The Health Insurance Portability and Accountability Act (HIPAA) represents one of the most challenging operational initiatives most radiology professionals will encounter in their careers. HIPAA is often vague, primarily because the regulations were written for such a broad spectrum of health care entities: from insurance companies and the largest health care systems in the country to small medical or dental practices.

With compliance deadlines now weeks away (in terms of Privacy Standards) and months away for the Transactions and Code Sets Standards (TCS), HIPAA is no longer something that will eventually have to be dealt with, but has risen to priority status.


HIPAA is about information, specifically protected health information (PHI), and how it is created, secured, shared (between entities, departments, and other health care professionals, and for non-health care purposes), stored, and destroyed. As health care providers, radiology groups are covered entities and, therefore, held responsible for adequately protecting PHI, although there are allowances for “reasonable” variations in implementation. While the concept of reasonable is intended to provide flexibility, what counts as reasonable will vary with practice size and configuration, which often makes it harder to decide how HIPAA should be implemented in particular operational processes.

Unlike fraud and abuse compliance programs, which are voluntary, HIPAA is mandatory for groups using electronic data transmissions, with strict time frames and penalties for noncompliance. While many groups filed applications for extensions with the Centers for Medicare & Medicaid Services (CMS) and were granted a 1-year reprieve in terms of the Transactions and Code Sets Standards, the government has been firm with the April 14, 2003, deadline for implementation of the Privacy Standards.


There is no definition of a typical radiology group and, therefore, no cookie-cutter solution for compliance. The complexity of implementation will vary with the size and configuration of the particular practice, and the radiology professional is left with the challenge of working through a complicated series of processes and determining how and where they must be adapted to comply with HIPAA.

HIPAA impacts virtually every aspect of the radiology practice, including:

  • Hospital/radiology group interactions
  • Imaging center operations
  • Patient interactions, including those via the practice web site
  • Billing and collections
  • Facility design
  • Documentation
  • Teleradiology coverage

Because of a radiology group’s various contractual relationships, it is often difficult to determine who assumes primary responsibility for HIPAA compliance in particular situations or processes. Who leads and who follows?

One of the first tasks then is to define the group’s configuration and begin to communicate with the other entities to clarify expectations and responsibilities as follows:

  • When is the group in charge of developing the compliance plan and when will it instead be expected to comply with elements of another entity’s plan?
  • In which cases is primary responsibility for HIPAA not clear?
  • What kinds of communications mechanisms need to be established between the parties for HIPAA-related problems?
  • When does a business associate relationship exist between the parties?


An example of a simple radiology practice might involve a hospital-based group serving one hospital and using a billing service. If the group is in compliance with the hospital’s plan and the billing service covers the security of PHI during billing and collection processes, does the group still need its own HIPAA compliance plan? According to legal experts, the answer is yes, since the group still needs to demonstrate its compliance with the HIPAA regulations.

Again, HIPAA requires the documentation of formal policies and procedures so the group cannot simply state it works within the compliance plans of the other entities. Operationally, the practice must confirm how and when it is expected to work within hospital procedures. It would also need to work with the hospital to develop a joint Notice of Privacy Practices, which is allowed when covered entities are part of an Organized Health Care Arrangement (OHCA). (However, the group cannot automatically assume its inclusion in the notice and needs to work with the hospital to identify the scope of PHI uses and disclosures.)

On the other hand, the billing service is responsible for complying with the HIPAA standards for electronic transactions, along with the privacy and security of the information used in the billing process. Questions arise, however, in terms of which procedures are included in the scope of the billing service contract and which will not be covered. A number of billing services have announced they do not plan to include the group’s HIPAA compliance in their normal scope of services. In some cases, the billing service may charge an additional fee for HIPAA compliance services and, in others, will expect the practice to assume responsibility. It is important to determine and document each of these details in the HIPAA plan.


Rather than assuming only the largest radiology groups in the country would qualify as complex practices, the designation instead depends on the number of locations, contractual relationships, and processes involved. For example, a complex group often covers multiple hospitals, sometimes in different health care systems, and, to further complicate things, those hospitals may be in different states. It is also not unusual for coverage to encompass a broad geographic area, as in a rural regional health care setting, with coverage provided via teleradiology for smaller hospital sites that cannot justify a full-time radiologist.

The group may own its own imaging center(s) or partner with a hospital or other entity in ownership, maintaining contracts for both professional interpretation and management. In other cases, the group provides professional services for an independent diagnostic testing facility (IDTF) and may have medical director or management roles in these situations.

The complex group may also have an in-house billing department and, occasionally, provide billing services to other health care entities as well.

As expected, the flow of PHI and responsibility for ensuring its protection become more difficult as the configuration of the practice expands to include multiple legal entities, sites of services, and functional areas. In some cases, multiple parties are responsible for overlapping processes and it will not always be clear who should take the lead. For example, assume the IDTF has an on-site transcriber but contracts to use the radiology group’s dictation system. Reports are sent to the radiologists for approval and electronic signature on remote workstations since their schedule rotates them through facilities. Preliminary and final report copies are autofaxed to referring physicians by the transcriber. Responsibility for ensuring the protection of PHI is therefore shared by the two legal entities and various employees involved. Rather than each assuming the other has taken care of HIPAA compliance, it will be important for them to meet, walk through the processes, agree on procedures, and document their assumptions and conclusions in their respective HIPAA plans.

Because the communications needs of these practices are more complex, they are more likely to rely upon communications networks that link radiology information systems, billing software, and image transmission technology (PACS/teleradiology). The group is also more likely to rely upon hospital demographic downloads, electronic claims submission and remittance, autofax capabilities, and remote referring physician (reports and images) or patient access (billing records) to information via a web site. When addressing the challenges of maintaining qualified employees and controlling administrative overhead, they also tend to seek innovative staffing solutions by outsourcing functions and/or offering employees the opportunity to work from home.

In the complex practice configuration, the process of documenting information flow alone can be daunting as PHI moves between legal entities, sites of service, and departments. HIPAA becomes not only an intellectual exercise, but a test of will.


In all radiology practices, those with administrative responsibilities (those who will also be held responsible for HIPAA) wear multiple hats, so the implementation committee is more about ensuring the representation of functional areas rather than job titles or even employee status. For example, a billing service may provide contracting, credentialing, and records retention functions for a group that has no non-physician employees. The group may also outsource management functions and lease employees for an imaging center or to provide certain support services.

Beginning with our early assumption that there is no typical radiology group, the HIPAA team will be gathered from a variety of resources, but should ensure the inclusion of key functional areas that include, but are not limited to, the following:

Administration/operations. This category includes a broad range of functions, such as contracting, human resources, operational oversight, and regulatory compliance. These various positions may be covered by one person in some practices and by multiple management layers in others. In some cases, one or more aspects may be outsourced so the exact composition of representation at the HIPAA planning table will vary. However, examples of administrative functional areas to be included involve contracting (for the identification and coordination of Business Associate agreements) and human resources in terms of the modification of job descriptions (to include access authorization and security responsibilities), hiring and firing procedures, and training.

Billing and collections. From the point of information acquisition, which will require coordination with the hospital, to electronic claims submission and remittance, which will involve working with the software vendor, clearinghouse, payors, collection agency, and outsourced vendors, there are numerous tasks and nuances involved in billing and collections functions. Whether billing functions are handled in-house or through a billing service, the group has a responsibility to ensure that PHI is adequately secured and needs to document the players, as well as policies and procedures.

Site managers. Managers of imaging center sites will be responsible for patient flow, including policies and procedures specific to patient scheduling, registration, and completion of the examination. These processes will, along the way, involve communications between staff members, with patients, with referring physicians, and among other health care professionals (technologists and radiologists at a minimum). In terms of the outpatient imaging center, HIPAA will impact the communication of PHI in all forms, whether electronic, on paper, or oral. Patients are likely to know they have new rights, but will not know the details, so there will be new on-site situations to resolve.

Technologists. Technologists frequently have the most one-on-one time with patients, along with extensive communications responsibilities that include other staff members, the patients themselves, radiologists, and, often, referring physicians. They are apt to be the most knowledgeable regarding problems and bottlenecks in patient flow and, therefore, are on the front lines of key risk areas.

Medical directors. While medical directors are more apt to provide oversight rather than assuming direct responsibility for many HIPAA functions, their involvement is critical since they are likely to be assigned liability if processes fail. Assuming the medical director also is likely to be a radiologist, there will be a number of PHI communications functions under his or her purview. In addition, obtaining the support of and correcting the behavior of colleagues will be critical.

Information services. Whether information services functions are in-house or outsourced, this is one of the most logical areas for inclusion, not only for networks, teleradiology/PACS, firewalls, virus protection, and related security issues, but also for input regarding hospital downloads, off-site system access (to and from remote locations), and development and implementation of policies and procedures. The latter need to include password management, email policies, access, and authorization and termination of access rights, to name a few.

Nonmanagement staff members. HIPAA is not a “management thing,” and attempts to develop a plan without including input from people who perform key data-related functions are apt to fail. Those involved in such tasks as data acquisition, patient scheduling and registration, medical records/film tracking, answering patient billing questions, and private pay collections need to be involved at least in meetings when their areas are under discussion. This group should also include those involved in support areas such as transcription and courier services. Those who actually do the work on a daily basis need to help develop documentation of work flow, should review proposed procedures and training materials, and should be asked, “What could go wrong here?” or “What did we miss?” at regular intervals.

Again, depending on the practice configuration and specific problems presented, the list of participants on the HIPAA team will vary.


The expectations of HIPAA are vast and the consequences for failure to comply go far beyond associated financial penalties. Achieving the required level of cultural change is likely to be HIPAA’s greatest challenge as approximately 200 new policies and procedures are introduced and a new way of thinking about our work is demanded.

HIPAA Resources

Additional information regarding the Health Insurance Portability and Accountability Act can be found at the following Web sites.

1. HIPAA General Information (CMS home page; site sponsored by HIMSS and Phoenix Health Systems)

2. The Privacy Rule (original regulations; revised and final regulations; Office of Civil Rights; HHS fact sheet; Privacy Officer)

3. Transactions and Code Sets Rule (AHIMA Transactions and Code Sets article; HHS/CMS; CMS; WEDi/SNIP; Tips for the Physicians Office)

For those practices that have not yet begun working on their compliance plans, the weeks and months ahead will be stressful and taxing to staff morale. The introduction of the Privacy Standards promises to be especially challenging, since they represent the first introduction to the new world of HIPAA and they are complex, not well suited to radiology operations, and will be difficult for the staff to remember.

Groups that have begun work on their compliance plans have also discovered the frustration that accompanies solving one question only to uncover three more in the process. As a specialty, we must continue an ongoing dialogue to identify what is reasonable for radiology as well as to share solutions for common problems.

In conclusion, here are some final recommendations to facilitate HIPAA implementation:

A. Encourage the staff to “practice” HIPAA by letting them know what is ahead and making them more observant of their work, interactions with patients, and where they see problems occurring. Make sure comments and observations are included in regular staff meetings and begin the educational process well before the compliance date.

B. Begin introducing aspects of the plan as they are completed. Waiting until the plan is “done” and introducing it all at once at or near the compliance deadline will increase staff frustration and increase the risk of errors and patient complaints.

C. Make sure those assigned responsibility for plan development have the resources they need, whether that means scheduling uninterrupted blocks of time each day, hiring additional personnel, approving the purchase of resource materials, or outsourcing aspects of the plan that require particular expertise and/or provide for the addition of temporary staff support.

D. Recognize that HIPAA will continue to evolve. Solutions that make sense today may be changed by new guidelines tomorrow. HIPAA compliance will demand that we are students of the regulations and emerging interpretations, so the need for appropriate resources does not end once the plan is written and in place.

E. Ensure open lines of communications once the plan has been introduced. We are facing several years of change and it is human nature to resist and seek solace in the “old way” of doing things. Everyone in the practice will need to be able to discuss their frustrations, introduce new questions, and receive support.


As a medical specialty, radiology is quicker than others to embrace new technology and diagnostic advancements. Radiology has been a world of change for many years and, in that respect, should be better prepared to deal with HIPAA than many other colleagues in the health care profession. Some of us will be paying a price for procrastination at this moment, but we have met and accomplished the need for change in other areas so there is no reason to believe that HIPAA is beyond our mastery.

Patricia Kroken, FACMPE, is involved with the development of radiology-specific HIPAA information for the Radiology Business Management Association (RBMA) and is the author of numerous articles on radiology management topics. She is employed by Healthcare Resource Providers, LLC in Albuquerque, NM.