Two Compliance Signals for FQHCs: HRSA's FY2026 340B Manufacturer-Audit Results Go Live, and OCR's Ransomware Settlements Preview a Tougher HIPAA Security Rule

Two federal compliance developments worth a calendar note. First, HRSA published its FY2026 340B Manufacturer Audit Results page (updated May 28, 2026) — the companion to the already-tracked FY2025 cycle (49% adverse findings); results are partially finalized, with corrective-action plans and any sanctions to be posted as HRSA approves them, and the agency advises covered entities not to contact audited manufacturers until CAPs post. FQHCs are the largest class of 340B covered entities, so this is a standing reference to monitor in OPAIS. Second, OCR's Risk Analysis Initiative has now completed 19 ransomware investigations with six 2026 settlements, and a June 1 Sidley analysis frames the recent settlements as a direct preview of the forthcoming HIPAA Security Rule amendments (which would make annual risk analyses, documented asset inventories, and demonstrated remediation mandatory rather than 'addressable'). No FQHC has been named, but FTCA-covered health centers are full HIPAA covered entities — meaning a center that hasn't completed a documented Security Risk Analysis is accumulating enforcement exposure ahead of a rule change, not just theoretical risk. (Affordable FQHC SRA tooling like Medcurity, added to our tech stack this cycle, exists precisely for this gap.)