HIPAA Security Risk Assessment for California FQHCs

Quick answer: California Federally Qualified Health Centers must conduct a HIPAA Security Risk Analysis covering all administrative, physical, and technical safeguards across every site, and keep it current (in practice, refreshed annually and after any significant change to systems, sites, or vendors). Because California layers the Confidentiality of Medical Information Act (CMIA) and its own breach-notification statutes (for example Civil Code 1798.82) on top of federal HIPAA, a California FQHC's risk analysis has to account for state-specific disclosure and breach-notification obligations that go beyond the federal floor.

Why California FQHCs Are a Distinct Compliance Case

California has the largest Federally Qualified Health Center footprint in the United States (see HRSA’s live data grid for current counts), high multi-site and satellite-clinic density, and HRSA Operational Site Visit (OSV) review against the Health Center Program Compliance Manual. On top of that federal layer, California’s Confidentiality of Medical Information Act (CMIA) imposes patient-privacy duties that go beyond HIPAA — including stricter consent rules for releasing medical information and a broader definition of who is considered a custodian of patient data.

OCR’s 2026 enforcement record makes the documented Security Risk Analysis non-negotiable: every Security Rule settlement closed this year traced back to an inadequate or missing risk analysis. For a California FQHC operating across multiple satellite locations, an undocumented assessment is the single largest compliance exposure.

The Multi-Site “Parent-Child” SRA Model

An FQHC parent organization with five clinic sites cannot satisfy HIPAA with a single org-wide checkbox. The defensible pattern is a parent-child model: one governing risk analysis at the entity level with per-site physical-safeguard walkthroughs documented separately. Each clinic location needs evidence of physical access controls, workstation security, device and media controls, and facility security plans tailored to its setting. The parent layer covers the shared administrative and technical safeguards — workforce training, audit logs, transmission security, contingency planning — while child layers capture the realities of each site.

See our broader HIPAA compliance guide for FQHCs for the full HRSA + Security Rule overview, and the “What is a HIPAA risk assessment?” primer for the underlying framework.

What the SRA Must Cover for a California FQHC

How Medcurity Fits

Medcurity’s HIPAA SRA platform is built around a 222-question risk-assessment workflow with citations to the HIPAA Security Rule and the NIST 800-66 implementation guidance. For a California FQHC, the platform supports per-location walkthroughs, OSV-readiness documentation, BAA tracking, and worklist-based remediation — the same evidence chain OCR auditors look for. Pricing starts at $499/year for small-practice deployments, with multi-site configurations scaled to the number of clinics under the parent entity.

See if Medcurity fits your FQHC. Talk to our team about a California FQHC deployment.

Frequently Asked Questions

Do California FQHCs need a HIPAA risk assessment?

Yes. Every covered entity under HIPAA must perform a Security Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A), and FQHCs additionally face HRSA Operational Site Visit review against the Health Center Program Compliance Manual. California FQHCs also fall under CMIA, which adds state-level privacy duties on top of HIPAA.

How does CMIA change HIPAA compliance in California?

The Confidentiality of Medical Information Act imposes stricter consent requirements for releasing medical information than HIPAA, defines a broader set of entities that can be considered custodians of patient data, and creates a private right of action for patients in some circumstances. A California FQHC’s risk assessment should explicitly document CMIA-aware disclosure controls.

How does a multi-site FQHC handle one SRA across clinics?

The standard approach is a parent-child model: one governing entity-level risk analysis covering administrative and technical safeguards, paired with per-site physical-safeguard walkthroughs. Each clinic location documents its own facility security plan, device and media controls, and workstation security — feeding back into a single consolidated risk register.

What does HRSA’s OSV check for security?

HRSA’s Operational Site Visit reviews health centers against the Health Center Program Compliance Manual. The Manual has no standalone security chapter; confidentiality of patient records is reviewed under the Quality Improvement/Quality Assurance chapter (Chapter 10), and Chapter 21 is the FTCA deeming chapter. In practice, reviewers expect evidence of a current Security Risk Analysis, documented policies and procedures, workforce training records, and a current Business Associate inventory. A well-documented SRA is the foundation for OSV readiness.