HIPAA Compliance Checklist for Mammography Centers (2024)


Kevin Henry

HIPAA

January 10, 2026

7 minutes read

HIPAA Compliance Overview

Running a mammography center means you routinely handle protected health information (PHI) and electronic protected health information (ePHI). A strong HIPAA program safeguards that data while keeping care efficient and patient‑centered.

This checklist aligns your operations with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. It focuses on governance, repeatable processes, and controls tailored to imaging environments so you can demonstrate due diligence and day‑to‑day compliance.

  • Establish governance and accountability for privacy and security.
  • Complete and maintain risk analysis documentation; manage risk continuously.
  • Adopt policies and procedures that implement physical and technical safeguards.
  • Deliver role‑based workforce training with documented completion.
  • Ensure business associate agreement compliance across all vendors.
  • Operationalize incident response and breach notification requirements.
  • Maintain complete documentation and a clear record‑retention schedule.

Conduct Risk Assessments

The Security Rule requires an “accurate and thorough” assessment of risks to the confidentiality, integrity, and availability of ePHI. Your risk analysis must be documented, current, and actionable.

Scope and data mapping

  • Inventory systems touching ePHI: mammography units, PACS/VNA, RIS/EHR, modality workstations, AI/CAD, image sharing portals, billing, backup, and mobile mammography units.
  • Diagram data flows (DICOM, HL7, FHIR, email, secure portals, removable media) from acquisition through reporting, release, and archival.

Threats, vulnerabilities, and risk ratings

  • Identify threats (ransomware, lost media, misdirected faxes/emails, unauthorized access, insider error) and vulnerabilities (unpatched OS, weak authentication, open ports, screens visible to the public).
  • Rate likelihood and impact, then assign risk levels to prioritize remediation.

Controls and documentation

  • Select controls: encryption in transit and at rest, MFA for remote/admin access, endpoint protection, network segmentation, backup/restore testing, least‑privilege, and audit logging.
  • Create risk analysis documentation, a risk register, and a time‑bound risk management plan with owners and milestones.

Frequency and triggers

  • Reassess at least annually and whenever you add technology, change vendors, move locations, modify workflows, experience an incident, or deploy a mobile unit.
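
The risk-rating and risk-register steps above, carried out in a small added example (not code from the article or from Accountable). Likelihood and impact are rated 1 to 5 and multiplied into a score; the level thresholds, remediation windows, system names, owners and control names are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values: score thresholds on the 1-25 scale and the number of
# days a finding at that level may stay open. A real program sets these in its
# risk management plan.
LEVELS = [(20, "Critical", 30), (12, "High", 90), (6, "Medium", 180), (1, "Low", 365)]

@dataclass
class Risk:
    system: str          # asset from the ePHI inventory
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (large ePHI exposure or long outage)
    control: str         # existing or planned safeguard
    owner: str           # accountable person for remediation

def rate(risk: Risk) -> tuple[int, str, int]:
    """Return (score, level, remediation window in days) for one risk."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    score = risk.likelihood * risk.impact
    for threshold, level, days in LEVELS:
        if score >= threshold:
            return score, level, days
    raise AssertionError("unreachable: score is always >= 1")

def build_plan(risks: list[Risk], assessed: date) -> list[dict]:
    """Risk register sorted highest score first, each entry with owner and due date."""
    plan = []
    for r in risks:
        score, level, days = rate(r)
        plan.append({"system": r.system, "threat": r.threat, "score": score,
                     "level": level, "owner": r.owner, "control": r.control,
                     "due": assessed + timedelta(days=days)})
    return sorted(plan, key=lambda e: e["score"], reverse=True)

# Constructed sample entries using threats and vulnerabilities named in the checklist.
SAMPLE_RISKS = [
    Risk("PACS/VNA", "ransomware", "unpatched server OS", 4, 5,
         "patch cadence + offline immutable backups", "IT lead"),
    Risk("mobile mammography unit", "lost media", "unencrypted USB exports", 3, 4,
         "full-disk encryption + chain-of-custody log", "Lead technologist"),
    Risk("front-desk workstation", "unauthorized access", "screen visible to lobby", 3, 2,
         "privacy screen + automatic logoff", "Practice manager"),
]

if __name__ == "__main__":
    for e in build_plan(SAMPLE_RISKS, date(2024, 1, 15)):
        print(f"{e['level']:8} {e['score']:>2}  {e['system']:<26} due {e['due']}  owner: {e['owner']}")
```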

Develop Policies and Procedures

Policies translate legal requirements into daily practice. Keep them concise, role‑specific, and easy to follow. Review annually and whenever risks or operations change.

Privacy Rule essentials

  • Permitted uses/disclosures, minimum necessary, and authorization requirements for releasing images and reports.
  • Notice of Privacy Practices distribution and acknowledgment tracking.
  • Patient right of access, including timelines and secure delivery options for images and results.
  • Identity verification before disclosures (in‑person, phone, portal, or third‑party requests).

Security Rule policies and safeguards

  • Administrative safeguards: risk management, workforce clearance, sanctions, and contingency planning with tested backups and disaster recovery.
  • Physical safeguards: facility access controls, visitor logs, device and media controls, secure storage for printed schedules and QC records, and privacy screens for public‑facing workstations.
  • Technical safeguards: unique IDs, automatic logoff, role‑based access, encryption, secure configurations, patching, and monitoring with audit log review.
  • Secure transmission: TLS for DICOM where supported; VPN/HTTPS for portals and remote reading.

Imaging‑specific procedures

  • Image export and media handling (prefer secure portals; if CDs/USBs are used, encrypt and log chain of custody).
  • Downtime and emergency operations so screening and diagnostics continue safely during outages.
  • De‑identification standards for teaching, ACR accreditation submissions, and quality programs.
  • Vendor service access to modalities and PACS with time‑bound, auditable credentials.
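
An added example (not from the article or from Accountable) of the audit log review called for under the technical safeguards and of the time‑bound, auditable vendor access described above: it runs three checks over a constructed PACS audit export. The log format, role‑to‑action map, vendor maintenance window and deprovisioning log are all assumptions.

```python
from datetime import datetime

# Constructed PACS audit export: timestamp,user,role,action,target. Not real data.
AUDIT_LOG = """\
2024-03-04T09:12:00,jdoe,technologist,STUDY_VIEW,ACC-1001
2024-03-04T23:41:00,vendor_svc,vendor,CONFIG_CHANGE,PACS-CORE
2024-03-05T10:05:00,rsmith,billing,STUDY_EXPORT,ACC-1002
2024-03-06T08:00:00,tgone,technologist,STUDY_VIEW,ACC-1003
2024-03-06T14:30:00,vendor_svc,vendor,CONFIG_CHANGE,PACS-CORE
"""

# Assumed policy inputs: actions each role may perform (role-based access and
# minimum necessary), approved vendor service windows, and the deprovisioning
# log (user -> time access was removed).
ROLE_ACTIONS = {
    "technologist": {"STUDY_VIEW", "STUDY_EXPORT"},
    "radiologist": {"STUDY_VIEW"},
    "billing": {"DEMOGRAPHICS_VIEW"},
    "vendor": {"CONFIG_CHANGE"},
}
VENDOR_WINDOWS = {"vendor_svc": [(datetime(2024, 3, 6, 14, 0), datetime(2024, 3, 6, 16, 0))]}
DEPROVISIONED = {"tgone": datetime(2024, 3, 5, 17, 0)}

def review(log: str) -> list[str]:
    """Return one finding per policy violation found in the audit export."""
    findings = []
    for line in log.splitlines():
        ts, user, role, action, target = line.split(",")
        when = datetime.fromisoformat(ts)
        # Check 1: action not permitted for the user's role.
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(f"{ts} {user}: {action} on {target} not permitted for role {role}")
        # Check 2: vendor service credentials used outside an approved window.
        if role == "vendor":
            windows = VENDOR_WINDOWS.get(user, [])
            if not any(start <= when <= end for start, end in windows):
                findings.append(f"{ts} {user}: vendor activity outside approved window")
        # Check 3: activity by an account that should already have been disabled.
        removed = DEPROVISIONED.get(user)
        if removed and when > removed:
            findings.append(f"{ts} {user}: activity after access removal on {removed:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

Each finding maps to a documented follow-up (sanction, credential revocation, or ticket), which is the record an auditor will ask for alongside the log itself.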

Provide Staff Training

Training builds a culture of privacy and security. Make it practical, scenario‑based, and tailored to each role. Document completion and comprehension.

  • New‑hire and annual refresher training on PHI handling, minimum necessary, and reporting suspected incidents immediately.
  • Role‑specific modules: front desk (verification, call‑backs, sign‑in privacy), technologists (workstation security, image labeling, media controls), radiologists (remote access, secure reporting), billing (use/disclosure limits), and IT (patching, logging, backups).
  • Micro‑learning on phishing, secure messaging, misdirected results, and social media do’s and don’ts.
  • Maintain rosters, dates, curricula, and test scores as defensible training records.

Manage Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits ePHI for your center is a business associate. Ensure business associate agreement compliance before sharing data.

Identify common business associates

  • PACS/VNA and cloud image platforms, teleradiology groups, AI/CAD vendors, EHR/RIS providers, billing and clearinghouses, IT managed service providers, secure messaging/portal providers, shredding/recycling, and off‑site storage/backup.

Contract essentials

  • Permitted uses/disclosures and minimum necessary clauses.
  • Security obligations mirroring the HIPAA Security Rule, including physical and technical safeguards and subcontractor flow‑down.
  • Clear breach notification requirements, reporting timelines, and incident cooperation terms.
  • Right to audit/assess controls, evidence of safeguards (e.g., encryption, logging), and termination with data return or certified destruction.

Maintain an inventory of BAAs, track renewal dates, and perform risk‑based vendor reviews. Document evidence of oversight activities.

Implement Incident Response Plan

Incidents happen. A tested plan limits harm, speeds recovery, and supports compliant notifications. Keep steps concise, assign roles, and rehearse regularly.

Core response steps

  • Detect and triage: confirm the event, classify severity, and start an incident ticket.
  • Contain: isolate affected devices or accounts; preserve logs and forensic evidence.
  • Eradicate and recover: remove malware, close vulnerabilities, and restore from known‑good backups.
  • Assess breach risk: analyze the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Notifications: follow breach notification requirements to individuals, regulators, and—if applicable—the media; consider state law timelines in addition to HIPAA.

Ransomware and downtime considerations

  • Maintain offline, immutable backups and verify restorations through periodic tests.
  • Use downtime procedures for registration, imaging, and reporting until systems are restored.
  • Coordinate with law enforcement and cyber insurance where appropriate.

After‑action

  • Document the incident end‑to‑end, update policies and controls, retrain staff, and track corrective actions to closure.

Maintain Documentation and Record Retention

Good records prove good compliance. Centralize artifacts, control access, and keep them audit‑ready. Align HIPAA documentation with imaging‑specific record rules.

  • Risk analysis documentation, risk registers, and risk management plans.
  • All policies/procedures with revision history and approvals.
  • Training rosters, curricula, dates, and assessments.
  • Business associate agreements and vendor due‑diligence evidence.
  • Audit logs and reviews, access authorization/change records, and user provisioning/deprovisioning logs.
  • Incident and breach files: investigation notes, risk assessments, and notification records.
  • Device and media inventory, encryption attestations, maintenance, and disposal certificates.
  • Contingency plan tests, backup/restore results, and facility access logs.
  • Patient privacy complaints, responses, and sanctions (if any).

Retain HIPAA‑related documentation for at least six years from creation or last effective date. Coordinate with state laws and mammography program requirements to ensure image/report retention meets or exceeds those timelines.

FAQs

What are the key HIPAA requirements for mammography centers?

You must protect PHI and electronic protected health information through policies implementing the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. That means conducting risk analyses, enforcing physical and technical safeguards, training your workforce, managing business associates, responding to incidents, and keeping complete documentation.

How often should mammography centers conduct risk assessments?

Perform a formal assessment at least annually and any time you add new technology, change vendors, move locations, or experience an incident. Update your risk analysis documentation and risk management plan after each assessment and track remediation to completion.

What documentation is required to prove HIPAA compliance?

Maintain current policies and procedures, risk analyses and risk registers, training rosters and materials, business associate agreements, access and audit logs, incident/breach files, contingency plan tests, device/media inventories, encryption and disposal records, and documentation of patient rights (access requests, authorizations, and complaints) with outcomes.

How should mammography centers handle data breaches?

Activate your incident response plan: contain and investigate, perform a breach risk assessment, and follow breach notification requirements for individuals and regulators within required timeframes. Remediate root causes, retrain staff as needed, and keep a complete, auditable record of actions taken.
