If you manage, design, or maintain a healthcare facility in the United States, the NFPA 99 risk assessment is one of the most consequential compliance exercises you will perform.
It determines what level of protection your building systems must provide, which directly affects design requirements, equipment specifications, inspection frequencies, and maintenance budgets for every system in the facility.
Yet NFPA 99 risk assessments are frequently misunderstood or misapplied. Jensen Hughes, one of the largest fire protection engineering firms in the U.S., notes that the code is one of the most commonly misinterpreted standards in healthcare facility design and construction (Jensen Hughes – NFPA 99 Risk Assessment).
The consequences of getting the categorization wrong range from non-compliant construction that fails a CMS survey to unnecessary spending on systems that exceed actual risk requirements.
This article explains what NFPA 99 is, how the risk-based approach works, how to conduct the Chapter 4 risk assessment step by step, and how to avoid the most common mistakes. For foundational background on risk assessment methodology, see our guide on how to conduct a risk assessment.
What Is NFPA 99 and Why Does It Matter?
NFPA 99, the Health Care Facilities Code, is published by the National Fire Protection Association and establishes minimum criteria for the installation, performance, and operation of building systems in healthcare facilities.
It covers medical gas and vacuum systems (Chapter 5), electrical systems (Chapter 6), information technology and communications (Chapter 7), plumbing (Chapter 8), HVAC (Chapter 9), and several other system categories. The code applies to hospitals, ambulatory surgical centers, nursing homes, dental facilities, and other healthcare environments. The only category it explicitly excludes is home care (NFPA – NFPA 99 Health Care Facilities Code).
The critical regulatory context: the Centers for Medicare & Medicaid Services (CMS) requires healthcare facilities participating in Medicare and Medicaid to comply with the 2012 edition of NFPA 99 (with limited exceptions, notably Chapter 7 on IT and communications, and Chapter 13 on security).
CMS adopted this requirement effective July 5, 2016, alongside the 2012 edition of NFPA 101, the Life Safety Code. For any facility that accepts federal reimbursement, NFPA 99 compliance isn’t optional.
The Shift from Occupancy-Based to Risk-Based
Before the 2012 edition, NFPA 99 was organized around occupancy types. Hospitals followed one set of rules, ambulatory care facilities another, and nursing homes yet another. The 2012 edition fundamentally changed this approach.
The code shifted to a risk-based framework built around the concept that the risk to the patient doesn’t change based on what type of building the procedure occurs in. An operating room in a hospital poses the same risks as an operating room in a freestanding surgical center.
This change was driven by a major trend in healthcare delivery: procedures that used to happen only in hospitals were increasingly being performed in office buildings, ambulatory care centers, and other flexible-use facilities.
The occupancy-based approach couldn’t keep up with this shift. The risk-based approach ensures that the same clinical procedures receive the same level of system protection regardless of the building classification.
For more on risk-based approaches to organizational safety, see our article on key components of a risk management policy.
Understanding the Four NFPA 99 Risk Categories
Chapter 4 of NFPA 99 establishes four risk categories based on the consequences of system or equipment failure. These categories are the foundation of the entire code. Every technical requirement in Chapters 5 through 15 is organized by category, so the risk assessment determines which requirements apply to each system in your facility.
| Category | Definition (Consequence of System/Equipment Failure) | Typical Examples |
| --- | --- | --- |
| Category 1 | Failure is likely to cause major injury or death to patients or caregivers | Operating rooms, intensive care units, cardiac catheterization labs, emergency departments, labor and delivery |
| Category 2 | Failure is likely to cause minor injury to patients or caregivers | Outpatient procedure rooms, some diagnostic areas, endoscopy suites |
| Category 3 | Failure is not likely to cause injury but may cause patient discomfort | Dental operatories, basic examination rooms with no sedation, physical therapy areas |
| Category 4 | Failure would have no impact on patient care | Administrative offices, waiting areas, conference rooms, storage areas |
A critical point that Jensen Hughes emphasizes: these risk categories are applied to systems, not to rooms. A single room can have different risk categories assigned to different systems serving that space.
The medical gas system in a procedure room might be Category 1, while the HVAC system serving the same room might be Category 2 or 3, depending on what the risk assessment determines about the consequence of each system’s failure.
The risk categories also correlate directly to the essential electrical system (EES) requirements in Chapter 6. Category 1 spaces require Type 1 EES services, and Category 2 spaces require Type 2 EES services.
This relationship between the risk assessment and the electrical system design is one reason why the Chapter 4 risk assessment needs to happen early in any design or construction project (MediProducts – NFPA 99 for Healthcare Facilities).
How to Conduct an NFPA 99 Chapter 4 Risk Assessment
NFPA 99 does not mandate a specific risk assessment methodology. Section A.4.2 of the code references several acceptable procedures, including ISO/IEC 31010 (Risk Management – Risk Assessment Techniques), NFPA 551 (Guide for the Evaluation of Fire Risk Assessments), and SEMI S10 (Safety Guidelines for Risk Assessment). The facility can use any documented and defined risk assessment procedure, as long as the process and results are recorded.
Here’s a practical, step-by-step process based on how leading healthcare organizations approach the assessment:
Step 1: Establish a Multidisciplinary Risk Assessment Team
The risk assessment cannot be performed by one person or department in isolation. Jensen Hughes recommends establishing a multidisciplinary team with knowledge of the facility’s space use, patient care services, clinical practices, and building systems.
In a Stanford Health Care case study documented by Reliabilityweb.com, the hospital formed an “NFPA 99 Risk Assessment Task Force” comprising members from the Environment of Care Utility Subcommittee, systems engineering, facilities management, resource management, infection prevention and control, clinical staff, and frontline engineering (Reliabilityweb – A Healthcare Journey to NFPA 99).
The 2018 edition of NFPA 99 made this requirement explicit: the healthcare facility’s governing body must conduct or approve the risk assessment. This isn’t something that can be delegated entirely to an engineering consultant without governing body involvement.
Step 2: Define the Scope and Approach
Determine whether you will conduct the assessment room by room, system by system, or using a hybrid approach. ASHE (the American Society for Healthcare Engineering) recommends a room-by-room assessment, which Stanford Health Care adopted for their process.
This approach evaluates each clinical space and assigns risk categories to the systems serving that space based on the clinical activities that occur there.
Key questions to evaluate for each space include: What patient population uses this space? What is the patient acuity level? What procedures are performed here? Is anesthesia or sedation used that would render a patient incapable of self-preservation?
What equipment is required for patient life support? What would happen to patient safety if each building system (electrical, medical gas, HVAC, plumbing, IT) failed for a short duration? For an extended duration? The Ambulatory Healthcare Design Lab provides a useful framework for organizing these assessment factors (Ambulatory Healthcare Design Lab – NFPA 99 Risk Categories).
Step 3: Use the ASHE Risk Assessment Tool
ASHE provides a free risk assessment tool (available to members at ashe.org) that serves as both a structured methodology and a documentation template. The tool contains three worksheets: Systems, Equipment, and Emergency Management.
The Systems worksheet is used to record each room or area, the systems serving that space (medical gas, electrical, IT, water, HVAC), and the risk category assigned to each system. The Equipment worksheet documents individual pieces of medical and building equipment with their assigned categories. The Emergency Management worksheet covers the building-level categorization required by NFPA 99 Chapter 12 (ASHE – NFPA 99 Risk Assessment Tool).
Even if you use a different methodology, the ASHE tool provides a useful template for ensuring your documentation is complete and organized in a format that CMS surveyors and authorities having jurisdiction (AHJs) can review efficiently.
Step 4: Assign Risk Categories Based on Clinical Consequence
For each system in each space, the team assigns one of the four risk categories based on the clinical consequence of system failure. The key to getting this right is focusing on what actually happens to patients if the system stops working, not on the probability of failure.
Consider an example: a medical gas system serving an operating room where general anesthesia is administered. If the medical gas system fails during surgery, the consequence is immediately life-threatening. That system gets a Category 1 designation.
The same medical gas system serving a dental operatory where only nitrous oxide sedation is used has a different consequence profile: failure would likely cause patient discomfort and procedure interruption, but not a life-threatening emergency. That might warrant Category 2 or 3, depending on the specific clinical protocols.
For background on how risk categories and consequence-based assessments work in other contexts, see our article on risk description examples for project management.
Step 5: Document Everything
CMS has indicated that it will not require facilities to submit risk assessments for advance review. However, if a surveyor raises a question about the construction features or system design in your facility, the documented risk assessment becomes the key defense document.
If you can’t produce a documented assessment that justifies the system categories applied, you have a compliance gap.
Documentation should include the date of the assessment, team members who participated, the methodology used, the risk category assigned to each system in each space, and the rationale for each categorization.
Risk Logic, a healthcare code consulting firm, emphasizes that while CMS won’t review assessments proactively, the documentation becomes critical when questions arise about construction features or system provisions (Risk Logic – Risk-Based Approach of NFPA 99).
Applying NFPA 99 to New Construction vs. Existing Systems
One of the most frequently misunderstood aspects of NFPA 99 is its scoping: the code applies primarily to new construction and new equipment. Section 1.3.2.3 of the 2012 edition states that an existing system not in strict compliance may continue in use unless the authority having jurisdiction determines it constitutes a distinct hazard to life.
This creates important practical distinctions:
New construction and new equipment: A Chapter 4 risk assessment is required. Systems must be designed, installed, and maintained to meet the requirements of their assigned risk category.
Existing systems being altered or renovated: Only the work being performed is required to meet NFPA 99 requirements, unless the alteration adversely affects the performance of existing systems. If it does, those affected systems must also be upgraded.
Existing systems with no modifications: These may continue in use under their existing configuration. However, they must still follow the inspection, testing, and maintenance (ITM) requirements associated with their risk category. The AHJ determines whether an existing system requires a formal risk assessment.
For more on how regulatory frameworks shape compliance requirements across different contexts, see our article on the five steps of the risk management process.
Common Mistakes in NFPA 99 Risk Assessments
Based on guidance from Jensen Hughes, ASHE, and practitioners who have been through the process, these are the pitfalls that most frequently cause problems:
Treating the risk assessment as a one-time exercise. Risk assessments should be reviewed and updated whenever clinical activities in a space change, when systems are modified or renovated, or when the facility adds new services.
A procedure room that was Category 3 when it opened may need reclassification to Category 1 if the clinical programs evolve to include procedures requiring general anesthesia.
Assigning categories to rooms instead of systems. The code requires categories to be assigned to systems and equipment, not to rooms. Different systems serving the same room may receive different categories. Collapsing everything into a single room category either over-designs low-risk systems (wasting money) or under-designs high-risk systems (creating compliance gaps).
Having engineers assign categories without clinical input. The risk assessment requires understanding what clinical activities occur in each space, what the patient acuity levels are, and what happens to patients when systems fail. Engineers understand systems; clinicians understand patient impact. Both perspectives are necessary. The 2018 edition’s requirement for governing body approval was specifically intended to ensure clinical leadership is involved.
Failing to coordinate the assessment with design early enough. The risk assessment determines what systems are required. If the assessment happens after the design is substantially complete, redesign becomes expensive.
Jensen Hughes recommends early coordination to ensure building systems and components are designed to appropriately meet the risk categories that will apply for the life of the building system.
Defaulting everything to Category 1 to be safe. While this avoids under-classifying systems, it dramatically increases construction and maintenance costs. Category 1 requirements for electrical systems, medical gas systems, and HVAC are significantly more demanding (and expensive) than Category 2 or 3. The risk-based approach exists specifically to allow facilities to match protection levels to actual clinical risk, not to default to the highest level everywhere.
NFPA 99 in Emergency and Surge Situations
The risk-based approach of NFPA 99 proved particularly relevant during the COVID-19 pandemic, when hospitals across the country repurposed non-clinical spaces and erected temporary structures to handle patient surges.
NFPA acknowledged that constructing or modifying healthcare spaces in strict code compliance was not feasible under those conditions and urged facilities to use the intent of code documents, including the risk-based approach of NFPA 99, to guide facility decisions.
This flexibility is inherent to the risk-based model. When a conference room is temporarily converted to a patient treatment area during a surge, the facility can assess the specific clinical activities that will occur in that space and provide system protections appropriate to the actual risk, rather than being forced to meet the full requirements that would apply to a permanently constructed clinical space.
The assessment must still be documented, and the AHJ should be involved in the decision-making process.
For more on how organizations handle risk during crisis situations, see our article on business continuity management.
Getting Started with Your NFPA 99 Risk Assessment
The NFPA 99 risk assessment is not a compliance checkbox. It is the foundational document that determines what level of system protection your facility must provide, which directly affects construction costs, maintenance requirements, and most importantly, patient safety. Getting the categories right saves money on systems that don’t need the highest level of protection and ensures that critical systems receive the protection they require.
Start by assembling your multidisciplinary team, downloading the ASHE risk assessment tool, and working through your facility room by room. Engage your AHJ early in the process, document your methodology and decisions thoroughly, and plan to revisit the assessment as clinical programs evolve.
For healthcare facilities navigating this process for the first time, the Jensen Hughes guidance document linked in this article provides detailed technical direction. ASHE’s training programs (available at ashe.org) offer hands-on instruction in applying the code. And the NFPA 99 code itself, available through nfpa.org, is the authoritative source for all requirements.
For more practical guidance on risk assessment methodologies applicable across industries, explore the full library at riskpublishing.com. Our content covers enterprise risk management, quantitative risk analysis tools, and risk register design, all grounded in ISO 31000 and industry best practice.
Sources:
1. Jensen Hughes – NFPA 99 Risk Assessment in Health Care Facilities: jensenhughes.com
2. NFPA – NFPA 99 Health Care Facilities Code: nfpa.org
3. Risk Logic – The Risk-Based Approach of NFPA 99: risklogic.com
4. MediProducts – NFPA 99: What You Need to Know for Your Healthcare Facility: mediproducts.net
5. ASHE – NFPA 99-2021 Risk Assessment Tool: ashe.org
6. Reliabilityweb – A Healthcare’s Journey to the NFPA 99 Risk Assessment: reliabilityweb.com
7. Ambulatory Healthcare Design Lab – How NFPA 99 Risk Categories Impact Facility Design: ambulatoryhealthcaredesignlab.com
8. Creative Safety Supply – NFPA 99: Understanding the Health Care Facilities Code: creativesafetysupply.com

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.