HIPAA Compliance & Security for Federally Qualified Health Centers

Unlike other healthcare providers, Federally Qualified Health Centers operate on a fixed budget with severe staff shortages. Oversights, poor technical safeguards, and a lack of personnel training make protected health information (PHI) the most vulnerable target in an FQHC ecosystem. FQHCs need specialized safeguards and a system that makes them ready for HIPAA compliance.

Federally Qualified Health Centers (FQHCs) are very different from large hospital systems with a CISO and a dedicated security team. They rely on federal grants and process a large volume of patients every day, many of whom are low-income and uninsured. 
 
As primary care providers, FQHCs act as a medical clinic, a dental practice, a behavioral health provider, and a pharmacy all at once. 
 
This brings some unique challenges. Most FQHCs are too understaffed and underfunded to have a robust IT team. And yet they handle thousands of protected health information (PHI) records every day, while relying heavily on third-party solutions for billing and for maintaining electronic health records (EHRs). 
 
Thus, applying the same frameworks and vendor solutions as private healthcare providers does not work for FQHCs. The HIPAA violations FQHCs commit are different from the HIPAA violations hospitals commit. 
 
So, let’s take a deeper dive into the issues they face to understand where their HIPAA compliance violations stem from. 

Where Does HIPAA Compliance Break Down in Federally Qualified Health Centers?

FQHCs sometimes underestimate how widely patient data moves through their systems. PHI is not confined to the EHR; it also lives in emails, shared folders, billing tools, AI transcription software, and many other tools. 
 
Most of these tools come from third-party vendors, as FQHCs don't usually have the manpower for patient billing, visit scheduling, analytics, or even IT support. 
 
Meanwhile, weak governance and incomplete risk analysis expose FQHCs to HIPAA compliance violations far more than individual staff errors do. 
 
FQHCs deal with as much as, if not more than, other healthcare providers. Let's take a deeper look to get a better understanding. 

The FQHC PHI Problem Is Bigger Than It Looks

In 2020, Metropolitan Community Health Services reached a $25,000 settlement with the HHS Office for Civil Rights (OCR). It was found in violation of HIPAA Security Rule 45 C.F.R. § 164.316, which mandates the implementation of policies and procedures to protect ePHI, and 45 C.F.R. § 164.308(a)(1)(ii)(A), which mandates a risk analysis. 

A data breach affecting 1,263 patients was reported to OCR. 
 
Similarly, in 2017, the Metro Community Provider Network (MCPN) in Denver suffered a phishing attack. The ePHI of 3,200 patients was exposed. 
 
MCPN agreed to pay OCR $400,000 and to adopt a corrective action plan that included two years of monitoring. OCR's report shows that the breach happened due to a lack of risk analysis. 
 
It is clear that PHI data breaches in Federally Qualified Health Centers stem not only from organizational gaps in security but also from staff practices. 
 
And the more concerning part is that caregivers increasingly rely on third-party AI tools in their daily work. Research conducted by the cybersecurity firm Netskope reveals that 71% of healthcare workers use personal, unregulated AI accounts, and uploading sensitive PHI to them is becoming common. 
 
With FQHCs operating as a medical clinic, a dental practice, a behavioral health provider, and a pharmacy in parallel, it becomes harder to keep track of where PHI is being created, shared, and stored. FQHC IT services rarely have the ability to map the data flow of PHI. 

The Third-Party Vendor Exposure That Most FQHCs Underestimate

An FQHC's digital environment is not a closed system. It is a network of platforms, vendors, and integrations, many of them built by third-party vendors. 
 
Imagine everything from the EHR, dental management software, and pharmacy records to patient portals, billing clearinghouses, and other third-party apps, all connected to each other. 
 
Every one of those connections increases the potential for a data breach. 
 
Third-party apps frequently need access (often privileged access) to the covered entity's systems and networks. Providing that access creates new risks for the organization, as third parties are a frequent target of bad actors. 
 
Although HIPAA mandates that hospitals sign a BAA with every third party, the healthcare provider's work doesn't end there. An FQHC with five to ten active vendors touching ePHI has to review whether those vendors' security controls also fall within its own scope. 

The Resource Gap Is Constant for FQHCs

In a March 2025 letter to OCR, the National Association of Community Health Centers (NACHC) reported that 78.9% of health centers have only one to ten full-time equivalents supporting IT, and that only two-thirds report having a cybersecurity committee or leader at all. 
 
What this means is that the same person is sometimes responsible for running the EHR, HIPAA compliance, device management, and vendor oversight. When OCR comes asking for documentation of a risk analysis or an incident response plan, that same person must produce it. 
 
According to the Health Sector Coordinating Council, over 50% of FQHCs say they need more IT personnel, and 30% say they are understaffed or severely understaffed. 
 
For resource-constrained healthcare providers like FQHCs, the security program must be designed so that it meets the same OCR standards as any other healthcare system without a 24/7 security officer.

What the Proposed 2025 HIPAA Security Rule Updates Mean for FQHCs

HHS published a Notice of Proposed Rulemaking in January 2025 that represents the most significant proposed update to the HIPAA Security Rule in over two decades. Several changes hit Federally Qualified Health Centers directly. 

Multi-factor authentication would become mandatory. So would annual penetration testing. 

NACHC, representing FQHCs nationwide, has formally asked OCR to reconsider the penetration testing frequency, acknowledging that the combined annual cost of pentesting, security assessments, and compliance audits is a significant burden for smaller centers. 
 
“NACHC understands the intent behind updating the HIPAA security standards. However, we have concerns about the difficulty health centers, which operate on financially slim margins and staff, will face in fully implementing these standards as proposed,” reads the official statement. 

The cost concerns are legitimate. But with data breaches becoming more regular, HIPAA compliance is becoming more stringent. 

What HIPAA Actually Requires - The Necessary Security Measures

The HIPAA Security Rule categorizes its requirements into three types of safeguards. Here is what each means for FQHC compliance. 

1. Administrative Safeguards

The Security Risk Assessment (SRA) must identify and document potential threats and vulnerabilities that could lead to improper access or disclosure of ePHI. 
 
An SRA is not a one-time task. It should be repeated whenever systems change, incidents occur, or the organization changes structure, all of which happen frequently in an FQHC. 
 
In addition to the SRA, workforce security training is a necessity, along with a sanctions policy and a documented Incident Response Plan. These are the key items OCR requests first during an investigation. 

2. Physical Safeguards

Physical safeguards relate to where ePHI is stored in the physical environment. For FQHCs operating across various locations, including mobile health units, maintaining physical control is challenging. 
 
For example, a device used for patient intake at a community health fair must have the same level of physical and technical security as a workstation at the primary care desk in the main facility. 

3. Technical Safeguards

HHS's January 2025 proposed update to the HIPAA Security Rule would make several requirements mandatory, including comprehensive security risk assessments, multi-factor authentication, and encryption of PHI both at rest and in transit. 
 
Even before these requirements are finalized, health centers should implement them, as they are already best practices in the healthcare industry. 
 
Access controls often present gaps for FQHCs. Role-based access is essential, ensuring that each staff member can reach only the records their role requires. For example, a front desk staff member should not have the same access as a periodontist. 
 
Audit logging is equally crucial. HIPAA mandates the ability to review system activity to track who accessed what, when, and from where. Without this capability, an FQHC is unable to identify unusual access, investigate incidents, or demonstrate that it has an effective security management process. 
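The two controls above can be checked against each other: an audit log that records who, what, when, and from where lets you replay each access event against the role matrix and flag the ones that need follow-up. The script below is an added illustration, not KLEAP's or any EHR vendor's code; the role-to-record matrix, the clinic address range, the business hours, and the pipe-delimited log layout are all assumptions, and the sample log lines are constructed.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical role-to-record matrix: front desk gets scheduling and
# demographics only; a periodontist also gets the dental chart.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "schedule"},
    "periodontist": {"demographics", "schedule", "dental_chart"},
}
CLINIC_NETWORKS = [ip_network("10.20.0.0/16")]  # assumed on-site address range
BUSINESS_HOURS = (time(7, 0), time(19, 0))       # assumed clinic hours
# Constructed audit-log layout: timestamp|user|role|action|record_type|patient|src_ip
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<user>[^|]+)\|(?P<role>[^|]+)\|(?P<action>[^|]+)\|"
    r"(?P<record>[^|]+)\|(?P<patient>[^|]+)\|(?P<ip>[^|]+)$"
)

def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def review_event(event):
    """Return the review flags for one access event (who/what, where, when)."""
    flags = []
    if event["record"] not in ROLE_PERMISSIONS.get(event["role"], set()):
        flags.append("role_violation")  # record type outside the user's role
    if not any(ip_address(event["ip"]) in net for net in CLINIC_NETWORKS):
        flags.append("off_network")     # source address outside the clinic
    if not BUSINESS_HOURS[0] <= event["ts"].time() <= BUSINESS_HOURS[1]:
        flags.append("after_hours")     # outside business hours
    return flags

def review_log(lines):
    """Return (user, patient, flags) for every event that needs follow-up."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        if event is not None and (flags := review_event(event)):
            flagged.append((event["user"], event["patient"], flags))
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not real PHI
    "2025-03-03T09:15:00|jdoe|front_desk|view|schedule|P1001|10.20.4.15",
    "2025-03-03T09:20:00|jdoe|front_desk|view|dental_chart|P1001|10.20.4.15",
    "2025-03-03T22:40:00|rlee|periodontist|view|dental_chart|P2002|203.0.113.7",
]
```

Running `review_log(SAMPLE_LOG)` flags the front-desk user opening a dental chart and the periodontist's late-night access from outside the clinic network, while the ordinary scheduling lookup passes clean.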

What Other Measures Can Help FQHCs? - Pentesting and Compliance Programs

The financial concern behind the proposed annual penetration testing is legitimate. But the underlying logic of the requirement is sound. 
 
An SRA gives an overview of your security posture; a pentest exploits vulnerabilities in real time while emulating a real-world cyberattack. From a misconfiguration in the EHR API integration to a credential that remained active after a staff departure, pentesting finds vulnerabilities that aren't on anyone's radar. 
 
This is particularly important for FQHC compliance when a health center has never had a professional pentest before. 
 
A pentest's findings also lend credibility to your SRA and give you evidence of whether your security controls are working as intended. 
 
But compliance is not just a checklist exercise. FQHCs need a documented, sustainable program calibrated to precisely what they require. Here is what FQHCs can do: 

  1. Start with a complete Security Risk Assessment conducted by a qualified external party with specific knowledge of the HIPAA Security Rule and the FQHC operating environment. Not a self-assessment tool, but a manual, documented analysis of every system, every location, and every vendor with access to ePHI.
  2. Build a Risk Management Plan that shows you have worked on the vulnerabilities reported in the SRA. OCR wants proof that you have addressed your risks, not just documented them.
  3. Build a vendor management program that checks that every vendor touching ePHI has a signed BAA, that its security documentation has been reviewed, and that its access rights have been validated.
  4. Implement role-based access controls and MFA across every system, both clinical and administrative.
  5. Train staff on phishing attacks, proper and improper AI usage, and the privacy requirements around PHI.
  6. Conduct a penetration test through a firm that not only understands what OCR and external auditors need to see in the output but also validates your security controls.

Federally Qualified Health Centers need a compliance structure that is not borrowed from a playbook designed for someone else, because their challenges are uniquely their own.

How Can KLEAP Help?

KLEAP has been working with healthcare organizations that carry real regulatory exposure but can’t absorb enterprise-level overhead. FQHCs are exactly who we are built for. 
 
Kleap’s concierge model ensures that you get a dedicated expert who scopes your organizational needs, manually conducts risk assessment, and explains every finding to your compliance officer or your board without any handovers in the middle. 
 
We map every location where ePHI lives across your service footprint. We assess threats and vulnerabilities specific to your environment, assign documented risk levels, and deliver a Risk Management Plan tied directly to findings so that your team can act on it. 
 
We perform manual penetration tests scoped to your actual environment: web applications, APIs, network infrastructure, Active Directory, EHR integrations, and remote access points. We map the report to the HIPAA Security Rule, making it easier when OCR or an external auditor asks for evidence. 
 
And as your FQHC adds service lines, satellite locations, or new vendor integrations, Kleap works with your team to update policies and procedures so they reflect what is actually happening in the organization. 
 
If you still do not know where to start, give us a call and we will take it from there. 
