HRSA’s updated Notice of Award terms put fresh emphasis on something health centers have always had to get right: parental consent and access rules for minors’ care, as defined by applicable state and federal law. In a December 3, 2025 memo, HHS and the Office of Civil Rights reiterated that, under HIPAA, parents are generally a minor child’s “personal representative,” which usually gives them the right to access the child’s medical records and PHI—and OCR has signaled it is seeing providers restrict parental access more than HIPAA requires. At the same time, long-standing HIPAA exceptions still apply when state law allows a minor to consent to certain services, when a court orders it, or when a parent agrees to a confidentiality arrangement. The practical takeaway for HRSA-supported health centers isn’t to abandon minor consent processes, but to ensure record-access and patient portal workflows mirror the legal consent rules: parents should typically have access to non-confidential portions of the record, while minor-consent services may require limiting parental access to those specific services.

Federally Qualified Health Centers (FQHCs) are required under the HIPAA Security Rule to conduct regular Security Risk Assessments (SRAs) to safeguard electronic protected health information (e-PHI). This blog explains what an SRA is, why it’s essential for compliance, and how community health centers can complete one effectively. Learn how to identify where e-PHI is stored, assess risks and vulnerabilities, evaluate current safeguards, and document findings using best-practice frameworks such as NIST SP 800-30 and SP 800-66. The post also offers practical steps to turn assessment results into actionable security improvements. Conducting an annual SRA not only helps maintain compliance with the U.S. Office for Civil Rights (OCR) but also strengthens data protection and patient trust.

In April of 2024, The Department of Health and Human Services (HHS) issued a Final Rule modifying the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The final rule was effective June 25, 2024, and health centers must be in compliance after December 23, 2024.

This new rule has raised questions with community health centers as to how it applies to Federally Qualified Health Centers (FQHCs) and their privacy practices.