HIPAA Compliance and Photography

July 23, 2020
Photography can be a great marketing tool... and it can also land your medical practice in hot water. Learn the do's and don'ts of HIPAA compliant photography.

HIPAA Compliant Photography

It may not be the first tool that you think of, but photography can be very useful for treatment within the healthcare industry, especially in disciplines like dermatology, dentistry, and plastic surgery. Although photography can increase the quality of care, just as we saw with social media and HIPAA, it also presents a significant risk of noncompliance.

Medical photography is used for documentation purposes in many areas of the healthcare industry. The medical photographer can take many forms: a full-time staff member specifically trained to document medical procedures, or simply an additional resource that any member of the medical staff can use.

There are two main ways that medical photography is used. The first is documenting areas of concern, such as lesions or acne; the second is keeping before & after pictures of treatment as part of the detailed patient record. These two purposes are commonly combined to deliver the highest quality of care for patients.

What Pictures Qualify as Protected Health Information (PHI)?

Any photo that shows individually identifiable information is considered PHI. This includes a patient’s face, name or initials, their date of birth, the date of their treatment, or photos of any birthmarks, moles or tattoos.

If patient photos are used solely for healthcare operations, such as training or teaching, then they do not need express consent; photos for external use, such as conferences or seminars, do need explicit patient consent or a release. For any use, only photos from which all potential identifiers have been entirely removed are considered safe from exposing PHI.

HIPAA Photo Violations 

Common forms of HIPAA photo violations: 

  • Disclosing photos without proper encryption and protection 
  • Sharing unauthorized photos of patients on social media 
  • Using photos in marketing campaigns without consent 
  • Taking patient photos out of the practice on devices 

Since most HIPAA violations relating to photography are due to human error, it is important for organizations to set clear policies and provide training for their employees. Staff should be trained on the organization’s photography policy and on the potential consequences, both personal and organizational, of violating it. To prevent employees from making a costly mistake, organizations should spell out the proper ways to handle photo PHI, on social media and elsewhere.

Areas to prevent HIPAA photo violations

One important way to prevent a HIPAA violation via photography is to take all the necessary steps in how these PHI photos are stored. Such photos should not be stored on any device indefinitely, and all devices should be wiped of PHI photos before they ever leave the office. If your organization uses a DSLR camera, make sure that photos are promptly uploaded to approved devices and that the SD card is regularly wiped. To keep these photos beyond their temporary storage on a device, it is important to use software that stores them in a secure, encrypted manner. There are HIPAA compliant services, like RxPhoto, that guarantee these PHI photos are stored properly according to HIPAA.

A major risk for HIPAA compliance is the way PHI is shared between people and organizations, since this process presents a higher chance of hacking or interception. With photography, just as with other forms of protected health information, employees must never email, text or otherwise send this information without proper encryption software. Patients should also be asked for their consent before their photos are shared, so that they know what is being shared and with whom. Photography also falls under HIPAA’s minimum necessary standard, meaning that PHI should be shared in the minimum amount and with the minimum number of people who truly need that information to do their jobs. Following this standard is another step toward closely following HIPAA compliance.

Educate your staff 

An important part of protecting PHI, especially in photograph form, is educating your staff on the best practices and steps they must take to maintain HIPAA compliance. Employees should be trained on how to take useful photographs, and also to take these images only on facility-owned and approved equipment. To avoid a breach of health information, a PHI photo should never be taken on a personal phone or computer under any circumstances. Human error has caused many data breaches in the past, which is why educating staff on all aspects of HIPAA compliance helps prevent potentially costly penalties.

Social Media

In many instances, social media has been the cause of HIPAA violations, especially as it relates to photography. To prevent this, employees should be trained and reminded that they must not post any photograph containing PHI to their social media accounts without direct consent from the patient. Beyond this, employees and organizational channels should also be careful not to say anything on social media that confirms or identifies a person as a patient of the practice or organization. It may seem harmless enough, but saying “We’re glad you enjoyed your visit” or “We hope you are happy with your treatment” confirms their status as a patient. It is also best for healthcare organizations not to make specific treatment-related recommendations on social media, as they can be taken as medical advice in lieu of seeing a physician.

Photography has a clear and important use for those who work in marketing for healthcare organizations. It is important to showcase the high quality care that patients will receive at your facility; however, it is equally important that these marketing images do not violate HIPAA. Before any image can be used for marketing, there must be clear consent from the patient confirming that they are aware their identifiable information or likeness will be used to advertise a product or service. For a photo to be used without this consent, a marketer must verify that all identifiable information has been removed from the picture. This includes any direct information about the patient and their likeness, as well as seemingly minor details such as a tattoo or birthmark. It must be guaranteed that the person in the photograph could not be identified from the image before it is used without that patient’s consent.

HIPAA Compliance - Simplified 

Guaranteeing that your practice or organization is properly protecting photos that contain PHI may seem complex or confusing. That is why Accountable works to simplify the steps necessary to ensure that you are HIPAA compliant. If you are wondering where your organization stands in terms of its risk of noncompliance, take our short, free risk assessment to see where you might need to adjust your HIPAA compliance.
