How to Keep Your Dermatology Practice HIPAA Compliant: 2026 Checklist and Best Practices


Kevin Henry

HIPAA

February 24, 2026


HIPAA Applicability to Dermatology Practices

Most dermatology practices are covered entities under HIPAA because you transmit health information electronically for treatment, payment, or operations. That triggers obligations under the Privacy, Security, and Breach Notification Rules.

What counts as Protected Health Information (PHI) in dermatology

  • Clinical photos, lesion maps, pathology reports, and biopsy requisitions.
  • Visit notes, teledermatology messages, scheduling data, and billing records.
  • Any identifier linked to a patient (name, DOB, medical record number, facial image, tattoos, or unique skin markings).

Common business associates you rely on

Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates. Typical examples include EHR and patient portal vendors, cloud storage, billing and RCM services, telehealth platforms, secure texting tools, IT service providers, and clinical photography apps. Each requires a signed Business Associate Agreement (BAA) before PHI is shared.

Privacy Rule Requirements

The Privacy Rule governs how you may use and disclose PHI and the rights patients have over their information. In dermatology, high-visibility images and cosmetic/medical overlaps make disciplined workflows essential.

Minimum necessary and permitted uses

Use or disclose only the minimum necessary PHI for treatment, payment, and healthcare operations. Role‑based access and need‑to‑know sharing reduce unnecessary exposure—especially for images and pathology attachments.

Authorizations, marketing, and clinical images

Obtain written authorization before using identifiable photos or case details for marketing, websites, or social media. For education outside treatment contexts, de‑identify images or secure a signed authorization that clearly states purpose, scope, and expiration.

Patient rights and practice notices

  • Provide a Notice of Privacy Practices (NPP) and honor patient rights to access, amendments, and restrictions where applicable.
  • Offer timely access to records, including clinical photography stored in the chart or secure repositories.
  • Maintain an accounting of certain disclosures when required.

Breach Notification fundamentals

Have a documented process to evaluate incidents, determine if unsecured PHI was compromised, and deliver Breach Notification to affected individuals and regulators within required timeframes. Your policy should specify internal escalation, investigation steps, and communication templates.

Security Rule Safeguards

The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). Dermatology practices handle high‑risk media (images, mobile capture), making these controls critical.

Administrative safeguards

  • Security Risk Assessment (SRA) at least annually and upon major changes.
  • Policies for access management, incident handling, contingency planning, and vendor oversight.
  • Workforce security: background checks where appropriate, onboarding/offboarding, and sanctions policy.

Physical safeguards

  • Secure server/network rooms, device locking, and clean‑desk protocols.
  • Screen privacy in exam rooms; automatic screen locks and workstation placement away from public view.
  • Media controls: encrypted disposal of drives and secure shredding for printed outputs.

Technical safeguards, Encryption Standards, and MFA

  • Unique user IDs, least‑privilege access, automatic logoff, and audit logging with routine review.
  • Encryption Standards for data at rest and in transit (for example, strong AES at rest and modern TLS in transit) on servers, laptops, mobiles, and backups.
  • Multi-Factor Authentication (MFA) for EHR, remote access, email, and admin consoles.
  • Endpoint protection, timely patching, mobile device management (MDM), and secure configuration baselines.
  • Reliable, encrypted backups with periodic recovery testing to meet contingency plan requirements.

Clinical Photography Compliance

Clinical images are often PHI because they can directly or indirectly identify a patient. Treat image capture, transfer, storage, and sharing with the same rigor as the rest of the chart.

  • For treatment documentation, inform patients how photos are stored and used in care.
  • For education or marketing, obtain explicit authorization; avoid mixing clinical and promotional uses in a single consent.

Capture and storage best practices

  • Use practice‑managed, encrypted devices with secure apps that upload directly to the EHR or a controlled repository.
  • Disable local camera roll storage and scrub GPS/EXIF data when not clinically necessary.
  • Prohibit personal devices for patient images unless enrolled in MDM with enforced encryption and remote wipe.

De‑identification and sharing

When sharing images for teaching or consultation, de‑identify by removing facial features, tattoos, and metadata. If any reasonable likelihood of identification remains, treat the image as PHI and apply HIPAA‑compliant transmission and access controls.
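The metadata-scrubbing step from the capture checklist and the de-identification point above, as a worked example added here (not code from the original article): a stdlib-only Python routine that walks a JPEG's header segments, reports which metadata-bearing segments are still present (Exif carrying a GPS IFD pointer, free-text comments) and writes out a copy with them removed while leaving the pixel data untouched. The sample JPEG bytes are constructed inline so it runs offline; on a real photo you would read the file and write `strip_metadata()`'s result back.

```python
import struct

SOI, EOI, SOS, APP0, APP1, APP15, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xEF, 0xFE

def _seg(marker: int, payload: bytes) -> bytes:
    # One JPEG header segment: FF, marker, 2-byte big-endian length (counts itself), payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed little-endian TIFF block: IFD0 holds a GPS IFD pointer (tag 0x8825, where cameras store lat/long)
_TIFF = (b"II*\x00" + struct.pack("<IH", 8, 1) + struct.pack("<HHII", 0x8825, 4, 1, 26)
         + struct.pack("<I", 0) + struct.pack("<HI", 0, 0))
SAMPLE_JPEG = (b"\xff\xd8"                                                  # SOI
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")          # JFIF header: harmless, keep
    + _seg(APP1, b"Exif\x00\x00" + _TIFF)                                   # Exif with GPS pointer: strip
    + _seg(COM, b"Patient: Jane Doe (constructed), left forearm")           # comment text: strip
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"       # SOS header
    + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")                                # scan data + EOI

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment; the file must start with SOI (FF D8)."""
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"not a JPEG marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOI, EOI, SOS):  # no length field; SOS swallows the scan data to EOF
            end = len(data) if marker != SOI else pos + 2
        else:
            end = pos + 2 + struct.unpack_from(">H", data, pos + 2)[0]
        yield marker, pos, end
        pos = end

def metadata_segments(data: bytes) -> list:
    """Names of metadata-bearing segments still present, e.g. ['Exif(GPS)', 'COM']."""
    found = []
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            t, e = payload[6:], "<" if payload[6:8] == b"II" else ">"  # TIFF body, byte order
            ifd0 = struct.unpack_from(e + "I", t, 4)[0]
            tags = {struct.unpack_from(e + "H", t, ifd0 + 2 + 12 * i)[0]
                    for i in range(struct.unpack_from(e + "H", t, ifd0)[0])}
            found.append("Exif(GPS)" if 0x8825 in tags else "Exif")
        elif APP1 <= marker <= APP15 or marker == COM:
            found.append("COM" if marker == COM else f"APP{marker - APP0}")
    return found

def strip_metadata(data: bytes) -> bytes:
    """Copy of the JPEG with every APP1..APP15 and COM segment dropped; pixel data untouched."""
    return b"".join(data[s:e] for m, s, e in iter_segments(data) if not (APP1 <= m <= APP15 or m == COM))
```

Run `metadata_segments()` on the stripped output before an image leaves the practice; an empty list is the check that no Exif, XMP, IPTC or comment segment survived.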


Risk Assessment and Management

A Security Risk Assessment is the backbone of HIPAA compliance. It reveals where ePHI resides, what could go wrong, and how to reduce risk to a reasonable and appropriate level.

How to run a Security Risk Assessment (SRA)

  • Inventory systems, data flows, and vendors that handle PHI (EHR, imaging, messaging, backups).
  • Identify threats and vulnerabilities (lost devices, misconfigurations, phishing, misdirected messages).
  • Rate likelihood and impact; document current controls and residual risk.
  • Produce a remediation plan with owners, timelines, and budget.

Incident Response Plan and testing

Create an Incident Response Plan that defines roles, escalation paths, evidence preservation, decision criteria for Breach Notification, and communication steps. Test it with tabletop exercises so staff can execute calmly during real events.

Ongoing risk management

  • Track remediation work to completion and verify effectiveness.
  • Reassess after major changes like new imaging apps, telederm platforms, or mergers.
  • Integrate phishing simulations and log reviews into routine operations.

2026 HIPAA Compliance Checklist for Dermatology

  • Confirm HIPAA Applicability and update the data map for PHI, including clinical photography.
  • Refresh the NPP, minimum‑necessary rules, and authorization forms for images and marketing.
  • Complete your SRA; prioritize fixes; fund and schedule remediation.
  • Enforce MFA everywhere; apply strong Encryption Standards on all endpoints and backups.
  • Document and test the Incident Response Plan and Breach Notification workflow.
  • Review vendor due diligence and renew every Business Associate Agreement (BAA) as needed.
  • Train all staff and validate policy adherence with spot checks and audits.

Business Associate Agreements

A BAA is mandatory before a vendor handles PHI. Dermatology practices often overlook photography apps, marketing technologies, and non‑traditional tools that still process identifiers.

Who needs a BAA

  • EHR/PM vendors, patient portals, telehealth and secure messaging services.
  • Cloud hosting, data backup, email filtering, IT support, and device management providers.
  • Billing, collections, transcription, and clinical photography platforms.

What a strong BAA includes

  • Permitted uses/disclosures and minimum‑necessary handling of PHI.
  • Safeguards consistent with the Security Rule, including Encryption Standards and access controls.
  • Breach reporting duties, timelines, and cooperation during investigations.
  • Subcontractor requirements, right to audit, termination, and return or destruction of PHI.

Due diligence and monitoring

Evaluate vendor security (MFA, encryption, logging, incident response maturity) before signing. Keep a BAA inventory, renewal dates, and contacts. Reassess vendors annually or when services change.

Staff Training and Policies

People and process make or break compliance. Clear policies and recurring training keep daily operations aligned with HIPAA requirements.

Training cadence and content

  • Onboarding plus annual refreshers; updates when policies, systems, or laws change.
  • Modules on PHI handling, clinical photography SOPs, phishing awareness, secure messaging, and breach reporting.
  • Document attendance, comprehension checks, and sanctions for non‑compliance.

Operational policies to implement

  • Access management: role‑based access, periodic access reviews, rapid de‑provisioning.
  • Password and MFA standards; device encryption; remote and mobile use rules.
  • Secure printing, scanning, and faxing; no PHI on unsecured email or personal apps.
  • Verification of patient identity for phone/email requests; standardized disclosure workflows.
  • Photography: approved devices/apps only, consent requirements, storage, and sharing rules.

Conclusion and next steps

To keep your dermatology practice HIPAA compliant in 2026, anchor your program in an up‑to‑date SRA, enforce strong technical controls like MFA and encryption, formalize vendor oversight with robust BAAs, standardize clinical photography practices, and invest in practical, recurring staff training. Document everything and test your Incident Response Plan so you are ready before issues arise.

FAQs

What is HIPAA compliance for dermatology practices?

HIPAA compliance means your practice protects PHI through Privacy, Security, and Breach Notification standards. In dermatology, this spans clinical notes, imaging, messaging, and billing—supported by policies, a Security Risk Assessment, technical safeguards (encryption, MFA), vendor BAAs, and trained staff who follow documented procedures.

How do I secure clinical photography under HIPAA?

Use encrypted, practice‑managed devices and apps that send photos directly to your EHR or secure repository; disable local storage; scrub metadata when not clinically needed; restrict access via role‑based permissions and MFA; and obtain written authorization for any identifiable images used beyond treatment (for example, marketing). If an image can identify a patient, treat it as PHI.

What are the requirements for Business Associate Agreements?

A BAA must define permitted PHI uses, require safeguards aligned to the Security Rule (including encryption and access controls), mandate breach reporting and cooperation, bind subcontractors, and address termination with PHI return or destruction. Execute a BAA before sharing any PHI and reassess vendors regularly.

How often should staff be trained on HIPAA policies?

Train at onboarding, at least annually thereafter, and whenever systems, policies, or workflows change. Reinforce with periodic phishing simulations, spot checks, and policy attestations to confirm understanding and consistent practice.
