The 2026 HIPAA Security Rule for FQHCs: What HRSA Grant Conditions Now Require
Obi Ibeto

The 2026 HIPAA Security Rule update creates mandatory cybersecurity requirements for FQHCs — and HRSA grant conditions increasingly align with these standards. Here's what your health center must have.

Federally Qualified Health Centers operate under a unique dual compliance framework: HIPAA, as covered entities transmitting ePHI in standard electronic transactions; and HRSA's Health Center Program requirements, which include conditions tied to the Section 330 grant that funds FQHC operations.

The 2026 HIPAA Security Rule update matters for FQHCs on both dimensions. As covered entities, FQHCs must comply with the updated mandatory requirements. And HRSA's Program Requirements — which include requirements for adequate administrative and quality infrastructure — increasingly align with the cybersecurity standards the 2026 HIPAA update now mandates.

This guide explains the 2026 HIPAA update's requirements for FQHCs, how they interact with HRSA Program Requirements, and what a compliant FQHC security program looks like.

The 2026 HIPAA Security Rule Updates: FQHC Impact

Encryption: Now Mandatory

Under the original HIPAA Security Rule, encryption was "addressable" — FQHCs could document a reasonable alternative if encryption wasn't implemented. The 2026 update removes this flexibility: encryption is now required.

What this means for FQHCs: every workstation at your health center that contains ePHI must be encrypted. Every laptop used by clinical staff — including laptops used in satellite sites, mobile health clinics, and school-based health programs — must be encrypted. Every mobile device used by care coordinators, case managers, and outreach workers to access patient records must be encrypted.

For FQHCs operating across multiple sites — which is the norm for larger health centers — this creates a compliance obligation across every location and every device type in the organization.

The practical compliance step: Conduct a full device inventory. Verify encryption status on every device type. Enable BitLocker (Windows), FileVault (Mac), or verified Android/iOS encryption. Document the verification.
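An added example (not code from the original post) of the verification step on a Windows endpoint: it records each volume's BitLocker state as an inventory row so repeated runs build the documentation trail the rule asks for. It assumes the built-in BitLocker module, an elevated session, and a report path of my choosing.

```powershell
# Added example, not from the original post: build a per-volume BitLocker
# inventory record for encryption-verification evidence. Requires the BitLocker
# PowerShell module (Windows 10/11 Pro/Enterprise) and an elevated session.
# The report path is an assumption for this example.

$ReportPath = "C:\Compliance\encryption-inventory.csv"
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null

function Get-EncryptionInventory {
    $computer = $env:COMPUTERNAME
    $checked  = (Get-Date).ToString("s")
    Get-BitLockerVolume | ForEach-Object {
        # A volume only counts as protected when it is fully encrypted AND
        # protection is on. "FullyEncrypted" with ProtectionStatus Off is a
        # common finding when BitLocker was suspended for an update and never
        # resumed, so both conditions are checked.
        $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                     ($_.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Computer         = $computer
            Volume           = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            PercentEncrypted = $_.EncryptionPercentage
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ';')
            Compliant        = $compliant
            CheckedAt        = $checked
        }
    }
}

$inventory = Get-EncryptionInventory

# Append rather than overwrite so each run adds to the documented history
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation -Append

# Surface anything that needs remediation (suspended protection, or an
# unencrypted data volume that may hold ePHI)
$inventory | Where-Object { -not $_.Compliant } |
    Format-Table Computer, Volume, VolumeStatus, ProtectionStatus -AutoSize
```

Get-BitLockerVolume reports only the local machine, so for a multi-site fleet run the function through Invoke-Command or your RMM and merge the CSVs into the central inventory.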

Multi-Factor Authentication: Now Required

MFA is now required for every account with access to ePHI. For FQHCs, this means:

  • All EHR user accounts (eClinicalWorks, Greenway, NextGen, Epic, Athenahealth — whatever your health center uses)
  • All Microsoft 365 or Google Workspace accounts used by staff who access or communicate patient information
  • All remote access methods — VPN, RDP, any system through which staff access the health center's network from outside
  • Any third-party portals (Medicaid portals, lab results portals, referral coordination systems) that contain ePHI

For FQHCs using Microsoft 365, MFA via Conditional Access is available in Business Basic and higher plans. In most cases the implementation is a configuration change, not a new software purchase.
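An added example (not from the original post) of that configuration change: a Conditional Access policy requiring MFA for all users on all cloud apps, created in report-only mode first so the sign-in log shows who would be affected before it is enforced. It assumes the Microsoft.Graph PowerShell module, a tenant licensed for Conditional Access, and a placeholder for the emergency-access account ID.

```powershell
# Added example, not from the original post: create a "require MFA for all
# users" Conditional Access policy in report-only mode. Assumes the
# Microsoft.Graph module is installed and the tenant is licensed for
# Conditional Access. The break-glass account ID below is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassId = "<object-id-of-emergency-access-account>"   # placeholder

$policy = @{
    displayName = "Require MFA - all users, all cloud apps (ePHI access)"
    # Report-only first: review the sign-in log, then switch to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Always exclude at least one emergency-access account so a
            # broken MFA method cannot lock every administrator out
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Once the report-only results show no unexpected impact, move the policy to enforcement with Update-MgIdentityConditionalAccessPolicy by setting state to "enabled".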

Biannual Vulnerability Scanning: Now Required

The 2026 update specifies biannual automated vulnerability scanning — twice per year. Results must be documented. Identified vulnerabilities must have a remediation timeline.

For a multi-site FQHC, vulnerability scanning covers the network infrastructure at each site, the workstations at each location, and the VPN or remote access infrastructure used to connect sites.

Without a managed security provider, this requires either purchasing vulnerability scanning tools and training someone to use them, or engaging a security firm for each scan. With a managed provider, scanning is included in the service.

Annual Penetration Testing: Now Required

Annual penetration testing by a qualified internal or external party is required. For FQHCs, this typically means engaging an external cybersecurity firm annually. The test simulates an attacker attempting to breach your environment — it goes beyond scanning to test whether vulnerabilities can actually be exploited.

Pen test results and remediation actions must be documented. The 2026 HIPAA enforcement focus on risk management means OCR will ask not just whether you tested, but what you found and what you did about it.

HRSA Program Requirements and Cybersecurity

HRSA's Health Center Program Requirements (outlined in the Health Center Compliance Manual) establish the operational standards health centers must meet as a condition of Section 330 funding. While the Program Requirements do not use the language of cybersecurity explicitly, several requirements have direct cybersecurity implications.

Required Organizational Infrastructure (Section 6)

HRSA requires that health centers maintain adequate administrative and management capacity to accomplish the organization's mission. A health center that experiences a ransomware attack resulting in weeks of care disruption — because it lacked basic cybersecurity infrastructure — is arguably failing this requirement.

HRSA site reviewers have increasingly flagged health information security as a component of organizational infrastructure adequacy. A health center with no risk analysis, no security policies, and no staff training in cybersecurity may face HRSA findings related to administrative capacity.

Electronic Health Record Use and Health IT (Section 9)

HRSA requires health centers to maintain an electronic health record system capable of supporting quality improvement activities. A health center whose EHR is disrupted by ransomware — or whose EHR access is compromised by a phishing attack — cannot meet the continuous EHR use and data quality requirements that HRSA expects.

HIPAA Compliance as a Program Requirement

HRSA's compliance manual explicitly states that health centers must comply with all applicable federal laws, including HIPAA. HIPAA Security Rule compliance — including the 2026 update's mandatory requirements — is therefore a condition of Section 330 grant compliance.

What a 2026-Compliant FQHC Security Program Looks Like

A Federally Qualified Health Center that satisfies the 2026 HIPAA Security Rule requirements and HRSA Program Requirements has:

Documentation:

  • Current written risk analysis (all ePHI systems and processes, updated within 12 months)
  • Written information security program or policies document
  • Incident response plan with 72-hour internal notification procedures
  • Business Associate Agreements with all ePHI vendors (EHR, billing, IT services, cloud providers)
  • Staff training completion records (annual, all staff with ePHI access)

Technical Controls:

  • Encryption at rest and in transit (all systems and devices)
  • MFA enforced on all ePHI-connected accounts
  • Behavioral EDR on all endpoints
  • Advanced email security (anti-phishing, anti-impersonation, malicious link scanning)
  • Biannual vulnerability scans (documented results)
  • Annual penetration test (documented results and remediation)
  • 24/7 monitoring (or equivalent alerting with defined after-hours response procedures)
  • Immutable backups tested for restoration

Governance:

  • Board-level awareness and approval of the security program
  • Designated security or HIPAA security officer with documented responsibilities
  • Regular security risk review (annual minimum)

Funding the 2026 Requirements

Section 330 Grant Allowable Costs. HIPAA compliance is an operational requirement for health centers. Security controls required for HIPAA compliance — including managed cybersecurity services — are generally allowable costs under Section 330 grant terms as administrative and compliance infrastructure. Document the compliance purpose in your budget justification.

HRSA's Quality Improvement Funding. Security infrastructure that protects the EHR and data systems used for quality reporting may qualify as quality improvement infrastructure.

State PCA Group Purchasing. State Primary Care Associations negotiate group purchasing agreements on behalf of member health centers. Cybersecurity services are increasingly included in these negotiations. Contact your state PCA for current group purchasing options.

ShieldForce delivers 2026-compliant cybersecurity for FQHCs — with Section 330-aligned documentation. Our service includes HIPAA risk analysis, written security program, MFA enforcement, EDR, and 24/7 monitoring — everything your health center needs.
