You probably have patient photographs on your laptop, tablet and phone right now, but is that the proper control?
The regulations that govern how photographs are to be stored and used by medical professionals is widely misunderstood. Everyone in the medical field is (or certainly should be) aware of HIPAA, and the importance of protecting patient PHI. But the line gets pretty blurry when it comes to securing patient photos. What are the requirements? And how can you be sure to remain compliant?
The Designated Record Set
As you know, healthcare providers must identify a Designated Record Set. The Designated Record Set defines all documents that together create a medical record.
This must be clearly defined as it applies to your paper and electronic patient records. Therefore, for photographs to be properly controlled they must be identified as part of the designated record set.
When obtaining photos, the most important thing is to obtain consent prior to taking the photograph. Be sure to be aware of your state laws, the Joint Commission or institutional policies.
What makes a photo PHI?
Not all patient photos contain PHI but are identified as health information. A patient photo is considered to contain PHI if it has any of the following patient identifiers:
- Any portion of the face
- Name or Initials
- Birth Date
- Social Security
- Date of service
- Medical Record Number
For patient photos containing PHI, HIPAA does not require a patient release if used in your health care operations (training, teaching, etc.). But photographs used in external settings (conferences, seminars, etc.) Cannot be used without patient consent. Patient photos that do not contain any identifiers, do not require approval.
But What About Digital Cameras?
Be sure that all patient photos are stored and secured properly. Electronic photo data must follow the DHHS requirements for electronic data security. This includes digital cameras. Currently digital camera memory cards do not have encryption abilities. Therefore, photos containing PHI must be deleted off the camera in a timely manner.
Although you may say your camera is “properly secure” under the HITECH act, it is not considered a reasonable alternative. Many facilities use an EHR or VNA to properly secure their electronic files. If you do not have either of these in place it is your responsibility to find a sufficient resolution for the security of your digital files.