What are the HIPAA Photography Rules?
The HIPAA photography rules are some of the most complex rules in HIPAA. They vary according to the nature of the photograph, its purpose, and whether it is part of a designated record set. Furthermore, the HIPAA rules for photos may or may not apply depending on who is taking the photos, while the environment in which photos are taken can also influence hospital policies.
Photos are only mentioned twice in HIPAA – once in the Safe Harbor method of de-identifying PHI, and once in the list of individually identifiable health information that has to be removed from a designated record set to make it a limited data set. Because these are the only mentions of photographs in HIPAA, many Covered Entities assume that every photograph should be classified as Protected Health Information (PHI) and subject to Privacy and Security Rule standards. But that is not the case.
Individually identifiable information such as photos and videos only become individually identifiable health information when they are created or received by a Covered Entity and relate to “the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”. A photo that does not fulfil these criteria is not subject to the HIPAA photography rules.
What HIPAA Photo Rules Apply to Health Information?
When photos and videos are created or received by a Covered Entity and relate to a patient's healthcare, they are subject to the General Principles for Uses and Disclosures of PHI in the Privacy Rule and – when created, received, maintained, or transmitted electronically – to the Administrative, Physical, and Technical Safeguards of the Security Rule. Business Associates are also required to comply with the Security Rule safeguards when providing a service to, or performing a function on behalf of, a Covered Entity.
It is important for Covered Entities and Business Associates to be aware that photos which do fulfil the criteria for health information not only include full-face photographs, but also photos of distinctive injuries, jewelry, tattoos, and other identifying features. In addition, any photos of relatives, employers, or household members that could be used to identify an individual – and that are kept in the same designated record set – are also subject to the HIPAA photo rules.
The General Principles of Uses and Disclosures for Health Information
The General Principles for Uses and Disclosures of PHI stipulate when uses and disclosures of photos are required (when access is requested by the patient or by HHS' Office for Civil Rights in the course of a compliance investigation), when they are permitted (mainly for treatment, payment, and health care operations, but also for public interest and benefit activities), and when they must be authorized by a patient or the patient's representative (for any other purpose not required or permitted by the Privacy Rule).
With regards to the HIPAA photography rules, some permitted uses and disclosures exclude photos by omission. For example, §164.512(f)(2) – "Disclosures for Law Enforcement Purposes" – allows Covered Entities to disclose only a limited amount of PHI to law enforcement in response to a request for help to identify or locate a fugitive, suspect, missing person, or material witness. In such circumstances Covered Entities are only allowed to disclose:
- Name and address
- Date and place of birth
- Social Security number
- ABO blood type and Rh factor
- Type(s) of injury
- Date and time of treatment
- Date and time of death (if applicable)
- A description of distinguishing physical characteristics (for example height, weight, gender, race, hair and eye color, scars, and tattoos)
Because photographs are not on this list, a photo cannot be disclosed under this provision; it would require a different permission (for example a court order or the patient's authorization).
The Administrative, Physical, and Technical Safeguards of the Security Rule
While there are no specific HIPAA photography rules in the Administrative, Physical, and Technical Safeguards of the Security Rule, there are factors that Covered Entities and Business Associates may have to take into account to ensure images, pictures, photos, and videos containing PHI are not disclosed accidentally, or altered or disposed of improperly (the Security Rule's integrity standard, §164.312(c), requires ePHI to be protected from improper alteration or destruction). It is also important that workforce members are instructed on the compliant use of photography in healthcare environments.
With regards to accidental disclosures, it is often the case that images, pictures, photos, and videos are displayed "full screen", so a single glance exposes the whole record. Workforce members need to be conscious of this to ensure workstations are turned away from public view and mobile devices are used discreetly. With regards to improper alterations and disposals, it is harder to tell that an image has been altered than that text has been altered (a retouched photo carries no visible "edit history"), while video files are usually the first to be deleted when a device is low on storage space. Both failure modes argue for keeping an independent record of what each file should look like, rather than relying on inspection.
Workforce members are allowed to take photos and videos of patients, but only for a use or disclosure required or permitted by the Privacy Rule. Photos taken for any other purpose require a written authorization from the patient which explains why the photo is being taken and who it will be shared with. As patients have the right to revoke authorization, photos, videos, and other images should not be posted on social media as they cannot be permanently and absolutely retracted.
When do the HIPAA Picture Rules Not Apply?
The HIPAA picture rules do not apply to de-identified information (the Safe Harbor method requires full-face photographs and any comparable images to be removed, so a de-identified data set should not contain identifiable photos at all), or when pictures do not contain health information and are not included in a designated record set (because any information included in a designated record set which also includes PHI has to be protected as if it were PHI). A limited data set must likewise exclude full-face and comparable images, but it remains PHI and may only be shared under a data use agreement. The latter exception for non-health pictures can lead to compliance issues when unsolicited, but well-meaning, pictures of patients are sent to healthcare professionals.
Many healthcare professionals receive unsolicited and non-health related pictures of patients that would not normally be included in a designated record set. For example, photos sent to an obstetrician for inclusion on a “baby wall”, self-portrait Christmas cards sent to a family practitioner, and Thank You cards sent to a hospice that feature a picture of a deceased relative. In all these cases, the HIPAA picture rules do not apply provided the pictures remain private.
However, once the pictures are put on public display, it could be argued that – without the written authorization of the patient or their legal representative – the Covered Entity is violating the HIPAA picture rules because the images contain individually identifiable information that relates to the "past provision of healthcare to the individual". While there is a counterargument that the sender is giving implied consent, implied consent does not fulfil the authorization requirements of the Privacy Rule, which call for a written authorization containing specific elements.
Are Visitors Allowed to Take Photos Under HIPAA?
Patients and visitors are generally allowed to take photos and videos under the HIPAA photo rules, and many healthcare providers encourage this activity to record happy events such as births, successful surgeries, and recoveries from serious illnesses. Photos and videos taken by patients and visitors are not subject to the HIPAA photography rules because the images are not being created, received, transmitted, or stored by a Covered Entity and therefore HIPAA does not apply.
However, potential privacy issues exist when visitors take photos and videos that include other patients, because, if the photos and videos are publicly shared, the unauthorized disclosure of individually identifiable health information could be in violation of state privacy laws, other federal privacy laws (for example, 42 CFR Part 2 relating to the confidentiality of substance use disorder patients), or international privacy laws such as the EU´s General Data Protection Regulation (GDPR).
Therefore, it is advisable to control patient and visitor photography in healthcare environments in order to mitigate the risk of a privacy violation. While this can cause misunderstandings between patients, their visitors, and healthcare professionals, the alternative is to have any patients adjacent to the subject of the photo or video sign a HIPAA-esque authorization that allows their image to be shared anywhere by anyone. This may create more problems than it solves if any patients object.
The Penalties for Violating the HIPAA Photo Rules
In the majority of cases, violations of the HIPAA photo rules are accidental – for example, when patients in a waiting room can see a photo displayed on a workstation screen. If this type of violation is escalated to HHS' Office for Civil Rights, most often it is resolved by technical assistance or a corrective action plan. However, if unsecured photographs are exposed in a data breach due to a failure to comply with the Security Rule safeguards, the penalties can be much tougher.
HHS' Office for Civil Rights has the authority to impose financial penalties on negligent Covered Entities and Business Associates. The amount of the penalties is dependent on the level of culpability – i.e., the efforts made – or not made – to prevent the disclosure, the cause of the disclosure, and whether or not the negligent party corrected the violation within 30 days of knowing (or of when it should reasonably have known) about it. As of 2022, the inflation-adjusted financial penalties for violating the HIPAA photo rules are:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of knowledge | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Willful neglect, corrected within 30 days | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Willful neglect, not corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
What if Staff Violate the HIPAA Photo Rules?
If any member of the workforce (staff, temporary workers, contractors, volunteers, etc.) deliberately violates the HIPAA photo rules, the penalties can depend on what efforts have been made by the Covered Entity or Business Associate to prevent impermissible disclosures of PHI, the harm that has resulted from the impermissible disclosure, the previous conduct of the member of the workforce, the content of the sanctions policy, and the nature of training the workforce member has received.
When an impermissible disclosure is identified, it must be reported to HHS' Office for Civil Rights if it constitutes a breach of unsecured PHI, within the timescales of the Breach Notification Rule (without unreasonable delay and no later than 60 days after discovery for breaches affecting 500 or more individuals; smaller breaches are logged and reported annually). The Office for Civil Rights will investigate; and, if the Covered Entity or Business Associate has implemented necessary and appropriate safeguards against violations of the HIPAA photo rules, there will likely be no further action taken against the Covered Entity or Business Associate.
If, however, the Covered Entity or Business Associate has failed to comply with the Security Rule safeguards, failed to implement policies to control photography in healthcare environments, or failed to provide suitable training to the workforce, they will be found liable and subject to the penalties listed above. If the Office for Civil Rights believes a violation may be criminal, it can also refer the case to the Department of Justice for a criminal investigation.
For the individual who deliberately violated the HIPAA photo rules, it is likely they will face disciplinary action under the employer's sanctions policy; and, if the case is referred to the Department of Justice, a criminal investigation. If the investigation concludes that either the individual or the Covered Entity/Business Associate was guilty of a criminal offense, they will be subject to the penalties listed under 42 U.S.C. §1320d-6 (the Social Security Act) – "Wrongful disclosure of individually identifiable health information".
Complying with the HIPAA Photography Rules
State, federal, and international privacy laws aside, it can be complicated to comply with the HIPAA photography rules. If Covered Entities play it safe by assuming every picture should be classified as PHI and subject to Privacy and Security Rule standards, this means no more public facing baby walls, no more displays of greetings cards, and no disclosures of photographs to law enforcement officers – no matter the impact they may have on solving a crime or locating a missing person.
Covered Entities and Business Associates should also implement technologies that support HIPAA-compliant photography and data sharing by monitoring access to, alteration of, and deletion of all PHI, plus implement policies that prevent workforce members taking photos and videos on non-entity-issued devices or apps. There should also be controls for how, where, and when visitors can record happy events without capturing the individually identifiable image of another patient.
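The Security Rule paragraph above notes that an altered image is harder to spot than altered text and that video files tend to be the first deleted, and the compliance paragraph asks for technology that monitors alteration and deletion of PHI. One generic control that covers both is an integrity manifest: hash every image and video in the store, keep the manifest somewhere the imaging workstations cannot write, and periodically re-hash to detect modified, missing, or unexpected files. The following is an added example written for this page, not code from the original article, from HHS, or from any vendor; HIPAA does not prescribe this mechanism. The file extensions, directory names, and file contents are constructed for illustration, and the HMAC key stands in for a secret that a real deployment would keep in the audit system rather than on the workstation.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed set of file types treated as PHI imagery (an assumption, not from the page).
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".dcm", ".mp4"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large videos do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each image/video below root (relative POSIX path) to its SHA-256 hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the store and report what changed since the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a baseline over constructed files, then simulate the two failure modes
    named in the article (a retouched photo, a video deleted to free space) plus an
    unexpected new file, and return what verification reports."""
    key = b"constructed-demo-key-held-by-the-audit-system"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ward-b").mkdir()
        # Constructed sample content; only the leading bytes mimic real formats.
        (root / "wound-001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"constructed jpeg body")
        (root / "ward-b" / "wound-002.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"constructed png body")
        (root / "ward-b" / "consult.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"constructed video")
        (root / "notes.txt").write_text("not imagery; ignored by the manifest")

        baseline = build_manifest(root)
        seal = seal_manifest(baseline, key)
        # Persist/restore through JSON the way a scheduled job would.
        stored = json.loads(json.dumps(baseline))
        seal_ok = hmac.compare_digest(seal, seal_manifest(stored, key))

        # Simulated events: retouch one photo, delete the video, drop in a new file.
        with (root / "wound-001.jpg").open("ab") as fh:
            fh.write(b"\x00")
        (root / "ward-b" / "consult.mp4").unlink()
        (root / "ward-b" / "wound-003.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"new, unlogged photo")

        report = verify_manifest(root, stored)
        report["baseline_count"] = len(baseline)   # notes.txt is not counted
        report["seal_ok"] = seal_ok
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the "modified" and "missing" lists are the audit trail the article says is otherwise hard to obtain for images; the HMAC seal matters because a manifest an attacker can rewrite proves nothing. Pair it with access logging on the store itself, since a hash tells you that a file changed, not who changed it.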
As with all areas of HIPAA compliance, Covered Entities and Business Associates should conduct risk analyses to assess the likelihood of a violation attributable to a lack of compliance with the HIPAA photography rules. Thereafter, they should calculate the consequences of a violation, develop policies that mitigate the risk of a violation, and train members of the workforce on the policies – including the sanctions that will be imposed for photography-related violations of HIPAA.