Tool
American Society for Healthcare Engineering version — streamlined for facility managers with built-in mitigation tracking.
FEMA THIRA (Threat and Hazard Identification & Risk Assessment)
Federal framework primarily for community-level planning. Useful for understanding regional risk context.
ASPR TRACIE Resources
HHS Technical Resources, Assistance Center, and Information Exchange — curated HVA templates, case studies, and guidance documents.

Interactive HVA Scoring Tool

Use this tool to practice scoring hazards using the Kaiser model. The tool is pre-populated with Natural Hazards relevant to Georgia. Adjust the scores and watch the risk percentage calculate automatically. You can add custom hazards and print the results.

Note: This tool demonstrates one hazard category. A complete HVA should cover all five categories (Natural, Technological, Human, HazMat, IT) with 30-50+ hazard events total.

Common Survey Findings

CMS and TJC surveyors frequently cite the following deficiencies related to HVAs during healthcare facility surveys:

HVA not updated annually — still using 2-3 year old assessment
HVA does not include all five hazard categories (IT hazards often missing)
No evidence of multidisciplinary team involvement — completed by one person
HVA results not reflected in the Emergency Operations Plan
No community-specific hazards identified — generic template used without customization
Mitigation strategies not documented for high-risk hazards
No evidence the HVA informed the annual exercise program
Facility unable to produce the HVA document during survey

Frequently Asked Questions

What is a Hazard Vulnerability Analysis (HVA)?
An HVA is a systematic assessment of the threats a healthcare facility may face — natural hazards (hurricane, tornado, earthquake), technological hazards (utility loss, cyberattack, IT failure), human hazards (active shooter, hostage situation), and hazmat events. Each hazard is scored by probability and impact to produce a prioritized risk profile that drives the Emergency Operations Plan. Required annually by CMS 42 CFR 482.15 and TJC EM.01.01.01.
What is the Kaiser Permanente HVA model?
The Kaiser Permanente HVA tool (sometimes called the Kaiser/Stover model) is the most widely adopted scoring framework in healthcare emergency management. It scores each hazard across three axes — probability, human impact, property impact, business impact, preparedness, and internal response — to produce a weighted risk percentage. Free templates are available from Kaiser Permanente and are industry-standard for TJC and CMS survey purposes.
How often must an HVA be updated?
At minimum annually. CMS and TJC both expect the HVA to be reviewed and revised whenever the facility experiences a significant change — new services, new facility, post-incident lessons learned, regional hazard changes (new industrial facility nearby, updated flood maps). A stale HVA that hasn't been touched in 3 years will not survive a survey.
Who should participate in the HVA process?
A multidisciplinary team: emergency management, facilities, nursing leadership, medical staff, security, IT, risk management, infection prevention, pharmacy, and administration. Each department perceives risks differently, and the discussion around scoring disagreements is where the real value emerges. A single-author HVA misses departmental blind spots and rarely satisfies surveyor scrutiny.
Must the HVA drive the Emergency Operations Plan?
Yes. CMS surveyors specifically check whether the EOP addresses the highest-risk hazards identified in the HVA. If your HVA identifies severe weather as your top risk but your EOP annexes don't address severe weather response, the disconnect will generate a deficiency. The HVA is the foundation; the EOP is the structure built on it.
Should cybersecurity be included in the HVA?
Yes. After the CMS Emergency Preparedness Rule and multiple ransomware incidents that shut down hospital operations, cybersecurity incidents should be scored alongside traditional hazards. A ransomware attack on the EHR system has the same operational impact as a regional power outage — loss of clinical systems, manual paper charting, diversion of ambulances. Supply chain disruption is another emerging category worth including.

References

1. CMS Emergency Preparedness Rule: 42 CFR 482.15 — Conditions of Participation for Hospitals.

2. The Joint Commission: Emergency Management (EM) Standards, EM.01.01.01.

3. NFPA 99: Health Care Facilities Code, Chapter 12 — Emergency Management.

4. NFPA 101: Life Safety Code, Chapter 12 — New Healthcare Occupancies.

5. Kaiser Permanente: Hazard and Vulnerability Analysis Tool (Kaiser/Stover Model).

6. ASPR TRACIE: Hazard Vulnerability / Risk Assessment Resources.

7. Georgia Emergency Management and Homeland Security Agency (GEMA/HS): gema.georgia.gov.
