When I was growing up, my parents had a traditional mailbox in front of their house. It was an aluminum box painted with flowers that sat upon a wooden post. I can still recall looking out the window and knowing that the mail carrier had come and gone because the outgoing flag was no longer raised. Today, the cutesy mailboxes are a thing of the past. In fact, their mass exodus has led to the influx of boxes with physical locks and keys. Why? Not to be dramatic, but it’s because your mail is not safe, and if you are sending or receiving medical records and images through that very mailbox, you’re at great risk.
While medical imaging is not the major focus of HIPAA or HITECH, it is important that practitioners be wary of the unique issues associated with this type of protected health information (PHI). Medical images are typically dense data files, often much larger than their other medical record counterparts. It’s not unusual to find studies or series of images that exceed one gigabyte in size. Their storage, sharing, and archiving pose unique challenges for the practitioner. Hence, it is important to understand how best to utilize this important diagnostic tool while not running afoul of regulations.
If your practice already has an onsite storage system for your medical images, you might be considering deploying a cloud picture archiving and communication system (PACS) or hybrid (a mix of cloud and onsite storage) to increase the accessibility of your studies.
Apart from being disrespectful of the patient's privacy, sharing medical images in a HIPAA-noncompliant fashion can expose you to large fines and potentially criminal liability. But what exactly constitutes a HIPAA violation? In theory, the nature of HIPAA violations is straightforward: sharing what's considered to be private health information with someone who's not supposed to receive it.
But from this simple definition, HIPAA violations can take many forms: exposing a patient's medical images to a vendor who does not have a Business Associate Agreement (BAA), sharing images with a family member or spouse without the patient's written consent, losing a laptop computer or cell phone containing protected medical information, or even forwarding a medical image to the wrong email address.
So what are the guidelines for not violating HIPAA, and what steps can you take to reduce your risk even further?