
HIPAA Compliance for Elective Ultrasound Studios: What Actually Matters

Jun 2026 9 min read

TL;DR — Even though elective ultrasound is not "medical care," the moment you collect a client's name, date of birth, or imaging tied to a pregnancy, you are handling Protected Health Information (PHI). Most studios unknowingly violate HIPAA every week through USB drives, personal Dropbox folders, and unencrypted email. Fines start at $141 per record and can scale to $2.1M per violation category per year. The fix is straightforward: a HIPAA-aligned delivery platform, a signed BAA, and seven concrete process changes.

There's a myth floating around the elective ultrasound industry that goes like this: "We're not a medical practice, so HIPAA doesn't apply to us." It's wrong, it's been wrong for years, and the Office for Civil Rights (OCR) — the federal body that enforces HIPAA — has been steadily clarifying the point since 2019.

If you collect a client's identifying information and tie it to an image of their unborn child, you are holding PHI. Full stop.

What HIPAA actually says (in plain English)

HIPAA has two main rules that apply to your studio:

The Privacy Rule

Restricts how you can use and disclose PHI. In practice, this means:

  • You can't post a client's scan on Instagram with their name attached without written authorization.
  • You can't email a scan to a grandparent without the client's documented consent.
  • You can't share imaging with a marketing vendor (including an AI portrait service) unless they've signed a Business Associate Agreement (BAA).

The Security Rule

Requires that electronic PHI (ePHI) be protected with:

  • Administrative safeguards — written policies, training, designated security officer
  • Physical safeguards — locked devices, secured workstations
  • Technical safeguards — encryption at rest and in transit, access controls, audit logs

Where elective studios actually get caught

In the studios we audit every year, the same six failures show up in 80%+ of cases:

1. Personal Dropbox / Google Drive folders

A "free" Dropbox account is not HIPAA-eligible. Google Workspace requires a paid business plan plus a signed BAA. Most studios have neither. Every scan you've ever delivered through a personal Drive folder is a documented violation.

2. USB drives without encryption

Hand a client an unencrypted USB stick, and the moment it leaves your studio, you've lost control of unencrypted PHI. If that USB shows up in a lost-and-found, you have a reportable breach.

3. Personal email accounts

Gmail, Yahoo, Outlook.com — none are HIPAA-eligible by default. Forwarding a scan to "mybabyscans@gmail.com" because the office computer is "slow" is a violation, even if you delete it after.

4. SMS / iMessage

Text messaging is not HIPAA-compliant out of the box. Most studios send "here's the link to your photos!" via SMS without realizing the link itself is unauthenticated and indexable.

5. Shared workstations without unique logins

If three sonographers all sign in as "admin" on the same machine, your audit log is meaningless and your access-control safeguard fails.

6. No signed BAAs with vendors

If your scheduling software, your photo enhancer, or your cloud backup has access to client data, you need a BAA on file. Most studios have zero on file.

The breach math: what a violation actually costs

The OCR penalty tiers (current as of 2026):

| Tier | Description | Per-record fine | Annual cap |
|---|---|---|---|
| 1 | Unknowing violation | $141 – $71,162 | $2,134,831 |
| 2 | Reasonable cause | $1,424 – $71,162 | $2,134,831 |
| 3 | Willful neglect (corrected) | $14,232 – $71,162 | $2,134,831 |
| 4 | Willful neglect (uncorrected) | $71,162 – $2,134,831 | $2,134,831 |

A single lost USB containing 50 client scans, prosecuted at the Tier-2 minimum, is $71,200. A studio doing 1,200 scans a year that breaches its entire database is looking at numbers that close the business.

State-level breach notification laws stack on top. California's CMIA, Texas HB 300, and New York SHIELD Act all add their own penalties and notification requirements.

The seven-item compliance checklist

Here's the realistic minimum-viable HIPAA program for an elective ultrasound studio:

  1. Designate a HIPAA Security Officer. This can be the owner. Document it in writing.
  2. Sign BAAs with every vendor that touches PHI. Scheduling software, delivery platform, cloud backup, AI portrait service. No BAA, no PHI.
  3. Move all delivery to a HIPAA-aligned platform. No more USBs, no more personal Dropbox, no more Gmail. This is non-negotiable.
  4. Encrypt every device. FileVault on Mac, BitLocker on Windows, lock screen + biometric on every tablet and phone with access to client data.
  5. Run annual workforce training. A 45-minute training every January, with sign-off documentation. There are vendors that sell turn-key HIPAA training for $79/person/year.
  6. Maintain a breach response plan. A one-page written document covering: who you call, what you log, when you notify clients (60 days max), when you notify OCR (60 days max for breaches affecting 500+ records, annually for smaller breaches).
  7. Keep audit logs for six years. Every access to PHI must be loggable on demand.

Why studios switch to integrated platforms

The reason most studios eventually consolidate onto a HIPAA-aligned delivery platform isn't paranoia — it's economics. Running USBs, signing one-off BAAs, training staff on three disconnected systems, and writing your own breach response plan is a full part-time job.

[Bomee Core](/bomee-core) ships as a HIPAA-aligned delivery platform out of the box: a signed BAA, encryption at rest and in transit, role-based access controls, six-year audit logs, and a documented breach response process. You plug it into your ultrasound machine, your team uses a two-click workflow they already know, and your compliance posture upgrades overnight.

For an in-the-trenches view, our [USB and Dropbox risk breakdown](/insights/the-hidden-risks-of-usbs-dropbox-why-your-studio-needs-a-hipaa-compliant-platform) walks through the dollar math of the old workflow.

The bottom line

HIPAA isn't a technicality. It's the single most overlooked existential risk in the elective ultrasound industry, and OCR enforcement against small healthcare-adjacent businesses has climbed steadily since 2023. The studios that survive the next five years will be the ones who treat compliance as core infrastructure, not as a checkbox.

Want a free 20-minute compliance audit of your current workflow? [Schedule a call with our team](/contact-us) — we'll tell you exactly which of the seven items above you're already passing, and which need attention before your next scan.
