
HIPAA Business Associate Agreement for FQHCs

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read


Key Takeaways

Direct answer: Yes — FQHCs are HIPAA covered entities with full BAA obligations. Federal Section 330 funding does not change this. FQHCs work with an unusually broad vendor ecosystem — EHR systems, 340B vendors, HIEs, grants reporting platforms — and each PHI-handling relationship requires a signed BAA under 45 CFR § 164.504(e).

Federally Qualified Health Centers serve some of the most vulnerable patient populations in the U.S. — uninsured and underinsured patients, migrant workers, homeless individuals, and low-income families. This mission creates both a heightened ethical obligation around patient privacy and a complex operational environment with many vendor relationships, some of which are unique to the FQHC model and may not appear in typical HIPAA compliance checklists.

Why FQHCs Are HIPAA Covered Entities

FQHCs are healthcare providers under HIPAA. Those that transmit health information electronically in connection with covered transactions — including Medicare and Medicaid claims — are covered entities. This applies to all Section 330-funded health centers, look-alike health centers, and Ryan White-funded AIDS clinics that meet FQHC criteria.

Federal funding from HRSA does not create any exception to HIPAA compliance. FQHCs must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and must execute BAAs with vendors who handle PHI — exactly as private practices must.

FQHC-Specific Vendors and BAA Requirements

FQHC EHR Systems

eClinicalWorks, Greenway Health, NextGen, and Athenahealth are commonly deployed at FQHCs. These systems hold the full scope of patient clinical records. All major EHR vendors provide BAAs. Confirm that BAAs are executed and on file for each EHR relationship, including any patient portal modules that may be separately contracted.

340B Program Vendors

The 340B Drug Pricing Program allows eligible health centers to purchase outpatient drugs at reduced costs. Operating a 340B program typically involves software platforms (such as Macro Helix, Sentry Data Systems, or Apexus) that track patient eligibility and prescription dispensing. When these platforms receive patient-linked prescription records to verify 340B eligibility, they are processing PHI and are business associates requiring BAAs.

Contract pharmacies operating under 340B programs also receive patient prescription records from FQHCs — those relationships require BAAs as well.

Health Information Exchanges (HIEs)

Many FQHCs participate in regional or statewide HIEs to coordinate care across providers. HIE participation agreements should be reviewed to confirm they include adequate BAA terms. Some HIE agreements function as trading partner agreements rather than traditional BAAs, and the distinction matters for HIPAA compliance documentation.

Grants Management and Federal Reporting Software

FQHCs submit Uniform Data System (UDS) reports and other federal performance reports to HRSA. Software platforms used to aggregate patient encounter data for UDS reporting may process PHI during the data preparation phase. Review whether your grants management or reporting software receives individually identifiable data before UDS submission — if so, a BAA is required.

Revenue Cycle Management and Billing

Outsourced billing companies and RCM vendors that process FQHC claims handle patient names, diagnosis codes, and insurance records. BAAs are required before sharing any claim data with these vendors. See our guide on when you need a HIPAA BAA for a decision framework.

Telehealth Platforms

Many FQHCs expanded telehealth services significantly in recent years. Each telehealth platform used for patient visits requires a BAA. Consumer video tools (standard Zoom, FaceTime, Skype) are not appropriate for FQHC telehealth — only HIPAA-compliant platforms with signed BAAs should be used.

Patient Portal and Communication Vendors

Standalone patient portal vendors, SMS notification platforms, and interpreter services accessed through third-party platforms all may handle PHI and require BAAs. FQHCs serving multilingual populations often use third-party interpretation services — if those services are accessed through a platform that receives patient information, that platform requires a BAA. See our checklist on whether your vendor signs BAAs.

| Vendor Type | Example Vendors | BAA Required? |
| --- | --- | --- |
| FQHC EHR | eClinicalWorks, Greenway, NextGen, Athenahealth | Yes |
| 340B software | Macro Helix, Sentry Data Systems, Apexus | Yes |
| HIE participation | Regional/state HIEs | Yes (review agreement terms) |
| Grants management / UDS reporting | HRSA reporting platforms | Yes (if PHI is processed) |
| RCM / billing | Outsourced billing companies | Yes |
| Telehealth | Doxy.me, Zoom for Healthcare | Yes |
| IT support / MSP | Local or remote IT provider | Yes |


Frequently Asked Questions

Are FQHCs covered entities under HIPAA?

Yes. FQHCs are healthcare providers and covered entities under HIPAA. Federal HRSA funding does not modify HIPAA applicability — FQHCs have the same BAA obligations as private practices and must execute BAAs with vendors that access patient PHI under 45 CFR § 164.504(e).

Do 340B program vendors require a BAA?

Yes, when they access patient-level PHI. 340B software platforms like Macro Helix and Sentry Data Systems that process patient-linked dispensing records for 340B eligibility verification are business associates requiring BAAs. Contract pharmacies operating under 340B programs also require BAAs when they receive prescription records from your FQHC.

What are common FQHC BAA gaps?

Common gaps include 340B software and contract pharmacy vendors, HIE agreements that lack full BAA terms, grants management software that processes encounter data for UDS reporting, interpretation service platforms, and telehealth vendors added during rapid program expansion. Annual BAA audits are recommended given the breadth of FQHC vendor relationships.

Does FQHC federal funding affect HIPAA BAA requirements?

No. HRSA Section 330 funding does not reduce or replace HIPAA BAA requirements. FQHCs are subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule regardless of funding source.

Frequently Asked Questions

Are FQHCs covered entities under HIPAA?

Yes. Federally Qualified Health Centers are healthcare providers under HIPAA and covered entities. They transmit health information electronically in connection with standard transactions including Medicare and Medicaid claims. Federal HRSA funding does not change HIPAA applicability — FQHCs have the same BAA obligations as private practices and must execute Business Associate Agreements with vendors that access patient PHI under 45 CFR § 164.504(e).

Do 340B program vendors require a BAA?

It depends on whether the 340B vendor accesses patient-level PHI as part of their service. 340B contract pharmacies and auditing vendors that receive prescription records linked to patient identities in order to verify 340B eligibility are handling PHI and require BAAs. 340B software platforms (such as Macro Helix or Sentry Data Systems) that process patient-linked dispensing data are business associates and require BAAs.

What are common FQHC BAA gaps?

Common BAA gaps at FQHCs include: 340B program software and contract pharmacy vendors, health information exchange (HIE) participation agreements that may not include full BAA terms, grants management software that receives patient encounter data for federal reporting, translation and interpreter services accessed through third-party platforms, and telehealth vendors added during rapid expansion. FQHCs should conduct annual BAA audits given their broad vendor ecosystem.

Does FQHC federal funding affect HIPAA BAA requirements?

No. HRSA grants and federal funding do not modify HIPAA compliance obligations. FQHCs receiving Section 330 funding are still subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Federal funding may add additional reporting requirements, but it does not reduce or replace HIPAA BAA requirements.
