FQHCs and HIPAA Security Risk Assessments

Though HRSA does not itself require a Security Risk Assessment (SRA), community health centers must conduct one to comply with the HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A), the risk analysis implementation specification under the administrative safeguards), which is enforced by the HHS Office for Civil Rights (OCR). The rule requires covered entities and business associates (including FQHCs) to:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

The Security Rule sets no fixed frequency for this assessment; it requires only that the risk analysis be kept current (see "Periodic Review & Updates" below). The best-practice recommendation is to complete an SRA at least annually, and some programs go further: the Medicare Promoting Interoperability Program, for example, requires an SRA in each performance year.

Key SRA Requirements for Community Health Centers

  • Scope: The SRA must cover all e-PHI in every electronic medium the center uses, across all locations and systems, including workstations, networks, portable media, and transmission channels.

  • Data Collection: Centers must identify and document where e-PHI is stored, received, maintained, or transmitted. OCR's guidance suggests reviewing past and existing projects, interviewing staff, reviewing documentation, and using other data-gathering techniques.

  • Threats and Vulnerabilities: Centers must identify and document reasonably anticipated threats (natural, human, and environmental) and vulnerabilities (technical and non-technical) that could lead to inappropriate access to, disclosure of, or loss of e-PHI.

  • Current Security Measures: An assessment of existing safeguards for e-PHI is required to determine if they are configured and used properly and adequately address the risks identified.

  • Likelihood and Impact: The process must include an estimation of the probability of threat occurrence and the magnitude of potential impacts, using qualitative, quantitative, or combination methods.

  • Risk Level Assignment: For each identified threat/vulnerability combination, centers must assign and document risk levels, using likelihood and impact analyses, and provide a list of corrective actions to mitigate each risk.

  • Documentation: The SRA process and results must be documented, but HIPAA does not require a specific format—documentation should support subsequent risk management actions.

  • Periodic Review & Updates: Risk analysis is ongoing and must be revisited regularly; the frequency may vary based on organizational changes, new technologies, security incidents, or staff turnover. Security measures should be updated as needed based on the risks identified during each periodic review.

  • Use of Standards and Frameworks: While the Security Rule does not mandate a specific SRA methodology, it recognizes NIST standards (e.g., SP 800-30, SP 800-66) as industry best practices and recommends their use for both federal and non-federal entities.

How Community Health Centers Use SRA Findings

  • Inform personnel screening processes, data backup strategies, encryption policies, data authentication practices, and transmission protections.

  • Document why an "addressable" implementation specification was not implemented as written and what equivalent alternative measure was adopted instead. Note that "addressable" does not mean optional: the center must either implement the specification, implement a reasonable and appropriate alternative, or document why neither is reasonable and appropriate.

  • Develop corrective action plans tailored to the center's size, complexity, and operating environment.

Security Risk Assessment (SRA): Practical Next Steps for FQHCs

  1. Schedule an Annual SRA – Plan to conduct your Security Risk Assessment at least once per year (or more often if systems, staff, or technologies change). (RegLantern can help with this - contact us today if interested!)

  2. Map All e-PHI – Identify every system, device, and process where electronic PHI is stored, transmitted, or maintained—including remote sites and portable media.

  3. Document Everything – Maintain written or electronic documentation of your SRA process, findings, and mitigation steps to support compliance and audits.

  4. Update Regularly – Revisit your SRA whenever there are system changes, security incidents, or organizational updates.

  5. Turn Findings into Action – Use SRA results to guide security training, backup plans, encryption, authentication, and corrective action plans.

RegLantern can help with your annual Security Risk Assessments (SRAs)! Contact us today for more information.

The information presented in this blog post is provided for general informational and educational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice on specific legal questions or situations. The views and opinions expressed herein are solely those of the author and do not represent the views, policies, or positions of the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or any other federal agency or organization.

Updated: October 10, 2025

Kyle Vath

Kyle Vath, BSN, MHA, RN: Kyle Vath is the CEO and co-founder of RegLantern, a company that provides tools and services to health centers that help them move to continual compliance. These services include mock site surveys and web-based tools that allow health centers to organize their compliance documentation. Kyle has served in a wide range of healthcare settings including serving as the Director of Operations for Social Ministries for a large health system, Provider Relations for a health system-owned payer, the Director of Operations for a Federally-Qualified Health Center, long-term care (as a nursing manager, director of nursing, and licensed nursing home administrator), in acute care (as a critical care nurse), and in Tanzania, East Africa as a hospital administrator of a rural mission hospital.
