HRSA Site Visit Prep: The Cybersecurity Documentation Auditors Check First at Community Health Centers

Obi Ibeto

HRSA site reviewers increasingly assess health information security as part of health center compliance reviews. Here's the cybersecurity documentation your FQHC must have ready before a visit.

HRSA operational site visits assess health center compliance with the Health Center Program Requirements — and increasingly, that includes a review of how the health center manages health information security. While the Health Center Compliance Manual does not have a cybersecurity chapter, the Program Requirements around administrative capacity, EHR use, and regulatory compliance create direct expectations for cybersecurity governance.

Health centers that have experienced breaches or that lack basic security documentation are increasingly cited for compliance deficiencies related to administrative capacity and HIPAA compliance obligations. Preparing for an HRSA site visit in 2026 requires having the right documentation organized and ready.

What HRSA Reviewers May Request Related to Cybersecurity

HRSA site visit reviewers do not conduct technical penetration tests or examine firewall configurations. They review documentation and interview leadership. The cybersecurity-adjacent documents they may request include:

Governance Documentation

Board minutes or resolutions regarding health information security. HRSA Program Requirements (Section 6) require the governing board to exercise oversight of the organization's operations. Evidence that the board has reviewed, discussed, or approved a cybersecurity or health information security program demonstrates governance-level awareness and accountability.

What to have ready: Board minutes from the past two years that reference cybersecurity, health information security, HIPAA compliance, or the organization's risk management program. A board-approved information security policy is the strongest evidence.

HIPAA compliance program documentation. Evidence that the health center has an active HIPAA compliance program — including Security Rule compliance — demonstrates that HIPAA obligations are being actively managed. This includes the risk analysis, the written security program, and the designated HIPAA security officer documentation.

Workforce Training Documentation

HIPAA training records. HRSA Program Requirements reference staff training as a component of organizational capacity. HIPAA requires annual security awareness training for all workforce members. The combination creates a clear expectation: every staff member at your health center should have documented annual HIPAA and security awareness training completion.

What to have ready: A training completion report showing every staff member's name, training date, and training content for the most recent annual cycle. Include training content outlines to demonstrate that security was substantively covered, not just acknowledged.

Electronic Health Record Documentation

EHR use policies and access controls. HRSA expects health centers to use their EHR systems effectively for care delivery and quality improvement. Evidence that EHR access is appropriately controlled — role-based access, audit logging, MFA for access — demonstrates that the EHR is being managed in accordance with HIPAA and sound operational practices.

What to have ready: EHR access control policy, documentation of most recent access review, confirmation that MFA is enforced for EHR access.

Downtime procedures. If the EHR is unavailable due to a technical incident, how does the health center maintain care delivery? HRSA expects that health centers have continuity procedures for operational disruptions — including IT outages.

What to have ready: Written downtime procedures for EHR unavailability, including who is notified, how patient care is documented manually, and how clinical information is transferred back into the EHR once systems are restored.

Incident History

Prior breach notifications or security incidents. HRSA reviewers may ask whether the health center has experienced any reportable HIPAA breaches. If a breach has occurred, they will assess whether the health center responded appropriately — timely notification, remediation, and updated security program.

What to have ready: Documentation of any prior breach response, including OCR breach notification confirmation, individual notification evidence, and remediation actions taken.

The Pre-Visit Checklist: Cybersecurity Documentation to Organize

Two weeks before an HRSA site visit, confirm the following are current, organized, and accessible:

  • [ ] Board minutes or resolutions referencing cybersecurity/HIPAA (past 2 years)
  • [ ] Approved organizational information security policy
  • [ ] Designation of HIPAA Security Officer (name and documented responsibilities)
  • [ ] Current HIPAA Security Rule risk analysis (within past 12 months)
  • [ ] Written information security program or policies document
  • [ ] Staff HIPAA/security training completion records (all staff, past 12 months)
  • [ ] EHR access control policy and most recent access review documentation
  • [ ] Confirmation of MFA enforcement on EHR and email accounts
  • [ ] Downtime procedures for EHR unavailability
  • [ ] Business Associate Agreement list and confirmation of current BAAs
  • [ ] Any prior breach notification documentation and remediation evidence

If any of these are missing, they represent both HRSA compliance gaps and HIPAA Security Rule gaps — and the HRSA visit preparation window is the right time to close them.

Framing Cybersecurity in the Site Visit Narrative

During leadership interviews, HRSA reviewers ask open-ended questions about organizational capacity and management. When the conversation touches on health information management, technology, or data security, health center leadership should be able to articulate:

  • Who is responsible for health information security at the organization
  • What the organization has done to assess and address cybersecurity risks
  • How the organization ensures that staff follow security policies
  • What would happen if the EHR were unavailable

A leader who can answer these questions confidently — with documentation to support each answer — demonstrates the administrative capacity HRSA expects. A leader who is uncertain or who defers entirely to an IT vendor for all answers signals potential capacity concerns.
