HIPAA security: compliance in radiology--an academic radiology department's plan contrasted with a small private practice.

In complying with the HIPAA security regulations, the large, multi-site academic radiology department is quite different from the small, private radiology practice. This article compares and contrasts the methods each of these two model organizations use to achieve compliance. In common between the two organizations is that complete documentation of the procedures and processes involved in data management must be prepared and reviewed. Although not required in the regulations, having the documentation conform to the regulation allows for easy monitoring, auditing, and certification of compliance by future independent bodies. The level to which each organization must secure their data, perform threat assessments, and implement security procedures and intrusion detection systems are very different. The regulations do not specify what level of due diligence is required. This must be determined by each organization using their own common-sense dictum. Although the solutions used by these two types of organizations may not be the same as those adopted by other radiology departments and practices, the approaches may still serve as useful templates to guide compliance efforts by others.