What You MUST Understand About HIPAA and Patient Photography

You might have patient photographs on your laptop, tablet, and phone right now, but is that the proper control (hint: it's not)? The regulations that govern how photographs are to be stored and used by medical professionals is widely misunderstood.
Everyone in the medical field is --  or certainly should be -- aware of HIPAA, and the importance of protecting patient PHI. But the line gets pretty blurry when it comes to securing patient photos.
What are the requirements? And how can you be sure to remain compliant?

The Designated Record Set

As you know, healthcare providers must identify a Designated Record Set.
The Designated Record Set defines all documents that together create a medical record. This must be clearly defined as it applies to your paper and electronic patient records.
Therefore, for photographs to be properly controlled they must be identified as part of the designated record set. When obtaining photos, the most important thing is to obtain consent prior to taking the photograph.
Be sure to be aware of your state laws, the Joint Commission or institutional policies.

What makes a photo PHI?

Not all patient photos contain PHI but are identified as health information. A patient photo is considered to contain PHI if it has any of the following patient identifiers:
  • Any portion of the face
  • Tattoos
  • Name or Initials
  • Birth Date
  • Social Security
  • Address
  • Date of service
  • Medical Record Number
For patient photos containing PHI, HIPAA does not require a patient release if used in your health care operations (training, teaching, etc.). But photographs used in external settings (conferences, seminars, etc.) cannot be used without patient consent. Patient photos that do not contain any identifiers do not require approval.

But What About Digital Cameras?

Be sure that all patient photos are stored and secured properly. Electronic photo data must follow the DHHS requirements for electronic data security. This includes digital cameras.
Currently, digital camera memory cards do not have encryption abilities. Therefore, photos containing PHI must be deleted off the camera in a timely manner.
Although you may say your camera is “properly secure” under the HITECH Act, it is not considered a reasonable alternative. Many facilities use an EHR or VNA to properly secure their electronic files. If you do not have either of these in place it is your responsibility to find a sufficient resolution for the security of your digital files.
If you have any questions or concerns about your current image storage or are curious about implementing a properly secured vendor-neutral archive, please contact us here.


Interested in using your iOS, Android, or Windows mobile device to document PHI? Learn about our new app for HIPAA-compliant image capture here