HIPAA Compliance Checklist for PET Scan Centers
Designate a Privacy Officer
Assign a Privacy Officer with clear authority to build, oversee, and continuously improve your HIPAA program. This leader coordinates compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule across clinical, technical, and administrative teams.
Core responsibilities
- Maintain the compliance roadmap, policies, and required documentation for Protected Health Information (PHI).
- Oversee Risk Assessment activities and track remediation to closure.
- Lead the Incident Response Plan, including breach triage, investigation, and notifications.
- Manage Business Associate Agreement (BAA) inventory and vendor due diligence.
- Coordinate workforce training, sanctions, complaints, and internal audits.
- Report metrics and material risks to senior leadership on a defined cadence.
Action steps
- Formally appoint a primary and a backup Privacy Officer; define decision rights and escalation paths.
- Create an annual compliance calendar covering audits, training, vendor reviews, and policy updates.
- Document roles and maintain contact lists for legal, IT, radiology leadership, and vendors.
Develop Policies and Procedures
Establish written, version-controlled policies that reflect how your PET center collects, uses, discloses, and safeguards PHI in daily operations. Align procedures to the HIPAA Privacy Rule and HIPAA Security Rule, and map each to accountable owners.
Required policies
- Uses/disclosures of PHI, minimum necessary, and authorization management.
- Patient rights: access, amendments, restrictions, confidential communications, and accounting of disclosures.
- Notice of Privacy Practices, complaint handling, and sanctions.
- Security: access management, encryption, media disposal, remote access, and change management.
- Contingency planning: backup, disaster recovery, and emergency operations.
- De-identification/re-identification and data retention schedules.
PET-specific procedures
- DICOM image workflows, modality worklists, and PACS/RIS data flows.
- Handling of dose tracking logs, injection records, patient prep forms, and imaging requests containing PHI.
- Request fulfillment for images/reports via portals or encrypted media; chain-of-custody for CDs/USBs.
- Voice dictation, report distribution to referring providers, and secure fax/print processes.
- Observer/student access rules and privacy in uptake/waiting rooms.
Conduct Regular Risk Assessments
Perform a formal Risk Assessment to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Use results to prioritize safeguards and document risk decisions.
Scope for PET centers
- PACS/RIS/EHR systems, modality consoles (PET/CT), image viewers, and diagnostic workstations.
- Cloud services, patient portals, teleradiology platforms, and offsite backups.
- Network infrastructure, remote support tools, and any device storing or transmitting ePHI.
- Operational processes: scheduling, registration, dose logging, and results delivery.
Frequency and triggers
- Conduct at least annually and whenever major changes occur (new modality, software upgrade, relocation, or new vendor).
- Reassess after security incidents, audit findings, or significant workflow changes.
Method and outputs
- Catalog assets, identify threats/vulnerabilities, rate likelihood and impact, and evaluate existing controls.
- Produce a risk register with owners, due dates, and mitigation strategies (reduce, transfer, accept).
- Deliver an executive summary, remediation roadmap, and metrics for ongoing tracking.
Implement Administrative Safeguards
Administrative safeguards translate policy into daily practice. They set expectations for access, workforce behavior, vendor oversight, and continuity measures that protect PHI.
Key controls
- Role-based access authorization, periodic access reviews, and timely termination of accounts.
- Security awareness, phishing defense, and documented sanctions for noncompliance.
- Risk management program tied to the Risk Assessment results and corrective actions.
- Vendor management, BAAs, and performance monitoring.
- Contingency plans: data backup, disaster recovery, and emergency mode operations testing.
- Incident Response Plan with clear triage, escalation, and decision criteria.
PET center examples
- Console access rules for technologists, radiologists, and service engineers; least-privilege profiles.
- After-hours scanning procedures and escort requirements for visitors or students.
- Protocols to avoid displaying full patient lists in public view and to verify identity before disclosures.
Implement Physical Safeguards
Physical safeguards prevent unauthorized physical access to systems, spaces, and media that store PHI. Tailor protections to imaging environments where consoles, printers, and waiting areas are in daily use.
Facility and workstation controls
- Controlled access to control rooms and server closets; visitor logs and escort procedures.
- Privacy screens, workstation placement away from public sightlines, and automatic screen locks.
- Secure printing and faxing with release codes or attended devices near clinical staff.
Device and media controls
- Asset inventories for laptops, removable media, and portable drives; disable unneeded USB ports.
- Encrypted media for image export; documented chain-of-custody for CDs/USBs provided to patients.
- Sanitized disposal of devices and paper records; locked shred bins and certified destruction.
Nuclear medicine specifics
- Secure storage of dose logs and injection records containing PHI; limit access to authorized staff.
- Private check-in and prep processes to reduce overheard PHI; avoid open sign-in sheets.
- Ensure uptake rooms and hot labs prevent inadvertent viewing of patient information.
Implement Technical Safeguards
Technical safeguards protect ePHI across modalities, networks, and applications. Emphasize strong authentication, encryption, monitoring, and secure configurations.
Access controls
- Unique user IDs, multi-factor authentication for remote and privileged access, and automatic logoff on consoles.
- Eliminate shared accounts; implement break-glass procedures with enhanced auditing.
Audit and integrity
- Centralized logs for PACS/RIS, modality access, DICOM queries, image exports, and report viewing.
- Regular audit reviews, alerting for anomalous activity, and integrity checks for stored studies.
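As an added example (not part of the original checklist or any vendor's tooling), the following Python script shows what "alerting for anomalous activity" can look like when run over centralized PACS audit records: it flags after-hours image exports, bulk exports by one account in a day, use of shared or break-glass IDs, and wildcard DICOM queries. The log format, account names, thresholds and business hours are all constructed assumptions for this illustration, not a real PACS export format.

```python
# Detection pass over PACS audit lines. Format is CONSTRUCTED for this example:
#   <ISO timestamp>|<user>|<event>|<study uid>|<destination>
from collections import Counter
from datetime import datetime

# Constructed sample audit lines; users, UIDs and hosts are placeholders.
SAMPLE_LOG = """\
2024-03-04T09:12:03|rad_jsmith|VIEW|1.2.3.100|workstation-1
2024-03-04T09:40:19|tech_alee|EXPORT|1.2.3.101|cd-burner-2
2024-03-04T23:48:51|svc_vendor|EXPORT|1.2.3.102|10.0.5.7
2024-03-04T23:49:02|svc_vendor|EXPORT|1.2.3.103|10.0.5.7
2024-03-04T23:49:14|svc_vendor|EXPORT|1.2.3.104|10.0.5.7
2024-03-04T23:49:30|svc_vendor|EXPORT|1.2.3.105|10.0.5.7
2024-03-04T14:05:00|breakglass|VIEW|1.2.3.106|workstation-3
2024-03-04T14:06:10|pacsadmin|QUERY|*|workstation-3
"""

BUSINESS_HOURS = range(7, 20)                    # 07:00-19:59 local (assumed)
BULK_EXPORT_THRESHOLD = 3                        # exports/user/day that need review (assumed)
GENERIC_ACCOUNTS = {"pacsadmin", "breakglass"}   # shared and break-glass IDs (assumed)

def parse(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, event, uid, dest = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "uid": uid, "dest": dest}

def find_anomalies(log_text):
    """Return sorted (rule, user) findings for the audit text."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings, exports = set(), Counter()
    for e in events:
        if e["event"] == "EXPORT":
            exports[(e["user"], e["ts"].date())] += 1   # count per user per day
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.add(("after_hours_export", e["user"]))
        if e["user"] in GENERIC_ACCOUNTS:                 # every use gets reviewed
            findings.add(("generic_account_use", e["user"]))
        if e["event"] == "QUERY" and e["uid"] == "*":     # broad C-FIND style query
            findings.add(("wildcard_query", e["user"]))
    for (user, _day), n in exports.items():
        if n >= BULK_EXPORT_THRESHOLD:
            findings.add(("bulk_export", user))
    return sorted(findings)

if __name__ == "__main__":
    for rule, user in find_anomalies(SAMPLE_LOG):
        print(f"{rule:20s} {user}")
```

In practice the thresholds and hour window should come from the Risk Assessment, and each finding should open a ticket for the audit review described above rather than only print.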
Transmission and storage security
- Encrypt data in transit (TLS/VPN) and at rest on servers, backups, and portable media.
- Harden DICOM services; disable unsecured protocols; segment imaging networks from guest or office networks.
- Patch management for workstations and servers; apply vendor security bulletins for modalities.
- Data loss prevention on egress points; prefer patient portals over unencrypted media.
Legacy modality considerations
- For unsupported systems, apply compensating controls such as network isolation, jump hosts, and strict logging.
- Document risk acceptance and timelines for upgrade or replacement.
Establish Business Associate Agreements
Execute a Business Associate Agreement before sharing PHI with any vendor that creates, receives, maintains, or transmits PHI on your behalf. BAAs clarify obligations under the HIPAA Security Rule and Breach Notification Rule.
Typical business associates for PET scan centers
- PACS/RIS/EHR vendors, cloud hosting, and offsite backup providers.
- Teleradiology, dictation/voice recognition, and report distribution platforms.
- Billing/coding services, printing/scanning contractors, and IT managed service providers.
- Device service vendors with remote access to modalities or consoles.
BAA essentials
- Permitted uses/disclosures, safeguard requirements, and breach reporting timeframes.
- Subcontractor flow-down clauses, right to audit, and termination/return-or-destroy provisions.
- Evidence of security controls and insurance appropriate to data volumes and risk.
Oversight practices
- Maintain a vendor inventory with risk ratings, BAA status, and data flows.
- Review BAAs and security documentation annually or upon material changes.
- Test vendor Incident Response Plan touchpoints through tabletop exercises.
Provide Staff Training
Train all workforce members on the HIPAA Privacy Rule and HIPAA Security Rule at onboarding and at least annually. Reinforce role-specific scenarios common in imaging to reduce human error.
Core topics
- PHI handling, minimum necessary, and verification before disclosures.
- Secure messaging, safe texting, and prohibition of personal email for PHI.
- Phishing awareness, password hygiene, and incident reporting expectations.
PET-specific practices
- Discreet discussions of prep instructions and results in waiting/uptake areas.
- Identity verification prior to injection or imaging; handling escorts and observers.
- Proper use of portals or encrypted media when providing images to patients or providers.
Reinforcement and measurement
- Short, periodic micro-learnings and simulated phishing to measure effectiveness.
- Training attestations, quizzes, and targeted refreshers after incidents or audits.
Develop Breach Notification Procedures
Define how you detect, investigate, and notify affected parties when unsecured PHI is compromised, as required by the Breach Notification Rule. Integrate these steps into your Incident Response Plan.
Assess and classify
- Use a four-factor risk assessment: nature/extent of PHI, unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.
- Document decisions and evidence supporting whether an incident is a breach requiring notification.
Notification timelines and content
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Notify the federal regulator within required timeframes; for larger incidents, notify media in affected jurisdictions as applicable.
- Include what happened, types of PHI involved, protective steps individuals should take, what you are doing, and contact methods.
Response playbook
- Intake and triage, immediate containment, forensics, and root cause analysis.
- Coordinate with business associates per BAA terms; track all actions and decisions.
- Remediate controls, provide patient support, and perform post-incident reviews.
PET-specific scenarios
- Lost or misdirected image CDs/USBs; unencrypted portable media.
- Misdirected reports or schedules faxed/emailed to the wrong recipient.
- Unauthorized vendor access to a modality console through remote tools.
- Exposure of dose logs or prep forms in public areas.
Review and Update Compliance Measures
Treat HIPAA as a continuous improvement program. Regularly evaluate safeguards, test plans, and refresh documentation to keep pace with technology and workflow changes.
Governance cadence
- Hold quarterly privacy/security meetings; review KPIs such as access reviews, patch status, audit results, and incident trends.
- Track remediation progress from the Risk Assessment and vendor risk reviews.
Testing and validation
- Run tabletop exercises for your Incident Response Plan and downtime procedures.
- Test backups and restoration of PACS/RIS and modality configurations.
- Revalidate safeguards after upgrades, relocations, or vendor changes.
Documentation upkeep
- Maintain current policies, BAAs, training records, risk registers, and architecture diagrams.
- Keep your Notice of Privacy Practices and patient-facing materials aligned with actual workflows.
Conclusion
By appointing capable leadership, documenting clear procedures, managing risks, and reinforcing safeguards through technology, training, and vendor oversight, your PET center can meet HIPAA requirements with confidence. Consistent execution of this HIPAA Compliance Checklist for PET Scan Centers protects patients, reduces operational risk, and strengthens trust with referring providers.
FAQs
What is the role of a Privacy Officer in PET scan centers?
The Privacy Officer builds and oversees the HIPAA program, ensuring alignment with the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule. They coordinate policies, Risk Assessments, training, vendor BAAs, audits, and lead the Incident Response Plan, reporting risks and progress to leadership.
How often should risk assessments be conducted for HIPAA compliance?
Perform a comprehensive Risk Assessment at least annually, and additionally whenever major changes occur—such as adding a new modality, upgrading PACS/RIS, relocating, onboarding a new vendor, or after a security incident. Update the risk register and remediation plan after each review.
What are the key components of breach notification procedures?
Effective procedures cover detection and triage, a four-factor risk assessment, timely notifications to affected individuals and regulators, clear content describing the event and protective steps, coordination with business associates, remediation, documentation, and post-incident improvements.
How does staff training impact HIPAA compliance?
Training equips your workforce to handle PHI correctly, recognize threats like phishing, and respond to incidents quickly. Role-specific refreshers reduce human error at scanners, consoles, and front desks, driving consistent compliance and measurably lowering breach risk.