HIPAA and Photographs: What Are the Rules?
Now more than ever, physicians are using patient photographs to help them make diagnoses. But did you know that medical photographic images, even if they are taken by a patient, fall under HIPAA's jurisdiction? This article explains how HIPAA applies to medical images and how such photos can and cannot be used or disclosed.
HIPAA and Photographs: When is a Photo Considered PHI?
Protected health information (PHI) is individually identifiable health information relating to the past, present, or future provision of healthcare. A photograph is PHI when it contains any of the 18 HIPAA identifiers. Examples of such images include images sent to a dermatologist showing birthmarks or skin conditions, full-face photos sent to a plastic surgeon, x-rays, or any other image that contains any of the 18 PHI identifiers.
HIPAA and Photographs: How are Medical Images Used?
Medical images are used in a variety of ways. The most common uses of medical photographs are treatment and diagnosis, patient testimonials, and social media.
Patient Treatment and Diagnosis
Healthcare providers use medical images for a variety of treatment purposes. This is particularly true for dermatologists, plastic surgeons, and dentists.
Patient Testimonials
A good way to build trust with prospective patients is by showcasing testimonials from your existing patients. However, before you are permitted to include patient images, or other PHI, on your website, you must obtain written patient consent.
Social Media
The use of social media has become an integral way to promote businesses. However, just as you need patient consent to share patient information on your website, you also need consent before sharing it on social media.
HIPAA and Photographs: How to Secure Medical Images
Healthcare organizations have an obligation to ensure the confidentiality, integrity, and availability of PHI, and this includes medical photographs. With regard to HIPAA policy, how can you ensure the security of your medical images?
Encryption
Whether you are storing medical images on a laptop or a USB drive, it is important to encrypt the images. Encryption prevents unauthorized access to data by ensuring that only users who possess the decryption key can read the encrypted data.
Access Controls
Only employees who require access to medical images should have access to the files. As such, each employee must have unique login credentials to access patient data, and employees should be granted access only to the files they need to perform their job.
Policies and Procedures
To ensure that PHI is used and disclosed in a HIPAA compliant manner, it is important to have policies and procedures that dictate the proper uses and disclosures of PHI, including medical images.
Employee Training
Training employees is an important aspect of HIPAA compliance. Employees must be trained on the proper uses and disclosures of PHI, among other things, to ensure that employees are aware of their HIPAA obligations.
HIPAA and Photographs: HIPAA Photo and Video Violations
There are several instances in which sharing patient photos or videos would constitute a HIPAA violation. Common HIPAA photo violations include:
- Use or disclosure of unencrypted medical images
- Posting a patient testimonial to your website without patient authorization
- Including patient images, or other PHI, in marketing material, such as a brochure, without patient authorization
- Sharing PHI on social media without patient authorization, even if the PHI is in the background of a photo or video