HIPAA & medical imaging — duties of doctors and data providers
Medical data is regulated by HIPAA (US), GDPR (EU) and local frameworks. A single mistake = civil + criminal sanctions. This guide is mandatory before annotating or verifying any medical content on OraData.
1. What is PHI?
PHI = Protected Health Information. HIPAA defines 18 identifiers. If any is present in a file, the file contains PHI and falls under the strict regime:
- Names (patient, family, physicians)
- Geographic details finer than state (street, city, any ZIP code digits beyond the first three)
- Dates tied to the person (birth, death, admission, discharge)
- Phone / fax numbers
- Email addresses
- Social security numbers
- Medical record numbers (MRN)
- Health plan beneficiary numbers
- Account numbers
- Certificate / license numbers
- VIN / license plate numbers
- Medical device serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voice)
- Full-face photos
- Any other unique identifier
- And: anything that combined with other data enables re-identification
2. De-identification — two legal methods
- Safe Harbor: remove the 18 identifiers above + roll ages ≥ 89 to "90+". Automatable. OraData runs this pass before client delivery by default.
- Expert Determination: a certified statistician attests re-identification risk is "very small". Used when Safe Harbor breaks scientific utility (longitudinal studies). Pricier, required for some research protocols.
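The Safe Harbor pass described above, as an added example (not OraData's own anonymizer): it strips the direct identifiers from a DICOM-style header, reduces person-linked dates to the year, rolls ages of 89 and over into the "90+" bucket (and drops the birth date that would otherwise reveal that age), and truncates ZIP codes to their 3-digit prefix. Tag names are standard DICOM attribute names; `PatientZipCode`, the sample header and the small-population ZIP set are constructed for the demo. The same logic applies unchanged to a pydicom Dataset with attributes of those names.

```python
import re
from typing import Dict, List, Tuple

# Direct identifiers (from the 18-identifier list) that Safe Harbor removes outright.
# Keys are DICOM attribute names; the category is kept for the audit trail.
DIRECT_IDENTIFIERS = {
    "PatientName": "name",
    "PatientID": "medical record number",
    "OtherPatientIDs": "medical record number",
    "PatientAddress": "geographic detail",
    "PatientTelephoneNumbers": "phone/fax number",
    "ReferringPhysicianName": "name",
    "PerformingPhysicianName": "name",
    "InstitutionName": "geographic detail",
    "DeviceSerialNumber": "device serial number",
    "AccessionNumber": "account number",
}

# Dates tied to the person keep only the year (DICOM DA values are YYYYMMDD).
PERSON_DATES = ("PatientBirthDate", "StudyDate", "SeriesDate", "AcquisitionDate")

# Constructed placeholder: 3-digit prefixes covering 20,000 people or fewer must
# become "000" (45 CFR 164.514(b)(2)(i)(B)). Real values come from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_date(da: str) -> str:
    """Reduce a DICOM DA value (YYYYMMDD) to its year."""
    if not re.fullmatch(r"\d{8}", da):
        raise ValueError(f"not a DICOM DA value: {da!r}")
    return da[:4]


def generalize_age(age: str) -> str:
    """DICOM AS is nnn followed by D/W/M/Y; 89 years and over collapse to '90+'."""
    m = re.fullmatch(r"(\d{3})([DWMY])", age)
    if not m:
        raise ValueError(f"not a DICOM AS value: {age!r}")
    years, unit = int(m.group(1)), m.group(2)
    return "90+" if unit == "Y" and years >= 89 else age


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only; small-population prefixes become 000."""
    prefix = zip_code.strip()[:3]
    if not re.fullmatch(r"\d{3}", prefix):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def safe_harbor(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a de-identified copy of `record` plus an audit trail of every change."""
    clean = dict(record)
    audit: List[str] = []
    for tag, category in DIRECT_IDENTIFIERS.items():
        if tag in clean:
            del clean[tag]
            audit.append(f"removed {tag} ({category})")
    for tag in PERSON_DATES:
        if tag in clean:
            clean[tag] = generalize_date(clean[tag])
            audit.append(f"generalized {tag} to year")
    if "PatientAge" in clean:
        rolled = generalize_age(clean["PatientAge"])
        if rolled != clean["PatientAge"]:
            clean["PatientAge"] = rolled
            audit.append("rolled PatientAge to 90+")
            # A birth year would reveal the age again, so it goes as well.
            if clean.pop("PatientBirthDate", None) is not None:
                audit.append("removed PatientBirthDate (reveals age >= 89)")
    if "PatientZipCode" in clean:
        clean["PatientZipCode"] = generalize_zip(clean["PatientZipCode"])
        audit.append("truncated PatientZipCode to 3-digit prefix")
    return clean, audit


# Constructed sample header; not a real patient file.
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE",
    "PatientID": "MRN-0001234",
    "PatientBirthDate": "19310415",
    "PatientAge": "092Y",
    "PatientAddress": "12 Example St, Springfield",
    "PatientZipCode": "10201",
    "StudyDate": "20240307",
    "Modality": "MR",
    "StudyDescription": "Brain MRI without contrast",
    "DeviceSerialNumber": "SN-77A9",
}

if __name__ == "__main__":
    cleaned, trail = safe_harbor(SAMPLE_HEADER)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("\n".join(trail))
```

The audit trail is what a reviewer or admin checks when a client asks what was removed; keeping it separate from the cleaned record means the cleaned file itself carries no trace of the original values.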
3. Responsibilities by role
Provider / Collector (DICOM / radiology upload)
- Patient consent signed BEFORE capture. Form validated by your institution + archived 10 years.
- Pre-upload anonymization: DICOM anonymizer tools (dcm4che, gdcm, RSNA) strip personal headers.
- You can upload without being a doctor, provided you are qualified for the medical vertical and have passed HIPAA training.
- You CANNOT annotate or diagnose, even on your own files. OraData enforces this at the database level (row-level security).
- Spot residual PHI in a file → Submissions → Flag PHI. Admin pulls the file and refunds your time.
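Residual PHI usually hides in free-text fields that header anonymizers leave alone (study descriptions, image comments, file names, burned-in text after OCR). The scanner below is an added example, not OraData's Flag PHI implementation: it runs pattern checks for the identifier classes that regexes catch reliably (SSN, phone, email, MRN, full dates, IPv4, URL) and reports which field triggered. Names have no reliable pattern, which is why the manual flag step exists. The sample record is constructed.

```python
import re
from typing import Dict, List, Tuple

# Identifier classes with a stable textual shape. Names are deliberately absent:
# they need NER or a human reader, not a regex.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[ \-:#]*\d{5,}\b", re.IGNORECASE),
    "full_date": re.compile(r"\b(?:\d{4}[-/]\d{2}[-/]\d{2}|\d{2}[-/]\d{2}[-/]\d{4})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (identifier class, matched text) for every hit in one string."""
    hits: List[Tuple[str, str]] = []
    for label, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0)))
    return hits


def scan_record(record: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every string value; return only the fields that produced hits."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for field, value in record.items():
        if isinstance(value, str):
            hits = scan_text(value)
            if hits:
                findings[field] = hits
    return findings


def needs_phi_flag(record: Dict[str, str]) -> bool:
    """True when the file should be held back and flagged rather than uploaded."""
    return bool(scan_record(record))


# Constructed sample: a header after tag stripping, with leftovers in free text.
SAMPLE_RECORD = {
    "Modality": "CT",
    "StudyDescription": "CT abdomen, call Dr. Smith 555-867-5309 with results",
    "ImageComments": "MRN 0001234 re-read 2024-03-07",
    "SeriesDescription": "Axial 5mm",
}

if __name__ == "__main__":
    for field, hits in scan_record(SAMPLE_RECORD).items():
        for label, text in hits:
            print(f"{field}: {label} -> {text}")
    print("flag:", needs_phi_flag(SAMPLE_RECORD))
```

A hit is a reason to stop and flag, not a verdict: the phone pattern will also catch some non-phone digit strings, and "Dr. Smith" in the sample passes the scanner untouched. Treat the output as a pre-upload gate that must come back empty, with a human reader behind it.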
Doctor annotator / verifier
- Mandatory credential verified by OraData admin before access to medical items.
- All annotations + medical decisions pass double-blind (OraData Golden Rule + medical convention).
- Spot a critical pathology (aggressive cancer, aneurysm, open fracture) in an anonymized dataset where the patient could still benefit → "Incidental Finding Escalation" button. OraData relays to the client; the client retraces the patient via their own systems.
- You NEVER communicate the diagnosis directly to the patient (you don't know their identity) — only the client (source hospital) can.
- Your annotation report becomes dataset data — make it factual, timestamped, signed.
4. Patient consent and authorization
For medical data to enter an OraData dataset, one of the following three conditions must be established by the client (producer):
- Patient-signed HIPAA authorization specifying research + AI use.
- IRB exception (ethics committee): institutional approval attesting minimal risk.
- Complete de-identification: no PHI leaves the source hospital → outside strict HIPAA scope.
5. BAA — Business Associate Agreement
HIPAA requires a BAA between every covered entity (hospital, insurer) and any business associate handling PHI (OraData, you as a reviewer).
- OraData has signed a BAA with every US hospital client.
- OraData signs a BAA with every medical reviewer before their first mission. It extends your generic NDA.
- Key BAA terms: protect PHI, notify any breach within 60d, return or destroy data at engagement end.
- Without a signed BAA, you don't access medical missions — even if you passed the HIPAA test.
6. Breach notification
Breaches that count as "notifiable":
- Accidental share of a non-anonymized file to a colleague without BAA
- Leak via social-network screenshot
- Loss / theft of the device used for review
- Unauthorized third-party access (family, roommate) to your OraData account
- Malware exfiltration
7. Penalties (reality of risk)
- Civil violation (no intent): $100 to $50k per violation, annual cap $1.9M.
- Violation with knowledge (knew but no negligence): $1k to $50k per violation.
- Willful neglect corrected < 30d: $10k to $50k per violation.
- Willful neglect uncorrected: $50k per violation + criminal prosecution (fine ≤ $250k + up to 10 years prison).
- Criminally, the responsible party is the negligent reviewer AND/OR OraData (causal chain apportioned).
8. International frameworks — outside the US
- EU / CEMAC: GDPR applies — health data = special category, explicit legal basis required (consent or public interest). Penalty: up to €20M or 4% global turnover.
- Canada: PIPEDA + PHIPA (Ontario) + provincial laws.
- Brazil: LGPD (Lei Geral de Proteção de Dados).
- Japan: APPI amended (2022).
- Sub-Saharan Africa: emerging framework laws (Malabo Convention, local DPAs). OraData applies the strictest standard applicable to the client.
9. Special cases
Children (minors)
- Parental consent + minor assent (age-appropriate — typically ≥7).
- Strengthened requirements: mandatory de-identification before any OraData share.
- No public named pediatric imaging dataset — ever.
Genetic data
GINA (Genetic Information Nondiscrimination Act, US) + special GDPR provisions. Genetic samples are PHI by nature — any sequence can technically re-identify the donor. OraData does NOT process raw genetic data today. Should future datasets include it, a dedicated migration and guide section will follow.
Mental health
Psychiatric records + psychotherapy notes carry an even stricter regime (HIPAA § 164.508(a)(2)). Distinct consent required for each disclosure. Cannot be covered by a generic authorization.
10. How OraData enforces HIPAA technically
- Private `uploads` bucket (migration 0030 + Phase 2). No PHI accessible via public URL.
- RLS on raw_data: non-doctors NEVER access medical items, even via direct DB query (migration 0034).
- Signed URLs with a 15-minute TTL for every view.
- Admin audit log on every admin action + flag_risk on any anomaly.
- Ban system auto-triggers on critical flag (virus, PHI leak).
- EXIF strip on every uploaded photo (migration 0032) — removes GPS + camera serials.
- Admin-grade encryption at rest (Supabase vault) for email / phone / diplomas.
- GDPR delete route: immediate anonymization + wallet payout within 7d.
- BAA signed between OraData and medical reviewer before first mission.
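To make the 15-minute TTL concrete, here is an added example of how a time-limited signed URL is issued and checked. It is an illustrative HMAC scheme, not Supabase's signed-URL implementation and not OraData's code: the server keeps a secret key, signs the object path together with an expiry timestamp, and a viewer request is served only if the signature matches the path and the expiry has not passed. The key, paths and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret that never leaves the signing service.
SIGNING_KEY = b"constructed-demo-key-replace-in-real-use"
TTL_SECONDS = 15 * 60


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over path and expiry, so neither can be changed independently."""
    msg = f"{path}\n{expires}".encode()
    digest = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_url(path: str, now: Optional[int] = None) -> str:
    """Issue a viewing URL for `path` that is valid for TTL_SECONDS from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + TTL_SECONDS
    return f"{path}?{urlencode({'exp': expires, 'sig': _mac(path, expires)})}"


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a presented URL may be served; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed exp/sig"
    # Constant-time comparison: the signature covers the path as presented,
    # so pointing the URL at a different object or a later expiry breaks it.
    if not hmac.compare_digest(sig, _mac(parts.path, expires)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed clock value
    url = sign_url("/uploads/study-abc.dcm", now=issued_at)
    print(url)
    print("after 1 min :", verify_url(url, now=issued_at + 60))
    print("after 15 min:", verify_url(url, now=issued_at + 15 * 60))
```

The check order matters less than the fact that both checks run: a forged expiry fails the signature, and a genuine link fails the clock once the 15 minutes are up, which is what prevents a screenshot of the address bar from being a durable door into the bucket.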
11. Your concrete workflow
- Pass Foundation (20 MCQs).
- Pass Medical Imaging vertical test (30 MCQs).
- Submit medical license + diploma + board cert via Settings → Credentials.
- Wait for admin verification (~48 business hours).
- Pass the internal HIPAA test (30 MCQs — requires verified credentials).
- Sign the OraData BAA (PDF emailed, electronic signature).
- You can now accept medical missions. Dashboard unlocks Medical items tab.
- Every annotation carries a factual timestamped signed report.
- HIPAA refresher every 12 months (auto-notification).
12. Pay
- Medical tasks pay 1.5× to 3× other verticals based on complexity.
- Full MRI / PET-CT: high unit price due to read time (30-60 min).
- Simple chest X-ray: flat lower price.
- Kappa > 0.9 quality bonus: +15%.
- Relevant incidental-finding escalation: +$50 flat (time reimbursement + ethical gesture).
13. Ethos
14. When in doubt — who to contact
- Clinical question (borderline case, protocol) → medical-lead@oradata.ai (licensed MD, <24h response).
- PHI suspicion / breach → security@oradata.ai + "PHI incident" button in Submissions (immediate).
- Administrative question (pay, BAA, credential) → support@oradata.ai.
- Mental health / emotional load → Settings → Doctor wellbeing → free consultation with peer / partner psychologist.
Must remember
- PHI = 18 identifiers + anything re-identifying.
- Safe Harbor or Expert Determination — never "it'll be fine".
- Medical collector: you can upload, not annotate.
- Medical annotator: verified credential + BAA + HIPAA test mandatory.
- DICOM anonymization = active step, not an assumption.
- Incidental finding → escalation button, never direct to the patient.
- Suspected breach → stop, email security@oradata.ai immediately; the notification deadline is 60 days.
- Annual HIPAA refresher.
- Primum non nocere: when in doubt, pass.
OraData · public guide · revised 2026
Cover photo: National Cancer Institute · Unsplash