Most AED compliance mistakes have nothing to do with the device itself, at least in the audits and reviews we see most often. The AED works fine. What fails is the paperwork, the assigned responsibility, or a state requirement nobody read closely enough on day one. A facility can have a fully functional defibrillator on the wall and still fail a compliance review because no one can produce 18 months of inspection logs, or because the program never set up medical oversight that its specific state model requires.
Here’s the pattern worth knowing before anything else: compliance gaps are almost always invisible until someone asks for proof. The device passes its self-test every day. The cabinet looks fine. Then an insurance auditor, a state PAD program reviewer, or a plaintiff’s attorney after a failed rescue asks a specific question, and the answer doesn’t exist on paper. Below are the 10 mistakes that come up most often, in roughly the order they tend to surface during a real review. Laws and program requirements vary significantly by state and by facility type, so treat the state examples below as illustrations, not a complete list of what applies to your specific situation.
| # | Mistake | Why it gets missed | What it costs you |
|---|---|---|---|
| 1 | No designated AED coordinator | Responsibility is assumed, not assigned | No one is accountable when something lapses |
| 2 | Treating certification as compliance | The terms sound interchangeable | Certified staff, non-compliant program |
| 3 | Skipping medical direction where required | Requirements vary by state and program type | Program fails specific PAD requirements |
| 4 | Inconsistent inspection documentation | Inspections happen, logging doesn’t | No proof of maintenance during audit |
| 5 | Letting pad or battery dates slip | Adult and pediatric pads expire separately | Non-functional device if a component expires |
| 6 | Forgetting EMS/PSAP registration | Few people know this requirement exists | Slower 911 response, potential non-compliance |
| 7 | Non-compliant signage or placement | Assumed cosmetic, actually regulated | Fails state-specific accessibility requirements |
| 8 | No post-incident reporting process | Nobody plans for the day it’s actually used | Missing required incident documentation |
| 9 | Assuming Good Samaritan immunity is unconditional | Immunity often comes with conditions attached | Weakened legal defense after a failed rescue |
| 10 | Records not retained long enough | Retention period varies by state and entity type | Audit finding for missing historical records |
1 No designated AED coordinator
The single most common root cause behind every other mistake on this list. When no specific person is named as responsible for the AED program, every other task — inspections, battery tracking, certification renewals, incident reporting — defaults to “whoever notices.” Nobody notices consistently.
Some state PAD program rules explicitly call for a named individual or department responsible for maintenance and testing. Requirements vary by state, so confirm what your specific state’s PAD guidance asks for rather than assuming a national standard exists. Without a named coordinator on file, the program has a structural gap before anything else even goes wrong.
The fix: name one person per location in writing, document the appointment in the program compliance file, and designate a backup. Rotate the role formally if staff turnover requires it, don’t let it quietly become “nobody’s.”
2 Treating certification as compliance
A fully certified staff doesn’t make a program compliant. CPR/AED certification confirms a person is trained to use the device. It says nothing about whether the device is maintained, whether medical oversight exists where required, or whether records are being kept.
This mistake is common because casual language blurs the difference. “We’re AED certified” gets used to mean “we’re compliant,” and they’re not the same claim. A facility with 20 certified employees and an AED with expired pads is not compliant, regardless of how many wallet cards are current.
The fix: track certification and device compliance as two separate workstreams with two separate sets of expiration dates. Certification answers “is this person trained.” Compliance answers “is this program meeting its specific legal requirements.”
3 Skipping medical direction where the program model requires it
Medical direction — sometimes a written physician agreement, sometimes broader physician oversight — applies to some Public Access Defibrillation (PAD) program models but not others. Requirements vary by state and by the type of facility or program, so it’s inaccurate to say any single state requires it across the board. Some states, for example certain California and New York PAD program models, build medical oversight into specific program types or circumstances, not universally for every AED installation.
The mistake happens because medical direction is easy to overlook. The device works without it. Nothing visibly breaks. Then a state audit or insurance review asks for the physician agreement or oversight documentation, and it doesn’t exist, in cases where the program’s specific model required it.
The fix: check your specific state’s PAD guidance or statute to confirm whether your program model requires medical direction. If required, set up the agreement once and put a renewal reminder on the calendar — most medical direction agreements need periodic review.
4 Inconsistent inspection documentation
The inspection itself usually happens. Someone walks up to the AED, glances at the light, moves on. What doesn’t happen consistently is writing it down. A program that’s been inspecting devices monthly for two years but only has documentation for 8 of those 24 months looks, on paper, identical to a program that skipped 16 months of inspections entirely.
Auditors and insurance reviewers can only evaluate what’s documented, and they generally accept several formats: printed and signed logs, exported digital records (CSV or PDF), or timestamped entries from a tracking system. What matters is that something dated and attributable exists for every month, not which format it takes.
The fix: every inspection gets logged the moment it happens, not at the end of the month from memory. A monthly inspection checklist with a 12-month tracking format on a single sheet per device is one practical template for this, but always follow your specific AED manufacturer’s inspection guidance as the primary source for what to check.
5 Letting pad or battery expiration dates slip
This is the most common device-level compliance failure, and it has a specific structural cause: adult pads, pediatric pads, and batteries all expire on different schedules, and most programs only track “the pads” or “the battery” as a single line item instead of tracking each component separately.
A facility can replace adult pads diligently for years while pediatric pads, used far less often and checked far less carefully, sit expired the entire time. The device passes every visual check because nobody’s looking at the pediatric pad date specifically. If any one component — adult pads, pediatric pads, or battery — is expired or missing when the device is needed, the AED can fail to function as intended.
The fix: track adult pads, pediatric pads, and battery as three separate dates per device, not one combined “supplies” date. Record the lot number and exact expiration date for each component, and set a reminder roughly 90 days ahead of each expiration so there’s time to order and install the replacement before the date arrives.
💡 Adult pads, pediatric pads, batteries, certifications — four cycles, one dashboard. AED Log tracks each separately and alerts you before the gap opens.
6 Forgetting EMS or PSAP registration
Many states and counties require AED locations to be registered with local EMS or the regional Public Safety Answering Point (PSAP), so 911 dispatchers can direct callers to the nearest device during an emergency. Registration rules are set at the state or local level, not federally, so what’s required in one county may not apply in the next. This requirement is also frequently a one-time registration combined with periodic updates whenever device details (location, model, responsible party) change, not a single set-and-forget filing.
What it affects is response time during an actual event, and even where a registry exists, dispatchers may only see that information if the registry is integrated with the local computer-aided dispatch (CAD) system, which varies by jurisdiction. An unregistered AED means a 911 dispatcher may not be able to tell a caller “there’s a defibrillator in the lobby,” even if there is one ten feet away.
The fix: check your state and county requirements specifically, and confirm whether registration needs periodic updates when device information changes. If registration is required, it’s typically a straightforward form through the local EMS authority.
7 Non-compliant signage or device placement
Some states regulate not just whether an AED is present, but where it’s placed and how it’s marked. Requirements can include specific signage language, visibility from a certain distance, mounting height, or proximity to high-traffic areas in buildings of a certain size. These rules differ by state and sometimes by facility type, so a requirement that applies to one building category may not apply to another.
This gets missed because signage feels like a cosmetic decision rather than a compliance requirement. A facility manager picks a spot that seems sensible and never checks whether the state has specific rules about it.
The fix: confirm your state’s specific signage and placement language before final installation, not after. Retrofitting signage is a minor cost. Failing an inspection over it is an unnecessary one.
8 No post-incident reporting process
Most AED programs have never had to use the device, which is good news, but it also means most programs have never tested their own incident reporting process until the day they actually need it. When that day comes, there’s often no clear protocol for who reports the event, to whom, and within what timeframe.
Many manufacturers request notification and retrieval of the device’s event data after any use, both for documentation purposes and for their own product review, though exact policies vary by brand. Check your specific device’s manual and warranty terms for what your manufacturer expects. Some states also have their own incident reporting expectations tied to PAD program participation.
The fix: write the incident reporting process down before it’s needed: who calls 911, who notifies the medical director (if the program has one), who downloads the event data, who replaces the pads, and who files any required report with the state or manufacturer. A 1-page protocol prevents confusion during the worst possible moment to be figuring it out.
9 Assuming Good Samaritan immunity is unconditional
This is the mistake with the highest legal stakes on this list. Good Samaritan laws exist in nearly every state to protect AED users and program owners from civil liability after a good-faith rescue attempt. What gets missed is that this immunity often comes with conditions attached. It’s seldom unconditional.
Conditions commonly include maintaining the device per manufacturer specifications, having trained or certified responders, and in some states, registering the device or maintaining medical oversight. Florida’s statute on AED use and immunity (Fla. Stat. § 401.2915) is one example of a state law in this area, but statutes differ substantially from state to state, and the specific conditions that apply to your program depend on your state’s law. This is general information, not legal advice, so for specifics, consult your state statute or legal counsel.
If a lawsuit follows a failed rescue, the first document request is almost always the maintenance log. A program that assumed immunity was unconditional and skipped documentation may discover, at the worst possible time, that the protection it was counting on had conditions it hadn’t met.
The fix: read your specific state’s Good Samaritan statute, or have legal counsel review it, and confirm what conditions apply to your program. Then make sure your documentation actually supports those conditions.
10 Not retaining records long enough
Retention requirements vary by state and by entity type, generally falling somewhere in a 3 to 7 year range, though some sectors have their own specific rules (for example, certain employer recordkeeping obligations or healthcare-specific requirements can differ from a general business’s PAD recordkeeping). Many programs simply don’t know what their specific requirement is. Records get cleaned out during an office move, an IT migration, or a staff transition, often well before the legally required retention period ends.
This becomes a problem specifically when a review or claim happens years after the maintenance occurred. A program with excellent recent records but no historical data is still exposed for the gap years.
The fix: confirm your state’s specific retention period, and your entity type’s specific rules if applicable, with your state PAD guidance or legal counsel. Set an internal policy that’s longer, not shorter, than the legal minimum. Digital records solve this more reliably than paper, since paper has a way of disappearing during the exact transitions that matter most.
Why these mistakes cluster together
Almost every program that has one of these gaps has several. The reason is structural, not a reflection of carelessness. Each of the 10 items above is a different date, a different document, or a different requirement, and most programs are tracking all of them, if they’re tracked at all, across some combination of memory, a shared drive folder, and a clipboard near the AED cabinet.
Past about 5 to 10 AEDs, or past a handful of certified responders whose CPR/AED cards also expire on staggered dates, this combination stops being manageable by any one person. The mistakes above aren’t really 10 separate problems. They’re 10 symptoms of one underlying issue: nothing forces these dates and requirements into a single place where someone can see all of them at once.
AED Log was built around that specific gap. Every device’s inspection schedule, pad and battery expirations (adult and pediatric tracked separately), responder certification dates, and incident records live in one dashboard instead of scattered across a clipboard, a spreadsheet, and someone’s memory. Alerts fire ahead of every expiration, and every record stays exportable and audit-ready, which is the difference between answering an auditor’s question in 30 seconds and spending a week reconstructing two years of history.
Pricing is tier-based, not per device, so a 15-AED program with the corresponding certification and pad-tracking complexity doesn’t cost more per device than a 2-AED one.
Note: This article provides general information, not legal advice. AED laws and PAD program requirements vary by state and facility type. Confirm specifics with your state’s PAD guidance or legal counsel.
Fix your AED compliance gaps in under 5 minutes
Free forever on 1 AED and unlimited users. No credit card. No trial clock.
✓ Audit-ready records
✓ State-specific tracking
