# HIPAA Compliance Checklist for Teleradiology: What Imaging Centers Need to Know

Reviewed by board-certified radiologists

When an imaging center outsources radiology reads, it creates a business associate relationship under HIPAA. The teleradiology provider becomes a Business Associate (BA) with legal obligations for the security of PHI (Protected Health Information) and for breach notification. Getting this wrong exposes your center to HIPAA enforcement action, which can include fines of up to $1.9 million per violation category per year.

## The HIPAA Business Associate Agreement (BAA) Checklist

- BAA must be signed before any PHI transfer: No PHI should ever be transmitted to a teleradiology provider without a fully executed BAA. This is a non-negotiable HIPAA requirement for covered entities.
- BAA must contain all required elements: HIPAA specifies the provisions a BAA must include: the permitted uses and disclosures of PHI, the obligation to safeguard PHI, breach notification requirements, return or destruction of PHI upon contract termination, and compliance with the HIPAA Security Rule.
- BAA must cover subcontractors: If your teleradiology provider uses subcontractors who access PHI (e.g., data hosting, IT support), those subcontractors must also have BAAs in place. Ask for written confirmation.

## HIPAA Security Rule Requirements for Teleradiology

| Safeguard Category | Specific Requirements | What to Ask Your Provider |
|---|---|---|
| Technical Safeguards | Encryption in transit and at rest, access controls, audit controls | What encryption standards? TLS 1.2+? AES-256 at rest? |
| Physical Safeguards | Data center physical security, workstation controls | Where is PHI stored? US-only? SOC2 certified data center? |
| Administrative Safeguards | Risk analysis, workforce training, incident response | When was last risk assessment? Annual HIPAA training for staff? |
| Organizational Requirements | BAA with all BAs, policies and procedures | Do they have written HIPAA policies? Can you review them? |

## Breach Notification: What Your Teleradiology Partner Must Do

Under HIPAA's Breach Notification Rule, your teleradiology provider (as your Business Associate) must notify you of any PHI breach without unreasonable delay, and no later than 60 days after discovering it. The notification must include the date and nature of the breach, the PHI involved, the steps the provider has taken to mitigate it, and what individuals did to cause the breach. You then have your own notification obligations to the affected individuals and, depending on the size of the breach, potentially to HHS and the media.

## State Licensing Compliance

HIPAA is federal law, but state medical practice acts govern teleradiology as a medical service. Radiologists must be licensed in the state where the patient is located at the time of the study, not in the state where the radiologist is sitting. Confirm that your teleradiology provider's radiologists hold current, active licenses in your state, and ask for license documentation before go-live.

## Natoe AI's HIPAA Compliance Posture

Natoe AI signs BAAs with all imaging center partners, maintains SOC 2 Type II certification, stores all PHI in US-based data centers, conducts annual HIPAA risk assessments, and provides breach notification within the required timeframes. Our compliance documentation is available for review prior to contract execution.