HIPAA Compliance for Radiology and Imaging Centers

Radiology and imaging centers handle some of the most data-rich protected health information (PHI) in healthcare. A single CT or MRI study can contain thousands of individual images, and every one of them carries patient identifiers embedded directly in its DICOM metadata header — name, date of birth, accession number, referring physician, and often the study indication. That makes imaging a distinctive HIPAA challenge: the PHI is not just in your scheduling system, it is baked into the image files themselves, copied to your PACS archive, transmitted to referring providers, and sometimes burned to CDs or shared through patient portals.

What makes imaging centers different

Most compliance programs are built around databases and email. Imaging centers have to extend the same protections to a Picture Archiving and Communication System (PACS), modality worklists, DICOM nodes, and teleradiology connections that move studies to off-site radiologists. Each of these is a place where PHI lives or travels, and each is a potential breach point. Common exposure areas include unencrypted DICOM transfers between modalities and the PACS (a DICOM association on TCP 104 or 11112 carries both the header and the pixel data in clear text unless the nodes are configured for TLS), image-sharing portals with weak access controls, third-party teleradiology vendors operating without a Business Associate Agreement (BAA), and legacy archives that retain studies far longer than the retention policy requires. De-identifying images for research or marketing is its own task: stripping the visible patient banner does nothing if the DICOM header still carries identifiers, and scrubbing the header does nothing if identifiers are burned into the pixel data, which DICOM flags with the Burned In Annotation attribute (0028,0301).

Start with a Security Risk Analysis

The HIPAA Security Rule requires every covered entity and business associate to conduct an accurate, thorough Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A). For an imaging center, that means inventorying every system that creates, receives, maintains, or transmits PHI — the PACS server, the modalities and their acquisition workstations, the RIS, teleradiology links, the image-sharing portal, backup storage, and any cloud archive — and then assessing the threats and vulnerabilities to each. The SRA is not a one-time checkbox; it has to be reviewed whenever you add a new modality, switch teleradiology partners, or migrate your archive. It is also typically the first document the Office for Civil Rights (OCR) requests in an investigation.

The proposed 2026 Security Rule update

In late December 2024, HHS announced a Notice of Proposed Rulemaking (NPRM), published in the Federal Register in January 2025, that would significantly strengthen the HIPAA Security Rule. It is a proposed rule — not finalized — but imaging centers should track it closely because several provisions hit them directly: a mandatory, current asset inventory and network map (exactly the PACS-and-modality mapping above), encryption of PHI at rest and in transit with limited exceptions, multi-factor authentication, vulnerability scanning at least every six months, and penetration testing at least annually. If finalized as written, organizations would have roughly a 240-day window to comply once the final rule is published (a 60-day effective date plus a 180-day compliance period). Building an accurate asset inventory now is the most useful step you can take regardless of the final outcome.

How Medcurity helps

Medcurity gives imaging centers a guided platform to complete and maintain the Security Risk Analysis, track remediation of identified gaps, store policies and BAAs, and keep the documentation OCR expects in one place. Pricing is $499/year (about $42/month) for a single organization; larger or multi-location imaging groups can request a quote. For more on the full scope of work, see our HIPAA compliance checklist and our overview of the best HIPAA SRA software.

Frequently asked questions

Is DICOM metadata considered PHI?

Yes. DICOM headers routinely contain patient name, date of birth, accession and medical record numbers, and the referring physician — all identifiers that make the image PHI under HIPAA. De-identifying an image means scrubbing the header, not just the visible on-screen banner, and checking whether identifiers are also burned into the pixel data, since a header-only scrub leaves those in place.
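The following Python script is added here as an illustration; it is not part of Medcurity's platform or of this page's original text. It demonstrates both halves of the answer above and the de-identification point in the section on what makes imaging centers different: it parses a minimal, constructed DICOM Part 10 file encoded as Explicit VR Little Endian, lists the identifier-bearing header elements, rewrites them, and warns when the Burned In Annotation attribute says the pixels need attention too. The tag list, sample values, and replacement strings are illustrative assumptions, and the parser handles only Explicit VR Little Endian without undefined-length sequences; for real studies use a maintained library such as pydicom and a de-identification profile based on DICOM PS3.15 Annex E.

```python
import struct

# VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length.
LONG_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}

# Tags this example treats as direct identifiers (an illustrative subset;
# DICOM PS3.15 Annex E defines the full de-identification profile).
PHI_TAGS = {
    (0x0008, 0x0050): "Accession Number",
    (0x0008, 0x0090): "Referring Physician's Name",
    (0x0010, 0x0010): "Patient's Name",
    (0x0010, 0x0020): "Patient ID",
    (0x0010, 0x0030): "Patient's Birth Date",
}
BURNED_IN_ANNOTATION = (0x0028, 0x0301)


def encode_element(group, elem, vr, value):
    """Encode one data element in Explicit VR Little Endian."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # DICOM pads values to an even length
        value += b"\x00" if vr in ("UI", "OB") else b" "
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_dicom():
    """A constructed, minimal Part 10 file: 128-byte preamble, 'DICM', the
    transfer-syntax meta element, a few header elements, and dummy pixels."""
    meta = encode_element(0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1")
    dataset = b"".join([
        encode_element(0x0008, 0x0050, "SH", "ACC-2024-00017"),
        encode_element(0x0008, 0x0090, "PN", "SMITH^ALICE"),
        # Study Description is left alone here; a real profile reviews free
        # text descriptors as well, since they may carry the indication.
        encode_element(0x0008, 0x1030, "LO", "CT CHEST W CONTRAST"),
        encode_element(0x0010, 0x0010, "PN", "DOE^JANE"),
        encode_element(0x0010, 0x0020, "LO", "MRN123456"),
        encode_element(0x0010, 0x0030, "DA", "19700102"),
        encode_element(0x0028, 0x0301, "CS", "YES"),
        encode_element(0x7FE0, 0x0010, "OB", b"\x00\x00\x00\x00"),
    ])
    return b"\x00" * 128 + b"DICM" + meta + dataset


def parse_elements(data):
    """Yield ((group, elem), vr, value) for each element of an Explicit VR
    Little Endian file. Undefined-length sequences are not handled."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported here")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def find_phi(data):
    """Return {description: value} for every identifier-bearing tag present."""
    found = {}
    for tag, vr, value in parse_elements(data):
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = value.decode("ascii").rstrip(" \x00")
    return found


def deidentify(data):
    """Rewrite the file with identifier tags replaced; returns (bytes, warnings)."""
    warnings = []
    out = [b"\x00" * 128, b"DICM"]
    for tag, vr, value in parse_elements(data):
        if tag in PHI_TAGS:
            # Keep the element so viewers still find it, but drop the identity.
            value = "" if vr == "DA" else "ANONYMIZED"
        elif tag == BURNED_IN_ANNOTATION and value.strip(b" \x00").upper() == b"YES":
            warnings.append("Burned In Annotation = YES: identifiers are in the "
                            "pixel data; header scrubbing alone is not enough")
        out.append(encode_element(tag[0], tag[1], vr, value))
    return b"".join(out), warnings


if __name__ == "__main__":
    raw = build_sample_dicom()
    print("identifiers in header:", find_phi(raw))
    clean, notes = deidentify(raw)
    print("after scrub:", find_phi(clean))
    for note in notes:
        print("WARNING:", note)
```

On the constructed sample, find_phi() returns five identifiers; deidentify() returns bytes in which none of them survive, plus one warning because the sample sets Burned In Annotation to YES. That warning is the check worth keeping in any real pipeline: the attribute is only a hint set by the modality, so a pixel-level review is still needed when it is absent.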

Do we need a BAA with our teleradiology provider?

Yes. An off-site radiology group or teleradiology platform that receives your studies to interpret them is a business associate, so a signed Business Associate Agreement is required before any PHI is transmitted.

How should we handle patient image CDs and USB drives?

Portable media holding studies should be encrypted, logged when released, and given to patients under your minimum-necessary and access policies. Many centers are moving to encrypted patient portals to retire physical media entirely.

How often should an imaging center redo its SRA?

At least annually, and whenever you make a material change — a new modality, a new PACS or cloud archive, or a new teleradiology partner. The SRA must reflect your environment as it actually is today.