Digital Images Meet the Law

Twitter icon
Facebook icon
LinkedIn icon
e-mail icon
Google icon

As hospitals, imaging centers and group practices implement digital imaging technology, radiologists and specialists reading images and administrators and IT folks managing them tackle dozens of issues - from finances to IT decisions to staffing and training. The law also occupies a key place on that list. Leonard Berlin, MD, chairman of radiology at Rush North Shore Medical Center (Skokie, Ill.), notes, "It takes a while for the legal system to catch up with medical technology. The law hasn't caught up with digital radiology yet, but eventually it will."

One of the first areas where digital radiology and the law intersect is HIPAA. The HIPAA privacy rule that went into effect in 2003 did not specify any differences between conventional analog and digital images. The security rule, which goes into effect next April, will establish requirements for digital images and data (a.k.a. Electronic Protected Health Information or EPHI).

And the legal maneuvers don't end with HIPAA. Digital images present an entirely new breed. They don't degrade, and they can be manipulated to aid diagnosis. Consequently, conventional legal thinking about medical images and how they might apply in a lawsuit will change, predicts Berlin. Jeffery Drummond, a partner in the healthcare section of Jackson Walker LLP (Dallas), says digital image storage could come into play in some personal injury or medical malpractice lawsuits. Finally, there are contractual concerns to consider; contractual specifications and warranties can simplify the transition to digital.

Ultimately, healthcare facilities that understand and anticipate the legal ramifications of digital images can proactively plan for their impact, possibly avoiding lawsuits or costly fines.


HIPAA requirements are only beginning; a number of hospitals, imaging centers and private practitioners truly scrambled to meet the 2003 privacy rule. While meeting the next phase of HIPAA, the security rule, won't be a snap, it should be less arduous than coming up to speed on the privacy rule. For starters, the security rule is short, specific and easy to understand (unlike the privacy rule), says Jane Langdell, antitrust and trade regulation attorney with Sheppard, Mullin, Richter and Hampton LLP (Los Angeles). In a mere four pages, the security rule spells out administrative, technical and physical security safeguards and appropriate sanctions against healthcare providers that fail to comply with the rule. The rule also takes the size of an enterprise into account; requirements vary depending on the size of the provider.

Langdell recommends healthcare facilities prepare for the security rule by hiring a security officer. Depending on the size of the facility, the privacy officer might also serve as the security officer. The security officer's initial duties include:

  • Gathering information about the security rule and its requirements
  • Meeting with IT staff, security personnel and medical staff to brainstorm where electronic information resides and where it travels. This group will guide development of policies and procedures.
  • Making a detailed map of where images go and dealing methodically with each location. This includes storage processes, controlled access and password management.
  • Brainstorming catastrophic events such as earthquakes, theft and hackers - and developing contingency plans for catastrophic events.

Being sure the staff fully understands policies and procedures is key. "I can't stress enough the importance of not only training staff in policies and procedures, but also enforcing those policies and procedures," Langdell notes. "The best first line of defense if the Feds come knocking on your door is a great set of policies and procedures. But if your staff doesn't understand the policies and procedures and tapes passwords to computers [or commits other security breaches], your policies and procedures won't be very helpful."

The security rule stresses reasonable and appropriate measures, says Paul Smith, a partner with Davis, Wright and Tremaine LLP (San Francisco). For example, a radiology group transmitting images to outside specialists will need to credential that specialist into its system.

Most security requirements apply to radiologists reading images from home. A home workstation should be password-protected, and a professional quality firewall should be in place.

Smith concludes, "Mistakes and technical glitches, like sending an email with patient addresses in