Reduce risk with a strategic approach to digital pathology governance


In the emerging field of digital pathology, labs and other healthcare organizations can take these steps towards compliance with shifting regulations.

Brian Grant, Managing Director, Global Industries - Healthcare
Brian Grant
Managing Director, Global Accounts, Iron Mountain
August 2, 202312 mins
Reduce risk with a strategic approach to digital pathology governance

The nascent practice of digital pathology offers tremendous advantages. However, it can come with risks (perceived or actual) for healthcare organizations. Consider the impact of a patient data security breach or a costly compliance violation. Imagine the effects of losing patient and stakeholder trust.

While digital pathology enhances medical research and advances professional collaboration, guidelines must be put in place to protect patients and their data. Roles and responsibilities must be assessed and defined. Experts must be enlisted, along with technology solutions and services. In other words, the situation calls for a governance strategy.

At this stage, executives and clinicians need to assess the risks and adopt prudent approaches to regulatory compliance. Here we uncover five crucial considerations for organizations developing their own digital pathology governance strategies.

1. Stay updated on changing laws and regulations

There is no permanent state of compliance. Laws and regulations continue to change along with risks and reporting requirements. In considering an innovation such as digital pathology, decision-makers should start by identifying all applicable laws and regulations. Healthcare professionals are already familiar with the multiple directives governing their work, included here for reference. 

Health Insurance Portability and Accountability Act (HIPAA): Digital pathology systems in the United States must comply with HIPAA regulations governing the privacy and security of protected health information (PHI). This includes secure data transmission, risk assessments, audit logs, and other safeguards.

General Data Protection Regulation (GDPR): If operating in the European Union (EU) or processing residents’s data, healthcare organizations must comply with the GDPR. It places strict requirements on data processing, storage, and transfer and emphasizes the need for consent, encryption, and security to protect personal information.

Clinical Laboratory Improvement Amendments (CLIA): CLIA regulations in the US govern quality standards for lab testing and apply to digital pathology laboratories. Compliance involves ensuring the accuracy, reliability, and confidentiality of lab test results, as well as maintaining records and quality control measures.

Food and Drug Administration (FDA) Regulations: In certain cases, digital pathology systems may require FDA approval or clearance, particularly if they involve the primary diagnosis and/or the use of algorithms or artificial intelligence for diagnostic purposes. 

International Organization for Standardization (ISO) Standards: ISO standards guide quality management systems in medical laboratories. Digital pathology systems in ISO compliance adhere to internationally-recognized best practices for quality and accuracy.

Data Privacy and Security Regulations: General data privacy and security regulations may apply to digital pathology systems. This includes personal data protection, data encryption, secure storage and transmission, regular risk assessments, and appropriate access controls.

In addition to the regulations, standards, and advisories listed above, healthcare organizations must adhere to local regulations. It’s best to consult with legal and compliance specialists to avoid negative consequences.

2. Carefully vet technology platforms

When vetting technology platforms for digital pathology, organizations should consider crucial factors such as functionality, security, scalability, and interoperability with existing systems. They should prioritize user experience while ensuring compliance with regulations and certifications. And they should evaluate vendor reputation, support quality, and data backup capabilities, as well as costs and training provisions. These considerations guide organizations toward selecting a platform that meets their needs and fosters successful digital pathology integration. 

The ideal technology implementation will allow authorized access to digital pathology data so colleagues can securely search, annotate, and share images. would support storing and retrieving whole slides and digital images. It would include management tools and use established methods for asset preservation and data protection. That’s a tall order, but one that must also leave room to expand via scalable infrastructure and cloud storage. 

3. Develop effective policies and procedures

After assessing applicable regulations and establishing a plan to monitor changes to those regulations, it’s time to develop institution-wide and department-specific policies and procedures. Experts advise involving human resources to encourage and enable employee cooperation. Policies and standard operating procedures (SOPs) should readily adapt to existing and new workflows, saving the organization time and money. Policies shown to be effective are precisely applicable to the work being performed, aligning with current laws and rules. And they are written in plain language that’s concise and clear about what employees should and should not do.

Governance information should be available and accessible to all employees. Care should be taken to answer questions and provide training on what’s changed, what’s expected, and why. 

4. Safeguard data transmission and storage

Healthcare organizations can and should partner with internal and external experts in data security to help protect patient information and meet compliance objectives. Recommended techniques include: 

  • An auditable chain of custody: a complete, documented, chronological history of the possession and handling of a piece of information or a record from its creation through its destruction.

  • Data encryption: one of the most popular and effective data security methods whereby data is translated into an unreadable code so that only those with a decryption key or password can read it.

  • Access restrictions: identifying, authenticating, and authorizing users through evaluating required login and other credentials and limiting connections to computer networks, system files, and data.

  • Role-based permissions: user controls applied at the role level that can be enhanced by adding criteria based on content metadata to further restrict access to sensitive information.

In one related industry example, the American Telehealth Association (ATA) recently mandated the use of data encryption and recommended only secure data storage locations for PHI and other confidential data. As such, secure technology platforms are becoming essential among many medical associations and for digital pathology programs.

The goal is end-to-end security for time-sensitive digital pathology data and image retrievals. Ultimately, this foundation will enable rapid collaboration among pathologists in hospitals, clinics, and clinical laboratories, as well as clinical and academic researchers. 

Leaders can assess how their security programs compare with others in their market sector by reviewing the latest Security 500 Survey.

5. Provide sufficient and ongoing training

Research published in 2021 details the results from surveying a cross-section of histopathologists, including those with experience in digital pathology research. Nearly half of the respondents reported a lack of understanding of the key issues of consent, legislation, and ethical guidelines for digital pathology. The study determined a “need for specific training in these areas.” 


In the context of digital pathology, staying current with evolving laws and regulations and adhering to directives, regulations, standards, and data privacy rules are essential–along with seeking advice from legal and compliance experts.

When evaluating technology platforms for digital pathology, organizations should consider functionality, security, scalability, and system compatibility. Knowledge of user experience, regulatory compliance, vendor reputation, support quality, data backup, costs, and training should guide decision-making.

Organizations must develop effective policies and procedures. Involving human resources fosters employee cooperation, while clear, adaptable policies aligned with current laws ensure adherence.

Collaborating with data security experts is crucial for patient information protection and regulatory adherence. Methods such as auditable chains of custody, data encryption, access restrictions, and role-based permissions enhance security efforts.

Ongoing training is essential to address knowledge gaps among histopathologists regarding consent, legislation, and ethical guidelines in digital pathology. Specialized training is vital to ensure the seamless integration of digital pathology into healthcare practices.

Elevate the power of your work

Get a FREE consultation today!

Get Started


To learn more about the benefits of a digital pathology program from a trusted source,
explore the brochure or solution briefs.

Reach out to an Iron Mountain expert