All patients in the healthcare enterprise have the right to privacy and to have their records, including medical images, kept private. Security is not the sole responsibility of any given vendor, healthcare facility, or medical personnel. Rather, security is something that all parties in the enterprise must embrace, and each party must do its part in implementing it. HIPAA is a driving force behind the security paradigm and Images-on-Call is actively assuring its customers of compliance.
Images-on-Call Teleradiology products will meet the technical requirements of HIPAA concerning the security of patient information and will include features that assist in meeting requirements to keep records of access to patient information.
It is anticipated that our customers' security requirements will evolve over time, as have other aspects of the Images-on-Call Teleradiology product. Historically, most changes to the product have been implemented as standard features that are available to all customers free of charge. However, since many details of HIPAA compliance are left to individual institutions to implement, Images-on-Call cannot guarantee that future requests for custom upgrades to the product can be provided free of charge.
We encourage prospective customers to evaluate Images-on-Call's approach to meeting HIPAA requirements to make sure that it is compatible with their compliance efforts.
Regarding HIPAA Business Associate Agreements, IOC will provide an agreement between a Covered Entity (CE) and ourselves (BA) if asked. IOC will sign a CE-generated B.A.A. if, after review, it is acceptable. It is not generally necessary for BAs to enter into B.A.A.s with Radiology Groups, unless the group produces PHI (Protected Health Information), or images, as might be the case at free-standing imaging centers that are Radiology Group-owned.
IOC’s use of PHI, primarily medical images, is limited to the installation, service and support of Teleradiology and Image Distribution Systems. This information is not stored permanently and is deleted shortly after it is used. IOC also does not disclose PHI to a third party for any purpose other than as required by law. Under the Business Associate Agreement and according to IOC Policies and Procedures, any accidental or improper disclosure, or any disclosure that is required by law, will be documented and reported to the Covered Entity. These provisions and policies cover all disclosures by IOC and ensure that the Covered Entity is notified. For this reason, IOC believes that it is not necessary for the Covered Entity to separately request information from IOC in response to a request by an individual for an accounting of disclosures. We strongly recommend that customers use this additional information and exclude IOC from the list of Business Associates that must be contacted in the event of a request for an accounting of disclosures.