HIPAA Security Risk Assessment for Illinois Community Health Centers (2026 Guide)
The short answer
Illinois Community Health Centers (CHCs) must complete a HIPAA Security Risk Assessment (SRA) under 45 CFR 164.308(a)(1)(ii)(A) every year, and the assessment has to cover every site, every workforce role, and every connected system. Layered on top of that, Illinois adds the Personal Information Protection Act (PIPA), the Biometric Information Privacy Act (BIPA), and the Mental Health and Developmental Disabilities Confidentiality Act — each of which extends or amplifies what HIPAA already requires. Medcurity is built for the multi-site, grant-funded CHC reality.
HIPAA requirements specific to Illinois CHCs
Illinois CHCs operate under three compliance regimes at once: HIPAA (federal), HRSA Section 330 grantee requirements (federal), and Illinois state privacy law. The HIPAA Security Rule alone obligates each covered CHC to conduct a thorough, current risk analysis of all electronic protected health information (ePHI). For a multi-site Illinois CHC — and HRSA-funded federally qualified health centers and look-alikes typically operate three to fifteen sites — that means inventorying ePHI at every clinic, mobile unit, and admin office, then assessing administrative, physical, and technical safeguards across the network.
The HRSA Compliance Manual Chapter 19 makes risk assessment a grantee performance requirement, not a suggestion. HRSA Operational Site Visits routinely ask for evidence that the HIPAA SRA is current (within the past 12 months), covers every site, and has produced a corrective action plan with assigned owners and target dates. CHCs that present a generic single-site SRA — or a five-year-old document — frequently receive a Chapter 19 condition.
Beyond the SRA itself, Section 330 grantees must show that workforce training, business associate agreements with all subcontractors (EHR vendors, billing companies, transportation services, dental labs), and breach response procedures are operational at every site.
Illinois state law on top of HIPAA
PIPA (815 ILCS 530). Illinois requires written notification to affected residents and, for breaches affecting more than 500 Illinois residents, notification to the Attorney General. PIPA’s definition of “personal information” includes medical information, health insurance information, and biometric data — a broader sweep than HIPAA’s PHI.
BIPA (740 ILCS 14). Any CHC capturing fingerprints, facial scans, voiceprints, retina scans, or other biometric identifiers — for staff time clocks, patient check-in, or device unlock — must obtain written informed consent, publish a retention schedule, and not sell or profit from the data. BIPA carries a private right of action with statutory damages of $1,000 to $5,000 per violation; the SRA must specifically address biometric data flows.
Illinois Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110). For CHCs providing behavioral health services (most do), this Act imposes stricter consent and disclosure rules than HIPAA. Records cannot be disclosed without specific written consent in most cases, and the rules apply even when HIPAA would permit disclosure for treatment, payment, or operations.
How CHCs typically fail HIPAA audits
OCR enforcement actions and HRSA Operational Site Visit findings against CHCs cluster around the same four failures:
- Single-site SRA presented for multi-site operation. The risk analysis covers the main clinic but not satellites, mobile units, or telehealth infrastructure.
- Stale risk assessment. A document dated three or four years prior, with no annual update and no corrective action plan tracking remediation.
- Missing or unsigned business associate agreements. Billing companies, language interpreter services, transportation partners, and IT consultants often lack current BAAs.
- No documented workforce training across all roles. Per-site training logs are incomplete, especially for part-time providers and contracted staff.
The Medcurity approach for Illinois CHCs
Medcurity’s HIPAA SRA platform was designed around the multi-site, grant-funded health center workflow. The assessment scopes every site, every system, and every workforce role from a single dashboard, then produces a Section 330-aligned corrective action plan that HRSA reviewers recognize. Policy templates cover Illinois-specific requirements (PIPA breach response, BIPA consent, Confidentiality Act disclosure rules) so the documentation lines up with both federal and state regulators. Workforce training is per-role and per-site, and the platform tracks completion across satellite clinics and mobile units without manual reconciliation. Pricing starts at $499/year for single-site practices; multi-site CHC pricing is built on the same flat-fee model rather than per-seat enterprise pricing. CHCs that need a Security Officer support tier can move to the SRA + Compliance package ($949/year). See our broader HIPAA compliance guide for community health centers for the program-wide view.
Frequently asked questions
Is HIPAA enough or do I need Illinois-specific compliance?
HIPAA is the floor, not the ceiling. Illinois adds PIPA breach notification rules, BIPA consent and damages for biometric data, and stricter mental health record disclosure rules under the Confidentiality Act. A CHC compliance program must satisfy all four.
How often does a CHC need a HIPAA risk assessment?
At least annually, and after any material change — new site, new EHR module, new business associate, significant workforce shift, or a security incident. HRSA reviewers expect the assessment to be dated within the past 12 months.
Does each CHC site need its own SRA?
The risk analysis must cover every site, but it does not need to be a separate document per site. A single multi-site SRA that scopes each location’s safeguards, systems, and staff is what HRSA reviewers look for.
What does HIPAA compliance cost for a small Illinois CHC?
Medcurity SRA starts at $499/year for single-site practices and $949/year for the SRA + Compliance bundle. Multi-site CHC pricing scales from that baseline.
What’s the OCR enforcement risk if our SRA is out of date?
OCR penalties for “failure to conduct an accurate and thorough risk analysis” routinely run from $50,000 to $1.5 million per category, with willful neglect cases reaching multi-million-dollar resolution amounts. HRSA can separately issue a Chapter 19 condition that affects grant funding.