Radiology Imaging Safety Program: ACR, MQSA + State Requirements
9 min read · Last reviewed May 23, 2026
A radiology imaging safety program is built on four overlapping authorities: the FDA's Mammography Quality Standards Act at 21 CFR Part 900 for mammography, ACR or another CMS-recognized accreditation organization for advanced imaging billed to Medicare under 42 CFR § 414.68, the state radiation control program for equipment registration and operator credentialing, and CMS imaging-billing rules under Pub. 100-04. A radiology practice that has ACR accreditation but lacks the state radiation-control evidence is exposed. So is one that has state registration but billed Medicare for an advanced modality without an active accreditation.
What the agencies actually require for a radiology practice
MQSA (mammography only): The FDA's Mammography Quality Standards Act framework at 21 CFR Part 900 sets equipment standards, personnel qualifications, QC procedures, and reporting requirements. Every mammography facility must have an FDA-issued MQSA certificate. The FDA delegates inspections to state agencies in most states. MQSA inspections are annual and unannounced. FDA classifies inspection observations from Level 1 (the most serious — a failure of a key MQSA requirement that may compromise mammography quality and triggers immediate corrective action, with potential certificate consequences) down through Level 2 (significant deviations) and Level 3 (minor deviations) — Level 1 is not the "no issues" tier. MQSA also requires lay-summary patient notification of mammography results.
MIPPA accreditation for advanced imaging: CMS requires accreditation by a CMS-approved AO for the technical component of advanced diagnostic imaging services (CT, MRI, nuclear medicine, PET) under 42 CFR § 414.68. The CMS-approved AOs are ACR, IAC, the Joint Commission, and (for some modalities) others. Accreditation covers equipment performance, personnel qualifications, image quality, safety, and quality assurance. Cycles are typically three years; the AO conducts on-site or remote review per its manual.
State radiation control programs: Each state operates a radiation control program under state law, often inside the department of public health, environmental quality, or labor. The Suggested State Regulations for the Control of Radiation (SSRCR) published by the Conference of Radiation Control Program Directors are the template most states adopt with variations. State programs handle equipment registration, technologist licensure, shielding plan review, dose limits, and incident reporting. Most states require equipment registration on installation and renewal annually or biennially.
ACR Technical Standards and Practice Parameters: The ACR Practice Parameters and Technical Standards are not regulatory but are widely treated as the standard of care. ACR accreditation requires compliance with the applicable Technical Standard. Litigation and peer review reference the Practice Parameters as the benchmark for what a competent radiology practice does.
CMS billing rules: Modifier and POS rules for imaging are enforced by the MACs and audited by RAC, UPIC, and SMRC. The 26 modifier (professional component) and TC modifier (technical component) must match the entity that performed each component. Global billing requires the practice to have performed both.
What radiology practices most often miss is that ACR accreditation is the floor for Medicare billing, not the ceiling for state compliance. A practice can be ACR-accredited and out of compliance with the state radiation control program's annual inspection requirement.
The documents you must maintain
A radiology safety program binder should produce on demand:
- MQSA certificate for every mammography facility, with the current expiration date and a copy of the most recent MQSA inspection report
- MIPPA accreditation certificate for every advanced-modality unit billed to Medicare (ACR, IAC, JC), with expiration and most recent survey findings
- State radiation control program registration for every radiation-producing device, with the current registration certificate
- Equipment QA logs per device — daily, weekly, monthly, quarterly, and annual checks per the manufacturer manual and the applicable ACR Technical Standard
- Annual qualified-medical-physicist (QMP) evaluation under 21 CFR § 900.12(e)(10) for mammography and the ACR-required QMP review for CT, MR, and nuclear
- Personnel records — interpreting physician, lead interpreting physician, technologist, medical physicist credentials with continuing education evidence
- Technologist state license in every state where imaging is performed
- Patient dose-tracking records where state law requires (and ACR recommends for CT)
- Shielding plan and inspection record approved by the state radiation control program
- Contrast administration protocol with reaction-response plan, reversal agents on site, and contrast-allergy screening
- Incident reports for every radiation-safety incident, near-miss, or contrast reaction
- EQUIP records for mammography under the FDA's quality enhancement framework
- Patient lay-summary mammography notification records under 21 CFR § 900.12(c)(2)
- CMS-855 enrollment current for every imaging supplier billing Medicare, with the MIPPA accreditation status reflected
How imaging audits actually work
Imaging is audited by five distinct entities:
- FDA / state MQSA inspectors conduct annual MQSA inspections at every mammography facility. Findings drive immediate corrective action; certificate suspension is rare but possible.
- CMS-approved AOs (ACR, IAC, JC) conduct accreditation cycles every three years. AO findings can affect Medicare billing eligibility under MIPPA.
- State radiation control program inspectors conduct equipment inspections on a cycle defined by state rule (annual to triennial depending on state and modality). Findings drive equipment registration suspension or fines.
- CMS contractors (RAC, UPIC, SMRC, TPE) audit imaging claims for documentation, accreditation status at the date of service, and modifier accuracy.
- State medical boards and tort litigants review imaging incidents and adverse events. The ACR Practice Parameters are treated as the standard of care.
What we have seen drive imaging-program findings, in order:
- QA logs incomplete — daily, weekly, monthly checks missing for periods that overlap the inspection window.
- QMP annual evaluation overdue — the medical physicist visit lapsed and was not rescheduled.
- Operator credential gaps — a technologist's state license lapsed or the continuing-education requirement was not met.
- Contrast reaction plan stale — reversal agents expired or the protocol references staff who left the practice.
- MIPPA accreditation gap in claims data — a CT performed during a brief accreditation lapse was billed to Medicare.
- MQSA certificate displayed but expired — the renewal application was filed but not completed before expiration.
- Modifier 26/TC errors in billing data — the technical component billed by an entity that did not own or operate the equipment.
Common gaps unique to radiology
The patterns we see most often:
- A new modality added (e.g., CT installed at an outpatient center) without ACR accreditation initiated. Medicare claims billed during the accreditation-in-progress window deny on review.
- Equipment moved between locations without notifying the state radiation control program. Most states require notification within 30 days of relocation.
- Technologist working at multiple sites where one site holds the technologist's primary state license and the secondary site is in a different state without separate licensure.
- Mammography lay-summary letters batch-generated but not actually mailed; QA spot checks miss this.
- Shielding inspection performed at installation, never re-verified after renovations or use-pattern changes.
- Dose-tracking implemented for CT but not actually reviewed — dose creep over time goes unnoticed.
- Contrast-induced nephropathy screening protocol on the wall but not consistently applied in workflow.
- Outside reads by tele-radiologists in states where the tele-radiologist is not licensed.
Maintenance cadence
- Daily: QA checks per the equipment manufacturer manual and the applicable ACR Technical Standard. Document and address any out-of-range result before the day's clinical use.
- Weekly: Mammography phantom imaging under 21 CFR § 900.12(e)(6); processor QC where applicable; CT phantom checks per ACR.
- Monthly: Mammography processor and viewbox QA; review of any incident or contrast reaction; reversal-agent expiration check.
- Quarterly: Sample chart audits for documentation-to-billed-modifier match; review denied claims for accreditation- or modifier-related patterns.
- Semi-annually: Re-verify ACR or IAC accreditation expiration dates; verify state radiation control program registration is current for every device.
- Annually: QMP evaluation for mammography, CT, MR, and nuclear; technologist credential and CE verification; shielding inspection if state requires; review of the full imaging-safety program with the lead interpreting physician.
- Triennially: ACR or IAC accreditation renewal cycle (start the renewal 6-12 months ahead of expiration depending on AO).
- At every equipment change: Notify state radiation control program, re-survey for the AO if a major equipment change, update CMS-855 if a new supplier number is implicated.
- At every facility location change: Notify FDA for MQSA certificate, state radiation control program, ACR, and CMS.
State preemption to watch
State radiation control rules are the principal regulator for non-mammography imaging:
- California: California Department of Public Health Radiologic Health Branch under 17 CCR § 30100 et seq. — equipment registration, certified radiologic technologist (CRT) licensure, fluoroscopy supervisor permits, mammography inspections.
- New York: NYS Department of Health Bureau of Environmental Radiation Protection under 10 NYCRR Part 16 — equipment registration, technologist certification, mammography certificate via FDA delegation.
- Texas: Texas Department of State Health Services Radiation Control Program under 25 TAC Chapter 289 — medical radiologic technologist certification through TMB, equipment registration, mammography inspections.
- Florida: Florida Bureau of Radiation Control under F.S. § 404 — equipment registration, basic operator and CT technologist certification, fluoroscopy operator licensure.
- Illinois: Illinois Emergency Management Agency Division of Nuclear Safety — equipment registration; technologist licensure through IEMA-DNS.
- Pennsylvania: Pennsylvania Department of Environmental Protection Bureau of Radiation Protection — equipment registration, mammography certificate via FDA delegation.
A multi-state radiology practice tracks technologist license, equipment registration, and accreditation status per state per location. Single-state matrix is not sufficient.
How d3rx fits
The d3rx compliance binder includes a radiology section that names the MQSA certificate, MIPPA accreditation, state radiation control program registration, the QA logs per device, the QMP annual evaluation, the technologist credential matrix, and the contrast-reaction protocol. Each element traces to the underlying federal or state authority. See the compliance binder overview for how the imaging section integrates with HIPAA, OSHA, and billing compliance.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Radiology Imaging Safety Program: ACR, MQSA + State Requirements. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Is MQSA only for mammography, or does it cover other modalities?
MQSA covers mammography only. The Mammography Quality Standards Act is codified at [42 USC § 263b](https://www.law.cornell.edu/uscode/text/42/263b) and implemented by FDA at [21 CFR Part 900](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-J/part-900). Other modalities (CT, MR, ultrasound, nuclear, fluoroscopy, plain-film) are not covered by MQSA. They are governed by state radiation-control programs, ACR or other accreditation organization standards if accredited, and CMS imaging-billing requirements where Medicare is billed.
What is the MQSA Enhancing Quality Using the Inspection Program (EQUIP)?
EQUIP is the FDA-required mammography quality program that the lead interpreting physician must oversee. The lead physician evaluates positioning, compression, and image quality on an ongoing basis, documents the evaluation, and responds when image quality falls below the acceptable threshold. EQUIP requirements were integrated into MQSA inspection criteria; inspectors review EQUIP documentation at every annual MQSA inspection.
Does my outpatient imaging center need ACR accreditation?
Only where Medicare reimbursement, payer policy, or state law require it. CMS requires accreditation for the technical component of advanced diagnostic imaging (CT, MRI, nuclear medicine, PET) under [42 CFR § 414.68](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-414/subpart-B/section-414.68) and the [Medicare Improvements for Patients and Providers Act (MIPPA)](https://www.cms.gov/medicare/quality/accreditation) requirement. ACR, IAC, and the Joint Commission are CMS-recognized AOs for MIPPA. Plain-film imaging is not subject to MIPPA but is often subject to state radiation-control program rules.
What does the state radiation control program actually do?
State radiation control programs register and inspect radiation-producing equipment, license radiologic technologists, set shielding and dose-minimization standards, and respond to incidents. Authority varies by state — most operate under state public health or environmental departments. The CRCPD ([Conference of Radiation Control Program Directors](https://www.crcpd.org/)) coordinates state programs. Federal preemption is minimal; the state program is the operative regulator for most non-mammography imaging.
How often must we calibrate CT and fluoroscopy equipment?
Annually for CT under most state and ACR requirements, with quarterly or monthly QC checks per the manufacturer and ACR Technical Standards. Fluoroscopy requires annual qualified-medical-physicist evaluation under most state radiation control programs and ACR fluoroscopy accreditation requirements. The specific intervals are set in state rule, in the accreditation organization manual, and by the manufacturer. The most stringent of the three controls.
What is the Joint Commission's role versus ACR for imaging?
The Joint Commission accredits hospitals and ambulatory care organizations and includes imaging safety in its standards (the Imaging Services chapter in the Ambulatory Care manual). ACR runs modality-specific accreditation programs (CT, MR, mammography, nuclear, breast MRI, etc.) that focus on equipment performance, personnel qualifications, and clinical image quality. A hospital outpatient imaging department may need both; a freestanding imaging center typically holds ACR by modality and meets state radiation-control requirements directly.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 21 CFR Part 900https://www.ecfr.gov/current/title-21/chapter-I/subchapter-J/part-900
- 42 CFR § 414.68https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-414/subpart-B/section-414.68
- 21 CFR § 900.12(e)(10)https://www.ecfr.gov/current/title-21/chapter-I/subchapter-J/part-900/subpart-B/section-900.12
- 10 NYCRR Part 16https://regs.health.ny.gov/
- F.S. § 404http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0400-0499/0404/0404ContentsIndex.html
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- ComplianceThe Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceDME Documentation Requirements: Surviving a DMEPOS AuditHow CMS Pub. 100-08 Chapter 5, 42 CFR § 424.57 supplier standards, and UPIC and SMRC audit procedures govern DMEPOS documentation in 2026, with the exact records auditors request.
- CompliancePain Management Compliance: DEA Registration + PDMP RequirementsHow the DEA registration framework at 21 CFR Part 1304, state PDMP query mandates, and the DOJ's pain-practice enforcement posture apply to chronic-pain prescribers in 2026.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.