Conducting a Compliance Audit at Your FQHC: Key Areas HRSA and CMS Scrutinize Most

Federally Qualified Health Centers (FQHCs) operate within one of the most heavily regulated healthcare environments in the United States. Because FQHCs receive federal funding, enhanced Medicare and Medicaid reimbursement, and potential Federal Tort Claims Act (FTCA) protections, they are subject to extensive oversight by agencies such as the Health Resources and Services Administration and the Centers for Medicare & Medicaid Services.

Compliance audits are no longer optional risk-management exercises. They are essential operational tools that help health centers:

• Identify regulatory vulnerabilities

• Prevent repayment demands

• Reduce fraud and abuse exposure

• Improve patient safety

• Strengthen HRSA Operational Site Visit readiness

• Protect federal funding eligibility

• Maintain FTCA deeming status

HRSA and CMS closely evaluate governance practices, billing accuracy, quality programs, sliding fee compliance, credentialing systems, and clinical documentation. Deficiencies in any of these areas may result in:

• Corrective action plans

• Repayment obligations

• Program integrity investigations

• Increased oversight

• Grant conditions

• False Claims Act exposure

• Loss of reimbursement

Conducting proactive internal compliance audits allows FQHC leadership to identify and correct problems before regulators do.

This guide explains the key operational areas HRSA and CMS scrutinize most and provides a framework for conducting an effective FQHC compliance audit in 2026.

Why Compliance Audits Are Critical for FQHCs

Compliance audits serve multiple purposes within healthcare organizations.

Risk Reduction

Internal audits help detect:

• Billing inaccuracies

• Documentation deficiencies

• Operational noncompliance

• Policy inconsistencies

• Potential fraud risks

Early detection substantially reduces regulatory exposure.

Regulatory Readiness

Health centers should remain continuously prepared for:

• HRSA Operational Site Visits

• CMS audits

• Medicaid reviews

• Managed care audits

• FTCA deeming reviews

Organizations operating in “survey-ready” mode perform significantly better during external reviews.

Operational Improvement

Compliance audits also strengthen:

• Clinical workflows

• Documentation practices

• Staff accountability

• Financial integrity

• Quality improvement systems

Well-structured audits improve both compliance and operational efficiency.

Understanding HRSA and CMS Oversight Roles

Although HRSA and CMS both oversee aspects of FQHC operations, their focus areas differ somewhat.

HRSA Focus Areas

HRSA primarily evaluates:

• Section 330 program compliance

• Governance

• Sliding fee discount programs

• Scope of services

• Access to care

• Quality improvement

• FTCA compliance

HRSA oversight is guided largely by the:

• Health Center Program Compliance Manual

• Operational Site Visit protocols

• Grant requirements

CMS Focus Areas

CMS focuses heavily on:

• Medicare billing compliance

• Medicaid reimbursement

• Conditions of participation

• Documentation standards

• Program integrity

• Fraud prevention

CMS scrutiny often centers on reimbursement accuracy and medical necessity.

FQHCs must successfully navigate both regulatory frameworks simultaneously.

Governance Compliance Audits

Governance deficiencies are among the most common HRSA findings.

Key Governance Audit Areas

Patient Majority Requirement

At least 51% of board members must be active patients of the health center.

Verify:

• Patient status documentation

• Board eligibility

• Voting records

• Representation demographics

Board Authority

The governing board must retain authority over:

• Budget approval

• CEO selection and evaluation

• Strategic planning

• Policy approval

Review organizational bylaws carefully.

Board Meeting Documentation

Audit board minutes for:

• Attendance

• Quorum verification

• Financial reviews

• Quality oversight

• Policy approvals

• Conflict-of-interest disclosures

Poor board documentation frequently results in HRSA deficiencies.

Sliding Fee Discount Program Audits

The Sliding Fee Discount Program (SFDP) remains one of HRSA’s highest-priority review areas.

Key Audit Components

Income Verification

Ensure patient files include:

• Income documentation

• Family size verification

• Eligibility determinations

Consistent Application

Review whether discounts are:

• Applied uniformly

• Properly documented

• Reassessed periodically

Inconsistent SFDP implementation creates major compliance risk.

Current Poverty Guidelines

Verify use of updated Federal Poverty Guidelines.

Outdated calculations are common audit findings.

Billing and Coding Compliance

CMS heavily scrutinizes billing accuracy.

Common Billing Audit Areas

Medical Necessity

Documentation must support:

• Services billed

• Diagnosis codes

• Treatment rationale

Insufficient medical necessity documentation creates repayment risk.

FQHC Encounter Billing

Review:

• Encounter eligibility

• Same-day billing rules

• Prospective payment system requirements

• Modifier usage

Improper encounter billing is a frequent CMS issue.

Duplicate Billing Risks

Ensure systems prevent:

• Double billing

• Incorrect payer coordination

• Duplicate claims submissions

Clinical Documentation Audits

Clinical documentation deficiencies create both compliance and malpractice exposure.

Key Chart Audit Areas

Signed Provider Notes

Verify:

• Timely signatures

• Complete authentication

• Documentation consistency

Unsigned notes may invalidate claims.

Treatment Plans

Review whether plans include:

• Diagnoses

• Goals

• Interventions

• Follow-up instructions

Medication Reconciliation

Medication reconciliation is a major patient safety and quality focus area.

Ensure records demonstrate:

• Medication reviews

• Updates after transitions of care

• Allergy documentation

Credentialing and Privileging Audits

Credentialing deficiencies are highly scrutinized during HRSA reviews.

Audit Provider Files for:

• State licenses

• DEA registrations

• Board certifications

• NPDB queries

• Privileging approvals

• Background checks

• Immunization records

Recredentialing Compliance

Verify providers are recredentialed at least every two years.

Missed recredentialing deadlines create significant risk.

Privileging Oversight

Ensure privileges:

• Match provider scope

• Are formally approved

• Are reviewed periodically

Quality Improvement and QAPI Audits

Both HRSA and CMS expect active quality management systems.

Review QAPI Structure

Evaluate:

• Performance metrics

• Leadership involvement

• Board oversight

• Improvement projects

• Data monitoring

Analyze Quality Data

Review:

• UDS measures

• Preventive screening rates

• Chronic disease outcomes

• Patient satisfaction data

• Hospital readmission trends

Quality programs should demonstrate measurable improvement efforts.

FTCA Risk Management Audits

Organizations receiving FTCA coverage must maintain strong risk management systems.

Audit Risk Management Activities

Review:

• Incident reporting

• Root cause analyses

• Corrective action plans

• Patient safety initiatives

• Claims management

Infection Prevention Oversight

Audit infection prevention systems for:

• Surveillance activities

• Staff training

• PPE protocols

• Exposure investigations

Post-pandemic regulatory scrutiny remains elevated.

Human Resources Compliance Audits

Human resources deficiencies often create operational vulnerabilities.

Review Personnel Files

Ensure files contain:

• Job descriptions

• Competency evaluations

• Licensure verification

• Background checks

• Orientation documentation

Mandatory Training Compliance

Audit completion of:

• HIPAA training

• OSHA training

• Compliance education

• Emergency preparedness training

• Cultural competency education

Incomplete HR documentation is a common audit weakness.

HIPAA and Cybersecurity Audits

Healthcare cybersecurity risks continue increasing dramatically.

Audit HIPAA Compliance

Review:

• Privacy policies

• Access controls

• Breach response procedures

• Staff education

• Business associate agreements

Review Technical Safeguards

Evaluate:

• Password security

• Multi-factor authentication

• EHR access monitoring

• Backup systems

• Cybersecurity incident response plans

Cybersecurity failures may create both HIPAA and operational exposure.

Financial Compliance Audits

Financial management remains a major HRSA focus area.

Audit Financial Oversight Systems

Review:

• Internal controls

• Segregation of duties

• Budget approvals

• Grant expenditures

• Audit findings

• Revenue reconciliation

Monitor Grant Compliance

Ensure federal funds are:

• Used appropriately

• Tracked accurately

• Supported by documentation

Improper grant management may jeopardize funding eligibility.

Emergency Preparedness Audits

Emergency preparedness requirements remain heavily enforced.

Audit Emergency Plans

Review plans addressing:

• Natural disasters

• Infectious disease outbreaks

• Utility failures

• Cyberattacks

• Communication disruptions

Validate Drill Documentation

Ensure documentation exists for:

• Fire drills

• Tabletop exercises

• Emergency training

• Corrective actions

Preparedness activities must demonstrate ongoing implementation.

Scope of Project Compliance Audits

HRSA closely evaluates whether FQHCs operate within their approved scope of project.

Audit Scope Areas

Review:

• Service sites

• Service lines

• Providers

• Hours of operation

• Approved populations served

Operating outside approved scope may create serious compliance problems.

Managed Care and Contract Compliance

FQHCs increasingly participate in managed care arrangements.

Audit Managed Care Processes

Review:

• Contract compliance

• Authorization tracking

• Claims submissions

• Denial management

• Referral coordination

Poor managed care oversight can impact both revenue and compliance.

Common Compliance Deficiencies Found in FQHC Audits

Some problems appear repeatedly during internal and external reviews.

Frequent Deficiencies Include:

Governance Issues

• Insufficient patient-majority representation

• Missing board approvals

Sliding Fee Problems

• Missing income documentation

• Inconsistent eligibility determinations

Billing Errors

• Unsupported encounters

• Improper coding

• Duplicate billing

Credentialing Gaps

• Expired licenses

• Missing NPDB queries

Documentation Weaknesses

• Unsigned notes

• Incomplete assessments

• Poor care coordination documentation

Understanding common risks helps prioritize audit activities.

Best Practices for Conducting Internal Audits

Create a Formal Audit Schedule

Perform:

• Quarterly chart audits

• Annual governance reviews

• Ongoing billing monitoring

• Credentialing audits

• HR compliance checks

Use Standardized Audit Tools

Develop consistent audit templates for:

• Clinical reviews

• Billing assessments

• Governance evaluations

• Risk management audits

Standardization improves reliability.

Involve Leadership

Executive leadership and the governing board should actively review audit findings.

Strong leadership engagement strengthens organizational accountability.

Develop Corrective Action Plans

Every identified issue should include:

• Root cause analysis

• Assigned responsibility

• Completion timelines

• Follow-up monitoring

Corrective actions must be measurable and documented.

Building a Culture of Compliance

The strongest FQHCs do not treat compliance as a once-yearly exercise.

They build ongoing cultures of:

• Accountability

• Transparency

• Quality improvement

• Continuous monitoring

• Staff education

Organizations with strong compliance cultures experience:

• Fewer deficiencies

• Better patient outcomes

• Reduced financial risk

• Stronger operational stability

Final Thoughts

Conducting regular internal compliance audits is one of the most important operational strategies an FQHC can implement. HRSA and CMS oversight continues to intensify as healthcare organizations face growing scrutiny regarding quality, billing accuracy, patient safety, governance, and operational integrity.

Health centers that proactively audit their systems are far better positioned to:

• Prevent regulatory violations

• Maintain funding eligibility

• Strengthen patient care quality

• Reduce repayment risk

• Improve organizational performance

Compliance auditing should not be viewed as a reactive exercise. It is a critical component of long-term operational success and healthcare risk management.

For organizations seeking assistance with FQHC compliance audits, HRSA Operational Site Visit preparation, FTCA readiness, billing compliance reviews, credentialing audits, policy development, or healthcare management consulting, HealthBridge Consulting provides consulting and management solutions tailored to Federally Qualified Health Centers and healthcare organizations.

References

• HRSA Health Center Program Compliance Manual

• HRSA Operational Site Visit Protocols

• Centers for Medicare & Medicaid Services Federally Qualified Health Center Center Information

• CMS Medicare Claims Processing Manual

• Office for Civil Rights HIPAA Guidance

• Centers for Disease Control and Prevention Infection Prevention Guidance for Outpatient Settings

• HRSA Federal Tort Claims Act Health Center Policy Manual

• National Association of Community Health Centers