
HIPAA BAA Requirements for Radiology and Imaging Centers

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — radiology and imaging centers are HIPAA covered entities. PACS vendors, teleradiology services, cloud DICOM storage platforms, AI diagnostic tools, referring provider portals, and billing companies all require signed BAAs. DICOM images linked to patient identifiers are PHI regardless of whether they are stored locally or in the cloud.

Radiology and imaging centers sit at the intersection of some of the most technically complex and clinically sensitive data in healthcare. A single imaging study — an MRI, CT scan, or mammogram — generates large volumes of data directly linked to a patient's identity and health status. The modern imaging center transmits this data to multiple external parties: PACS systems, cloud storage, teleradiology services, AI platforms, and referring providers. Each of these relationships creates a HIPAA BAA requirement.

Why Imaging Centers Are HIPAA Covered Entities

Radiology and imaging centers are healthcare providers under HIPAA when they transmit health information electronically in connection with covered transactions. This includes submitting claims to Medicare, Medicaid, or commercial insurers for imaging services. Independent imaging centers — whether freestanding or affiliated with a health system — that submit electronic claims are covered entities with the full suite of HIPAA obligations.

Covered imaging center types include:

What PHI Imaging Centers Handle

Imaging centers handle highly sensitive diagnostic PHI, including:

A critical compliance point: DICOM images are PHI. The DICOM standard embeds patient demographic data (name, date of birth, patient ID, referring provider) directly into image headers. Any vendor whose system stores, processes, or transmits DICOM files is handling PHI and requires a BAA.
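The point that DICOM headers carry identifiers can be checked directly on a file before it leaves the center. The following is an added example, not code from BAA Generator or from any vendor named on this page: a minimal reader for DICOM Part 10 files in the Explicit VR Little Endian transfer syntax that walks the top-level data elements and reports which of the demographic tags the article names (PatientName, PatientID, PatientBirthDate, ReferringPhysicianName) still hold a value. The sample file it scans is constructed in memory with a fictitious patient; sequences, undefined-length elements, implicit VR and big-endian files are assumed out of scope.

```python
import struct

# Standard DICOM tags for the patient demographics the article names
# (tag numbers from the DICOM data dictionary, PS3.6).
PHI_TAGS = {
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}

# VRs whose Explicit VR encoding uses 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OW", b"SQ", b"UC", b"UN", b"UR", b"UT"}


def parse_explicit_vr_le(data):
    """Yield (tag, vr, value_bytes) for each top-level data element.

    Assumes a DICOM Part 10 file (128-byte preamble + "DICM") encoded as
    Explicit VR Little Endian. Nested sequences, undefined lengths,
    implicit VR and big-endian encodings are not handled by this reader.
    """
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos = 132
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<2xI", data, pos)  # 2 reserved bytes, then length
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported by this reader")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def find_phi(data):
    """Return {tag_name: value} for PHI tags that are present with a non-empty value."""
    found = {}
    for tag, _vr, value in parse_explicit_vr_le(data):
        if tag in PHI_TAGS and value.strip(b"\x00 "):
            found[PHI_TAGS[tag]] = value.decode("ascii", "replace").rstrip(" \x00")
    return found


def requires_baa(data):
    """True when the study still carries patient identifiers, so any vendor
    that stores, processes or transmits it is handling PHI."""
    return bool(find_phi(data))


def encode_element(group, elem, vr, value):
    """Encode one Explicit VR LE element, padding the value to even length
    (UI pads with NUL, text VRs pad with space, as the standard requires)."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


def build_sample(with_phi=True):
    """Constructed sample study (fictitious patient, not a real file).

    with_phi=False produces the shape an anonymizer leaves behind:
    demographic tags present but emptied.
    """
    body = b""
    body += encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")  # TransferSyntaxUID
    body += encode_element(0x0008, 0x0060, b"CS", b"MR")                    # Modality
    if with_phi:
        body += encode_element(0x0008, 0x0090, b"PN", b"Doe^Jane")          # ReferringPhysicianName
        body += encode_element(0x0010, 0x0010, b"PN", b"Test^Patient")      # PatientName
        body += encode_element(0x0010, 0x0020, b"LO", b"MRN-000001")        # PatientID
        body += encode_element(0x0010, 0x0030, b"DA", b"19700101")          # PatientBirthDate
    else:
        body += encode_element(0x0010, 0x0010, b"PN", b"")
        body += encode_element(0x0010, 0x0020, b"LO", b"")
    body += encode_element(0x7FE0, 0x0010, b"OW", b"\x00" * 16)             # PixelData stand-in
    return b"\x00" * 128 + b"DICM" + body


if __name__ == "__main__":
    for label, study in (("identified", build_sample()), ("de-identified", build_sample(False))):
        print(label, "-> PHI tags:", find_phi(study), "| BAA needed:", requires_baa(study))
```

The constructed identified study reports all four demographic tags, while the emptied variant reports none. A header scan like this is only a first gate: it says nothing about identifiers burned into the pixel data or carried in private tags, so the presence of any identifier in the header should be treated as confirmation that a BAA is required, not its absence as proof that it is not.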

Vendors Imaging Centers Typically Need BAAs With

PACS Vendors

Picture archiving and communication systems (PACS) are the backbone of radiology workflow. Vendors like Sectra, Intelerad, Ambra Health, and Merge Healthcare store and serve imaging studies. Because PACS systems are the primary repository for patient imaging data, the PACS vendor is a business associate — and the BAA should cover both the software platform and any cloud infrastructure components the vendor uses.

Teleradiology Services

Teleradiology vendors provide remote radiologist interpretation of imaging studies — covering overnight reads, subspecialty consultations, or overflow capacity. These vendors receive full DICOM studies linked to patient identifiers and return reports to the imaging center. This is a textbook business associate relationship. Execute a BAA before transmitting the first study, and ensure the BAA addresses turnaround time, data retention, and subcontractor obligations (since teleradiology vendors often use their own cloud infrastructure).

Cloud DICOM Storage

Cloud-based DICOM storage platforms — including Ambra Health, Lifeimage, and cloud object storage from AWS, Azure, or GCP configured for medical imaging — are business associates when they store imaging data linked to patient identifiers. General-purpose cloud providers offer HIPAA BAAs through their enterprise account programs, but these must be explicitly executed rather than assumed.

AI Diagnostic Tools

AI-powered tools that analyze imaging studies — detecting pulmonary nodules, flagging bone fractures, screening mammograms, or triaging strokes — receive and process PHI on behalf of the imaging center. The automated nature of the analysis does not change the classification; the vendor's software is maintaining and processing patient-identified data. All AI diagnostic software vendors used in the reading workflow require signed BAAs.

Referring Provider Portals

Web portals that allow ordering physicians to access their patients' imaging results transmit PHI to external users. The vendor providing the portal technology is a business associate. This applies to both standalone referring provider portals and portal functionality embedded within PACS or RIS systems provided by third-party vendors.

Common Vendor BAA Table for Imaging Centers

Vendor Type | Example Vendors | BAA Required?
PACS vendor | Sectra, Intelerad, Ambra Health, Merge Healthcare | Yes
Teleradiology service | NightHawk, vRad, StatRad | Yes
Cloud DICOM storage | Ambra, Lifeimage, AWS/Azure/GCP (enterprise) | Yes
AI diagnostic software | Aidoc, Nuance AI, Enlitic, Viz.ai | Yes
Referring provider portal | Ambra portal, RIS-based portals | Yes
RIS (radiology information system) | Cerner Radnet, Fujifilm, Philips | Yes
Billing company | Outsourced radiology billing firms | Yes

Common Compliance Gaps in Imaging Centers

The most frequent compliance gaps for imaging centers: (1) using AI diagnostic tools without executing BAAs — vendors may market tools for "clinical decision support" but their access to patient-identified imaging data makes them business associates; (2) using consumer-grade cloud storage for DICOM archiving without enterprise accounts and BAAs; (3) not obtaining BAAs with teleradiology services that are treated as professional relationships rather than vendor relationships; and (4) failing to address PACS vendor subcontractors who provide cloud hosting for the PACS platform.

For guidance on evaluating vendor BAA policies, see our post on whether your vendor signs a HIPAA BAA. For a foundational explanation of BAA requirements, see our explainer on what a Business Associate Agreement is.

Frequently Asked Questions

Do radiology imaging centers need HIPAA BAAs?

Yes. Radiology and imaging centers are HIPAA covered entities. They must sign BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf — including PACS vendors, teleradiology services, cloud DICOM storage providers, AI diagnostic tools, referring provider portal vendors, RIS vendors, and billing companies.

Does a teleradiology vendor require a BAA?

Yes. Teleradiology vendors receive DICOM imaging studies containing patient-identified PHI, interpret them, and return radiology reports. This constitutes creating and maintaining PHI on behalf of the imaging center, making the teleradiology vendor a business associate. A signed BAA is required before any studies are transmitted. The BAA should also address data handling by any subcontractors the teleradiology vendor uses.

Does AI diagnostic software reading imaging studies need a BAA?

Yes. AI tools that analyze medical imaging data — whether for fracture detection, nodule flagging, or stroke triage — receive and process PHI. The automated nature of the processing does not change the business associate classification. All AI diagnostic software vendors used in the imaging workflow require signed BAAs before receiving patient-identified studies.

Does cloud DICOM storage require a BAA?

Yes. Cloud platforms storing DICOM files linked to patient identifiers are maintaining PHI and are business associates. Dedicated medical imaging cloud platforms (Ambra, Lifeimage) and general-purpose cloud providers (AWS, Azure, GCP) all offer HIPAA BAAs, but these must be explicitly executed through enterprise account programs before PHI is stored.
