June 1, 2020
News > HIPAA compliance and PHI protection in imaging

HIPAA compliance and PHI protection in imaging

June 1, 2020

HIPAA compliance

HIPAA compliance is an existential issue for medical businesses, especially if they use special-purpose software and mobile applications (e.g. mobile imaging operators). HIPAA (Health Insurance Portability and Accountability Act), adopted in 1996, includes a set of legal requirements for protecting sensitive patient information from unauthorized access or leakage. Medical institutions, their staff, and software they use must meet the criteria of physical, network, and process security. Today we will review a few common security tools used to protect data exchange in imaging diagnostics.

TLS (Transport Layer Security) is an encryption protocol that provides secure data communication between network nodes. It is widely used in web-based applications, as well as email and instant messengers. The primary function of this protocol is to prevent unauthorized access and traffic analyzing via so-called “sniffers.” This protection feature can be used in teleradiology to ensure the secure transmission of sensitive patient data, such as medical images. The DICOM protocol commonly used in medical imaging does not originally use TLS, although the relations between DICOM and TLS are specified in DICOM standards. So, to provide secure communication, you can hire an IT expert to “stream” your DICOM connection through TLS or find a ready-made solution.

SFTP (Security File Transfer Protocol) is a file exchange protocol, which is more secure than basic FTP. The underlying technology, SSH (Secure Shell), is a reliable and secure way of connecting two remote systems to exchange commands and data. The linked systems use authorization to “recognize” each other before they start sharing any information. For example, if two facilities need to exchange medical data, such as reports, progress notes, or images, then using SFTP is a reasonable and simple solution. If the two systems use different standards (e.g. HL7 and DICOM), it may require a lot of data mapping and format conversion work, but SFTP certainly does its job as a file exchange means.

Direct messaging (also known as Direct Exchange or simply Direct) is a special-purpose encrypted protocol for exchanging medical information in the form of text messages and attached files. It is similar to web-based email, however, there are some crucial differences. It is managed by specialized providers – HISP (Health Internet Service Providers), cannot be accessed by non-Direct users, and has some additional tools. Being an integrated feature of modern EHR systems, it is user-friendly, standardized, and HIPAA compliant.

Text messaging is used by many healthcare providers to communicate with each other and their patients. It’s quick, easy, and convenient, however, if text messaging contains a patient’s protected health information (PHI), certain considerations must be taken into account.

VPN (Virtual Private Network) technology is widely used in various industries. As for imaging diagnostics, VPN can provide encrypted links between, for example, a PACS server and a remote client. Currently, a lot of providers claim that their services are secure enough and meet the requirements of the healthcare industry. Some experts consider such networks safe and entirely HIPAA compliant. However, VPN users stay provider-dependent, even if the connection is encrypted strongly enough.

These are the most common tools for keeping protected patient information secure. We could also mention end-to-end encrypted messengers, PGP, and more. Besides, you can get the ultimate solution, which combines multiple protection features and helps you stay 100% HIPAA compliant.

And does HIPAA compliance guarantee complete security? Technically, it doesn’t, although the requirements are strict and sophisticated. However, the damage may be too severe if you ignore them and use open email networks instead. We use those every day for common communication, and the probability of leakage is relatively low. But when it comes to patient information, even a single case of unauthorized access may turn out to be a costly matter. The overall penalties for each violation amount up to $1.5 million per year (while fines typically range from $100 to $50,000). So, you can analyze the financial risks and compare them to the costs of security tools.