Sharing medical images in a HIPAA-noncompliant fashion is a violation of patient privacy that can expose you to large fines and potentially criminal liability. But what exactly constitutes a HIPAA violation? In theory, the definition is straightforward: sharing protected health information (PHI) with someone who is not supposed to receive it.
From that simple definition, HIPAA violations involving medical images in particular can take many forms, including exposing a patient's images to a vendor who has not signed a Business Associate Agreement (BAA), sharing images with a family member or spouse without the patient's written authorization, losing a laptop or phone that holds protected medical information, or even mailing a medical image to the wrong address.
This blog will present guidelines for remaining HIPAA compliant, sharing images, protecting patient privacy, and reducing your risk of violating HIPAA rules and regulations.
How Do You Ensure HIPAA Compliance?
If you use tangible media such as CDs, DVDs or thumb drives to share a medical image, the best way to avoid HIPAA violations is through improving your people processes. Everyone who handles medical imaging data needs to be vigilant to avoid incorrectly sharing a disc. Standard processes should include double-checking mailing addresses and keeping clear authorization records.
If you keep copies of images on a mobile device such as a smartphone or laptop, lock the device with a password or PIN and turn on full-disk encryption; any app that accesses medical records should require its own login rather than relying on the device unlock alone. Encryption does more than reduce risk: under HHS breach-notification guidance, PHI on a lost device that was encrypted to the published standard is not treated as "unsecured" PHI, so the loss may not be a reportable breach, whereas an unencrypted device almost certainly is.
Emailing PHI through an ordinary email service is one of the most common HIPAA violations. Consumer and most business email is not end-to-end encrypted and gives you no control over where a message is stored or forwarded, so it should never be used to transmit medical records. Use an encrypted email product or a secure portal covered by a BAA instead.
Any strategy for minimizing HIPAA risk should include minimizing the number of copies of PHI you create. Every additional copy of an image is another chance for that image to reach the wrong hands.
Is File Sharing HIPAA Compliant?
Protected health information (PHI) and record files should only be shared with authorized parties. Typically, an authorized recipient is another physician or physician's office. Sharing medical images with family members can itself be a HIPAA violation unless the patient has authorized it in writing or the family member is the patient's personal representative, such as a parent or legal guardian.
Whenever practical, limit the number of copies of your images to what is strictly necessary. With a single copy you are in the best position to prevent unlawful disclosure. Each additional copy is another device, disc or mailbox that can be lost or mishandled, and the number of possible hand-offs between copies grows roughly with the square of the number of copies rather than in step with it, because every copy can be copied or forwarded again outside your control. Keep close track of where every copy of your patients' PHI is located at all times, including printed copies and removable media such as CDs and thumb drives.
Be especially careful with file-sharing services such as Dropbox. Some can be configured for HIPAA use, but only with a BAA from the vendor and with sync and replication restricted so that copies do not land on unmanaged devices. Partly because that is awkward, burning a CD or DVD remains the most common way to share an imaging study today, yet from a HIPAA standpoint it is probably the worst of all worlds: it wastes time, materials and money, and a physical disc is far too easy to misplace or mail to the wrong person.
How Can I Share Without Violating HIPAA?
The need to share images can seem to be at odds with security. Secure cloud storage reconciles the two: the image is stored once, and access to that single copy is granted to each authorized party, so you never duplicate the file, mail a disc or attach it to an email.
Instead of sending a copy of an image on a CD, or as a file pushed through email or Dropbox, a HIPAA-compliant cloud service lets an authorized person view the image where it is stored, behind access controls and audit logging. Access can be time-limited and revoked at any point, which is impossible once a copy has left your hands. The recipient's screen or browser still renders the image, so "one copy" means one copy you have to track and account for, not zero bytes ever leaving the server.
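The mechanism described above, written out as an added example (not code from any vendor's product or from the original post): a store that holds exactly one copy of each study and mediates every view with a per-recipient, time-limited, revocable token, logging each grant, view, denial and revocation. The `ImageStore` class, its token format (HMAC-signed JSON), the study ID and the email addresses are all assumptions made for illustration, and the "image" is a constructed stand-in for a DICOM file.

```python
"""Share one stored image by granting revocable, time-limited access
instead of distributing copies.  Added illustration; the store, token
format and audit log are assumptions, not any real product's API."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class ImageStore:
    """Holds exactly one copy of each study and mediates every view."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._blobs: dict[str, bytes] = {}   # study_id -> image bytes (the only copy)
        self._grants: dict[str, dict] = {}   # grant_id -> {study, recipient, exp}
        self.audit_log: list[dict] = []      # every store, grant, view, deny, revoke

    def store(self, study_id: str, image: bytes) -> None:
        self._blobs[study_id] = image
        self._log("store", study_id=study_id)

    def grant(self, study_id: str, recipient: str, ttl_seconds: int, now=None) -> str:
        """Return a capability token bound to `recipient`; the image itself is never sent."""
        if study_id not in self._blobs:
            raise KeyError(study_id)
        now = time.time() if now is None else now
        grant_id = secrets.token_urlsafe(16)
        self._grants[grant_id] = {"study": study_id, "recipient": recipient,
                                  "exp": now + ttl_seconds}
        payload = json.dumps({"g": grant_id, "r": recipient}, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._log("grant", study_id=study_id, recipient=recipient, grant_id=grant_id)
        # urlsafe base64 never contains '.', so it is a safe separator.
        return (base64.urlsafe_b64encode(payload).decode() + "." +
                base64.urlsafe_b64encode(tag).decode())

    def revoke(self, grant_id: str) -> None:
        """Withdraw access without having to recall any copy."""
        self._grants.pop(grant_id, None)
        self._log("revoke", grant_id=grant_id)

    def view(self, token: str, presented_by: str, now=None) -> Optional[bytes]:
        """Verify the token, then serve the single stored copy or refuse and log why."""
        now = time.time() if now is None else now
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            self._log("deny", reason="malformed", presented_by=presented_by)
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            self._log("deny", reason="bad_signature", presented_by=presented_by)
            return None
        claims = json.loads(payload)
        grant = self._grants.get(claims["g"])
        if grant is None:
            reason = "revoked_or_unknown"
        elif now > grant["exp"]:
            reason = "expired"
        elif presented_by != grant["recipient"]:
            reason = "wrong_recipient"                  # token was forwarded to someone else
        else:
            self._log("view", study_id=grant["study"], recipient=presented_by,
                      grant_id=claims["g"])
            return self._blobs[grant["study"]]
        self._log("deny", reason=reason, presented_by=presented_by, grant_id=claims["g"])
        return None

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, "t": time.time(), **fields})


def demo() -> dict:
    """Constructed walk-through: one stored study, one grant, then an authorized
    view, a forwarded token, an expired token and a view after revocation."""
    store = ImageStore(signing_key=secrets.token_bytes(32))
    study = b"\x00" * 128 + b"DICM"   # constructed stand-in for a DICOM file header
    store.store("study-001", study)
    t0 = 1_700_000_000                # fixed clock so the outcome is deterministic
    token = store.grant("study-001", "dr.jones@example.org", ttl_seconds=3600, now=t0)
    result = {
        "authorized": store.view(token, "dr.jones@example.org", now=t0 + 60) == study,
        "forwarded": store.view(token, "someone@example.com", now=t0 + 60),
        "expired": store.view(token, "dr.jones@example.org", now=t0 + 7200),
    }
    grant_id = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["g"]
    store.revoke(grant_id)
    result["revoked"] = store.view(token, "dr.jones@example.org", now=t0 + 60)
    result["denials"] = sum(1 for e in store.audit_log if e["event"] == "deny")
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the example is the contrast with a disc or an attachment: the authorized recipient sees the image, but a forwarded token, a stale token or a revoked grant is refused and recorded, and nothing ever has to be recalled. A real service would put the blobs in encrypted storage, tie `presented_by` to an authenticated session rather than a caller-supplied string, and ship the audit log somewhere tamper-evident.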
While HIPAA itself applies only in the United States, many other jurisdictions have similar or stricter privacy laws. Australia's Privacy Act and the European Union's GDPR, for example, impose their own requirements on health data that can make a provider's task considerably harder, especially when images cross borders.
If you're uncertain about how your local laws apply to your situation, it's always a good idea to consult with your legal counsel. Your vendors should also be able to tell you about how they practice effective compliance within their systems.