Every DICOM file stored in your PACS contains protected health information. That means your imaging infrastructure sits squarely inside HIPAA’s scope, and as a compliance officer, you own every control that keeps it compliant. This HIPAA compliance checklist field guide translates the Security Rule into operational language for imaging environments, covering the three safeguard categories, 14 imaging-specific compliance touchpoints, BAA obligations with PACS vendors, audit log retention requirements, and your breach notification obligations when imaging data is involved.
This is not an evaluation guide for purchasing decisions. It is a day-to-day operations reference for the compliance officer who already has a PACS in place and needs a practical HIPAA Security Rule framework tailored to the realities of radiology workflows.
How the HIPAA Security Rule Applies to Medical Imaging
The Security Rule governs electronic protected health information (ePHI). Medical images fall under ePHI: every CT scan, MRI series, X-ray, and ultrasound study that can be linked to a patient is covered. That includes images stored in your PACS, transmitted via DICOM to referring providers, archived to cloud storage, or cached on a radiologist’s reading workstation.
The rule organizes its requirements into three safeguard categories. Understanding how each one maps to imaging-specific systems is the first step in building a defensible compliance posture.
Administrative Safeguards in an Imaging Environment
Administrative safeguards govern the policies, procedures, and workforce practices that underpin your security program. For imaging compliance officers, the most operationally demanding requirements are:
Risk Analysis
You must conduct a thorough, documented risk analysis of all systems that create, receive, transmit, or maintain imaging ePHI. This includes your PACS, RIS, VNA, DICOM routers, reading workstations, and any third-party teleradiology platforms. The Office for Civil Rights consistently cites inadequate risk analysis as the leading deficiency in HIPAA investigations.
Security Management Process
You need documented policies for identifying security violations, a sanctions policy for workforce members who violate imaging security rules, and an information system activity review process. Reviewing PACS audit logs is part of this.
Workforce Training
Training must address imaging-specific risks: proper access credential management, DICOM transmission security, and what to do if a reading workstation is lost or stolen.
Contingency Planning
Your imaging department needs a documented plan for maintaining access to critical studies during system outages. This is especially important if your PACS is cloud-hosted, since network-dependent access means your contingency plan must address both local failures and upstream provider failures.
OmniPACS supports administrative compliance by providing customers with documentation packages that align with OCR audit expectations, including pre-built policy templates and risk assessment frameworks.
Physical Safeguards in an Imaging Environment
Physical safeguards govern access to facilities and hardware where ePHI is stored or processed. For imaging environments, this translates to:
Workstation Access Controls
Reading workstations must have screen-lock policies and be positioned so that unauthorized viewers cannot see patient images. Workstations in hallways or shared spaces require physical barriers or privacy screens.
Device and Media Controls
Any removable media used to export imaging studies, including CDs, DVDs, and USB drives, must be tracked. Policies must address the destruction of media containing imaging data before disposal.
Server Room Access
If you host on-premise imaging servers, access must be limited to authorized personnel, and access logs must be reviewed regularly.
Mobile Device Policies
Physical safeguards also extend to radiologists who access studies on personal tablets or smartphones. Policies must address remote wipe capability and session timeout requirements for those devices.
Technical Safeguards in an Imaging Environment
Technical safeguards are the system-level controls that protect ePHI during storage and transmission. The Security Rule distinguishes between required and addressable implementation specifications, and compliance officers need to understand which controls are mandatory versus which require documented risk-based decisions.
Access Control
Every user who accesses imaging systems must have a unique identifier. Shared PACS login credentials are a direct violation. Role-based access should limit radiologists, technologists, and administrative staff to the studies relevant to their function.
Audit Controls
Your PACS must log every access to imaging data, including who viewed a study, when, from which IP address, and whether the study was downloaded or transmitted. These logs must be reviewed on a defined schedule.
Integrity Controls
Mechanisms must exist to verify that imaging data has not been altered or corrupted. Digital signatures and hash verification in DICOM transmission serve this function.
Transmission Security
All DICOM transmissions must use encrypted channels. Unencrypted DICOM over open networks is a direct violation. TLS-secured DICOM and VPN-based access for remote radiologists are standard requirements.
Platforms like OmniPACS implement these technical controls at the infrastructure level, but compliance officers remain responsible for verifying that those controls are active and correctly configured, and that workforce behavior does not undermine them.
The 14 Imaging-Specific HIPAA Compliance Touchpoints
The following checklist covers the operational areas where imaging environments most commonly fail HIPAA audits. Use this as a recurring self-assessment framework.
- Risk analysis completed and documented for all imaging systems within the past 12 months
- PACS, RIS, and VNA access credentials are unique per user, with no shared accounts
- Role-based access controls are configured and reviewed at least annually
- Workforce members whose roles have changed or who have departed have had imaging access revoked within 24 hours of the change
- Automatic session timeouts are configured on reading workstations and any browser-based PACS viewers
- All DICOM transmissions use encrypted channels (TLS or DICOM TLS)
- Imaging audit logs are reviewed on a documented schedule, no less than monthly
- Audit log retention policy meets or exceeds your state’s requirements (minimum 6 years under HIPAA)
- Business Associate Agreements are in place with all PACS vendors, teleradiology platforms, and cloud storage providers handling imaging ePHI
- BAAs are reviewed annually and upon contract renewal
- Removable media used for image exports is tracked and destroyed per policy
- A contingency plan for imaging system outages is documented, tested, and current
- Workforce security training includes imaging-specific content and is completed annually, with records retained
- Breach notification procedures have been reviewed, and your workforce knows the reporting chain for suspected imaging data incidents
BAA Requirements with PACS Vendors
A Business Associate Agreement is not a courtesy document. It is a legal requirement whenever a vendor creates, receives, maintains, or transmits imaging ePHI on your behalf. That includes your PACS vendor, your cloud storage provider, your teleradiology service, and any AI-assisted diagnostic platform that processes your studies.
The BAA must include specific provisions: permitted uses and disclosures of ePHI, obligations to safeguard ePHI, requirements for reporting breaches, obligations of subcontractors, and procedures for returning or destroying ePHI upon contract termination.
Compliance officers should maintain a BAA register that tracks each agreement, its effective date, renewal date, and the specific systems or data flows it covers. An expired or unsigned BAA at the time of a breach dramatically increases OCR enforcement exposure.
What to Look for in a PACS BAA
When evaluating BAA terms with PACS vendors, focus on three areas. First, verify that the vendor’s obligations extend to subcontractors, because a cloud PACS vendor typically stores data with an infrastructure provider that becomes a downstream business associate. Second, confirm breach notification timelines, as HIPAA requires business associates to notify covered entities within 60 days of discovery, while many BAA templates include shorter windows aligned with OCR enforcement patterns.
Third, verify data return or destruction obligations upon termination so you are not leaving imaging ePHI with a former vendor after a contract ends.
OmniPACS provides customers with compliant BAA templates and supports BAA execution during onboarding, removing the ambiguity that often delays the completion of formal compliance documentation.
Audit Log Retention for Imaging Systems
HIPAA requires covered entities to retain documentation of policies and procedures for a minimum of 6 years from the date they were created or last in effect, whichever is later. That six-year floor applies to your security policies. Your audit logs themselves must be retained long enough to support compliance investigations and breach investigations.
For imaging systems specifically, retention requirements compound: audit logs documenting access to imaging studies may also be subject to state medical records retention laws, which in many states extend to 10 years or longer for certain record types. Compliance officers should confirm the longer of HIPAA’s minimum and the applicable state medical records law.
The operational challenge is volume. A mid-size radiology practice processing 200 studies per day generates thousands of DICOM access events daily. Audit log management requires a system that can efficiently store, index, and retrieve log data. Cloud-hosted PACS platforms like OmniPACS typically include centralized audit logging with configurable retention periods, so compliance officers can set retention rules at the system level rather than managing logs manually.
What Your Log Review Should Look For
Your audit log review process should look for specific patterns: access from unfamiliar IP addresses or locations, bulk downloading of studies, access to high-profile patient records, and access attempts outside normal operating hours. These patterns are the imaging analog of the “information system activity review” required under the Security Rule’s administrative safeguards. Documenting your review methodology and its outcomes is as important as the reviews themselves.
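As an added example (not the page’s or OmniPACS’s own code), the following review pass applies the four patterns named above, using the per-access fields listed under Audit Controls (who, when, from which IP address, whether the study was downloaded), to a constructed set of PACS access events. The CSV layout, trusted network range, VIP study list, business hours and bulk threshold are all assumptions to be replaced with your own values.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of PACS access events (assumed CSV layout; a real PACS
# export will differ, so map its columns onto these names before running).
SAMPLE_LOG = """user,time,ip,study,action
rad01,2024-03-04T09:12:00,10.20.1.15,S1001,view
rad01,2024-03-04T10:01:00,203.0.113.7,S1002,view
tech02,2024-03-04T02:40:00,10.20.1.30,S1003,view
rad03,2024-03-04T11:00:00,10.20.1.40,S1004,download
rad03,2024-03-04T11:01:00,10.20.1.40,S1005,download
rad03,2024-03-04T11:02:00,10.20.1.40,S1006,download
admin1,2024-03-04T14:30:00,10.20.1.50,S9001,view
"""

TRUSTED_NETS = [ip_network("10.20.0.0/16")]  # assumed: the practice's LAN/VPN range
VIP_STUDIES = {"S9001"}                       # assumed: studies flagged by the privacy office
BULK_THRESHOLD = 3                            # assumed: downloads per user per day that trigger review
BUSINESS_HOURS = (7, 19)                      # assumed: local hours treated as normal operations


def review_log(text, trusted=TRUSTED_NETS, vip=VIP_STUDIES,
               bulk_threshold=BULK_THRESHOLD, hours=BUSINESS_HOURS):
    """Return a list of (rule, user, detail) findings for the documented review."""
    findings = []
    downloads = Counter()  # (user, day) -> number of study downloads
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["time"])
        src = ip_address(row["ip"])
        # Access from an address outside the practice's known networks
        if not any(src in net for net in trusted):
            findings.append(("unfamiliar_ip", row["user"], f"{src} {row['study']}"))
        # Access outside normal operating hours
        if not hours[0] <= ts.hour < hours[1]:
            findings.append(("off_hours", row["user"], ts.isoformat()))
        # Access to a high-profile patient record
        if row["study"] in vip:
            findings.append(("vip_record", row["user"], row["study"]))
        if row["action"] == "download":
            downloads[(row["user"], ts.date())] += 1
    # Bulk downloading: one user pulling many studies in a single day
    for (user, day), n in downloads.items():
        if n >= bulk_threshold:
            findings.append(("bulk_download", user, f"{n} downloads on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:15} {user:8} {detail}")
```

Keeping the returned findings (and the reviewer’s disposition of each) is the record that documents your review methodology and outcomes.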
For guidance on HIPAA-compliant image storage requirements, including the technical controls that should accompany audit logging, see the separate post on that topic, which covers the required implementation details.
Breach Notification for Imaging Data
Imaging data breaches occupy a specific operational zone that compliance officers need to understand. The unauthorized acquisition, access, use, or disclosure of imaging ePHI constitutes a breach unless one of three narrow exceptions applies: the unauthorized person who received the information could not reasonably retain it; the violation was an unintentional access by a workforce member acting in good faith; or the disclosure was inadvertent between authorized persons at the same covered entity.
When a potential breach involves imaging data, the first task is determining whether it falls within one of these exceptions. If none of the above applies, the 60-day breach notification clock starts running from the date you discover the breach, not the date it occurred.
For breaches affecting 500 or more individuals in a single state or jurisdiction, notification to HHS must occur within 60 days of discovery. Notification to affected individuals must also occur within 60 days. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, but individual notification remains subject to the 60-day window.
Common Imaging Breach Scenarios
Imaging breaches commonly involve the following scenarios that compliance officers should plan for explicitly:
- A teleradiology platform transmits studies to an unauthorized recipient due to a routing misconfiguration. This is a disclosure breach. If the recipient cannot reasonably retain the images, the exception may apply. If not, notification is required.
- A PACS system is accessed by a former employee whose credentials were not revoked. This is an access breach. The scope assessment must determine how many studies were accessed and for which patients.
- Cloud-stored imaging archives are exposed in a ransomware incident. This is an impermissible access event. HIPAA’s presumption is that an exposure is a breach unless your forensic analysis can demonstrate that ePHI was not actually accessed or acquired.
Building Your Breach Response Escalation Path
Your breach notification procedure for imaging incidents should designate a specific escalation path: who identifies the potential incident, who conducts the initial scope assessment, who makes the breach determination, and who manages notifications to HHS and affected individuals.
Platforms with strong security controls to protect patient data in the cloud reduce the likelihood of these scenarios, but no technical control eliminates the compliance officer’s obligation to maintain a tested breach response plan.
For those evaluating whether an existing PACS meets baseline requirements, reviewing the blog post on PACS HIPAA compliance requirements is a useful starting point before layering in the operational protocols above.

Frequently Asked Questions
What is the minimum retention period for HIPAA audit logs?
HIPAA requires that documentation of security policies and procedures be retained for at least 6 years. The Security Rule does not specify a separate retention period for audit logs themselves, but regulators expect logs to be retained long enough to support breach investigations, which, in practice, means a minimum of 6 years, aligned with the policy documentation standard. State medical records laws may require longer retention periods and take precedence when they are stricter.
Does HIPAA require a BAA with every PACS vendor?
Yes. Any vendor that creates, receives, maintains, or transmits imaging ePHI on behalf of your covered entity is a business associate under HIPAA. That includes cloud PACS vendors, teleradiology services, AI diagnostic platforms, and cloud storage providers.
A BAA is required before any ePHI is shared or processed. Facilities that have purchased PACS systems without executing a BAA are operating out of compliance, regardless of the technical safeguards in place.
What counts as a breach for imaging data specifically?
Any unauthorized acquisition, access, use, or disclosure of imaging ePHI that is not covered by one of HIPAA’s three exceptions. Common imaging breach scenarios include misrouted DICOM transmissions, unauthorized access by former employees or unauthorized users, and ransomware incidents that expose archived imaging studies. The covered entity is responsible for determining whether a breach occurred and, if so, for notifying HHS and affected individuals within 60 days of discovery.
How often should imaging HIPAA compliance be reviewed?
The Security Rule does not specify review frequency for most controls, but requires that your security management process be ongoing. Industry practice for imaging compliance officers is to conduct a formal risk analysis at least annually, review access controls following any significant system or workforce change, review PACS audit logs at least monthly, and audit BAA currency at least annually. OCR’s audit program evaluates whether organizations have an ongoing and proactive compliance program, not just point-in-time documentation.
How does a cloud PACS affect HIPAA compliance obligations?
A cloud PACS shifts some technical controls to the vendor, but does not shift your compliance obligations. Your covered entity remains responsible for ensuring that the vendor has executed a valid BAA, that the vendor’s infrastructure meets HIPAA technical safeguard requirements, and that your workforce is trained on cloud-specific security practices. The compliance officer’s job expands to include vendor oversight: confirming that the vendor has conducted its own risk analysis, reviewing their SOC 2 or equivalent audit reports, and ensuring that breach notification obligations in the BAA align with HIPAA timelines. Facilities that want to simplify this vendor oversight process can explore OmniPACS Solutions for a cloud PACS with built-in compliance officer visibility.