FQHCs and HIPAA Security Risk Assessments
Though HRSA itself does not require a Security Risk Assessment (SRA), community health centers must conduct one to comply with the HIPAA Security Rule. The risk analysis requirement sits in the Administrative Safeguards at 45 CFR § 164.308(a)(1)(ii)(A), is enforced by the HHS Office for Civil Rights (OCR), and requires covered entities and business associates (FQHCs are covered entities) to:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
HIPAA itself sets no fixed frequency for this assessment; OCR's position is that risk analysis is an ongoing process, and the best-practice recommendation is to complete a full SRA at least annually. Some programs do require it annually: the CMS Promoting Interoperability programs, for example, require a security risk analysis for each performance period. Absent such a requirement, annual SRAs remain the sensible baseline.
Key SRA Requirements for Community Health Centers
Scope: The SRA must cover all e-PHI in every electronic medium the center uses, across all locations and systems, including workstations, networks, portable media, and transmission channels.
Data Collection: Centers must identify and document where e-PHI is stored, received, maintained, or transmitted, gathering this information by reviewing past and existing projects, interviewing staff, reviewing documentation, or using other data-gathering techniques.
Threats and Vulnerabilities: Centers must identify and document reasonably anticipated threats (natural, human, and environmental) and vulnerabilities (technical and non-technical) that could lead to inappropriate access or disclosure of e-PHI.
Current Security Measures: An assessment of existing safeguards for e-PHI is required to determine if they are configured and used properly and adequately address the risks identified.
Likelihood and Impact: The process must include an estimation of the probability of threat occurrence and the magnitude of potential impacts, using qualitative, quantitative, or combination methods.
Risk Level Assignment: For each identified threat/vulnerability combination, centers must assign and document risk levels, using likelihood and impact analyses, and provide a list of corrective actions to mitigate each risk.
Documentation: The SRA process and results must be documented, but HIPAA does not require a specific format—documentation should support subsequent risk management actions.
Periodic Review & Updates: Risk analysis is ongoing and must be revisited regularly; frequency may vary based on organizational changes, new technologies, security incidents, or staff turnover. Updates to security measures should be made as needed, based on risks identified during periodic reviews.
Use of Standards and Frameworks: While the Security Rule does not mandate a specific SRA methodology, OCR's guidance points to NIST publications (e.g., SP 800-30 on conducting risk assessments and SP 800-66 on implementing the Security Rule) as industry best practice and recommends them for federal and non-federal entities alike.
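A worked example of the "Likelihood and Impact" and "Risk Level Assignment" steps above, in Python. This is an added illustration, not code from the original post or from RegLantern: the three-level rating scale, the combination matrix and the dollar thresholds are assumptions chosen for illustration (NIST SP 800-30 describes a five-level qualitative scale), and the register entries are constructed sample data, not findings from any real health center. Each threat/vulnerability pair carries either qualitative ratings or quantitative inputs (annual rate of occurrence and single loss expectancy), the script assigns a risk level using whichever method the entry supports, and it ranks the corrective actions so the highest risks are addressed first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualitative scale, lowest to highest. ASSUMPTION: three levels; NIST SP 800-30
# uses five (Very Low .. Very High). The matrix below is likewise an assumption.
LEVELS: Tuple[str, ...] = ("Low", "Moderate", "High")

# risk_level = RISK_MATRIX[(likelihood, impact)]
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",       ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",  ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High",         ("High", "High"): "High",
}

# ASSUMPTION: annualized loss expectancy (USD) cut-offs separating Low/Moderate/High.
ALE_THRESHOLDS: Tuple[float, float] = (5_000.0, 50_000.0)


@dataclass
class RiskEntry:
    """One threat/vulnerability pair against one place e-PHI lives."""
    asset: str               # system, device or channel holding e-PHI
    threat: str
    vulnerability: str
    current_control: str     # existing safeguard (the 'Current Security Measures' step)
    corrective_action: str
    likelihood: Optional[str] = None   # qualitative rating, one of LEVELS
    impact: Optional[str] = None       # qualitative rating, one of LEVELS
    aro: Optional[float] = None        # quantitative: annual rate of occurrence
    sle: Optional[float] = None        # quantitative: single loss expectancy, USD


def qualitative_level(likelihood: str, impact: str) -> str:
    """Combine two qualitative ratings via the matrix; reject unknown ratings."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


def quantitative_level(aro: float, sle: float) -> Tuple[str, float]:
    """ALE = ARO x SLE, then bucket the ALE into a level using ALE_THRESHOLDS."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    ale = aro * sle
    if ale < ALE_THRESHOLDS[0]:
        return "Low", ale
    if ale < ALE_THRESHOLDS[1]:
        return "Moderate", ale
    return "High", ale


def assess(entry: RiskEntry) -> Tuple[str, Optional[float]]:
    """Use whichever method the entry's data supports (qualitative first, then quantitative)."""
    if entry.likelihood is not None and entry.impact is not None:
        return qualitative_level(entry.likelihood, entry.impact), None
    if entry.aro is not None and entry.sle is not None:
        return quantitative_level(entry.aro, entry.sle)
    raise ValueError(f"{entry.asset}: need likelihood+impact or aro+sle")


def build_register(entries: List[RiskEntry]) -> List[dict]:
    """Assign a level to every entry and rank: High first, then by ALE where known."""
    rows = []
    for e in entries:
        level, ale = assess(e)
        rows.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "current_control": e.current_control, "risk_level": level,
            "ale": ale, "corrective_action": e.corrective_action,
        })
    # Higher level first; within a level, larger known ALE first; stable otherwise.
    rows.sort(key=lambda r: (-LEVELS.index(r["risk_level"]), -(r["ale"] or 0.0)))
    return rows


# Constructed sample entries for illustration only (not real findings).
SAMPLE_ENTRIES: List[RiskEntry] = [
    RiskEntry("EHR database server", "Ransomware delivered by phishing",
              "No MFA on remote access", "Endpoint antivirus",
              "Enforce MFA on all remote access; maintain tested offline backups",
              likelihood="High", impact="High"),
    RiskEntry("Laptops used at satellite clinic", "Device theft or loss",
              "Full-disk encryption not verified", "Cable locks",
              "Verify full-disk encryption on every laptop; maintain device inventory",
              aro=0.5, sle=120_000.0),
    RiskEntry("Outbound email", "Misdirected message containing e-PHI",
              "No outbound DLP rules", "Annual staff training",
              "Enforce TLS and add DLP rules for PHI patterns",
              likelihood="Moderate", impact="Moderate"),
    RiskEntry("On-premises server room", "Flooding", "Equipment at floor level in basement",
              "Sump pump", "Raise racks and move backups off-site",
              likelihood="Low", impact="High"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        ale = "" if row["ale"] is None else f" (ALE ${row['ale']:,.0f})"
        print(f"{row['risk_level']:8}{ale} {row['asset']}: {row['corrective_action']}")
```

The ranked rows are the "list of corrective actions to mitigate each risk" the Security Rule expects the SRA to produce; keeping the current control and the vulnerability on the same row also gives the documentation needed to justify a corrective action plan or an alternative to an addressable specification. Whatever scale and thresholds a center chooses, the point is to write them down and apply them consistently across every e-PHI location.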
How Community Health Centers Use SRA Findings
Inform personnel screening processes, data backup strategies, encryption policies, data authentication practices, and transmission protections.
Document why an “addressable” implementation specification was not implemented as written and what equivalent alternative measure was adopted instead, as 45 CFR § 164.306(d) requires.
Develop corrective action plans tailored to the center's size, complexity, and operating environment.
Helpful Resources:
HHS has guidance and an SRA Tool here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Here is a video explaining the requirements of a Security Risk Assessment: https://www.youtube.com/watch?v=SbYWQDe1rXI
OCR Webinar: The HIPAA Security Rule Risk Analysis Requirement: https://www.youtube.com/watch?v=hxfxhokzKEU
Security Risk Assessment (SRA): Practical Next Steps for FQHCs
Schedule an Annual SRA – Plan to conduct your Security Risk Assessment at least once per year (or more often if systems, staff, or technologies change). (RegLantern can help with this - contact us today if interested!)
Map All e-PHI – Identify every system, device, and process where electronic PHI is stored, transmitted, or maintained—including remote sites and portable media.
Document Everything – Maintain written or electronic documentation of your SRA process, findings, and mitigation steps to support compliance and audits.
Update Regularly – Revisit your SRA whenever there are system changes, security incidents, or organizational updates.
Turn Findings into Action – Use SRA results to guide security training, backup plans, encryption, authentication, and corrective action plans.
RegLantern can help with your annual Security Risk Assessments (SRAs)! Contact us today for more information.
The information presented in this blog post is provided for general informational and educational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice on specific legal questions or situations. The views and opinions expressed herein are solely those of the author and do not represent the views, policies, or positions of the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or any other federal agency or organization.
Updated: October 10, 2025
RegLantern provides HRSA compliance services (including mock site surveys) and online tools to assist your health center with continual compliance.