What is FQHC HIPAA Compliance?

Federally qualified health centers (FQHCs) include a variety of health centers, such as Community Health Centers, Migrant Health Centers, Health Care for the Homeless, and Health Centers for Residents of Public Housing. These centers provide a variety of services, including pharmacies, dental care, behavioral health care, and pediatric care. As such, federally qualified health centers must comply with the HIPAA regulations. To provide guidance, FQHC HIPAA compliance is discussed below.

FQHC HIPAA Compliance and the Privacy Rule

Under HIPAA, federally qualified health centers are covered entities (providers). As such, FQHC HIPAA compliance consists of following all components of HIPAA including the Privacy Rule.

Therefore, FQHCs must observe Privacy Rule requirements pertaining to:

FQHC HIPAA Compliance and the Security Rule

Part of FQHC HIPAA compliance requires adherence to the Security Rule.

Under the HIPAA Security Rule, providers must:

  • Conduct security risk analyses;
  • Implement risk management;
  • Implement Security Rule policies and procedures;
  • Provide employees with security awareness training.

Failure to comply may result in investigation by the Office for Civil Rights (OCR). 

FQHC HIPAA Compliance and Fines for Noncompliance

FQHCs have been investigated and fined in the past. In July of 2020, OCR announced that it had settled with Metropolitan Community Health Services (Metro) for $25,000 over potential HIPAA Security Rule violations.

Under the settlement, Metro, a federally qualified health center, was required to implement a corrective action plan (CAP) that includes two years of monitoring. Under a corrective action plan, a provider must submit documentation to OCR demonstrating that the provider has remediated the deficiencies related to a fine. OCR continually monitors a provider’s compliance until the two-year period is over. If a provider fails to abide by the terms of the CAP, the provider risks being fined again.

Metro had been operating in the rural areas of Washington and Williamston, North Carolina since 1999, providing a wide range of healthcare services to local residents. Metro currently employs 43 people and serves about 3,100 patients each year. In June of 2011, Metro filed a breach report with HHS, as required by law, indicating that protected health information (PHI) was impermissibly disclosed to an unknown email account. Metro, in its report, indicated that 1,263 patients were affected by the breach.

OCR then investigated Metro, finding long-running, systematic noncompliance with the HIPAA Security Rule. This noncompliance included:

OCR had planned to fine Metro (currently doing business as Agape Health Services) for these multiple HIPAA Security Rule violations. Metro decided to settle in early March of 2020, in lieu of being issued a civil monetary penalty (CMP), or fine, by OCR.

OCR, in reaching the agreement, noted that the relatively small fine of $25,000 took into account Metro’s status as a federally qualified health center. 

In 2017, a Denver-based FQHC, Metro Community Provider Network (MCPN), which provided medical, dental, and behavioral care to approximately 43,000 patients per year (a large majority of whom had incomes at or below the poverty level), agreed to settle with OCR for $400,000 and to implement a corrective action plan for failure to conduct a risk analysis and failure to conduct risk management.

In a statement accompanying the fine, OCR acknowledged the special status of MCPN as an FQHC, stating that OCR “considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.” In other words, OCR is not seeking to put FQHCs out of business with costly fines; however, OCR will not hesitate to fine FQHCs (albeit in lesser amounts than for-profit providers) for the same HIPAA violations other providers commit. 

What Are Federally Qualified Health Centers?

Federally Qualified Health Centers (FQHCs) are community-based healthcare providers that receive funds from the HRSA Health Center Program. The Health Resources and Services Administration (HRSA), an agency of the U.S. Department of Health and Human Services (HHS), is the primary federal agency for providing healthcare to people who are geographically isolated or economically or medically vulnerable. As nonprofit, tax-exempt organizations, FQHCs receive, in addition to Medicare and Medicaid funding, grants from the government and the private sector, as well as donations.

FQHCs use these various income sources to provide primary care services in underserved areas. To retain FQHC status, an FQHC provider must meet a stringent set of requirements. They must, for example, provide care on a sliding fee scale, based on ability to pay. FQHCs must also operate under a governing board that includes patients in the FQHC community.
