Providers must use HIPAA compliant emails to send patient imaging results, like X-rays, MRIs, or CT scans, as medical images with identifiable patient information are considered protected health information (PHI).
What is medical imaging?
A review of modern diagnostic imaging techniques defines medical imaging as: “The process of visual representation of different tissues and organs of the human body to monitor the normal and abnormal anatomy and physiology of the body.”
The review lists the following examples:
- “X-rays
- computed tomography (CT)
- positron emission tomography (PET)
- magnetic resonance imaging (MRI)
- single-photon emission computed tomography (SPECT)
- digital mammography
- ·diagnostic sonography”
Protected health information (PHI) in medical imaging
Under HIPAA, medical images containing identifiable patient information are protected health information (PHI). This includes the images and any associated metadata or patient identifiers like patient names, medical record numbers, dates of birth, and examination dates.
HIPAA explicitly states “Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.”
Medical imaging, which often involves electronically transmitted or maintained data, falls under protected health information (PHI) as defined by HIPAA. So, covered entities that deal with medical imaging must adhere to HIPAA regulations to ensure patient privacy.
HIPAA compliance in medical imaging practices
Patient consent: HIPAA guidelines require providers to obtain patient consent before sharing medical images for purposes other than treatment. Additionally, providers should inform patients about how their images will be used and to whom they will be disclosed.
Business associate agreements (BAAs): Providers must enter BAAs if outsourcing medical imaging services to third-party vendors to ensure that the vendors comply with HIPAA regulations. These agreements outline the responsibilities of both parties in protecting patient information and maintaining confidentiality. Failure to have a BAA in place can result in fines and penalties for HIPAA non-compliance.
Data retention and disposal: Healthcare providers must establish policies for the retention and disposal of medical images, under HIPAA requirements. Images should be securely deleted or destroyed once they are no longer needed for patient care or legal purposes.
Secure transmission: Providers must use secure communication channels when sending medical images electronically. Providers can use a secure email platform, like Paubox, or secure file transfer protocols (e.g., HTTPS, SFTP) to prevent unauthorized access to patient data.
Using HIPAA compliant emails to send medical images
Encryption: Emails containing medical images and other PHI should be encrypted both during transmission and while at rest to prevent unauthorized access.
Access controls: Secure email platforms, like Paubox, provide access controls, allowing healthcare providers to manage and restrict access to patient data. These platforms implement user authentication mechanisms so that only authorized recipients, like treating physicians, can access sensitive imaging results.
Auditing and logging: HIPAA compliant emails maintain detailed audit logs of email activity. These audit logs record sender and recipient details, timestamps, and actions performed on emails containing PHI. This allows providers to track who accessed patient imaging results and when, helping detect potential security breaches or unauthorized access attempts.
Go deeper: How to conduct a HIPAA compliance audit
FAQs
Does HIPAA apply to medical imaging?
Yes, HIPAA applies to medical imaging because images containing identifiable patient information are considered protected health information (PHI).
Can medical images be sent via regular email?
No, sending medical images via regular email violates HIPAA regulations. Providers must use a HIPAA compliant email platform, like Paubox, to send medical images securely and protect patient privacy.
Do healthcare providers need patient consent to share medical images?
Yes, providers must obtain patient consent before sharing or disclosing medical images for purposes other than treatment, following HIPAA guidelines.
