HIPAA and Wound Care: Photos Matter!

Most medical “photography” falls under the umbrella of radiology.
 
While that isn’t likely to change, Wound Care has emerged as a prominent player in the capture of patient images, mostly photographs, and for the Wound Care department, this means that HIPAA rules are more important than ever.
 
When you take photos to track the treatment you give patients, confidentiality and privacy concerns arise that could easily leave you in violation of HIPAA rules.
 
In fact, the quick click of a Wound Care clinician’s iPhone or camera shutter could raise as many concerns as the images captured by body cameras as officers walk through hospital emergency rooms during investigations.
 
In short, where HIPAA and photos are concerned, safe is always better than sorry.
 

Protected Health Information (PHI): photographs are relevant!

PHI is defined as individually identifiable health information that is transmitted or maintained by either a “covered entity” or its business associates in any form or medium; of course, photography is a medium.
 
There are 18 identifiers relative to individually identifiable health information. These include:
  1. All subdivisions that are geographically smaller than states, including a patient’s street address.
  2. Elements of dates (except the year) that are directly related to an individual, including a patient’s birth and admission dates.
  3. Phone numbers, including mobile ones
  4. Email addresses
  5. Social Security numbers
  6. Medical record identifiers
  7. Photographic images of full patient faces.

It’s important to underscore that full-face photos and other images of patients are considered protected health information and are thus covered by HIPAA protections if it’s possible to associate them with patients.
 
In fact, HIPAA stipulates that any identifier related to a patient that identifies that individual or establishes a reasonable basis that someone could use to identify an individual constitutes PHI.
 

Facts and hints

With that in mind, a key question arises: Are the photos of concern clearly associated with any identifying data, or do they merely hint at that? If a photo can in any way be connected to a patient, the PHI threshold has been reached. If a photo of a wound is not connected to any identifying information and thus cannot be tied to a patient, it is not considered PHI.
 
Right now, portable devices cause most of the concern regarding medical photos. Consider that:
  1. Loss of devices, including laptop computers, tablets, flash drives and mobile devices, is most commonly involved in breaches of patient records.
  2. It is difficult to prevent staff from using mobile devices that aren’t secure.
  3. The use of mobile devices and apps by staff has increased substantially in recent years.
  4. Employee-owned devices that connect to enterprise systems and networks are difficult to track in every instance.
  5. It is hard to determine which employees utilize devices that are not secure.
  6. The use of mobile devices owned by employees is often encouraged by their employers.

The failure of entities to comply with HIPAA rules can have dire consequences for every member of a Wound Care team.
 
Violations may result in the application of stiff civil penalties:
  1. $100 for each incident up to a maximum of $25,000 per year for each person and for each standard

Criminal penalties are even more foreboding:
  1. Up to $50,000 and a year’s imprisonment for knowingly obtaining or revealing protected health information in violation of HIPAA rules

Fines up to $100,000 and five years’ imprisonment may be imposed on staff who obtain protected information under false pretenses; the fine increases to a maximum of $250,000 and 10 years’ imprisonment if information is obtained and disclosed in violation of rules in order to transfer or use the information for personal or commercial advantage or nefarious harm.
 

Taking the next step

Physicians are responsible for training their staff regarding HIPAA compliance, and this is done in a discretionary manner.
 
Larger organizations usually engage in classes that range from one to three hours in length and use written materials in order to standardize training. Wound Care is a bit more challenging, as staff often are not housed in one location. Training should bring those staff members together in a centralized location. Again, specifics of training are up to the presiding physician.
 
Interested in using your iOS, Android, or Windows mobile device to document PHI? Meet our new app for HIPAA-compliant image capture, SnapView. 
 
Healthcare workers first take a scan of the patient’s ID wristband, then of the patient. Image files are routed past the device’s memory and transferred directly to our Ncompass Universal Archive®. The process eliminates the threat that patient photographs and other data might be misused, but still allows you the convenience of your mobile device.
 
 
Remember: patient photographs are covered by HIPAA rules, physicians are responsible for training their staff in order to achieve protection, and serious penalties apply if violations occur.
 
If guidelines are followed, undue stress and the threat of stiff monetary and other penalties can be easily avoided.
 
Good luck, and stay HIPAA compliant!