Published 10/1/2017
Michael R. Marks, MD, MBA

Medical Imaging and HIPAA Compliance

What orthopaedic surgeons need to know

Last month, I coauthored an article on Health Insurance Portability and Accountability Act (HIPAA) compliance that offered tips on how orthopaedic practices can keep their patients’ information safe (see “Top 10 HIPAA Mistakes to Avoid,” AAOS Now, September 2017). In this article, I speak with Les Trachtman, CEO of Purview, a patient-driven healthcare technology company, about medical imaging and HIPAA compliance.

Dr. Marks: Do orthopaedic surgeons need to be concerned about medical imaging and potential HIPAA implications?

Mr. Trachtman: Although medical imaging may not be the primary focus of HIPAA or the Health Information Technology for Economic and Clinical Health Act (HITECH), medical images are considered protected health information (PHI). Often much larger than their medical record counterparts, medical images are typically dense data files that may exceed a gigabyte in size. Because storage, sharing, and archiving of medical images pose unique challenges for practitioners, it is important to understand how to best manage this information without running afoul of regulations.

Dr. Marks: What can you tell us about medical image repositories?

Mr. Trachtman: Medical images most often exist in a Digital Imaging and Communications in Medicine (DICOM) format, which combines sets or series of images with a description of the patient and the modality. Together they are considered PHI. Under federal law, HIPAA-covered entities must implement procedures to protect and secure access to this type of data.

Most of the time, the repository for DICOM data is a picture archiving and communication system (PACS). Think of a PACS as a purpose-built medical imaging database. Not only can a PACS exist on a computer within your facility, it can also be accessed remotely from the Cloud. Either way, the information contained in the PACS must be secure from unwarranted intrusion or access.

Properly secured, the information contained in a PACS should be accessible only to those with authorized security credentials. Often, this implies the encryption of data, both while residing in your PACS as well as while traveling to and from your PACS to protect it against unauthorized access. Encryption can be accomplished by securing the communication conduits, encrypting the digital data structure of these DICOM files, or by encrypting the underlying data within the files.

Dr. Marks: What else do orthopaedic surgeons need to know about securing their PACS?

Mr. Trachtman: While keeping these repositories safe and secure is important, it is equally crucial—and required by federal regulations—to ensure that they remain available, even in the event of a natural or manmade disaster. As such, backups of DICOM data are mandatory. The most effective method is to store data backups on a regular basis at one or more separate geographic locations. It is imperative to have appropriate procedures in place and to regularly test them to ensure their effectiveness.

Dr. Marks: Can you explain the difference between backed-up data and mirrored data?

Mr. Trachtman: Most often, data in a PACS are backed up rather than mirrored. Although a backup may be sufficient to comply with most regulations, it means that in the event of a disaster recovered data must be reloaded onto a live PACS to make the data available. This can be problematic if the data are voluminous or if the need for access is immediate. The alternative is a mirrored PACS, where the information is stored in a duplicate PACS in another location entirely. Therefore, should a disaster arise, the primary system can be redirected to access the live data on that alternative PACS.

An even better solution would be to access the remote PACS via a web-based application. This would ensure that even if onsite systems are disabled, like in a malicious ransomware scenario, medical images could be accessed using alternate systems, tablets, or even smartphones.

Dr. Marks: What advice do you have for orthopaedic surgeons who need to share medical images with patients and other providers?

Mr. Trachtman: Enabling medical imaging transfer, sharing, and collaboration in real time with other healthcare practitioners in different geographies is becoming increasingly important. This often requires the packaging and transport of medical imaging files. Most medical facilities still “burn” medical images onto CDs or DVDs.

When PHI is copied onto CDs or DVDs, healthcare practitioners must ensure that the right information gets into the right hands. Too often the information contained on the CD is not readable or not correct. Sometimes the information is about the wrong patient, rendering the media useless. Burning and sending CDs via overnight mail may be relatively simple, but it is also expensive and time consuming. In addition, leaving CDs or DVDs unprotected in places that are not secure can itself be considered noncompliance. Even mailing a CD to the wrong address or having the CD lost or stolen in transit can become a big problem.

Fortunately, we are in an era with high bandwidth broadband connections, electronic transmission, and access from a centralized Cloud repository. Additionally, electronic access to medical images can be easily controlled and secure. A benefit is that Cloud-based PACS enables central access to confidential information without the need to transport or share physical copies.

Dr. Marks: Does that mean that orthopaedic surgeons can use any file sharing product?

Mr. Trachtman: The short answer is no. When considering electronic access, the healthcare practitioner should avoid using email or file sharing applications like Dropbox or Box.net. What many people forget or don’t know is that systems like these may inadvertently replicate data onto unsecured devices like personal cell phones, tablets, or even shared PCs. The information could even be intercepted during transit. If, despite this warning, electronic files are shared via electronic transmission, they absolutely must each be encrypted to ensure compliance.

Dr. Marks: Is it necessary to have a business associate agreement (BAA) in place with the medical imaging vendor?

Mr. Trachtman: Getting a BAA is a good idea for physicians who work with partners who provide software, storage, and have access to patients’ PHI. BAAs are legal documents that bring these partners into compliance with similar HIPAA and HITECH regulatory requirements. While there is an exception for software entities, it is important that anyone else with access to patients’ PHI sign a BAA to avoid inadvertent unprotected disclosure.

Dr. Marks: Do you have any final thoughts?

Mr. Trachtman: Medical images are an increasingly popular diagnostic tool. Their electronic format and large size often make them burdensome to protect. However, with modern tools, including the Cloud, secure access can be granted whenever and wherever required for effective patient diagnosis and treatment, while providing an extra layer of disaster-proof offsite storage.
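The following Python script is an added example and is not part of the interview, nor code from Purview. It illustrates two points made above: that a DICOM file carries the patient description (group 0010) and modality in the same file as the pixel data, so the whole file is PHI, and that a synced or shared folder can be audited for bare, unencrypted DICOM files by looking for the "DICM" magic at byte offset 128. The sample file is constructed in the script (patient name and ID are made up), and the reader handles only the Explicit VR Little Endian transfer syntax; it is a teaching reader, not a replacement for a DICOM library.

```python
"""Minimal DICOM Part 10 reader (Explicit VR Little Endian only).

Added example, not code from the article or from Purview. It parses a
constructed, deliberately minimal DICOM file to show that the patient
description (group 0010) and modality travel in the same file as the
pixel data, so the whole file is PHI and must be protected as such.
"""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose explicit-VR encoding uses 2 reserved bytes + a 4-byte length.
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}
# Patient identification tags from group 0010 (a subset, for illustration).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}


def _encode(group, elem, vr, value):
    """Encode one explicit-VR-LE data element (used only to build the sample)."""
    if len(value) % 2:                      # values are padded to even length
        value += b"\x00" if vr == "UI" else b" "
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_file():
    """Constructed sample: preamble, magic, meta header, then a tiny dataset.

    Real files also carry group-length and SOP-class meta elements; they are
    omitted here to keep the sample small.
    """
    meta = _encode(0x0002, 0x0010, "UI", EXPLICIT_VR_LE.encode("ascii"))
    dataset = (
        _encode(0x0008, 0x0060, "CS", b"CT")                   # modality
        + _encode(0x0010, 0x0010, "PN", b"DOE^JANE")           # constructed name
        + _encode(0x0010, 0x0020, "LO", b"PAT-000123")         # constructed ID
        + _encode(0x7FE0, 0x0010, "OW", b"\x00\x01\x00\x02")   # two fake pixels
    )
    return b"\x00" * PREAMBLE_LEN + MAGIC + meta + dataset


def is_dicom(data):
    """True if the bytes look like a bare (unencrypted) DICOM Part 10 file."""
    return len(data) > PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == MAGIC


def parse_elements(data):
    """Return {(group, elem): (vr, value_bytes)} for an explicit-VR-LE file."""
    if not is_dicom(data):
        raise ValueError("not a DICOM Part 10 file")
    pos = PREAMBLE_LEN + 4
    elements = {}
    transfer_syntax_checked = False
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002 and not transfer_syntax_checked:
            # The meta header is always explicit VR LE; the dataset's encoding
            # is whatever (0002,0010) says, and this reader supports one of them.
            ts = elements.get((0x0002, 0x0010), ("UI", b""))[1]
            if ts.rstrip(b"\x00").decode("ascii") != EXPLICIT_VR_LE:
                raise ValueError("only Explicit VR Little Endian is supported here")
            transfer_syntax_checked = True
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        elements[(group, elem)] = (vr, data[pos:pos + length])
        pos += length
    return elements


def phi_summary(elements):
    """Names and decoded values of the patient-identifying elements present."""
    return {name: elements[tag][1].decode("ascii").strip()
            for tag, name in PHI_TAGS.items() if tag in elements}


def find_unencrypted_dicom(files):
    """Given {path: bytes}, return paths holding bare DICOM files.

    A file encrypted at rest will not carry the DICM magic at offset 128, so
    this is a simple audit for DICOM data that has landed in a sync folder
    without protection.
    """
    return sorted(path for path, data in files.items() if is_dicom(data))


if __name__ == "__main__":
    sample = build_sample_file()
    ds = parse_elements(sample)
    print("Modality:", ds[(0x0008, 0x0060)][1].decode("ascii"))
    print("PHI in file:", phi_summary(ds))
    print("Pixel bytes:", len(ds[(0x7FE0, 0x0010)][1]))
    print("Bare DICOM files:", find_unencrypted_dicom({"scan.dcm": sample, "notes.bin": b"\x00" * 200}))
```

Run as a script it prints the modality, the patient identifiers found, the pixel-data length, and which of two constructed in-memory "files" is a bare DICOM file. The parser only walks the file as far as it needs and stops at the first thing it cannot handle, which is the safe failure mode for an audit tool.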

Michael R. Marks, MD, MBA, is a member of the AAOS Medical Liability Committee, AAOS Patient Safety Committee, and mentor for the AAOS Communications Skills Mentoring Program.