HIPAA and Photographs: What are the Rules?

Now more than ever, physicians are using patient photographs to help them make diagnoses. But did you know that medical images, even ones taken by the patient, fall under HIPAA's jurisdiction? This article explains how medical photos can and cannot be used or disclosed under HIPAA.

HIPAA and Photographs: When is a Photo Considered PHI?

Protected health information (PHI) is individually identifiable health information relating to the past, present, or future provision of healthcare. A photograph is PHI when it contains such information together with any of the 18 HIPAA identifiers. Examples include images sent to a dermatologist that show birthmarks or skin conditions, full facial photos sent to a plastic surgeon, x-rays, or any other image that contains one or more of the 18 identifiers.

HIPAA and Photographs: How are Medical Images Used?

Medical images are used in a variety of ways. The most common uses of medical photographs are treatment and diagnosis, patient testimonials, and social media.


Patient Treatment and Diagnosis. Healthcare providers use medical images for a variety of treatment purposes. This is particularly true for dermatologists, plastic surgeons, and dentists.

Patient Testimonials. A good way to build trust with prospective patients is to showcase testimonials from your existing patients. However, before you may include patient images, or any other PHI, on your website, you must obtain written patient consent.

Social Media. The use of social media has become an integral way to promote businesses. However, just as you need patient consent to share patient information on your website, you also need consent before sharing it on social media.


HIPAA and Photographs: How to Secure Medical Images

Healthcare organizations have an obligation to ensure the confidentiality, integrity, and availability of PHI, and this includes medical photographs. So how can you ensure the security of your medical images?

Encryption. Whether you store medical images on a laptop or on a USB drive, it is important to encrypt them. Encryption prevents unauthorized access to data by allowing only users who possess the decryption key to read the encrypted data.

Access Controls. Only employees who require access to medical images should be able to open the files. Each employee must have unique login credentials to access patient data, and employees should be granted access only to the files they need to perform their job.

Policies and Procedures. To ensure that PHI is used and disclosed in a HIPAA compliant manner, it is important to have policies and procedures that dictate the proper uses and disclosures of PHI, including medical images. 

Employee Training. Training employees is an important aspect of HIPAA compliance. Employees must be trained on the proper uses and disclosures of PHI, among other things, to ensure that employees are aware of their HIPAA obligations.

HIPAA and Photographs: HIPAA Photo and Video Violations

There are several instances in which sharing photos or videos of patients would constitute a HIPAA violation. Common HIPAA photo violations include:

Use or disclosure of unencrypted medical images

Posting a patient testimonial to your website without patient authorization

Including patient images, or other PHI, in marketing material, such as a brochure, without patient authorization

Sharing PHI on social media without patient authorization, even if the PHI is in the background of a photo or video