HIPAA Compliance & Medical Imaging

While medical imaging is not the primary focus of HIPAA or HITECH, it’s important that practitioners be wary of the issues associated with this type of Protected Health Information (PHI). Data breaches happen, and when they do, health care providers could find themselves in violation of HIPAA. So how can imaging centers adequately protect their practices and patients?

Medical images are your most valuable asset and often much more significant in size than their medical record counterparts. It’s not unusual to find a set or series of images that exceed one gigabyte in size. The storage, sharing and archiving of these pose unique challenges for the practitioner.

Secure Medical Image Repositories

Medical images often exist in a Digital Imaging and Communications in Medicine (DICOM) that combines a set or series of image files along with a description of the patient and modality. These together are considered Protected Health Information (PHI), and under federal law, entities and business associates covered under HIPAA must implement processes and procedures to protect and secure the access to this type of data.

The repository for a DICOM is typically a Picture Archive and Communication System (PACS). PACS may exist on a computer within a facility or in the cloud which can be accessed remotely. The information contained in the stored data must be secure from unwarranted intrusion or access.

The information contained in a PACS should only be accessible to those with the appropriate security credentials. However, beyond user authorized access, it is important to also protect this Personal Health Information (PHI) data against unwarranted intrusion. Often this means encrypting the data to protect it against unauthorized access. Having the appropriate security measures in place ensuring authorized users have access to this information and intruders can't access it will keep your PHI safe.

Data Backup & Archiving

It is crucial to keep these repositories safe and secure but equally as important (and required by these regulations) to ensure this data remains available at all times, including if an event of a natural or man-induced disaster were to occur or cyber attack. Backups of the DICOM information serve for this purpose with the most effective way being to maintain the data at a separate geographic location regularly.

It is essential to have effective procedures in place that ensure this information is available no matter the event. Most often the data in a PACS is backed up rather than mirrored. While a backup is sufficient to comply with most regulations, this means in the event of a disaster; the recovered data must be reloaded onto a live PACS to make it available. This approach could be problematic if the data is voluminous or if immediate access is needed. Another solution to avoid a potential issue is to have a PACS mirrored or stored in a duplicate PACs in another geographic location.

Should a disaster occur, the primary system can be redirected to the live data on the alternative PACS. A secondary approach to this would be a remote PACS available for access via a web-based application. This approach will also ensure your medical images would be accessible using alternate systems, tablets or even smartphones, in the event your onsite systems were to be disabled from a malicious ransomware scenario.

Is your practice HIPAA compliant? Are you protected from possible ransomware or cyber attacks? Quest can help you to evaluate your network to ensure you are compliant and keep your organization secure by developing a data protection plan specific to your organization. Quest offers a variety of industry-based compliance assessments to evaluate your network, as well as overall IT security. By proactively helping you to evaluate and assess your systems, we can help mitigate potential future risks – efficiently and cost-effectively.

Click Here to Learn More About Quest's IT Network, Security & HIPAA Assessments