Risk Assessments: Health Center Requirements and Recommendations | Workshop Day 2

Health centers operate under a complex set risk assessment requirements and recommendations, including:

• FTCA requirements to conduct quarterly risk assessments
• HIPAA Security Rule requirements to conduct regular security risk analyses; and
• The Office of the Inspector General (OIG) expectations to conduct regular compliance risk assessments to identify fraud, waste, and abuse.

This workshop is designed to help health centers understand what’s required, what’s recommended and how to implement a meaningful risk assessment process. In this workshop, attendees will learn:

• Compliance risk assessment essentials: Including how to meaningfully involve senior leadership, design risk assessment document reviews and interview questions, assign risk levels and understand your health center’s risk tolerance
• Risk assessment requirements: Identify current risk assessment requirements for health centers, including how to address common deficiencies identified by the FTCA Division of HRSA in the 2026 FTCA deeming applications and by the Office for Civil Rights (OCR) in recent enforcement actions
• Risk assessment recommendations: Develop a compliance risk assessment process that reflects and prioritizes recommended risk assessment areas based on your health center’s top risk areas

This workshop will cover the requirements and provide practical strategies and tools for collecting and analyzing information about your health center’s compliance risks.

Audience:

• COOs
• Compliance Officers
• Risk Managers
• Clinical Leadership

Agenda Day 2:

• FTCA Risk Assessments: Deeming health centers are required to implement an ongoing risk management program that includes quarterly risk management assessments. In this section, we’ll review the requirements and discuss the warning notices issued by the FTCA Division of HRSA in response to the 2026 FTCA deeming application reviews. We’ll provide strategies for developing risk assessment documentation to ensure continued FTCA coverage.
• HIPAA Security Risk Analysis: Since it was issued in 2003, the HIPAA Security Rule has required covered entities to conduct a security risk analysis. In this section, we’ll review that requirement and how the Office for Civil Rights (OCR) has interpreted the requirement in recent enforcement actions, including OCR’s new security risk analysis initiative. We’ll also discuss the changes OCR proposed to the HIPAA Security Rule in 2025, providing the latest updates the Security Rule requirements and compliance deadlines.
• Developing a Compliance Work Plan: Risk assessment results need a response. In this section, we’ll discuss how to develop activities for your health center’s compliance work plan that reflect and respond to identified risks. We’ll focus on including auditing and monitoring activities, developing policies and procedures, and training and education.

Presenters:

• Dianne Pledgie
• Molly Evans
• Alexander Lipovtsev