Digital Images Meet the Law

As hospitals, imaging centers and group practices implement digital imaging technology, radiologists and specialists reading images and administrators and IT folks managing them tackle dozens of issues - from finances to IT decisions to staffing and training. The law also occupies a key place on that list. Leonard Berlin, MD, chairman of radiology at Rush North Shore Medical Center (Skokie, Ill.), notes, "It takes a while for the legal system to catch up with medical technology. The law hasn't caught up with digital radiology yet, but eventually it will."

One of the first areas where digital radiology and the law intersect is HIPAA. The HIPAA privacy rule that went into effect in 2003 did not specify any differences between conventional analog and digital images. The security rule, which goes into effect next April, will establish requirements for digital images and data (a.k.a. Electronic Protected Health Information or EPHI).

And the legal maneuvers don't end with HIPAA. Digital images present an entirely new breed. They don't degrade, and they can be manipulated to aid diagnosis. Consequently, conventional legal thinking about medical images and how they might apply in a lawsuit will change, predicts Berlin. Jeffery Drummond, a partner in the healthcare section of Jackson Walker LLP (Dallas), says digital image storage could come into play in some personal injury or medical malpractice lawsuits. Finally, there are contractual concerns to consider; contractual specifications and warranties can simplify the transition to digital.

Ultimately, healthcare facilities that understand and anticipate the legal ramifications of digital images can proactively plan for their impact, possibly avoiding lawsuits or costly fines.


HIPAA requirements are only beginning; a number of hospitals, imaging centers and private practitioners truly scrambled to meet the 2003 privacy rule. While meeting the next phase of HIPAA, the security rule, won't be a snap, it should be less arduous than coming up to speed on the privacy rule. For starters, the security rule is short, specific and easy to understand (unlike the privacy rule), says Jane Langdell, antitrust and trade regulation attorney with Sheppard, Mullin, Richter and Hampton LLP (Los Angeles). In a mere four pages, the security rule spells out administrative, technical and physical security safeguards and appropriate sanctions against healthcare providers that fail to comply with the rule. The rule also takes the size of an enterprise into account; requirements vary depending on the size of the provider.

Langdell recommends healthcare facilities prepare for the security rule by hiring a security officer. Depending on the size of the facility, the privacy officer might also serve as the security officer. The security officer's initial duties include:

  • Gathering information about the security rule and its requirements
  • Meeting with IT staff, security personnel and medical staff to brainstorm where electronic information resides and where it travels. This group will guide development of policies and procedures.
  • Making a detailed map of where images go and dealing methodically with each location. This includes storage processes, controlled access and password management.
  • Brainstorming catastrophic events such as earthquakes, theft and hackers - and developing contingency plans for catastrophic events.

Being sure the staff fully understands policies and procedures is key. "I can't stress enough the importance of not only training staff in policies and procedures, but also enforcing those policies and procedures," Langdell notes. "The best first line of defense if the Feds come knocking on your door is a great set of policies and procedures. But if your staff doesn't understand the policies and procedures and tapes passwords to computers [or commits other security breaches], your policies and procedures won't be very helpful."

The security rule stresses reasonable and appropriate measures, says Paul Smith, a partner with Davis, Wright and Tremaine LLP (San Francisco). For example, a radiology group transmitting images to outside specialists will need to credential that specialist into its system.

Most security requirements apply to radiologists reading images from home. A home workstation should be password-protected, and a professional quality firewall should be in place.

Smith concludes, "Mistakes and technical glitches, like sending an email with patient addresses in the header, will occur. Occasional breaches don't necessarily violate HIPAA. It is the lack of reasonable and appropriate security procedures that constitutes the breach [and may incur a financial penalty]."


HIPAA may be the first and most pressing legal issue for digital images, but it is not the last. Berlin explains, "Radiologists have always been subject to lawsuits if they miss a diagnosis on a hard-copy radiograph." But an analog x-ray is static; it can't be changed or manipulated. "An electronic image can be changed in a number of ways. Now, we're introducing a whole new litany of potential allegations stemming from a radiologist's failure to manipulate a digital image properly. I'm not aware that this has happened yet, but I suspect it will," continues Berlin.

Diane McKenzie, partner and chair of Neal, Gerber & Eisenberg's information technology group (Chicago), adds, "There's another wave of lawsuits that could come. PACS [and CAD] vendors provide software tools to digitally read films, which leads to a question. If a film is read digitally [with CAD], who is responsible for a missed diagnosis?" Most vendors' purchase agreements specify that the hospital and/or physician is responsible in such cases, since CAD is currently not intended as an exclusive image screener; instead, it assists radiologists in reading images by alerting them to algorithm-based abnormalities in the images. The best course of action is to understand the contract and avoid overreliance on CAD-assisted reads.


At this point, most state laws don't necessarily differentiate between storage of analog and digital images. While there is tremendous variability in requirements among states, generally Medicare requires hospitals retain images for four to six years. State laws set a statute of limitations on adult images, and pediatric images require lengthy storage periods that can range up to 25 years.

While state laws may not yet spell out specific storage requirements for digital images, digital image storage does present a bit of a legal conundrum. Drummond explains, "Film is inherently degradable. There also are fire risks and significant storage costs." In the digital world, storage is substantially cheaper, and image quality on older images can be near perfect.

This brings hospitals to a legal Catch-22, says Drummond. "If it's not expensive to retain images, a plaintiff's lawyer could question the hospital's failure to hold onto images." Drummond says, "I generally recommend that my clients hold onto both digital and conventional images for two years beyond the statute of limitations. That said, it is worthwhile to do a cost-benefit analysis of digital image storage." If it's economical to store digital images longer, that may be advisable.

McKenzie adds one more image storage and management point - most state laws revolve around the concept of an unalterable image. That is, the saved electronic image should contain some authentication for how it was made and that the saved image is the originally created image. McKenzie says, "For these reasons, many hospitals continue to store both old-fashioned film images as well as electronic images, but that will change in the future [as laws mature and catch up with technology]."

It is important to note that state laws vary widely, and hospitals need to refer to their specific state laws. The state bar association, medical board or health lawyers association can provide guidance, says Langdell. McKenzie adds that technology lawyers also are a good source of information about state laws.


With HIPAA stealing the spotlight, it might be easy for a hospital to overlook contractual issues when it comes to digital technology. That can be a costly error.

"The biggest issue I see is image clarity - what the hospital sees in a product demonstration is not necessarily the quality that will be achieved in a particular hospital on a particular server. This is not necessarily a vendor problem. It could be a configuration or equipment problem," says McKenzie. The best way to avoid this issue is by writing specifications in RFPs and soliciting warranties; if the hospital installs specific enabling technologies and image quality is not achieved, the vendor must fix the problem. In fact, integration among digital imaging systems is a key contractual issue.

Because digital technology requires a high level of integration among systems, acceptance testing is becoming more popular. McKenzie notes, "This is really critical with digital systems." A contract can specify a post-live test to ensure that the technology works well with other technologies. Typically, a certain percent of the purchase price is held until acceptance is achieved, providing the hospital a pseudo-guarantee.

Sunsetting of technology is another issue. Suppose a vendor decides to halt support for a PACS within a few months of purchase. The hospital is forced to procure a new system or pay a high premium for support. McKenzie says, "We typically put a provision in contracts that protects hospitals by limiting sunsetting."

McKenzie concludes, "A good healthcare technology lawyer will cover the bases. We've secured as many as 28 warranties in a license contract."


It's not quite HIPAA, but it's still critical. The Stark law is a federal statute that prohibits referral arrangements between physicians and hospitals with an economic relationship. The digital connection? Smith says, "Suppose a radiology group decides to implement PACS and give referring physicians a free computer to allow them to access the system. That's a violation of the Stark law." On the flip side, however, hospitals can give radiologists a free computer to tap into PACS because the radiologist does not refer patients to the hospital.


Digital imaging technology is a great step forward. While it is easy to focus on the benefits of digital imaging, it is important to understand the legal implications of digital radiography. The best advice?

  • Form a HIPAA security team to develop a thorough plan that addresses the next phase from every angle.
  • Consider potential legal challenges related to digital image storage and diagnosis. Develop a proactive plan to minimize legal risks.
  • Get the most out of your healthcare counsel by asking about all of the implications of your digital imaging purchase contracts. Ask the lawyer about specifications and warranties that best meet the needs of your site.