What is FQHC HIPAA Compliance?
Federally qualified health centers (FQHCs) include a range of health centers, such as Community Health Centers, Migrant Health Centers, Health Care for the Homeless, and Health Centers for Residents of Public Housing. These centers provide services such as pharmacy, dental care, behavioral health care, and pediatric care. As such, federally qualified health centers must comply with the HIPAA regulations. To provide guidance, FQHC HIPAA compliance is discussed below.
FQHC HIPAA Compliance and the Privacy Rule
Under HIPAA, federally qualified health centers are covered entities (providers). As such, FQHC HIPAA compliance consists of following all components of HIPAA including the Privacy Rule.
Therefore, FQHCs must observe Privacy Rule requirements pertaining to:
- Unauthorized disclosure and impermissible use of PHI;
- Business associate agreements;
- Written patient authorization forms;
- Notices of Privacy Practices;
- Accounting of PHI disclosures;
- Amendment of PHI;
- The right of individuals to access their PHI;
- Training of the workforce on the FQHC’s Privacy Rule policies and procedures.
FQHC HIPAA Compliance and the Security Rule
Part of FQHC HIPAA compliance requires adherence to the Security Rule.
Under the HIPAA Security Rule, providers must:
- Conduct security risk analyses;
- Implement risk management;
- Implement Security Rule policies and procedures;
- Provide employees with security awareness training.
Failure to comply may result in investigation by the Office for Civil Rights (OCR).
FQHC HIPAA Compliance and Fines for Noncompliance
FQHCs have been investigated and fined in the past. In July of 2020, OCR announced that it had reached a $25,000 settlement with Metropolitan Community Health Services (Metro) to resolve potential HIPAA Security Rule violations.
Under the settlement, Metro, a federally qualified health center, was required to implement a corrective action plan (CAP) that includes two years of monitoring. Under a corrective action plan, a provider must submit documentation to OCR demonstrating that it has remediated the deficiencies that led to the fine. OCR continually monitors the provider’s compliance until the two-year period is over. If a provider fails to abide by the terms of the CAP, it risks being fined again.
Metro had been operating in the rural areas of Washington and Williamston, North Carolina since 1999, providing a wide range of healthcare services to local residents. Metro currently employs 43 people and serves about 3,100 patients each year. In June of 2011, Metro filed a breach report with HHS, as required by law, indicating that protected health information (PHI) had been impermissibly disclosed to an unknown email account. In its report, Metro indicated that 1,263 patients were affected by the breach.
OCR then investigated Metro, finding long-running, systematic noncompliance with the HIPAA Security Rule. This noncompliance included:
- Failure to conduct security risk an