
HIPAA Compliance in Teleradiology: What Facilities Must Know
Key takeaways
- Teleradiology handles protected health information (PHI), so HIPAA applies to both the facility and the provider.
- A teleradiology provider is a business associate and must sign a Business Associate Agreement (BAA) before accessing any PHI.
- HIPAA requires administrative, physical, and technical safeguards, including access controls, encryption in transit, and audit logging.
- Reading radiologists must also be licensed in the patient's state and credentialed at the facility.
HIPAA compliance in teleradiology means handling protected health information (PHI), such as images, patient identifiers, and reports, under the safeguards required by the HIPAA Privacy and Security Rules. Because teleradiology providers create, receive, or transmit PHI on behalf of a facility, they are business associates, and HIPAA applies to them directly.
For a facility, the practical takeaway is simple: never grant a teleradiology or PACS-support provider access to PHI without a signed Business Associate Agreement and verified safeguards.
What is a Business Associate Agreement (BAA)?
A Business Associate Agreement is the HIPAA-required contract that defines how a provider may use and protect PHI on the facility's behalf. It establishes permitted uses, safeguard obligations, breach-notification duties, and what happens to PHI when the relationship ends. The BAA must be executed before any PHI access, not after go-live.
What safeguards does HIPAA require in teleradiology?
| Safeguard type | Examples in teleradiology |
|---|---|
| Administrative | Access management, workforce training, risk analysis, and documented policies |
| Physical | Controlled access to workstations and facilities where PHI is viewed |
| Technical | Unique user access, encryption of data in transit, and audit logging of activity |
How is PHI protected during transmission?
- Studies and reports are transmitted over secure, encrypted connections
- Access is limited to authorized users with unique credentials
- Activity is logged so access and relays can be audited
- Work is performed inside the facility's PACS using roles the facility's IT team controls
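The controls in the list above (unique credentials, encrypted transport, audit logging, and no PHI access until the BAA is in force) are only useful if someone actually reviews the logs against them. The script below is an added illustration, not code from this page or from RadAssistPro: it parses a small set of constructed PACS access-log lines and reports which study accesses violate each control. The log line format, the field names, the BAA roster, the account names, and the list of "shared" logins are all assumptions made for the example; a real PACS writes its own log format, so the regular expression and the roster would need to be adapted.

```python
"""Audit constructed PACS access-log lines against the technical controls a
BAA-backed teleradiology arrangement is expected to have. Added example; the
log format, roster and account names are hypothetical, not any product's."""
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed log line shape: "<iso timestamp> user=.. role=.. action=.. study=.. transport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"study=(?P<study>\S+) transport=(?P<transport>\S+)$"
)

# Hypothetical roster: users covered by a signed BAA -> date the BAA took effect.
# Any user not listed here has no contractual basis for touching PHI.
BAA_ROSTER = {
    "rad.smith": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "rad.jones": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "rad.lee": datetime(2024, 6, 1, tzinfo=timezone.utc),  # BAA not yet effective in May 2024
    "it.admin": datetime(2023, 1, 1, tzinfo=timezone.utc),
}
# Constructed list of generic logins that defeat the "unique user access" control.
SHARED_ACCOUNTS = {"shared_reading"}
ENCRYPTED_TRANSPORTS = {"tls1.2", "tls1.3"}
PHI_ACTIONS = {"VIEW", "EXPORT", "PRINT"}  # actions that expose images or reports

# Constructed sample log (not real patient data).
SAMPLE_LOG = """\
2024-05-01T08:00:12Z user=rad.smith role=teleradiologist action=VIEW study=ST-1001 transport=tls1.2
2024-05-01T08:03:40Z user=shared_reading role=teleradiologist action=VIEW study=ST-1002 transport=tls1.2
2024-05-01T08:05:09Z user=rad.jones role=teleradiologist action=EXPORT study=ST-1003 transport=plain
2024-05-01T08:07:55Z user=it.admin role=pacs_admin action=ROLE_CHANGE study=- transport=tls1.3
2024-05-01T08:10:31Z user=rad.unknown role=teleradiologist action=VIEW study=ST-1004 transport=tls1.2
2024-05-01T08:12:02Z user=rad.lee role=teleradiologist action=VIEW study=ST-1005 transport=tls1.2
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Accept a trailing "Z" on older Pythons by rewriting it as an explicit offset.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def audit(log_text, roster=BAA_ROSTER):
    """Return a list of (finding_kind, study, detail) tuples for PHI accesses
    that violate a control. Non-PHI actions (e.g. role changes) are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("UNPARSEABLE", "-", line))
            continue
        if rec["action"] not in PHI_ACTIONS:
            continue
        user, study = rec["user"], rec["study"]
        # Identity controls: one finding per access, most specific first.
        if user in SHARED_ACCOUNTS:
            findings.append(("SHARED_ACCOUNT", study, user))
        elif user not in roster:
            findings.append(("NOT_ON_BAA_ROSTER", study, user))
        elif rec["ts"] < roster[user]:
            findings.append(("ACCESS_BEFORE_BAA", study, user))
        # Transport control is independent of who accessed the study.
        if rec["transport"] not in ENCRYPTED_TRANSPORTS:
            findings.append(("UNENCRYPTED_TRANSPORT", study, rec["transport"]))
    return findings


def summarize(findings):
    """Count findings by kind, handy for a periodic compliance report."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for kind, study, detail in results:
        print(f"{kind:22} study={study:8} {detail}")
    print(dict(summarize(results)))
```

Run as-is it reports four problems in the sample: a shared login viewing ST-1002, an export of ST-1003 over an unencrypted channel, a user with no BAA coverage viewing ST-1004, and a user whose BAA is not yet effective viewing ST-1005. The legitimate read of ST-1001 and the administrator's role change produce nothing, which is the point of keeping the checks tied to PHI-exposing actions rather than to every log line.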
Teleradiology HIPAA compliance checklist
1. Signed BAA executed before any PHI access
2. Radiologists licensed in the state where the patient is located
3. Facility credentialing and privileging (credentialing by proxy for hospitals)
4. Encrypted transmission and unique user access controls
5. Audit logging of study access and critical-results relay
6. Documented breach-notification and incident-response process
7. Work performed inside your PACS with IT-controlled roles
For how these requirements fit into onboarding, see what is teleradiology, and for the operational documentation side, see critical results reporting in radiology.
About the author
RadAssistPro Clinical Operations
PACS Administration & Teleradiology Operations
The RadAssistPro clinical operations team supports U.S. radiology groups, imaging centers, and hospital networks with virtual PACS administration and preliminary teleradiology coverage that runs inside their existing PACS. The guidance on this page reflects real onboarding, relay, and turnaround-time workflows the team runs across supported facilities.