
HIPAA BAA Requirements for Radiology and Imaging Centers

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — radiology and imaging centers are HIPAA covered entities. PACS vendors, teleradiology services, cloud DICOM storage platforms, AI diagnostic tools, referring provider portals, and billing companies all require signed BAAs. DICOM images linked to patient identifiers are PHI regardless of whether they are stored locally or in the cloud.

Radiology and imaging centers sit at the intersection of some of the most technically complex and clinically sensitive data in healthcare. A single imaging study — an MRI, CT scan, or mammogram — generates large volumes of data directly linked to a patient's identity and health status. The modern imaging center transmits this data to multiple external parties: PACS systems, cloud storage, teleradiology services, AI platforms, and referring providers. Each of these relationships creates a HIPAA BAA requirement.

Why Imaging Centers Are HIPAA Covered Entities

Radiology and imaging centers are healthcare providers under HIPAA when they transmit health information electronically in connection with covered transactions. This includes submitting claims to Medicare, Medicaid, or commercial insurers for imaging services. Independent imaging centers — whether freestanding or affiliated with a health system — that submit electronic claims are covered entities with the full suite of HIPAA obligations.

Covered imaging center types include:

What PHI Imaging Centers Handle

Imaging centers handle highly sensitive diagnostic PHI, including:

A critical compliance point: DICOM images are PHI. The DICOM standard embeds patient demographic data (name, date of birth, patient ID, referring provider) directly into image headers. Any vendor whose system stores, processes, or transmits DICOM files is handling PHI and requires a BAA.

Vendors Imaging Centers Typically Need BAAs With

PACS Vendors

Picture archiving and communication systems (PACS) are the backbone of radiology workflow. Vendors like Sectra, Intelerad, Ambra Health, and Merge Healthcare store and serve imaging studies. Because PACS systems are the primary repository for patient imaging data, the PACS vendor is a business associate — and the BAA should cover both the software platform and any cloud infrastructure components the vendor uses.

Teleradiology Services

Teleradiology vendors provide remote radiologist interpretation of imaging studies — covering overnight reads, subspecialty consultations, or overflow capacity. These vendors receive full DICOM studies linked to patient identifiers and return reports to the imaging center. This is a textbook business associate relationship. Execute a BAA before transmitting the first study, and ensure the BAA addresses turnaround time, data retention, and subcontractor obligations (since teleradiology vendors often use their own cloud infrastructure).

Cloud DICOM Storage

Cloud-based DICOM storage platforms — including Ambra Health, Lifeimage, and cloud object storage from AWS, Azure, or GCP configured for medical imaging — are business associates when they store imaging data linked to patient identifiers. General-purpose cloud providers offer HIPAA BAAs through their enterprise account programs, but these must be explicitly executed rather than assumed.

AI Diagnostic Tools

AI-powered tools that analyze imaging studies — detecting pulmonary nodules, flagging bone fractures, screening mammograms, or triaging strokes — receive and process PHI on behalf of the imaging center. The automated nature of the analysis does not change the classification; the vendor's software is maintaining and processing patient-identified data. All AI diagnostic software vendors used in the reading workflow require signed BAAs.

Referring Provider Portals

Web portals that allow ordering physicians to access their patients' imaging results transmit PHI to external users. The vendor providing the portal technology is a business associate. This applies to both standalone referring provider portals and portal functionality embedded within PACS or RIS systems provided by third-party vendors.

Common Vendor BAA Table for Imaging Centers

Vendor Type | Example Vendors | BAA Required?
PACS vendor | Sectra, Intelerad, Ambra Health, Merge Healthcare | Yes
Teleradiology service | NightHawk, vRad, StatRad | Yes
Cloud DICOM storage | Ambra, Lifeimage, AWS/Azure/GCP (enterprise) | Yes
AI diagnostic software | Aidoc, Nuance AI, Enlitic, Viz.ai | Yes
Referring provider portal | Ambra portal, RIS-based portals | Yes
RIS (radiology information system) | Cerner Radnet, Fujifilm, Philips | Yes
Billing company | Outsourced radiology billing firms | Yes

Common Compliance Gaps in Imaging Centers

The most frequent compliance gaps for imaging centers: (1) using AI diagnostic tools without executing BAAs — vendors may market tools for "clinical decision support" but their access to patient-identified imaging data makes them business associates; (2) using consumer-grade cloud storage for DICOM archiving without enterprise accounts and BAAs; (3) not obtaining BAAs with teleradiology services that are treated as professional relationships rather than vendor relationships; and (4) failing to address PACS vendor subcontractors who provide cloud hosting for the PACS platform.

For guidance on evaluating vendor BAA policies, see our post "Does your vendor sign a HIPAA BAA?". For a foundational explanation of BAA requirements, see "What is a Business Associate Agreement?".

Frequently Asked Questions

Do radiology imaging centers need HIPAA BAAs?

Yes. Radiology and imaging centers are HIPAA covered entities. They must sign BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf — including PACS vendors, teleradiology services, cloud DICOM storage providers, AI diagnostic tools, referring provider portal vendors, RIS vendors, and billing companies.

Does a teleradiology vendor require a BAA?

Yes. Teleradiology vendors receive DICOM imaging studies containing patient-identified PHI, interpret them, and return radiology reports. This constitutes creating and maintaining PHI on behalf of the imaging center, making the teleradiology vendor a business associate. A signed BAA is required before any studies are transmitted. The BAA should also address data handling by any subcontractors the teleradiology vendor uses.

Does AI diagnostic software reading imaging studies need a BAA?

Yes. AI tools that analyze medical imaging data — whether for fracture detection, nodule flagging, or stroke triage — receive and process PHI. The automated nature of the processing does not change the business associate classification. All AI diagnostic software vendors used in the imaging workflow require signed BAAs before receiving patient-identified studies.

Does cloud DICOM storage require a BAA?

Yes. Cloud platforms storing DICOM files linked to patient identifiers are maintaining PHI and are business associates. Dedicated medical imaging cloud platforms (Ambra, Lifeimage) and general-purpose cloud providers (AWS, Azure, GCP) all offer HIPAA BAAs, but these must be explicitly executed through enterprise account programs before PHI is stored.
