HIPAA Business Associate Agreement for FQHCs
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- FQHCs are HIPAA covered entities — HRSA funding does not reduce or replace HIPAA obligations
- 340B program vendors that access patient-level dispensing data require BAAs
- HIE participation agreements should be reviewed for BAA adequacy
- Grants management and federal reporting software are common BAA gaps at FQHCs
Federally Qualified Health Centers serve some of the most vulnerable patient populations in the U.S. — uninsured and underinsured patients, migrant workers, homeless individuals, and low-income families. This mission creates both a heightened ethical obligation around patient privacy and a complex operational environment with many vendor relationships, some of which are unique to the FQHC model and may not appear in typical HIPAA compliance checklists.
Why FQHCs Are HIPAA Covered Entities
FQHCs are healthcare providers under HIPAA. Those that transmit health information electronically in connection with covered transactions — including Medicare and Medicaid claims — are covered entities. This applies to all Section 330-funded health centers, look-alike health centers, and Ryan White-funded AIDS clinics that meet FQHC criteria.
Federal funding from HRSA does not create any exception to HIPAA compliance. FQHCs must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and must execute BAAs with vendors who handle PHI — exactly as private practices must.
FQHC-Specific Vendors and BAA Requirements
FQHC EHR Systems
eClinicalWorks, Greenway Health, NextGen, and Athenahealth are commonly deployed at FQHCs. These systems hold the full scope of patient clinical records. All major EHR vendors provide BAAs. Confirm that BAAs are executed and on file for each EHR relationship, including any patient portal modules that may be separately contracted.
340B Program Vendors
The 340B Drug Pricing Program allows eligible health centers to purchase outpatient drugs at reduced costs. Operating a 340B program typically involves software platforms (such as Macro Helix, Sentry Data Systems, or Apexus) that track patient eligibility and prescription dispensing. When these platforms receive patient-linked prescription records to verify 340B eligibility, they are processing PHI and are business associates requiring BAAs.
Contract pharmacies operating under 340B programs also receive patient prescription records from FQHCs — those relationships require BAAs as well.
Health Information Exchanges (HIEs)
Many FQHCs participate in regional or statewide HIEs to coordinate care across providers. HIE participation agreements should be reviewed to confirm they include adequate BAA terms. Some HIE agreements function as trading partner agreements rather than traditional BAAs, and the distinction matters for HIPAA compliance documentation.
Grants Management and Federal Reporting Software
FQHCs submit Uniform Data System (UDS) reports and other federal performance reports to HRSA. Software platforms used to aggregate patient encounter data for UDS reporting may process PHI during the data preparation phase. Review whether your grants management or reporting software receives individually identifiable data before UDS submission — if so, a BAA is required.
Revenue Cycle Management and Billing
Outsourced billing companies and RCM vendors that process FQHC claims handle patient names, diagnosis codes, and insurance records. BAAs are required before sharing any claim data with these vendors. See our guide on when you need a HIPAA BAA for a decision framework.
Telehealth Platforms
Many FQHCs expanded telehealth services significantly in recent years. Each telehealth platform used for patient visits requires a BAA. Consumer video tools (standard Zoom, FaceTime, Skype) are not appropriate for FQHC telehealth — only HIPAA-compliant platforms with signed BAAs should be used.
Patient Portal and Communication Vendors
Standalone patient portal vendors, SMS notification platforms, and interpreter services accessed through third-party platforms may all handle PHI and require BAAs. FQHCs serving multilingual populations often use third-party interpretation services — if those services are accessed through a platform that receives patient information, that platform requires a BAA. See our checklist on whether your vendor signs BAAs.
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| FQHC EHR | eClinicalWorks, Greenway, NextGen, Athenahealth | Yes |
| 340B software | Macro Helix, Sentry Data Systems, Apexus | Yes |
| HIE participation | Regional/state HIEs | Yes (review agreement terms) |
| Grants management / UDS reporting | HRSA reporting platforms | Yes (if PHI is processed) |
| RCM / billing | Outsourced billing companies | Yes |
| Telehealth | Doxy.me, Zoom for Healthcare | Yes |
| IT support / MSP | Local or remote IT provider | Yes |
Frequently Asked Questions
Are FQHCs covered entities under HIPAA?
Yes. FQHCs are healthcare providers and covered entities under HIPAA. Federal HRSA funding does not modify HIPAA applicability — FQHCs have the same BAA obligations as private practices and must execute BAAs with vendors that access patient PHI under 45 CFR § 164.504(e).
Do 340B program vendors require a BAA?
Yes, when they access patient-level PHI. 340B software platforms like Macro Helix and Sentry Data Systems that process patient-linked dispensing records for 340B eligibility verification are business associates requiring BAAs. Contract pharmacies operating under 340B programs also require BAAs when they receive prescription records from your FQHC.
What are common FQHC BAA gaps?
Common gaps include 340B software and contract pharmacy vendors, HIE agreements that lack full BAA terms, grants management software that processes encounter data for UDS reporting, interpretation service platforms, and telehealth vendors added during rapid program expansion. Annual BAA audits are recommended given the breadth of FQHC vendor relationships.
Does FQHC federal funding affect HIPAA BAA requirements?
No. HRSA Section 330 funding does not reduce or replace HIPAA BAA requirements. FQHCs are subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule regardless of funding source.