Apart from being disrespectful of the patient's privacy, sharing medical images in a HIPAA-noncompliant fashion can expose you to large fines and potentially criminal liability. But what exactly constitutes a HIPAA violation? In theory, the nature of HIPAA violations is straightforward: sharing what's considered to be private health information with someone who's not supposed to receive it.
But from this simple definition, HIPAA violations can take many forms: exposing a patient's medical images to a vendor who does not have a Business Associates Agreement (BAA), sharing images with a family member or spouse without the patient's written consent, losing a laptop computer or cell phone containing protected medical information, or even forwarding a medical image to the wrong email address.
So what are the guidelines for not violating HIPAA, and what steps can you take to reduce your risk even further?
If you must use tangible media such as CDs, DVDs and thumb drives for medical image sharing, rather than a more secure cloud-based or server-based method, then the only way to avoid HIPAA violations is to improve your people processes. Everyone who handles medical imaging data needs to be vigilant in order to avoid doing something careless or negligent. Double-checking mailing addresses, keeping clear authorization records and avoiding extraneous copies of protected information are all important.
Having a mobile computing device, like a smart phone or a laptop computer, get lost or stolen is a common occurrence and hard to protect against. That said, any copies of protected health information that are copied to one of these devices need to be carefully encrypted.
You must have these best practices in place to begin with, because no technology can overcome human error. However, even with these guidelines in place, you will always be vulnerable and on edge, because it only takes one error to commit a violation, and no one person is infallible.
Managing Protected Health Information
To minimize the risk of a HIPAA violation, you should try to minimize the number of actual copies of protected health information (PHI) that you create. The more copies that you make of an image, the greater the chance that the image will get into the wrong hands.
We estimate that with only one copy you are in the best position to avoid unlawful disclosure. With two copies you are four times as likely to suffer one; with three, nine times; and so on, growing in an exponential manner with the number of possible connections and opportunities for the information to be copied or shared outside your control.
You must keep close track of where copies of your patients' PHI are located at all times. If there are tangible copies on printouts or removable media, such as CDs and thumb drives, or copies in HIPAA-noncompliant file sharing services, such as Dropbox, then keeping track of where they are and keeping a paper trail of who was given access at what time can be a real nightmare.
Dropbox has no audit trail for where your files have traveled. Without one, you depend on your own faulty memory, or on keeping your security controls current at all times, to avoid transmitting protected information to someone without the appropriate privilege to receive it.
Although burning a CD or DVD remains the predominant choice today for sharing medical imaging studies, from a HIPAA standpoint it's probably the worst of all worlds: it wastes time, costs too much money and makes it far too easy for that disc to get into the wrong hands.
Once you put the images on a CD, you no longer know where all of the tangible copies are; the CD could be copied, lost or mailed incorrectly. You might even inadvertently place the wrong patient info on the CD and mail it to the right patient.
The same is true if you copy or transmit copies of images to other computing devices like cell phones or tablets. Keeping track of the location of these images and the location of these devices is very difficult.
The goal of minimizing the number of image copies therefore seems to be at odds with the goal of making images available to those with the authority to view them. Reconciling these two goals will likely require using cloud storage technology, which provides users with a window into a single copy of the information rather than making duplicate copies of the data itself each time it needs to be shared.
Instead of sending a copy of an image on a CD or even in a file transmitted electronically through email or Dropbox, which might be lost, stolen or misdirected, HIPAA compliant cloud services enable you to provide an authorized person with the opportunity to view the image stored in a single location, where it remains secure and protected.
In the event of a potential violation, access logs allow you to determine who has viewed a particular image at what time, making remediation much more practical and limiting damage.
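To make the remediation question concrete, the following added example (not code from the original article or from any vendor it describes) audits a small, constructed image-access log. The log format, user names and study identifiers are all hypothetical; a real system would have its own schema. It answers the two questions the text raises: who viewed a given image and when, and whether any access came from someone not on that study's authorization record.

```python
"""Audit a constructed image-access log against an authorization list."""
from datetime import datetime

# Constructed sample log lines (hypothetical format):
#   <ISO-8601 UTC timestamp> <user> <action> <study id>
SAMPLE_LOG = """\
2024-03-01T09:12:04Z dr.alvarez view study-1001
2024-03-01T09:15:30Z tech.kim view study-1002
2024-03-01T10:02:11Z dr.alvarez view study-1002
2024-03-01T11:47:52Z billing.ops view study-1001
2024-03-02T08:05:19Z dr.alvarez download study-1001
"""

# Constructed authorization records: which users may access which study.
AUTHORIZED = {
    "study-1001": {"dr.alvarez"},
    "study-1002": {"dr.alvarez", "tech.kim"},
}


def parse_log(text):
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts, user, action, study = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "study": study,
        })
    return events


def accesses_to(events, study):
    """Who touched a given study, when, and what they did, in log order."""
    return [
        (e["time"].isoformat(), e["user"], e["action"])
        for e in events
        if e["study"] == study
    ]


def unauthorized_accesses(events, authorized):
    """Events whose user is not on the study's authorization list.

    Each hit is a candidate disclosure to investigate; a study missing from
    the authorization records is treated as having no authorized users.
    """
    return [
        e for e in events
        if e["user"] not in authorized.get(e["study"], set())
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for row in accesses_to(evts, "study-1001"):
        print("study-1001:", *row)
    for e in unauthorized_accesses(evts, AUTHORIZED):
        print("UNAUTHORIZED:", e["time"].isoformat(), e["user"], e["action"], e["study"])
```

The same pattern applies whatever the real log source is: keep the authorization record and the access log in machine-readable form, and the "who saw this image" question becomes a filter rather than a reconstruction from memory.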
While HIPAA compliance regulations specifically apply only within the United States, there are plenty of similar or even more restrictive privacy laws in jurisdictions around the world. Countries such as Australia and the member states of the European Union have very specific privacy laws that often favor the patient or client, making the provider's task more difficult.
If you're uncertain about how your local laws apply to your situation, it's always a good idea to consult with your legal counsel. Your vendors should also be able to tell you about how they practice effective compliance within their systems.