While medical imaging is not the major focus of HIPAA or HITECH, practitioners should be aware of the unique issues associated with this type of protected health information (PHI). Medical images are typically dense data files, often much larger than their other medical-record counterparts; it is not unusual to find studies or series of images that exceed one gigabyte in size. Their storage, sharing and archiving pose unique challenges for the practitioner. Hence, it is important to understand how best to utilize this important diagnostic tool without running afoul of regulations.
If your practice already has an onsite storage system for your medical images, you might be considering deploying a cloud picture archiving and communication system (PACS), or a hybrid PACS (a mix of cloud and onsite storage), to increase the accessibility of your studies.
Apart from violating the patient's privacy, sharing medical images in a HIPAA-noncompliant fashion can expose you to large fines and potentially criminal liability. But what exactly constitutes a HIPAA violation? In theory, the definition is straightforward: disclosing protected health information to someone who is not authorized to receive it.
From this simple definition, HIPAA violations can take many forms: exposing a patient's medical images to a vendor that has not signed a Business Associate Agreement (BAA), sharing images with a family member or spouse without the patient's authorization, losing an unencrypted laptop or cell phone containing PHI, or even forwarding a medical image to the wrong email address.
So what are the guidelines for not violating HIPAA, and what steps can you take to reduce your risk even further?