It's not uncommon for doctors, nurses and healthcare physicians to take photos of patients and their respective injuries. In some cases, these photos are restricted to the practice's network, with doctors using them for research and reference purposes later. In other cases, however, patient photos are published on publicly accessible networks, such as the facility's website or social media account.
This may create a conflict with the Health Insurance Portability and Accountability Act (HIPAA) in 1996, which is why it's important for covered entities to familiarize themselves with the do's and don'ts of patient photos.
Protected Health Information
HIPAA prevents covered entities from disclosing the Protected Health Information (PHI) of a patient without first obtaining that patient's written consent via an authorization form. Granted, there are certain exceptions to this rule, such as instances involving perceived child abuse and to facilitate the treatment of a disease or condition. In most cases, however, the covered entity must obtain the patient's consent before it can disclose PHI to other people or parties.
Are Patient Photos Considered PHI?
This is a question that many doctors and covered entities ask. If patient photos are PHI, then doctors cannot post or otherwise disclose them without the patient's consent. If they aren't, however, doctors are free to use them as they please.
The truth is that patient photos may or may not be classified as PHI. The Office for Civil Rights (OCR) – a branch of the HHS that's responsible for enforcing HIPAA – defines PHI as any personally identifiable health information that is stored, transmitted and/or maintained. This includes electronic, oral and paper forms of personally identifiable health information.
Now back to the question at hand: are patient photos considered PHI? It depends on the what exactly is contained within the photo. If it's a close-up photo of a patient's injury with no other information attached to it, then it's not classified as a PHI, assuming the patient's face is not revealed. But if this same photo contains personally identifiable data like the patient's name, birthdate, address, Social Security number, etc., then it is PHI.
Before posting or otherwise using patient photos, ask yourself whether or not it contains personally identifiable information. This is one instance in which it's best to err on the side of caution. If you believe that a photo could be construed as PHI, do not use it without first obtaining the patient's consent via an authorization form.