HIPAA and Photography

Photography can be a great marketing tool... and it can also land your medical practice in hot water. Here are the do's and don't of photography when it comes to HIPAA.
It may not be the first tool that you think of, but photography can be very useful for treatment within the healthcare industry, especially for certain disciplines like dermatology, dentistry, and plastic surgery. Although photography has the ability to increase the quality of care, just as we saw with social media and HIPAA, photography presents great risks for noncompliance. 

HIPAA Compliant Medical Photography

This specific type of photography is used for documentation purposes in many avenues of the healthcare industry. Medical photographers can take on many forms like a full-time staff person that is specifically trained to document medical procedures or just an additional resource that all medical personnel can utilize. 

Here are two of the main ways that medical photography is utilized: 

  • For documentation of areas of concern like lesions, acne, etc  
  • To keep track of before & after pictures of treatment for detailed patient info 

What type of pictures are considered Protected Health Information (PHI)?

Any photo with identifying information such as: 

  • Patients face, name or initials
  • Date of birth or date of service 
  • Birthmarks, moles or tattoos 

If patient photos that are solely used for healthcare operations like training or teaching they do not need express consent but photos for external use like conferences, seminars do need explicit patient consent/release. For any use, only photos where all the potential identifiers have been entirely removed are considered to be safe from exposing PHI. 

What kind of Photo would be a HIPAA Violations?

Common forms of HIPAA photo violations: 

  • Disclosing photos without proper encryption and protection 
  • Sharing unauthorized photos of patients on social media 
  • Using photos in marketing campaigns without consent 
  • Taking patient photos out of the practice on devices 

Since most of the HIPAA violations that occur relating to photography are due to human error, it is important for organizations to set clear policies and training for their employees. Staff should be trained on the organization’s policy regarding photography and potential consequences, both personal and organizational, of violating it. In order to prevent employees from making a costly mistake, companies should dictate all of the proper ways to handle photo PHI on social media and otherwise. 

Areas to prevent HIPAA photo violations

Storage

  • Prevent photos from staying on devices indefinitely 
  • Wipe devices of photos before it leaves the office each time 
  • If using a DSLR, upload pictures to a computer regularly & then wipe SD card 
  • Encrypt all photos and information that is stored 
  • Utilize HIPAA compliant services, like RxPhoto, that help store photos in a proper way 
  • Only take photos on a facility-owned or approved equipment
  • Ensure that photos are never taken on employee’s personal phones 

Communications

  • Do not email or text any protected health information without proper encryption software, make sure to use HIPAA compliant email provider
  • Ensure that patients have given consent for their photos to be shared, with the knowledge of what is being shared & with whom it is being shared 
  • Comply with the minimum necessary standard in sharing PHI 

Social Media

  • Do not speak on social media in any way that can confirm or recognize a person as a patient of that practice 
  • This can be as simple as saying “Glad you enjoyed your visit.” or comment on a treatment “We’re glad you’re happy with your treatment.”
  • Keep specific recommendations for treatment that can be taken as medical advice off of social media
  • Be careful to keep photos of patients off of social media in any form that has not been explicitly consented to by that patient 

Educate your staff 

  • To account for human error, clearly train all employees on utilizing photography but maintaining HIPAA compliance 

Marketing 

  • Must have clear consent for any patient identifiable information or their likeness to be used in any form of marketing - whether for a product or a service. 
  • If any photo is used without consent, verify that all identifiable information has been removed from the picture
  • Simply blurring the face of an individual is not a guarantee that all PHI has been protected


When it comes to guaranteeing that your practice or organization is properly protecting photos that contain PHI, it may seem complex or confusing. That is why Accountable works to simplify all the steps that are necessary for ensuring that you are HIPAA compliant. If you are wondering where your organization stands in terms of the level of risk for noncompliance, take our short, free risk assessment test to see where you might need to adjust your HIPAA compliance.

Need HIPAA help?

Accountable can help you achieve HIPAA compliance for your company.

More Articles