The health center leader's trusted provider of HRSA Compliance expertise, mock site visits, and first-of-its-kind web-based site survey preparation tools.
FQHCs and HIPAA Security Risk Assessments
Federally Qualified Health Centers (FQHCs) are required under the HIPAA Security Rule to conduct regular Security Risk Assessments (SRAs) to safeguard electronic protected health information (e-PHI). This blog explains what an SRA is, why it’s essential for compliance, and how community health centers can complete one effectively. Learn how to identify where e-PHI is stored, assess risks and vulnerabilities, evaluate current safeguards, and document findings using best-practice frameworks such as NIST SP 800-30 and SP 800-66. The post also offers practical steps to turn assessment results into actionable security improvements. Conducting an annual SRA not only helps maintain compliance with the U.S. Office for Civil Rights (OCR) but also strengthens data protection and patient trust.
New “Reproductive Health Care Rule” and how it affects community health centers
In April of 2024, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The final rule was effective June 25, 2024, and health centers must be in compliance after December 23, 2024.
This new rule has raised questions among community health centers about how it applies to Federally Qualified Health Centers (FQHCs) and their privacy practices.

