Radiology Compliance Guide

Top 10 HIPAA Risks for Radiology Practices

Comprehensive guide to protecting high-volume imaging data and specialized diagnostic information

Quick Answer
Radiology practices face critical HIPAA risks from high-volume unencrypted DICOM files, insecure teleradiology transmission across networks, unencrypted CD/USB image distribution to patients and providers, inadequate PACS access controls, unsecured radiologist workstations, cloud-based image storage without compliance verification, inadequate image archiving and deletion procedures, faxes and reports misdirected to the wrong providers, inadequate staff training on imaging data sensitivity, and vulnerable vendor relationships. Radiology breaches average $210,000+ in settlements, with imaging data breaches affecting large patient populations. Total estimated risk exceeds $1.8 million.
Unencrypted DICOM Files and Image Storage
Critical

DICOM files contain embedded patient identifiers, study metadata, and high-resolution imaging data. Files are frequently stored without encryption on PACS systems, backup drives, or cloud storage. Large file sizes mean single DICOM exposure affects multiple imaging studies. Many practices lack encryption implementation or verification.

Likelihood: Very Likely
Penalty Range: $240,000 - $400,000
Mitigation Steps
  • Implement AES-256 encryption for all DICOM storage at rest; enforce TLS 1.2+ for DICOM transmission in transit
  • Configure PACS systems with encryption by default; conduct quarterly encryption verification and security assessments
  • Use encrypted backup systems with separated encryption key storage; test restoration procedures annually
OCR Enforcement Reference:
OCR fined radiology practice $350,000 for unencrypted DICOM storage breach affecting 50,000+ imaging studies.
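The "quarterly encryption verification" step above is easier to carry out with a scanner that walks storage and reports which files are still plaintext DICOM and which of those carry patient identifiers. The following is an added example written for this guide, not a Medcurity tool or any PACS vendor's code. It assumes a DICOM Part 10 layout (128-byte preamble, "DICM" magic, Explicit VR Little Endian file-meta group), supports only the two little-endian transfer syntaxes, checks a hand-picked subset of identifier tags, and uses a constructed sample file with fictitious patient values; an encrypted container has no "DICM" magic at offset 128 and is reported as not_dicom.

```python
import os
import struct

# Transfer syntaxes this minimal parser understands; anything else is reported
# as unsupported rather than silently mis-parsed.
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"

# Subset of standard DICOM tags carrying direct identifiers (assumption: extend as needed).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
}
# Explicit-VR headers whose length field is 4 bytes after a 2-byte reserved field.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def iter_elements(data):
    """Yield ((group, element), vr, raw_value) for a Part 10 file.

    The file-meta group (0002,xxxx) is always Explicit VR LE; the dataset encoding
    follows (0002,0010) TransferSyntaxUID. Parsing stops at the first
    undefined-length element, so identifiers nested inside sequences are not seen.
    """
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (no DICM magic at offset 128)")
    pos, explicit, in_meta, transfer_syntax = 132, True, True, None
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if in_meta and group != 0x0002:          # leaving the meta group
            in_meta = False
            if transfer_syntax == EXPLICIT_VR_LE:
                explicit = True
            elif transfer_syntax == IMPLICIT_VR_LE:
                explicit = False
            else:
                raise ValueError(f"unsupported transfer syntax {transfer_syntax!r}")
        if explicit:
            vr = data[pos + 4:pos + 6]
            if vr in LONG_LENGTH_VRS:
                if pos + 12 > len(data):
                    raise ValueError("truncated element header")
                (length,) = struct.unpack_from("<I", data, pos + 8)
                pos += 12
            else:
                (length,) = struct.unpack_from("<H", data, pos + 6)
                pos += 8
        else:
            vr = b"UN"                            # implicit VR: no VR in the stream
            (length,) = struct.unpack_from("<I", data, pos + 4)
            pos += 8
        if length == 0xFFFFFFFF:
            break
        if pos + length > len(data):
            raise ValueError("truncated element value")
        value = data[pos:pos + length]
        pos += length
        if (group, elem) == (0x0002, 0x0010):
            transfer_syntax = value.rstrip(b"\x00 ").decode("ascii")
        yield (group, elem), vr, value


def scan_for_phi(data):
    """Return {tag_name: value} for non-empty identifier tags stored in plaintext."""
    found = {}
    for tag, _vr, value in iter_elements(data):
        name = PHI_TAGS.get(tag)
        if name and value.strip(b"\x00 "):
            found[name] = value.rstrip(b"\x00 ").decode("latin-1")
    return found


def classify_blob(data):
    """'not_dicom' (e.g. an encrypted container) or plaintext DICOM with/without PHI."""
    if len(data) < 132 or data[128:132] != b"DICM":
        return "not_dicom"
    return "plaintext_dicom_with_phi" if scan_for_phi(data) else "plaintext_dicom_no_phi"


def scan_tree(root):
    """Classify every file under a storage tree; returns a list of (path, class)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    results.append((path, classify_blob(fh.read())))
                except ValueError as exc:
                    results.append((path, f"parse_error: {exc}"))
    return results


def _encode(group, elem, vr, value, explicit=True):
    """Encode one little-endian element; string values are padded to even length."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr == "UI" else b" "
    head = struct.pack("<HH", group, elem)
    if not explicit:
        return head + struct.pack("<I", len(value)) + value
    if vr.encode() in LONG_LENGTH_VRS:
        return head + vr.encode() + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + vr.encode() + struct.pack("<H", len(value)) + value


def build_sample_dicom(transfer_syntax=EXPLICIT_VR_LE, include_phi=True):
    """Constructed minimal CT file with fictitious identifiers (not real patient data)."""
    explicit = transfer_syntax == EXPLICIT_VR_LE
    meta = _encode(0x0002, 0x0010, "UI", transfer_syntax)
    meta = _encode(0x0002, 0x0000, "UL", struct.pack("<I", len(meta))) + meta
    body = _encode(0x0008, 0x0060, "CS", "CT", explicit)
    if include_phi:
        body += (_encode(0x0010, 0x0010, "PN", "DOE^JANE", explicit)
                 + _encode(0x0010, 0x0020, "LO", "MRN-000123", explicit)
                 + _encode(0x0010, 0x0030, "DA", "19800101", explicit))
    body += _encode(0x7FE0, 0x0010, "OW", bytes(16), explicit)   # stand-in pixel data
    return bytes(128) + b"DICM" + meta + body
```

Run `scan_tree("/path/to/pacs-export")` against a backup or archive volume: every `plaintext_dicom_with_phi` hit is a file that the at-rest encryption control did not cover. The parser deliberately refuses transfer syntaxes it does not understand instead of guessing, so a `parse_error` result is a file to inspect by hand rather than a clean bill of health.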
Insecure Teleradiology Transmission
Critical

Teleradiology transmits high-volume DICOM files over networks without adequate encryption or authentication. Many teleradiology systems have weak security controls, lack audit logging, and don't verify radiologist identity. International teleradiology introduces data sovereignty complications. Files may be transmitted over unsecured internet connections.

Likelihood: Very Likely
Penalty Range: $280,000 - $450,000
Mitigation Steps
  • Use HIPAA-compliant teleradiology platforms with end-to-end encryption and radiologist authentication; verify Business Associate Agreements
  • Configure VPN for all teleradiology transmission; implement audit logging showing what images were transmitted to which radiologists
  • Verify radiologist credentials and licensing before transmission; maintain records of all teleradiology transmissions
Real-World Example:
Teleradiology service transmitted unencrypted DICOM files; transmission intercepted; 15,000 imaging studies from 5 practices exposed; settlement: $350,000 per practice.
Unencrypted CD/USB Image Distribution
Critical

Radiology practices distribute DICOM images to patients and referring providers on unencrypted CDs or USBs containing patient identifiers. Discs/drives frequently become lost, stolen, or misdirected. Patients receive unencrypted media accessible to family members. No verification that recipients received correct media.

Likelihood: Very Likely
Penalty Range: $200,000 - $350,000
Mitigation Steps
  • Encrypt all CDs/USBs with AES-256; require password protection and use individual encryption keys for each distribution
  • Use secure online portal or encrypted email for image transfer; minimize CD/USB distribution to only patients without portal access
  • Document delivery tracking and recipient verification; maintain records of delivered media and confirmation of receipt
OCR Enforcement Reference:
Radiology practice lost unencrypted CD with 200+ patient imaging studies; CD discovered in mailroom belonging to different patient; settlement: $285,000.
Inadequate PACS Access Controls
High

PACS systems with poor access controls allow radiologists and staff to access all imaging studies regardless of clinical need. Shared login credentials prevent proper audit trails. Technicians access diagnostic images without justification. No automatic logout or session timeout configured.

Likelihood: Very Likely
Penalty Range: $150,000 - $260,000
Mitigation Steps
  • Implement role-based PACS access limiting technicians to prep/QA functions; restrict diagnostic review to authorized radiologists
  • Require unique login credentials for each user; configure automatic logout after 15 minutes inactivity
  • Monitor access logs daily for unusual patterns; investigate and document access outside normal scope
Real-World Example:
PACS audit revealed technician accessed 5,000+ diagnostic studies without clinical need; settlement: $190,000.
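The mitigation steps above (role-based access, unique credentials, daily log review for unusual patterns) translate into three concrete checks over a PACS audit export. The following is an added example written for this guide, not Medcurity's or any PACS vendor's code: the CSV-style log format, the role-to-action mapping, the daily study baselines and the ten-minute shared-credential window are all constructed assumptions, and the sample log is fabricated to contain one instance of each pattern, including a bulk-access case like the technician in the example above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: PACS actions each role may perform. Technicians are limited
# to prep/QA work; diagnostic review is reserved for radiologists.
ROLE_PERMISSIONS = {
    "radiologist": {"PREP", "QA_VIEW", "DIAGNOSTIC_VIEW", "REPORT_SIGN"},
    "technician": {"PREP", "QA_VIEW"},
}
# Constructed baselines of distinct studies per user per day; tune from real history.
DAILY_STUDY_BASELINE = {"radiologist": 400, "technician": 50}
# One account active from two source addresses this close together suggests sharing.
SHARED_CREDENTIAL_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse constructed 'timestamp,user,role,action,study_uid,src_ip' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, action, study, src_ip = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "study": study, "src_ip": src_ip})
    return events


def find_role_violations(events):
    """Actions outside the role's permitted set (e.g. technician opening diagnostic review)."""
    return [e for e in events if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set())]


def find_shared_credentials(events):
    """Accounts used from two different source IPs within SHARED_CREDENTIAL_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = set()
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > SHARED_CREDENTIAL_WINDOW:
                    break
                if a["src_ip"] != b["src_ip"]:
                    findings.add((user, *sorted((a["src_ip"], b["src_ip"]))))
    return sorted(findings)


def find_volume_anomalies(events):
    """Users whose distinct-study count for one day exceeds the role baseline."""
    studies = defaultdict(set)
    for e in events:
        studies[(e["user"], e["role"], e["ts"].date())].add(e["study"])
    return [(u, r, d.isoformat(), len(s)) for (u, r, d), s in sorted(studies.items())
            if len(s) > DAILY_STUDY_BASELINE.get(r, 0)]


def review(text):
    """Run all three checks over a log export; each finding is something to investigate."""
    events = parse_log(text)
    return {
        "role_violations": [(e["user"], e["action"], e["study"])
                            for e in find_role_violations(events)],
        "shared_credentials": find_shared_credentials(events),
        "volume_anomalies": find_volume_anomalies(events),
    }


def build_sample_log():
    """Constructed audit export: routine work plus one instance of each pattern."""
    t0 = datetime(2024, 3, 4, 8, 0)

    def row(minute, *fields):
        return f"{(t0 + timedelta(minutes=minute)).isoformat()}," + ",".join(fields)

    lines = ["# timestamp,user,role,action,study_uid,src_ip"]
    lines += [row(i, "dr.lee", "radiologist", "DIAGNOSTIC_VIEW", f"ST{i:04d}", "10.0.1.20")
              for i in range(5)]                                   # normal reading
    lines.append(row(7, "tech.ann", "technician", "DIAGNOSTIC_VIEW", "ST0002", "10.0.2.31"))
    lines.append(row(9, "rad.shared", "radiologist", "DIAGNOSTIC_VIEW", "ST0003", "10.0.1.21"))
    lines.append(row(12, "rad.shared", "radiologist", "DIAGNOSTIC_VIEW", "ST0004", "10.0.1.22"))
    lines += [row(30 + i, "tech.bob", "technician", "QA_VIEW", f"ST{100 + i:04d}", "10.0.2.40")
              for i in range(60)]                                  # bulk access
    return "\n".join(lines)
```

Each finding type maps back to one control: a role violation means the PACS permission model is not enforcing the policy, a shared-credential hit means the audit trail cannot attribute access to a person, and a volume anomaly is the "access outside normal scope" that the daily review is meant to catch and document.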
Unsecured Radiologist Workstation Access
High

Radiologist workstations frequently lack proper authentication, encryption, or automatic logout. Workstations are left unattended with active sessions. Multiple radiologists share workstations. Workstation screens are visible to clinic staff and visitors. Patient images remain displayed on unattended screens.

Likelihood: Likely
Penalty Range: $130,000 - $230,000
Mitigation Steps
  • Configure automatic logout for all workstations after 5 minutes inactivity; require password re-entry to resume work
  • Install privacy screens on radiologist workstations; position screens to prevent visibility from hallways and non-clinical areas
  • Implement workstation access logging; conduct quarterly audits of access patterns and unusual logins
Real-World Example:
Clinic staff member viewed unattended radiologist workstation showing patient imaging; discovered sensitive oncology diagnoses; privacy complaint and settlement: $155,000.
Unverified Cloud-Based Image Storage
High

Radiology practices increasingly use cloud-based image storage without verifying HIPAA compliance or security controls. Cloud vendors may lack encryption, audit logging, or security certifications. Data residency and access controls by cloud providers are unclear. Vendor breaches expose images across multiple practices.

Likelihood: Likely
Penalty Range: $160,000 - $280,000
Mitigation Steps
  • Verify HIPAA compliance before cloud vendor selection; require signed Business Associate Agreements with liability provisions
  • Conduct annual vendor security assessments; verify SOC 2 Type II certifications and encryption implementation
  • Maintain local backup copies of all imaging data; establish procedures for rapid vendor breach response
Real-World Example:
Cloud imaging vendor experienced breach affecting 30 radiology practices; 2 million imaging studies exposed; OCR held each practice liable for vendor oversight inadequacy; average settlement: $220,000.
Inadequate Image Archiving and Retention
Medium

Radiology archives often retain images indefinitely without documented retention policies or deletion procedures. Old images remain accessible long after clinical need. Archive media may not be encrypted or properly secured. No procedures exist for secure disposal of archived imaging data.

Likelihood: Possible
Penalty Range: $110,000 - $190,000
Mitigation Steps
  • Establish written image retention policy aligned with state law and clinical requirements; implement automatic deletion timelines in PACS
  • Encrypt all archived imaging data; maintain separate encrypted archive storage with restricted access
  • Conduct quarterly archive reviews and deletion verification; maintain certificates of destruction for deleted imaging data
Real-World Example:
Radiology archive stored images from closed patient records for 15+ years without retention justification; settlement: $125,000.
Misdirected Radiology Reports and Image Transmission
High

Radiology reports are frequently faxed to referring providers without encryption, verification of recipient numbers, or delivery confirmation. Reports contain patient identifiers and detailed diagnostic findings. Faxes are frequently misdirected to wrong providers. Electronic report transmission to portals or email lacks encryption.

Likelihood: Likely
Penalty Range: $120,000 - $210,000
Mitigation Steps
  • Use secure fax services with encryption and delivery confirmation; maintain verified provider fax number directory
  • Transmit reports via encrypted email or secure portal when possible; verify recipient identity before transmission
  • Confirm successful delivery of all reports; investigate and document all misdirected fax incidents
Real-World Example:
Radiology report faxed to wrong provider; patient cancer diagnosis exposed; settlement: $165,000.
Inadequate Staff Training on Imaging Data Sensitivity
Medium

Radiology staff often lack training on appropriate imaging data handling, confidentiality obligations, and security protocols. Technicians don't understand access restrictions. Staff discuss patient imaging findings casually. CD/USB distribution procedures are followed without understanding privacy implications.

Likelihood: Likely
Penalty Range: $100,000 - $175,000
Mitigation Steps
  • Develop imaging-specific HIPAA training addressing DICOM sensitivity, PACS access controls, and report distribution procedures
  • Include competency assessment with quiz; conduct annual refresher training with documentation
  • Implement role-specific training for technicians, radiologists, and administrative staff
Real-World Example:
Technician discussed patient's oncology imaging results in break room within patient earshot; privacy complaint and settlement: $115,000.
Inadequate Vendor and Third-Party Risk Management
Medium

Radiology uses multiple vendors (PACS, teleradiology, archiving, cloud storage) often without proper Business Associate Agreements or security verification. Vendors may lack HIPAA compliance. Vendor breaches expose images from multiple practices. No vendor monitoring procedures exist.

Likelihood: Likely
Penalty Range: $130,000 - $220,000
Mitigation Steps
  • Execute Business Associate Agreements with all vendors accessing imaging data; verify HIPAA liability and breach notification obligations
  • Conduct annual vendor security assessments; verify SOC 2 certifications and encryption implementations
  • Monitor vendor security announcements; maintain contacts for breach notifications
Real-World Example:
PACS vendor experienced breach affecting 40 radiology practices; 5 million imaging studies exposed; OCR investigated all practices for vendor oversight; average settlement: $200,000 per practice.
Inadequate Incident Response for Imaging Data Breaches
Medium

Radiology practices often lack documented incident response procedures for imaging data breaches. When DICOM breaches occur, investigation is ad hoc. Affected patients may not be notified in a timely manner. No procedures exist for HHS or media notification. The scale of imaging data breaches is often underestimated.

Likelihood: Possible
Penalty Range: $110,000 - $190,000
Mitigation Steps
  • Develop written incident response plan addressing imaging data breach investigation and patient notification procedures
  • Conduct annual breach simulation exercises; test notification timelines and documentation procedures
  • Notify HHS and affected patients within required timelines; maintain documentation of all notifications
Real-World Example:
Radiology practice discovered DICOM breach but delayed notification 6 months; OCR assessed additional penalties for delayed notification; total settlement: $280,000.
Total Estimated Risk Exposure Calculator
Maximum Combined Penalty Range Across All Top 10 Risks
$1,805,000
Based on aggregated penalty ranges. Large-volume radiology practices and multi-location groups face significantly higher exposure. Imaging data breaches affecting thousands of studies can exceed these amounts.
Get Your Comprehensive Security Risk Analysis
Medcurity security experts will evaluate your radiology practice's DICOM security, PACS access controls, teleradiology infrastructure, vendor management, and incident response procedures, providing a prioritized remediation roadmap.