What You MUST Understand About HIPAA and Patient Photography

Updated: Mar 12

You might have patient photographs on your laptop, tablet, and phone right now, but is that the proper control (hint: it's not)? The regulations that govern how photographs are to be stored and used by medical professionals are widely misunderstood.


Everyone in the medical field is (or certainly should be) aware of HIPAA, and the importance of protecting patient PHI. But the line gets pretty blurry when it comes to securing patient photos. What are the requirements? And how can you be sure to remain compliant?


The Designated Record Set


As you know, healthcare providers must identify a Designated Record Set. The Designated Record Set defines all documents that together create a medical record. This must be clearly defined as it applies to your paper and electronic patient records.


Therefore, for photographs to be properly controlled, they must be identified as part of the Designated Record Set. When obtaining photos, the most important thing is to obtain consent prior to taking the photograph. Be sure you are aware of your state laws and of Joint Commission or institutional policies.



What makes a photo PHI?


Not all patient photos contain PHI, but they are still identified as health information. A patient photo is considered to contain PHI if it has any of the following patient identifiers:


  1. Any portion of the face

  2. Tattoos

  3. Name or Initials

  4. Birth Date

  5. Social Security

  6. Address

  7. Date of service

  8. Medical Record Number


For patient photos containing PHI, HIPAA does not require a patient release if used in your health care operations (training, teaching, etc.). But photographs used in external settings (conferences, seminars, etc.) cannot be used without patient consent. Patient photos that do not contain any identifiers do not require approval.


But What About Digital Cameras?


Be sure that all patient photos are stored and secured properly. Electronic photo data must follow the DHHS requirements for electronic data security. This includes digital cameras. Currently, digital camera memory cards do not have encryption abilities. Therefore, photos containing PHI must be deleted off the camera in a timely manner.


Although you may say your camera is “properly secure” under the HITECH Act, it is not considered a reasonable alternative. Many facilities use an EHR or VNA to properly secure their electronic files. If you do not have either of these in place it is your responsibility to find a sufficient resolution for the security of your digital files.


If you have any questions or concerns about your current image storage or are curious about implementing a properly secured vendor-neutral archive, please contact us here.


Interested in using your iOS, Android, or Windows mobile device to document PHI? Learn about our new app for HIPAA-compliant image capture here.

© 2020 Novarad®