What are the 19 HRSA program requirements for FQHCs?

HRSA requires FQHCs to meet 19 program requirements covering: needs assessment, required/additional services, clinical staffing, accessible hours/locations, sliding fee scale, quality improvement/assurance, board authority, board composition, governance, financial management, billing/collections, budget, program data reporting, scope of project, federal/state requirements, health center controlled facilities, organizational structure, contracts/subawards, and conflict of interest policies. Noncompliance can result in conditions of award or loss of Section 330 funding.

How often do FQHCs receive HRSA Operational Site Visits (OSV)?

FQHCs receive an Operational Site Visit from HRSA approximately every 3 years. The OSV reviews compliance with all 19 program requirements. FQHCs should maintain continuous readiness by conducting internal audits and keeping documentation current rather than scrambling before a scheduled visit.

What are the HIPAA requirements for FQHCs?

FQHCs must comply with HIPAA Privacy, Security, and Breach Notification Rules including: Business Associate Agreements with all vendors handling PHI, annual security risk assessments (45 CFR § 164.308), workforce training within 30 days of hire and annually, breach notification to affected individuals within 60 days, and maintaining 6 years of HIPAA compliance documentation.

Can FQHCs bill two encounters on the same day?

Under Medicare PPS, FQHCs can bill 2 encounters on the same day if the patient sees two different providers for two different services (e.g., medical + behavioral health). Under Medi-Cal, generally only 1 PPS encounter per day is allowed, though some managed care plans may allow exceptions. FQHCs cannot bill 'incident-to' like private practices.

What is the False Claims Act penalty for FQHCs?

The Federal False Claims Act (31 USC § 3729-3733) imposes penalties of $13,946 to $27,894 per false claim plus treble damages (3× the overpayment). Common FQHC false claims include: billing incident-to, billing without face-to-face encounters, upcoding E/M levels, and 340B duplicate discounts. Whistleblowers receive 15-30% of recovered funds.

What is required in a HIPAA Business Associate Agreement (BAA)?

Every vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) must sign a BAA before receiving any patient data. This includes EHR vendors, clearinghouses, cloud storage providers, billing services, and telehealth platforms. A missing BAA is an automatic HIPAA violation if that vendor experiences a breach.

How quickly must FQHCs report a HIPAA breach?

FQHCs must notify affected individuals within 60 days of discovering a breach. If 500+ individuals are affected in a state, prominent media outlets must also be notified. All breaches must be reported to HHS OCR via their breach portal. Breaches affecting fewer than 500 individuals must be logged and reported annually by March 1.

What is the most common HIPAA violation at FQHCs?

The most common HIPAA violation for FQHCs is failure to conduct an annual Security Risk Assessment as required by 45 CFR § 164.308(a)(1). The assessment must cover all systems containing ePHI, physical security, workforce practices, and encryption status. FQHCs can use the free HHS SRA Tool or hire an external auditor.

← Compliance

HIPAA Compliance for FQHCs

Protect patient data. Avoid $100K+ fines. Know the rules.

Every vendor that creates, receives, maintains, or transmits PHI must sign a BAA before receiving any patient data. This includes EHR vendors (Epic, eClinicalWorks, athenahealth), clearinghouses, cloud storage (AWS, Azure), billing services, and telehealth platforms. Missing BAA = automatic HIPAA violation if that vendor has a breach. Maintain a master BAA tracker with renewal dates. Review annually.

Key HIPAA Risks

CRITICAL (20)L:4 × I:5

Missing HIPAA Risk Assessment

Organization has not conducted HIPAA security risk assessment in 12+ months. Single most common HIPAA violation.

Annual risk assessment on compliance calendar with external auditor

HIGH (16)L:4 × I:4

PHI Exposure via Email

Staff sending unencrypted patient information via personal or unsecured email.

Email encryption enforced for all outbound messages containing PHI

HIGH (15)L:3 × I:5

Missing Business Associate Agreement

Vendor handling PHI without signed BAA. Automatic HIPAA violation if vendor has breach.

Vendor PHI inventory reviewed quarterly

HIGH (15)L:3 × I:5

Unencrypted Device with ePHI

Lost or stolen laptop, phone, or USB drive containing unencrypted patient data.

Full-disk encryption on all devices accessing EHR or ePHI

HIGH (12)L:3 × I:4

Non-Compliant Telehealth Platform

Using video conferencing without BAA (e.g., personal Zoom, FaceTime) for patient visits.

Approved telehealth platform list with verified BAAs

MEDIUM (9)L:3 × I:3

Telehealth Licensing & Supervision Gaps

Telehealth expansion increases risk: out-of-state providers practicing without CA license, NP/PA supervising relationships not clear (HIPAA-compliant platform ≠ clinical supervision), state prescribing laws not followed (DEA requirements for controlled substances).

Provider license verification (CA BBS, BRN, BOP) renewed annually; Telehealth platform BAA and HIPAA audit before deployment

HIPAA Case Studies

Multi-site community health center • Central California • 2025

PHI Breach via Unencrypted Email

Challenge: Care coordinator emailed a spreadsheet containing 847 patient names, DOBs, and diagnoses to a managed care plan using personal Gmail account instead of secure portal.

Resolution: Conducted breach risk assessment. Notified 847 patients within 60 days. Reported to HHS OCR. Implemented email DLP scanning, mandatory encryption for external emails, and retraining.

Cost: $45,000 (remediation costs)

Lesson: Email DLP is essential — staff will use workarounds when systems fail. Build technical controls that prevent PHI exposure regardless of user behavior.

Community health center network • Inland Empire, California • 2025

Ransomware Attack and Recovery

Challenge: Ransomware encrypted all EHR servers and backup systems. 23,000 patient records inaccessible for 11 days. Attackers demanded $500K in cryptocurrency.

Resolution: Did not pay ransom. Restored from off-site backup (10 days of data lost). Reported breach to HHS (23,000 individuals). Implemented air-gapped backups, phishing simulation training, and MFA.

Cost: $890,000+ (total incident costs)

Lesson: Air-gapped backups are non-negotiable. Test disaster recovery quarterly — don't discover your backup doesn't work during a real incident.

Community health center • Los Angeles County • 2025

Unencrypted Laptop Theft — HIPAA Breach

Challenge: Manager's unencrypted laptop stolen from car. Device contained 12,000 patient names, SSNs, diagnoses, and medication lists. No tracking or remote wipe capability. Discovered 3 weeks later when manager tried to log in.

Resolution: Conducted breach risk assessment — determined encryption unlikely, so breach presumed. Notified 12,000 patients within 60 days. Provided 24-month credit monitoring. Reported to HHS OCR. Implemented full-disk encryption on all devices, MDM with remote wipe, and offline data access restrictions.

Cost: $1,300,000 (OCR settlement)

Lesson: Encryption is a HIPAA minimum — no exceptions for 'performance.' Without encryption, any device loss is presumed to be a breach. MDM with remote wipe is essential for mobile workforce.

Multi-site FQHC • Sacramento County • 2025

Business Associate Breach — Vendor Non-Compliance

Challenge: Third-party medical transcription company (Business Associate) suffered a data breach: 45,000 patient records exposed from unsecured FTP server. FQHC client list, notes, diagnoses compromised. BAA required company to notify within 24 hours; they notified after 19 days.

Resolution: FQHC notified affected patients and HHS OCR within 60 days (total 45,000 notifications). Terminated relationship with BA. Switched to HIPAA-compliant alternative vendor. Implemented annual BA compliance audit requirement. Required vendors to carry cyber liability insurance.

Cost: $45,000 (patient notification and credit monitoring)

Lesson: A BAA is not 'set and forget' — vendors' security posture degrades over time. Annual compliance audits are mandatory. Require cyber liability insurance and breach notification within 24 hours. You remain liable for BA breaches even if fault is theirs.

Key Regulations

45 CFR § 164.500-534, 45 CFR § 160.103

HIPAA Privacy Rule (45 CFR Part 160 & 164)

Establishes standards for protected health information (PHI). Defines patient rights to access, amend, and restrict use of their health records.

HHS Office for Civil Rights

45 CFR § 164.308, 45 CFR § 164.310, 45 CFR § 164.312

HIPAA Security Rule (45 CFR § 164.302-318)

Requires administrative, physical, and technical safeguards for electronic PHI (ePHI). Includes risk analysis, workforce training, access controls, and encryption.

HHS Office for Civil Rights

45 CFR § 164.404, 45 CFR § 164.406, 45 CFR § 164.408

HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)

Requires notification to individuals, HHS, and media (if 500+ affected) within 60 days of discovering a PHI breach. Breaches affecting fewer than 500 must be logged and reported annually.

HHS Office for Civil Rights

45 CFR § 164.502(e), 45 CFR § 164.504(e)

Business Associate Agreements (BAA Requirements)

Any entity that creates, receives, maintains, or transmits PHI on behalf of an FQHC must sign a BAA. Includes EHR vendors, clearinghouses, cloud storage, billing services.

HHS Office for Civil Rights

CA Civil Code § 1798.100-199, CPRA effective Jan 2023

California Consumer Privacy Act / CA Privacy Rights Act

California state privacy laws that may apply to FQHC operations beyond HIPAA. CCPA/CPRA covers employee data and non-patient data. More restrictive than HIPAA in some areas.

California Attorney General

Key HIPAA Risks

CRITICAL (20)L:4 × I:5

Missing HIPAA Risk Assessment

Organization has not conducted HIPAA security risk assessment in 12+ months. Single most common HIPAA violation.

Annual risk assessment on compliance calendar with external auditor

HIGH (16)L:4 × I:4

PHI Exposure via Email

Staff sending unencrypted patient information via personal or unsecured email.

Email encryption enforced for all outbound messages containing PHI

HIGH (15)L:3 × I:5

Missing Business Associate Agreement

Vendor handling PHI without signed BAA. Automatic HIPAA violation if vendor has breach.

Vendor PHI inventory reviewed quarterly

HIGH (15)L:3 × I:5

Unencrypted Device with ePHI

Lost or stolen laptop, phone, or USB drive containing unencrypted patient data.

Full-disk encryption on all devices accessing EHR or ePHI

HIGH (12)L:3 × I:4

Non-Compliant Telehealth Platform

Using video conferencing without BAA (e.g., personal Zoom, FaceTime) for patient visits.

Approved telehealth platform list with verified BAAs

MEDIUM (9)L:3 × I:3

Telehealth Licensing & Supervision Gaps

Provider license verification (CA BBS, BRN, BOP) renewed annually; Telehealth platform BAA and HIPAA audit before deployment

HIPAA Case Studies

Multi-site community health center • Central California • 2025

PHI Breach via Unencrypted Email

Challenge: Care coordinator emailed a spreadsheet containing 847 patient names, DOBs, and diagnoses to a managed care plan using personal Gmail account instead of secure portal.

Resolution: Conducted breach risk assessment. Notified 847 patients within 60 days. Reported to HHS OCR. Implemented email DLP scanning, mandatory encryption for external emails, and retraining.

Cost: $45,000 (remediation costs)

Lesson: Email DLP is essential — staff will use workarounds when systems fail. Build technical controls that prevent PHI exposure regardless of user behavior.

Community health center network • Inland Empire, California • 2025

Ransomware Attack and Recovery

Challenge: Ransomware encrypted all EHR servers and backup systems. 23,000 patient records inaccessible for 11 days. Attackers demanded $500K in cryptocurrency.

Cost: $890,000+ (total incident costs)

Lesson: Air-gapped backups are non-negotiable. Test disaster recovery quarterly — don't discover your backup doesn't work during a real incident.

Community health center • Los Angeles County • 2025

Unencrypted Laptop Theft — HIPAA Breach

Cost: $1,300,000 (OCR settlement)

Lesson: Encryption is a HIPAA minimum — no exceptions for 'performance.' Without encryption, any device loss is presumed to be a breach. MDM with remote wipe is essential for mobile workforce.

Multi-site FQHC • Sacramento County • 2025

Business Associate Breach — Vendor Non-Compliance

Cost: $45,000 (patient notification and credit monitoring)

HIPAA Compliance for FQHCs

Business Associate Agreements

Patient Rights (Access, Amendment, Confidentiality)

Breach Notification Protocol

Workforce Training Requirements

Annual Security Risk Assessment

Key HIPAA Risks

Missing HIPAA Risk Assessment

PHI Exposure via Email

Missing Business Associate Agreement

Unencrypted Device with ePHI

Non-Compliant Telehealth Platform

Telehealth Licensing & Supervision Gaps

HIPAA Case Studies

PHI Breach via Unencrypted Email

Ransomware Attack and Recovery

Unencrypted Laptop Theft — HIPAA Breach

Business Associate Breach — Vendor Non-Compliance

Key Regulations

HIPAA Privacy Rule (45 CFR Part 160 & 164)

HIPAA Security Rule (45 CFR § 164.302-318)

HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)

Business Associate Agreements (BAA Requirements)

California Consumer Privacy Act / CA Privacy Rights Act

HIPAA Compliance for FQHCs

Business Associate Agreements

Patient Rights (Access, Amendment, Confidentiality)

Breach Notification Protocol

Workforce Training Requirements

Annual Security Risk Assessment

Key HIPAA Risks

Missing HIPAA Risk Assessment

PHI Exposure via Email

Missing Business Associate Agreement

Unencrypted Device with ePHI

Non-Compliant Telehealth Platform

Telehealth Licensing & Supervision Gaps

HIPAA Case Studies

PHI Breach via Unencrypted Email

Ransomware Attack and Recovery

Unencrypted Laptop Theft — HIPAA Breach

Business Associate Breach — Vendor Non-Compliance

Key Regulations

HIPAA Privacy Rule (45 CFR Part 160 & 164)

HIPAA Security Rule (45 CFR § 164.302-318)

HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)

Business Associate Agreements (BAA Requirements)

California Consumer Privacy Act / CA Privacy Rights Act