Why HIPAA compliance matters for AI radiology
CT DICOM files contain Protected Health Information (PHI): patient name, date of birth, and medical record number in the file header, and the images themselves, which can carry identifying features (burned-in text annotations, or a reconstructable face on head CT). Any service that receives, processes, or stores these files on behalf of a covered entity is a HIPAA Business Associate.
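To make the point concrete, the following added example (not code from xAID or from the original page) inventories the identifying elements in a DICOM file before it leaves your network. It assumes a Part 10 file in the Explicit VR Little Endian transfer syntax and a constructed, in-memory CT instance standing in for a real study; the tag numbers are from the DICOM standard, the choice of which tags count as PHI is this example's own.

```python
import struct

# DICOM data elements that carry direct patient identifiers: (group, element) -> keyword.
# Tag numbers are from the DICOM standard; the selection of "PHI" tags is this example's.
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",            # the medical record number at most sites
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0028, 0x0301): "BurnedInAnnotation",   # "YES" means the pixels themselves carry text
}
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs that use the 4-byte length form in explicit VR encoding.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, elem, vr, value):
    """Encode one data element in explicit VR little endian (used to build the sample)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:                        # values are padded to even length
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_ct():
    """Constructed stand-in for a CT instance: 128-byte preamble, 'DICM', meta group, dataset."""
    elements = [
        encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE),   # transfer syntax UID
        encode_element(0x0008, 0x0060, b"CS", "CT"),
        encode_element(0x0008, 0x0080, b"LO", ""),               # empty value: not reported
        encode_element(0x0010, 0x0010, b"PN", "DOE^JANE"),
        encode_element(0x0010, 0x0020, b"LO", "MRN0012345"),
        encode_element(0x0010, 0x0030, b"DA", "19700101"),
        encode_element(0x0028, 0x0301, b"CS", "YES"),
        encode_element(0x7FE0, 0x0010, b"OW", b"\x00\x01" * 4),  # token pixel data
    ]
    return b"\x00" * 128 + b"DICM" + b"".join(elements)


def iter_elements(data, offset=132):
    """Walk explicit VR little endian elements; undefined-length sequences are not handled."""
    while offset + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, offset)
        vr = data[offset + 4:offset + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, offset + 8)[0]
            start = offset + 12
        else:
            length = struct.unpack_from("<H", data, offset + 6)[0]
            start = offset + 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element at offset %d not supported" % offset)
        yield (group, elem), vr, data[start:start + length]
        offset = start + length


def find_phi(data):
    """Return {keyword: value} for every non-empty PHI element in a DICOM Part 10 file."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    found = {}
    for tag, vr, value in iter_elements(data):
        if tag == (0x0002, 0x0010):
            if value.rstrip(b"\x00").decode("ascii") != EXPLICIT_VR_LE:
                raise ValueError("only explicit VR little endian is supported here")
        if tag in PHI_TAGS:
            text = value.decode("ascii", "replace").strip(" \x00")
            if text:
                found[PHI_TAGS[tag]] = text
    return found


if __name__ == "__main__":
    for keyword, value in find_phi(build_sample_ct()).items():
        print(f"{keyword}: {value}")
```

Run against the constructed instance, the inventory reports the name, MRN, birth date and the burned-in annotation flag, which is exactly the set a Business Associate will receive if the study is sent as-is. A production check would use a full DICOM library (this parser deliberately rejects other transfer syntaxes and undefined-length sequences) and would also inspect the pixel data, since the flag only says whether the modality knows it burned text into the image.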
AI radiology reporting services receive DICOM studies containing PHI, process them through AI models and radiologist workflows, and return reports. Every step involves PHI handling — and every step must meet HIPAA safeguards. The fact that AI is involved does not create a compliance exception; it creates additional considerations.
The HIPAA compliance checklist for AI radiology services
Before transmitting patient data to any AI radiology service, verify each of the following:
Signed Business Associate Agreement (BAA)
HIPAA required. A BAA is the contract HIPAA requires (§164.308(b)(1) in the Security Rule, with the mandatory terms listed in §164.504(e) of the Privacy Rule) between a covered entity and any Business Associate that handles PHI on its behalf. It sets out each party's obligations, the permitted uses and disclosures of the data, breach reporting duties, and what happens to PHI when the engagement ends. You cannot lawfully send patient studies to a vendor without a signed BAA. Ask to see it before onboarding, not after, and confirm it flows down to the vendor's subprocessors.
Technical safeguards: encryption in transit and at rest
HIPAA required. The Security Rule calls for "reasonable and appropriate" technical safeguards. Encryption itself is an "addressable" specification (§164.312(a)(2)(iv) for stored data, §164.312(e)(2)(ii) for transmission), which means a vendor that does not encrypt must document an equivalent alternative; for PHI leaving your network there is none in practice. For data in transit, TLS 1.2 or later is the accepted standard. For data at rest, AES-256 is expected. Verify that the vendor specifies both, not just "we use HTTPS": ask whether TLS 1.0 and 1.1 are disabled on their endpoints, whether the DICOM transfer path is encrypted end to end rather than only up to a front-end proxy, and whether at-rest encryption covers backups and logs as well as the primary store.
US-based data processing
HIPAA does not itself prohibit processing PHI outside the US, but most healthcare compliance programs require US-based processing as a matter of policy. International processing adds regulatory complexity (GDPR where EU infrastructure or staff are involved, cross-border transfer terms) and audit risk. Ask specifically: "Where are DICOM files processed and stored?" and make the answer cover backups, logs, and the locations from which support staff and radiologists access studies, not just the primary data center.
Audit logs and access controls
HIPAA required. §164.312(b) requires audit controls: hardware, software, or procedural mechanisms that record and examine activity in systems containing PHI. Verify that the vendor logs who accessed which study, when, and from where, including their own staff and the service accounts of the AI pipeline; that logs are tamper-resistant (append-only, or shipped to a store the application cannot modify); how long they are retained; and that you can obtain the records for your patients in the event of an audit or breach investigation.
Breach notification procedures
HIPAA required. Under the Breach Notification Rule (§164.410), a Business Associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach; the covered entity's own duties to notify patients, HHS and, for large breaches, the media then follow from that report. Treat 60 days as the statutory ceiling, not a target: negotiate a shorter contractual window in the BAA, verify that it spells out what the notification must contain (affected individuals, data involved, what the vendor has done about it), and confirm that you can reach the vendor's security team quickly in a real incident.
ISO 27001 certification
ISO 27001 is an independently audited international standard for information security management systems. HIPAA does not require it, but it is one of the strongest available signals of a mature security program (a SOC 2 Type II report or HITRUST certification serves a similar purpose): a certified vendor has had its controls verified by an accredited auditor, not just self-assessed. Read the certificate's scope statement, since certification covers only the systems and locations named there, and make sure it includes the environment that will process your studies.
Radiologist review on every report
From a compliance standpoint, autonomous AI diagnosis without physician oversight creates liability exposure under both state practice acts and payor requirements. Autonomous AI radiology reports (no radiologist review) are not billable under most payer contracts and create professional liability risk for the facility. Every xAID report is reviewed by our in-house European radiologist.
Questions to ask every AI radiology vendor
Use these specific questions during vendor evaluation — not after contract signature:
- "Can you provide a signed BAA before we send our first test study?"
- "Where are patient DICOM files physically stored and processed?"
- "What encryption standards do you apply in transit and at rest?"
- "Do you hold ISO 27001 certification? Can you provide the certificate?"
- "What is your breach notification timeline and process?"
- "Is every report reviewed by a licensed radiologist, or are any reports delivered autonomously?"
- "Can we audit access logs for our patient data?"
- "What subprocessors handle patient data, and are they also under BAA?"
xAID Compliance Summary
- ✓ HIPAA-compliant — BAA signed before first study
- ✓ ISO 27001 certified — independently audited security controls
- ✓ All PHI processed and stored on US-based infrastructure
- ✓ TLS 1.2+ in transit, AES-256 at rest
- ✓ Comprehensive audit logs for all PHI access
- ✓ Every report reviewed by our in-house European radiologist
- ✓ Breach notification procedures per HIPAA Breach Notification Rule
Frequently asked questions
Is AI radiology reporting HIPAA compliant?
AI radiology reporting can be HIPAA compliant when the service provider has the required safeguards in place: a signed BAA, encryption in transit and at rest, audit logs, and breach notification procedures, plus whatever your own compliance program adds on top (typically US-based processing). The presence of AI in the workflow does not create a HIPAA exception; the same requirements apply as for any other service that handles PHI.
Do I need a BAA for AI radiology?
Yes. Any service that receives, processes, or stores DICOM files containing patient identifiers is a HIPAA Business Associate — and you must have a signed BAA before transmitting data. A vendor that declines to provide a BAA should not receive PHI from a covered entity, regardless of their security claims.
What is ISO 27001 and does it mean the vendor is HIPAA compliant?
ISO 27001 is an internationally recognized standard for information security management, requiring an independent certification audit. It is not the same as HIPAA compliance: HIPAA has specific US healthcare requirements (the BAA, breach notification, the Privacy Rule) that ISO 27001 does not cover. However, an ISO 27001 certified vendor has had the controls within the certified scope independently verified, which goes beyond the self-attestation most HIPAA safeguards rely on, making it a strong quality signal as long as that scope covers the systems that will handle your PHI.
Can AI radiology reports be processed outside the US?
HIPAA does not technically prohibit international processing, but most healthcare compliance programs require US-based processing for PHI. International processing creates additional regulatory complexity and audit risk. Always ask vendors where DICOM files are physically stored and processed — not just where the company is headquartered.