One thing to keep in mind here is that DICOM and HIPAA are two completely different animals and don't have much to do with one another. An instrument being DICOM compliant doesn't mean it will be HIPAA-fied.

DICOM is a "standardised" data structure, which means an instrument that is DICOM compliant "should" be able to exchange data with other DICOM compliant systems. Be aware that DICOM isn't a silver bullet for data/system integration; there are varying "flavors" or dialects of DICOM. If the 2 pieces don't speak the same dialect, then things get much more complicated.

HIPAA deals with keeping Protected Health Information safe and has multiple facets, some of which are as simple as password-protecting systems that contain PHI, individual log-ins to such systems, and audit trails for data access, i.e. who is looking at what data. While DICOM-izing an instrument may ultimately push your data into a HIPAA compliant system, it doesn't make the instrument itself or the data it can access HIPAA compliant.

If it were my project, I'd ask my HIPAA expert to come to clinic and look at the instrument with me so they understand how it is used, and then generate a specific list of concerns and pose that to the vendor.

That said, I think this is a GREAT thread and am also VERY curious if someone out there has gone through the process from the perspective of a large institutional hospital, because it's going to be very interesting. Unfortunately I don't know that there will be one absolute answer; I think the way HIPAA has been constructed, it leaves much open to interpretation.

j-