The HIPAA Security Rule protects electronic protected health information held by covered entities. A diagnostic imaging or radiology center is a covered health care provider: it schedules studies, acquires images on connected modalities, stores them in a PACS archive, bills payers, and shares images and reports with referring physicians and reading radiologists. That work sits squarely inside what HIPAA protects, so the Security Rule, the Privacy Rule, and the Breach Notification Rule all apply to your center.
Imaging centers concentrate sensitive health data in the image itself.
Every study generates a rich clinical and financial record: patient demographics and Social Security numbers, insurance and payment details, the ordering diagnosis, the radiologist report, and the images themselves. DICOM image files carry patient identifiers embedded in their metadata, so the study is protected health information, not just the report attached to it. That is precisely the electronic protected health information the Security Rule is written to protect.
Imaging datasets are large and kept for years. State record-retention requirements and clinical need mean studies live in the PACS archive long after the visit, so a single center can hold a deep history of identifiable imaging on tens of thousands of patients. Ransomware and business email compromise target health care providers directly, and that concentrated, long-lived archive is an attractive target. The safeguards HIPAA requires, which are access controls, encryption, and monitoring, are the same controls that defend against those attacks.
PACS and DICOM archives are exposed when misconfigured, and modality workstations often cannot be patched.
A PACS server and the DICOM services around it are built to move studies between systems, and left with default or missing authentication they will answer requests from anyone who can reach them. Unauthenticated and misconfigured PACS and DICOM servers reachable from the internet are a known, repeatedly documented real-world exposure that has left large volumes of medical images publicly retrievable. The fix is not exotic: require authentication on DICOM and PACS services, keep those services off the public internet, restrict which systems can query and retrieve, and monitor the archive for unusual access.
The imaging modalities create a second, harder problem. CT, MRI, ultrasound, and X-ray units are driven by acquisition workstations that frequently run embedded or legacy operating systems the manufacturer controls, and they often cannot be patched or updated the way an office laptop can. You cannot simply install this month's update on an MRI console. Because you cannot always patch the device, you protect it by controlling the network around it. We segment the imaging network so modality workstations and the PACS are isolated from general office traffic and from the internet, restrict which systems can talk to them, keep an inventory of every device that touches ePHI, and monitor those segments for unusual activity. Segmentation and monitoring are how an imaging center reduces the risk a legacy modality carries without waiting on a patch that may never come, and it is exactly the kind of reasonable and appropriate safeguard the Security Rule expects you to document in your risk analysis.
Sharing images is routine, and the HIPAA relationship depends on who is receiving them.
An imaging center sends studies and reports outward constantly: to the referring physician who ordered the exam, to the radiologists who read the images, and often to a teleradiology group for overnight or subspecialty reads. HIPAA treats these relationships differently, and getting the distinction right matters. A referring physician, and an independent radiologist who reads your studies as a provider in their own right, are generally covered entities, and sharing protected health information with them for treatment is permitted under the Privacy Rule without a Business Associate Agreement.
A teleradiology service or reading group that handles your images on your behalf, rather than as an independent treating provider, can be a business associate, and then a BAA is required before your studies flow to them. Cloud PACS hosts, archive and image-exchange platforms, and IT and managed security providers are business associates as well. Putting a BAA where a treatment relationship exists, or missing one where a true business associate handles your ePHI, are both compliance gaps. We map these relationships during onboarding and put BAAs where the rule actually requires them.
A Security Risk Analysis is the foundation, and required is not the same as addressable.
The Security Rule requires a documented Security Risk Analysis, and it is the single element OCR asks for most often after a breach. It has to cover the ePHI everywhere it lives, including the modality workstations, the PACS and DICOM archive, the RIS, the reading and billing systems, and the connections that carry studies to outside readers.
The rule's implementation specifications are labeled either required or addressable. Addressable does not mean optional. It means you either implement the specification, or document why it is not reasonable and appropriate for your environment and put an equivalent alternative in place. Encryption of ePHI, for example, is addressable, which does not let you skip it. We run the risk analysis, make those determinations with you, and record the reasoning so the program stands up to scrutiny rather than reading as boilerplate.