HIPAA Photo Violations

HIPAA photo violations occur when healthcare providers release images of a patient without prior authorization. HIPAA requires organizations that handle protected health information (PHI) to safeguard the confidentiality of that sensitive information. There are 18 HIPAA identifiers that constitute PHI, one of which is full-face photos.

What are HIPAA Photo Violations?

Some organizations may be surprised at what can be considered a HIPAA photo violation. Posting a patient photo on marketing material (a poster in your office, a brochure, etc.), on your organization’s website, or on social media without prior written authorization from the patient is not permitted. Taking pictures of patients without consent is unacceptable. This includes patient images or other individually identifiable health information that may appear in the background of a photo.

Similar to HIPAA photo violations, organizations can also be penalized for video violations. In the past, several HIPAA fines have been levied as a result of photographing or filming patients and making the images public without prior consent from the patient. These fines can be costly, and may also be accompanied by civil fines due to invasion of privacy concerns.

How to Prevent HIPAA Photo Violations

As HIPAA photo violations are the result of human error, the best ways to prevent this type of HIPAA violation are policies and procedures, and employee training. Policies and procedures dictate the proper uses and disclosures of PHI. Your organization’s policies and procedures should include a section covering your social media policy. The social media policy should prohibit the use of social media at work, and it should mandate that no patient information may be shared without patient authorization.

Annual employee training must include training on HIPAA standards, as well as your organization’s policies and procedures. HIPAA training enables employees to understand the 18 identifiers of PHI, and how they are permitted to use and disclose PHI. The HIPAA minimum necessary standard requires that PHI be accessed only to perform a specific job function. As such, employees must only access PHI when it is necessary for treatment, payment, or healthcare operations purposes.

Additionally, employees must be trained to ensure that they adhere to your organization’s policies and procedures. They must legally attest that they have read and understood the training material, and that they agree to abide by HIPAA standards and your organization’s policies and procedures.
