HIPAA Compliance in Teleradiology: What Facilities Must Know

By RadAssistPro Clinical Operations. Updated June 27, 2026. 8 min read.

Key takeaways

  • Teleradiology handles protected health information (PHI), so HIPAA applies to both the facility and the provider.
  • A teleradiology provider is a business associate and must sign a Business Associate Agreement (BAA) before accessing any PHI.
  • HIPAA requires administrative, physical, and technical safeguards, including access controls, encryption in transit, and audit logging.
  • Reading radiologists must also be licensed in the patient's state and credentialed at the facility.

HIPAA compliance in teleradiology means handling protected health information (PHI), such as images, patient identifiers, and reports, under the safeguards required by the HIPAA Privacy and Security Rules. Because teleradiology providers create, receive, or transmit PHI on behalf of a facility, they are business associates, and HIPAA applies to them directly.

For a facility, the practical takeaway is simple: never grant a teleradiology or PACS-support provider access to PHI without a signed Business Associate Agreement and verified safeguards.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is the HIPAA-required contract that defines how a provider may use and protect PHI on the facility's behalf. It establishes permitted uses, safeguard obligations, breach-notification duties, and what happens to PHI when the relationship ends. The BAA must be executed before any PHI access, not after go-live.

What safeguards does HIPAA require in teleradiology?

Safeguard type   Examples in teleradiology
Administrative   Access management, workforce training, risk analysis, and documented policies
Physical         Controlled access to workstations and facilities where PHI is viewed
Technical        Unique user access, encryption of data in transit, and audit logging of activity

How is PHI protected during transmission?

  • Studies and reports are transmitted over secure, encrypted connections
  • Access is limited to authorized users with unique credentials
  • Activity is logged so access and relays can be audited
  • Work is performed inside the facility's PACS using roles the facility's IT team controls

Teleradiology HIPAA compliance checklist

  1. Signed BAA executed before any PHI access
  2. Radiologists licensed in the state where the patient is located
  3. Facility credentialing and privileging (credentialing by proxy for hospitals)
  4. Encrypted transmission and unique user access controls
  5. Audit logging of study access and critical-results relay
  6. Documented breach-notification and incident-response process
  7. Work performed inside your PACS with IT-controlled roles

For how these requirements fit into onboarding, see "What is teleradiology?", and for the operational documentation side, see "Critical results reporting in radiology".

About the author

RadAssistPro Clinical Operations

PACS Administration & Teleradiology Operations

The RadAssistPro clinical operations team supports U.S. radiology groups, imaging centers, and hospital networks with virtual PACS administration and preliminary teleradiology coverage that runs inside their existing PACS. Guidance below reflects real onboarding, relay, and turnaround-time workflows the team runs across supported facilities.

Frequently asked questions

Does HIPAA apply to teleradiology?

Yes. Teleradiology involves creating, receiving, or transmitting protected health information, so HIPAA applies to both the facility and the provider. The provider is a business associate and must comply with the HIPAA Privacy and Security Rules.

Do teleradiology providers need a Business Associate Agreement?

Yes. A teleradiology or PACS-support provider is a business associate and must sign a Business Associate Agreement (BAA) before accessing any protected health information. The BAA defines permitted uses, safeguards, and breach-notification duties.

What security measures are required for HIPAA-compliant teleradiology?

HIPAA requires administrative, physical, and technical safeguards: access management and training, controlled physical access, unique user credentials, encryption of data in transit, and audit logging. Providers should also support licensure, credentialing, and documented critical-results communication.

Is teleradiology safe for patient data?

When a provider operates under a BAA with encrypted transmission, access controls, audit logging, and work performed inside the facility's PACS, teleradiology can be handled securely and in line with HIPAA. Facilities should verify these safeguards before granting access.
