Mammography Quality Standards Act (MQSA) – FDA Changes Effective 9/10/2024

On March 10, 2023, the FDA announced the final rule amending the MQSA regulations. Physicians and hospitals have had 18 months to adopt the FDA’s changes going into effect on September 10, 2024. These requirements are outlined below.

Breast Density Notification: Mammography reports must now include a classification of breast density using one of four categories. Depending on the density, patient lay summaries must include specific notification statements explaining the implications of breast density for cancer detection and risk.

Mammography Reports: Breast density refers to the proportion of fibrous and glandular tissue compared to fatty tissue in the breast. The four breast density classifications defined by the American College of Radiology’s Breast Imaging Reporting and Data System (BI-RADS) have changed from numerical to alpha categories. One of these categories must be documented in the report.

1. Category A – Almost entirely fatty.

2. Category B – Scattered areas of fibroglandular density.

3. Category C – Heterogeneously dense.

4. Category D – Extremely dense.

Post-Biopsy Mammography:

Billable: If different modalities are used for biopsy guidance and post-biopsy mammography, the mammography is billable.

Non-Billable: If the same modalities are used for biopsy guidance and post-biopsy mammography, the post-procedure mammography is not billable.

Examples:

  • MRI-guided breast biopsy with post-biopsy mammography = Yes
  • Stereotactic-guided breast biopsy with post-biopsy mammography = No

When post-biopsy mammography is performed and dictated in the same report as biopsy, a separate paragraph describing the post-biopsy mammogram technique and findings should be clearly stated.

Based on carrier policy, some plans may require a separate report.

Post-biopsy mammography is not required to have BI-RADS categories documented.

FDA Inspections for MQSA will now include the following requirements:

Patient Lay Summaries: At a minimum, the reports must include the facility’s name, city, zip code, and telephone number. If there is more than one facility within a healthcare organization, the facility where the imaging took place must be listed on the report.

Depending on whether the patient’s breast density is dense or not dense, as indicated by the mammography report, the patient lay summary must include one of the following notification statements. The FDA strongly recommended adhering to this specific wording.

  • “Breast tissue can be either dense or not dense. Dense tissue makes it harder to find breast cancer on a mammogram and also raises the risk of developing breast cancer. Your breast tissue is not dense. Talk to your healthcare provider about breast density, risks for breast cancer, and your individual situation.” 
  • “Breast tissue can be either dense or not dense. Dense tissue makes it harder to find breast cancer on a mammogram and also raises the risk of developing breast cancer. Your breast tissue is dense. In some people with dense tissue, other imaging tests in addition to a mammogram may help find cancers. Talk to your healthcare provider about breast density, risks for breast cancer, and your individual situation.”

Communication of Results: If a mammogram is assessed as “Suspicious” or “Highly Suggestive of Malignancy,” the healthcare provider and patient must be notified within 7 days.

If the exam has an assessment of “Incomplete: Need prior mammograms for comparison,” the facility issues a follow-up report with a final overall assessment within 30 calendar days of the initial report, regardless of whether comparison views are obtained.

Medical Outcomes Audit: Facilities must conduct an annual audit, tracking predictive values, cancer detection rates, and recall rates for each interpreting physician and the facility as a whole.

Accreditation and Equipment: Facilities failing three consecutive accreditation attempts will face a one-year ban from reapplying. All mammography devices must possess the applicable FDA premarket authorization standards.

Personnel Records: Facilities must maintain training and qualification records for current and former personnel, making these records available for review during MQSA inspections.

Records of personnel no longer employed by the facility must be maintained for no less than 24 months from the date of the departure of the employee, and these records must be available for review at the time of any annual inspection occurring during those 24 months.

The facility shall provide copies of these personnel records to current interpreting physicians, radiologic technologists, and medical physicists, upon request. Facilities must provide personnel records to former employees if the former employees communicate their request within 24 months of their departure date.

Recordkeeping and Transfer: Transfers of mammogram imaging and reports, or release of copies, must take place within 15 calendar days of the facility receiving the request. For digital mammograms or digital breast tomosynthesis, if the examination is being transferred or released for final interpretation purposes, the facility must be able to provide the recipient with original digital images electronically.

Before a facility closes or terminates mammography services, it must make arrangements for patients and healthcare providers to access those mammographic records. The facility must notify its accreditation body and certification agency in writing of the arrangements it has made and must make reasonable efforts to notify all affected patients.

Self-Referred Patients: Facilities must have a system for referring patients without healthcare providers, especially when findings are potentially malignant.

Failure to comply with these regulations could result in enforcement actions by the FDA. Importantly, the FDA may take action even when noncompliance is found by means other than an inspection.

Failure to meet the MQSA standards can result in the following actions.

  • Warning Letters: The FDA may issue warning letters to facilities not complying with MQSA standards, detailing the specific violations and requiring corrective actions within a specified timeframe.
  • Suspension or Revocation of Certification: The FDA can suspend or revoke the certification of a facility, which would prevent them from performing mammography services until compliance is achieved.
  • Fines and Penalties: Non-compliant facilities may face monetary penalties or fines for failing to meet MQSA requirements.
  • Legal Action: In severe cases, the FDA may pursue legal action, including seeking injunctions or other judicial remedies to enforce compliance.
  • Patient Notification: Facilities may be required to inform patients and their physicians if the quality of mammograms is substandard due to non-compliance.
  • Onsite Inspections: The FDA might conduct more frequent and rigorous inspections to ensure corrective actions are implemented and maintained.
  • Mandatory Corrective Action Plans: Facilities could be required to submit and follow a detailed corrective action plan to address the deficiencies identified during inspections.

Additional Information Excerpts

For the entire rule: Federal Register :: Mammography Quality Standards Act

To read the entire FDA article: Important Information: Final Rule to Amend the Mammography Quality Standards Act (MQSA) | FDA

Questions for MQSA: Hotline MQSAhotline@versatechinc.com or 1-800-838-7715

Resources: FDA, Federal Register

StreamlineMD provides Revenue Cycle Solutions to Radiology & Interventional Specialists. Our Mission is to Improve Healthcare for All Americans.  Our Core Values that guide us on our mission are Service Quality, Teamwork, Accountability, Efficiency, Adaptability, Communication, and Integrity. Proud winner of the Great Place To Work award. Learn more about us at streamlineMD.com.

Notice

Cyber Incident Update – 9/28/25 at 6:00 pm EST:

StreamlineMD applications are up and live!

We are pleased to inform you that, following clearance from our cybersecurity experts, client access to our system has been restored. You may begin accessing the system starting at 6:00 PM EST today, Sunday, September 28, 2025.

Please note that while core functionality is fully restored, the following features are currently unavailable as we continue working to bring all components back online:

1. SMD Mobile App (viewing PDF chart)
2. Patient Portal
3. RxPhoto (inside the EHR)

We are working to restore these remaining services as quickly and securely as possible.

We will continue to monitor system performance closely and will provide updates as additional components become available.

If you experience any issues or require support, please contact our support team directly at 330-564-2641.

Thank you once again for your continued patience, understanding, and trust.

Cyber Incident Update – 9/28/25 at 2:00 pm EST:

Following our scheduled call with the cybersecurity team earlier today, we have been advised that additional security measures must be implemented before client access can be restored. Specifically, changes to our VPN configuration are required to ensure a more secure connection environment.

Our internal teams are actively working on these adjustments and will move as quickly and carefully as possible to complete the necessary changes.

Our next update will be at 4:00 PM EST.

Cyber Incident Update – 9/28/25 at 12:00 pm EST:

We are pleased to share that our internal teams currently have access to the system environment. In the interim, if needed, we are able to assist by running your patient appointment schedules for the week. Please contact our support team or email at smdhelpdesk@prcmedicalllc.zohosupport.com if you require this service.

We are scheduled to meet with our cybersecurity team at 1:00 PM EST today to review final clearance for restoring client access. We will provide another update following that discussion.

We appreciate your continued patience and partnership as we work to bring services back online safely and securely.

Cyber Incident Update – 9/27/25 at 10:00 pm EST:

We are pleased to report that our routine nightly processes have completed successfully, and the system environment remains stable and fully operational.

At this stage, we are awaiting final clearance from our cybersecurity partner before restoring client access.

However, our partner informed us that they need more time and so this clearance will not be available until after 1:00 PM EST tomorrow, Sunday, September 28, 2025.

Thank you for your patience while we maintain the highest standards of security and system integrity. 

Cyber Incident Update – 9/27/25 at 7:00 pm EST:

We are continuing to move forward with final preparations for restoring system access. Our internal teams have completed their validation processes, and the environment remains fully operational.

At this time, we are running our routine nightly processes to further confirm system stability and readiness. We continue to await final clearance from our cybersecurity experts to bring services fully back online.

We remain optimistic that systems will be accessible to clients by tomorrow morning, Sunday, September 29, 2025, at 7:00 AM EST.

As always, we are taking every measure to ensure a secure and controlled restoration.

Thank you again for your continued patience and support. Our next update will be provided by 10:00 PM EST.

Cyber Incident Update – 9/27/25 at 11:00 am EST:

We are pleased to share that our team has gained access to the system environment and is actively conducting testing—an important step toward the full restoration of services.

As part of this process, we have completed testing of the Practice Management (PM) and Coding software and are pleased to report that no issues have been identified with the software. Testing will continue across all system components to ensure overall stability and reliability.

Our teams will continue working throughout the day to validate all aspects of the system before bringing it back online.

We are deeply grateful for your continued patience, support, and trust as we proceed with restoration in a safe and controlled manner.

We will provide another update at 2:00 pm EST.

Cyber Incident Update – 9/26/25 at 7:00 pm EST:

We are pleased to share that our team is now gaining access to the system environment and actively conducting testing. This is an important step toward full restoration of services.

We again want to reassure you that there is no evidence of any compromise of Protected Health Information (PHI) or damage to our systems.

Our teams will continue to work throughout the evening and into the weekend to validate all aspects of the system before bringing it back online.

Thank you for your continued patience, support, and trust as we move forward with restoration in a safe and controlled manner.

We will provide another update at 10:00 am EST on Saturday, September 27, 2025.

Cyber Incident Update – 9/26/25 at 3:00 pm EST:

We continue to make steady progress in our restoration efforts. At this time, 95% of servers have been cleared; however, they remain behind protective firewalls as we work closely with our team of experts toward full restoration.

The StreamlineMD systems will remain unavailable for the rest of today, Friday, September 26, 2025. Our teams will begin comprehensive testing of all aspects of the system as soon as possible, likely this evening and over the weekend.

Importantly, there is no evidence of any compromise of Protected Health Information (PHI) or damage to our systems.

We truly appreciate your support and understanding during this process. You are important to us, and we remain committed to restoring services safely and securely.

We will provide another update at 6:00 pm EST.

Cyber Incident Update – 9/26/25 at 2:00 pm EST:

We continue to work diligently this afternoon with our cybersecurity team and are making steady progress.   

We anticipate the StreamlineMD systems will remain inaccessible for the remainder of today, Friday, September 26, 2025.  

We will provide another update at 6:00 pm EST.

We appreciate your continued patience and understanding as we work to restore services in a secure and controlled manner.

Cyber Incident Update – 9/26/25 at 11:00 am EST:

We continue to work throughout the day with our cybersecurity team and continue to make progress.  

We anticipate the StreamlineMD systems will not be accessible before 3:00 pm EST on Friday, September 26, 2025.

We will provide another update at 2:00 pm EST.

We appreciate your continued patience and understanding as we work to restore services in a secure and controlled manner.

Cyber Incident Update – 9/26/25 at 09:00 am EST:

We continue to work this morning with our cybersecurity team and continue to make progress.   

We still don’t anticipate StreamlineMD systems to be fully operational before 12:00 pm EST on Friday, September 26, 2025.  

We will provide another update at 12:00 pm EST.

We appreciate your continued patience and understanding as we work to restore services in a secure and controlled manner.

Cyber Incident Update – 9/26/25 at 07:00 am EST:

We have continued to work through the night with our cybersecurity team and continue to make progress.  

We will continue restoring servers to service and testing internally. 

We still don’t anticipate StreamlineMD systems to be fully operational before 12:00 pm EST on Friday, September 26, 2025. 

We will provide another update at 9:00 am EST.

We appreciate your continued patience and understanding as we work to restore services in a secure and controlled manner.

Cyber Incident Update – 9/25/25 at 11:00 pm EST:

So far, we are making great progress, and our systems are internally coming back online. At this time, there is no evidence of system damage or PHI compromise.

Throughout the night, we will continue restoring servers to service and testing internally.

We don’t anticipate StreamlineMD systems to be fully operational before 12:00 pm EST on Friday, September 26, 2025.

We will provide another update on Friday, September 26, at 6:00 am EST.

Cyber Incident Update – 9/25/25 at 7:00 pm EST:

We are currently in the process of restoring our servers and anticipate determining a timeline for resuming full operations by 10:00 PM EST this evening, September 25, 2025.

Our team continues to work diligently and in close coordination with our security partners in response to the cybersecurity incident that occurred during the overnight hours of September 24, 2025. As a precaution, our systems remain offline to prevent any potential data compromise. We continue to follow our established cybersecurity protocols to ensure the protection and integrity of your data.

We will provide our next update by 10:00 PM EST today.

We appreciate your continued patience and understanding as we work to bring our systems back online safely.

Incident Update – 9/25/25 at 12:00 pm EST:

StreamlineMD is currently working closely with our security team to address a cybersecurity incident that occurred during the overnight hours of September 24, 2025. As a precautionary measure, we proactively shut down our systems to prevent any potential data compromise.

Our team is actively following established cybersecurity protocols to ensure the continued protection of your data. At this time, the software will remain inaccessible for the remainder of the day, September 25, 2025.

We understand the impact this may have on your operations and sincerely appreciate your patience and understanding. We are committed to providing updates as frequently as possible and will keep you informed of our progress.

StreamlineMD is experiencing a cyber incident

Our security software detected malicious behavior, and our team of internal and external experts is working to resolve the issue. The security team has made it clear that we need to shut down our services altogether, pending a more detailed analysis.