PHI in Photographs: What It Is, Examples, and How to Stay HIPAA Compliant


Kevin Henry

HIPAA

February 26, 2026

7 minute read

Photographs can be powerful clinical tools—and high-risk if they reveal protected health information (PHI). This guide explains what counts as PHI in images, how to de-identify photos under HIPAA, when Patient Authorization is required for marketing, considerations unique to Behavioral Health HIPAA Compliance, and the safeguards—Access Controls and Encryption of PHI included—that keep images secure.

Definition of PHI in Photographs

Under HIPAA, PHI is individually identifiable health information relating to a person’s health, care, or payment that identifies the individual or could reasonably be used to identify them. In photographs, PHI may appear in the image itself, the context around the image, or embedded metadata.

Examples of identifiers that can make a photo PHI include:

  • Direct identifiers: full face, recognizable profile, or “full-face photographs and comparable images.”
  • Unique features: tattoos, scars, birthmarks, distinctive jewelry, or rare conditions that could single out a person.
  • Environment clues: name badges, wristbands, room or bed numbers, chart labels, whiteboards, prescription bottles, device serial numbers, or visible EHR/monitor screens.
  • Contextual signals: facility signage, parking permits, family members with name tags, or a known event time visible on clocks.
  • Metadata: file names with patient identifiers, EXIF geolocation, device identifiers, and time stamps that link to a specific encounter.

A clinical close‑up (for example, a wound) can still be PHI if the image or its metadata reasonably ties it to a particular patient, visit, or account—even when the face is not visible.

De-Identification of Patient Photographs

Two HIPAA-approved pathways

Safe Harbor De-Identification. Remove all 18 HIPAA identifiers, which include full-face and comparable images, names, geographic details below state level (except certain ZIP code rules), dates related to the individual (except year), and device or record numbers. After removal, you must have no actual knowledge that the remaining data could identify the individual.

Expert Determination Method. A qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small. This approach may preserve more utility but requires formal analysis, documentation, and periodic review if risk factors change.

Practical de-identification steps for photos

  • Crop or mask faces and comparable features; use strong pixelation or solid blocks rather than light blur.
  • Obscure unique marks, tattoos, or jewelry; remove background elements like whiteboards, wristbands, and labels.
  • Scrub metadata: delete EXIF geotags, device IDs, author fields, and exact timestamps; use neutral file names.
  • Standardize backgrounds or use neutral backdrops to avoid location clues.
  • Check reflections in windows, eyeglasses, monitors, and stainless surfaces that may reveal identifiers.
  • Document which method you used (Safe Harbor De-Identification or Expert Determination Method) and retain evidence of the review.
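As an added example (not code from the article or from Accountable), a standard-library Python tool that implements the metadata-scrubbing step: it walks the JPEG marker segments and drops the ones that carry EXIF, IPTC/Photoshop and comment data, including the thumbnail embedded in the EXIF block, while leaving the JFIF header and the compressed image data intact. The sample JPEG bytes are constructed for the demonstration and are a structurally valid container, not a viewable image.

```python
import struct

SOI, SOS = b"\xff\xd8", 0xDA
# Marker types that carry metadata rather than image data.
METADATA_MARKERS = {
    0xE1: "APP1 (Exif/XMP: geotags, device IDs, timestamps, embedded thumbnail)",
    0xED: "APP13 (Photoshop/IPTC: author, caption, keywords)",
    0xFE: "COM (free-text comment)",
}

def iter_segments(data: bytes):
    """Yield (marker, offset, length); SOS is yielded together with the scan data through EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded image data follows; keep it whole
            yield marker, pos, len(data) - pos
            return
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, 2 + seg_len
        pos += 2 + seg_len

def find_metadata(data: bytes) -> list[str]:
    """List the metadata-bearing segments present in a JPEG (empty list means clean)."""
    return [METADATA_MARKERS[m] for m, _, _ in iter_segments(data) if m in METADATA_MARKERS]

def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with every metadata segment removed."""
    out = bytearray(SOI)
    for marker, off, length in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[off:off + length]
    return bytes(out)

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, an Exif APP1 block (TIFF header + padding),
# a comment that leaks patient context, and a stub scan ending in EOI.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 16)
    + _segment(0xFE, b"Patient: J. Doe, Room 412")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
)
```

Run the cleaned bytes back through find_metadata to confirm nothing metadata-bearing remains. The file name and any copies in backups, cloud caches or messaging apps still need separate handling.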

Common pitfalls

  • Assuming a face crop alone is sufficient; unique features or context can still identify the person.
  • Overlooking metadata and thumbnails that persist in cloud services, backup systems, or messaging apps.
  • Using “before-and-after” sequences where timing and context can re-link to a patient.
  • Publishing rare-case images that remain uniquely identifying even after masking common identifiers.

Use of Patient Photographs for Marketing

Using patient images for external promotions—websites, social media, ads, brochures, or testimonials—constitutes marketing in most scenarios. Except for narrow treatment or operations communications, HIPAA generally requires a valid written Patient Authorization before any marketing use. A valid authorization must include:

  • Specific description of the image(s), purpose, and the recipients/medium (e.g., website, social channels, print).
  • Expiration date or event, the right to revoke in writing, and how to exercise that right.
  • Statement that treatment, payment, enrollment, or eligibility is not conditioned on signing.
  • Disclosure if any third party provides financial remuneration related to the communication.
  • Signatures: the patient or authorized personal representative (parent/guardian, health care proxy), with date.

De-identified images may be used without authorization if they meet Safe Harbor De-Identification or are validated under the Expert Determination Method. However, ensure no residual risk of re-identification through context, captions, tags, or user comments on social media.

When in doubt, obtain explicit authorization even for “anonymous” marketing assets. Retain authorizations per your records policy and honor revocation requests prospectively.

HIPAA Compliance in Behavioral Health Practices

Behavioral Health HIPAA Compliance demands heightened caution due to stigma, safety concerns, and additional federal confidentiality rules that may apply to certain programs (e.g., substance use disorder treatment under 42 CFR Part 2). Public use of patient imagery in these settings is rarely appropriate without robust authorization and risk review.

Prefer de-identified or simulated imagery for public-facing content. If images are clinically necessary (e.g., documenting injury patterns or therapeutic progress), limit distribution to the minimum necessary, apply Access Controls, and store within HIPAA-compliant systems with Encryption of PHI in transit and at rest.

For marketing, use layered review: verify Medical Records policies, confirm Marketing Consent Requirements are met, ensure any applicable Part 2 consent language is included, and evaluate whether alternatives (illustrations, stock images) achieve the goal without patient images.

Safeguarding Patient Photographs

Technical safeguards

  • Encryption of PHI at rest and in transit; use device-level encryption and secure transfer (e.g., SFTP, HTTPS within approved apps).
  • Harden endpoints: mobile device management (MDM), screen lock, biometric/PIN, remote wipe, and disable auto‑upload to personal clouds.
  • Store images in your EHR or approved content repository; avoid personal devices and messaging platforms for PHI.
  • Maintain audit logs for access, export, and deletion; monitor anomalous activity.

Access and operational controls

  • Role-based Access Controls aligned to job duties; apply the minimum necessary standard.
  • Define capture workflows: who may photograph, on which devices, with what consent, and where images are uploaded.
  • Retention and disposal: keep only as long as required; securely delete residual copies, caches, and backups when permissible.
  • Business Associate Agreements with cloud storage, telehealth, media, and analytics vendors that may handle images.

Administrative safeguards

  • Written policies covering consent/authorization, de-identification, marketing approvals, and breach response.
  • Training and periodic drills; refresh staff on social media risks and photo hygiene (background scans, metadata scrubs).
  • Risk analysis and regular reassessment of your image workflows, including new apps and devices.

Conclusion

PHI in photographs is broader than visible faces. If an image or its context could identify a patient, treat it as PHI. De-identify carefully using Safe Harbor De-Identification or the Expert Determination Method, and obtain a written Patient Authorization for marketing uses that don’t qualify as de-identified. In behavioral health, elevate scrutiny. Finally, protect images end‑to‑end with Access Controls, Encryption of PHI, and disciplined governance.

FAQs

What constitutes PHI in photographs?

Any image that directly shows an identifiable person (full face or comparable image) or reasonably links to a specific individual through context or metadata—names, wristbands, room numbers, unique marks, EHR screens, geotags, or timestamps—constitutes PHI when it relates to health, care, or payment.

How can photographs be de-identified under HIPAA?

Use one of two methods: remove all 18 identifiers under Safe Harbor De-Identification, including faces and comparable features, or obtain an Expert Determination Method assessment documenting a very small re-identification risk. Also scrub metadata, neutralize backgrounds, and validate that no contextual clues remain.

Is a Patient Authorization required to use patient photographs in marketing?

Yes. Marketing generally requires a written Patient Authorization that meets HIPAA Marketing Consent Requirements, unless the image is truly de-identified under Safe Harbor or validated by Expert Determination. The authorization should specify purpose, recipients/media, expiration, revocation rights, and that care is not conditioned on signing.

What safeguards protect patient photographs from disclosure?

Apply layered protections: Encryption of PHI at rest and in transit; role-based Access Controls; secure capture and upload workflows; retention/deletion rules; audit logging; and Business Associate Agreements for any vendor handling images. Train staff and periodically reassess risks to keep controls effective.
