As phones turned into cameras, HIPAA created national standards to protect a patient’s sensitive health information, including their image, from being disclosed without consent. We can capture anything easily…but are we allowed to, and how can we use it?

HIPAA lists 18 identifiers of PHI, including “full face photographic images and any comparable images.” A photograph that does not include the patient’s full face could still include something like a distinctive tattoo, a nameplate necklace, or a T-shirt with a business name that permits identification of the patient and converts the photograph to PHI. A photograph that would itself not be PHI can become such if it includes patient material or other medical identifiers. It is prudent to consider any photograph that is not fully anonymous as PHI. If you intend to take it outside the confines of an office or hospital file, treat it as material that presumptively requires authorization from the patient to be released.

For a photograph that is PHI, the exceptions for sharing with a co-treater or in curbside or consult, with a payor asking for the image as a claim verification, or for use in healthcare operations all apply. So does the exception for “training and teaching,” so photographs that are PHI can be used in lectures and case presentations on-site without specific authorization. is does not extend to publication in a journal, presentations at professional meetings, or lay presentations. Posting on a physician chat site is outside the exceptions. Any posted image must be completely de-identified, and the text should not reveal information that personalizes it.

HIPAA requires that only the least PHI needed should be released. Photographs should be tightly tailored to only the medical issue. Authorization should always specify the particular use so there is no question later that the patient understood what they were consenting to. Authorization for photography during surgery should be just for taking the pictures. Limit any mention of intra-operative photography in the consent to the recording of the image and get a separate consent later for its use.

You should also take archiving under HIPAA into account. To favor the portability of patient records, a covered entity must identify the “designated record set” for a patient.

Note that your phone is most likely not capable of the level of encryption needed for a photograph, and it can be lost, so it is best to download it as soon as possible. There must be a clear statement at your facility that any images of patients taken in the course of their care are the sole property of the facility, even if maintained on a staff member’s private device.

Author