What are the HIPAA Photography Rules?
The HIPAA photography rules vary according to the nature of the photograph, its purpose, and whether it is part of a designated record set. The HIPAA rules for photos also may or may not apply depending on who is taking the photos, while the environment in which photos are taken can also influence hospital policies.
Photos are only mentioned twice in HIPAA – once in the Safe Harbor method of de-identifying PHI, and once in the list of individually identifiable health information that has to be removed from a designated record set to make it a limited data set. Because these are the only mentions of photographs in HIPAA, many covered entities assume that every photograph should be classified as Protected Health Information (PHI) and subject to HIPAA Privacy and Security Rule standards. But this is not the case.
Individually identifiable information such as photos and videos only becomes individually identifiable health information when it is created or received by a covered entity and relates to “the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”, or when it is maintained in the same designated record set as individually identifiable health information.
What HIPAA Photography Rules Apply to Health Information?
When photos and videos are created or received by a covered entity and relate to a patient’s healthcare or are maintained in the same record set as the patient’s healthcare information, they are subject to the General Principles for Uses and Disclosures; and – when maintained or transmitted electronically – to the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. Business associates are also required to comply with the HIPAA Security Rule safeguards when providing a service to, or performing a function on behalf of, a covered entity.
It is important for covered entities and business associates to be aware that photos that do fulfil the criteria for health information not only include full-face photographs, but also photos of distinctive injuries, jewelry, tattoos, and other identifying features. The photos might also be of emotional support animals. In addition, any photos of relatives, employers, or household members that could be used to identify an individual – and that are kept in the same designated record set – are also subject to the HIPAA photography rules.
The General Principles of Uses and Disclosures for Health Information
The General Principles for Uses and Disclosures of PHI stipulate when uses and disclosures of photos are required (when access is requested by the patient or a representative of HHS’ Office for Civil Rights), when they are permitted (mainly for treatment, payment, and health care operations, but also for public interest and benefit activities), and when they must be authorized by a patient or the patient’s representative (for any other purpose not required or permitted by the HIPAA Privacy Rule).
With regard to the HIPAA photography rules, some permitted uses and disclosures exclude photos. For example, §164.512(f) – “Disclosures for Law Enforcement Purposes” – allows covered entities to disclose only a limited amount of PHI to law enforcement in response to a request for help to identify or locate a fugitive, suspect, missing person, or material witness. In such circumstances, covered entities are only allowed to disclose:
- Names and addresses
- Dates and place of birth
- Social security number
- ABO blood type and Rh factor
- Type(s) of injury
- Date and time of treatment
- Date and time of death (if applicable)
- A description of distinguishing physical characteristics
The Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule
While there are no specific HIPAA photography rules in the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, there are factors that covered entities and business associates may have to take into account to ensure images, pictures, photos, and videos containing PHI are not disclosed accidentally, or altered or disposed of improperly. It is also important that workforce members are instructed on the compliant use of photography in healthcare environments.
With regard to accidental disclosures, it is often the case that images, pictures, photos, and videos are displayed “full screen”. Workforce members need to be conscious of this to ensure workstations are turned away from public view and mobile devices are used discreetly. With regard to improper alterations and disposals, it can be harder to ascertain that an image has been altered (compared to text being altered), while video files are usually the first to be deleted when storage space runs low.
Workforce members are allowed to take photos and videos of patients, but only for a use or disclosure required or permitted by the HIPAA Privacy Rule. Photos taken for any other purpose require a written authorization from the patient, which explains why the photo is being taken and who it will be shared with. As patients have the right to revoke authorization, photos, videos, and other images should not be posted on social media, as they cannot be permanently and absolutely retracted.
When do the HIPAA Picture Rules Not Apply?
The HIPAA picture rules do not apply when photographs of patients are de-identified to be included in a limited data set, or when they do not contain health information and are not included in a designated record set (because any information included in a designated record set that also includes PHI has to be protected as if it were PHI). This latter exception can lead to compliance issues when unsolicited, but well-meaning, pictures of patients are sent to healthcare professionals.
Many healthcare professionals receive unsolicited and non-health-related pictures of patients that would not normally be included in a designated record set. For example, photos sent to an obstetrician for inclusion on a “baby wall”, self-portrait Christmas cards sent to a family practitioner, and Thank You cards sent to a hospice that feature a picture of a deceased relative. In all these cases, the HIPAA picture rules do not apply, provided the pictures remain private.
However, once the pictures are put on public display, it could be argued that – without the written authorization of the patient or their legal representative – the covered entity is violating the HIPAA picture rules because the images contain individually identifiable information that relates to the “past provision of healthcare to the individual”. While there is a counterargument that the sender is giving implied consent, this does not fulfill the authorization requirements of the HIPAA Privacy Rule.
Are Visitors Allowed to Take Photos Under HIPAA?
Patients and visitors are generally allowed to take photos and videos under the HIPAA photo rules, and many healthcare providers encourage this activity to record happy events such as births, successful surgeries, and recoveries from serious illnesses. Photos and videos taken by patients and visitors are not subject to the HIPAA photography rules because the images are not being created, received, transmitted, or stored by a covered entity, and HIPAA does not apply.
However, potential privacy issues exist when visitors take photos and videos that include other patients, because, if the photos and videos are publicly shared, the unauthorized disclosure of individually identifiable health information could be in violation of state privacy laws, other federal privacy laws (for example, 42 CFR Part 2 relating to the confidentiality of substance use disorder patients), or international privacy laws such as the EU’s General Data Protection Regulation (GDPR).
With this in mind, it is advisable to control patient and visitor photography in healthcare environments in order to mitigate the risk of a privacy violation. While this can cause misunderstandings between patients, their visitors, and healthcare professionals, the alternative is to have any patients adjacent to the subject of the photo or video sign a HIPAA-esque authorization that allows their image to be shared anywhere by anyone. This may create more problems than it solves if any patients object.
The Penalties for Violating the HIPAA Photo Rules
In the majority of cases, violations of the HIPAA photo rules are accidental – for example, when patients in a waiting room can see a photo displayed on a workstation screen. If this type of violation is escalated to HHS’ Office for Civil Rights, most often it is resolved by technical assistance or a Corrective Action Order. However, if unsecured photographs are exposed in a data breach due to a failure to comply with the HIPAA Security Rule safeguards, the penalties can be much tougher.
HHS’ Office for Civil Rights has the authority to impose financial penalties on negligent covered entities and business associates. The amount of the penalties is dependent on the level of culpability – i.e., the efforts made – or not made – to prevent the disclosure, the cause of the disclosure, and whether or not the negligent party has attempted to correct the impact of the disclosure within 30 days. As of December 2026, the financial penalties for violating the HIPAA photo rules are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $141 | $35,581 | $35,581 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $142,355 |
| Tier 3 | Neglect – Corrected | $14,232 | $71,162 | $355,808 |
| Tier 4 | Neglect – Not Corrected within 30 days | $71,162 | $2,134,831 | $2,134,831 |
What if Staff Violate the HIPAA Photo Rules?
If any member of the workforce (staff, temporary workers, contractors, volunteers, etc.) deliberately violates the HIPAA photo rules, the penalties can depend on what efforts have been made by the covered entity or business associate to prevent impermissible disclosures of PHI, the harm that has resulted from the impermissible disclosure, the previous conduct of the member of the workforce, the content of the sanctions policy, and the nature of training the workforce member has received.
As soon as an impermissible disclosure is identified, it must be reported to HHS’ Office for Civil Rights if the impermissible disclosure involves a breach of unsecured PHI. The Office for Civil Rights will investigate; and, if the covered entity or business associate has implemented necessary and appropriate safeguards against violations of the HIPAA photo rules, there will likely be no further action taken against the covered entity or business associate.
If, however, the covered entity or business associate has failed to comply with the HIPAA Security Rule safeguards, failed to implement policies to control photography in healthcare environments, or failed to provide suitable training to the workforce, they will be found liable and subject to the penalties listed above. If the Office for Civil Rights feels the violation is criminally negligent, it can also refer the case to the Department of Justice for a criminal investigation.
For the individual who deliberately violated the HIPAA photo rules, it is likely they will face disciplinary action; and, if the case is referred to the Department of Justice, a criminal investigation. If the investigation concludes that either the individual or the covered entity/business associate was guilty of a criminal activity, they will be subject to the penalties listed under §1320d-6 of the Social Security Code – “Wrongful disclosure of individually identifiable health information”.
Complying with the HIPAA Photography Rules
State, federal, and international privacy laws aside, it can be complicated to comply with the HIPAA photography rules. If covered entities play it safe by assuming every picture should be classified as PHI and subject to HIPAA Privacy and Security Rule standards, this means no more public-facing baby walls, no more displays of greeting cards, and no disclosures of photographs to law enforcement officers – no matter the impact they may have on solving a crime or locating a missing person.
Covered entities and business associates should also implement technologies that support HIPAA-compliant photography and data sharing and that monitor access to, alteration of, and deletion of all PHI, and implement policies that prevent workforce members from taking photos and videos on devices or apps not issued by the entity. There should also be controls for how, where, and when visitors can record happy events without capturing the individually identifiable image of another patient.
As with all areas of HIPAA compliance, covered entities and business associates should conduct risk analyses to assess the likelihood of a violation attributable to a lack of compliance with the HIPAA photography rules. Thereafter, they should calculate the consequences of a violation, develop policies that mitigate the risk of a violation, and train members of the workforce on the policies – including the sanctions that will be imposed for photography-related violations of HIPAA.
HIPAA Photography Rule FAQs
Is there a specific HIPAA photography policy?
There is no specific HIPAA photography policy or standard mentioned in the HIPAA Privacy or Security Rules. However, covered entities are required to conduct a risk assessment to identify risks to PHI. If it is considered that taking photos or storing photos (either within or outside a designated record set) constitutes a risk to the privacy or security of PHI, a covered entity will be required to develop policies and procedures with regard to photography and ensure members of the workforce are trained on the policies and procedures as appropriate to their functions.
What are the penalties for HIPAA photo violations?
The penalties for HIPAA photo violations are the same as the penalties for similar HIPAA violations that involve impermissible uses and disclosures of PHI. A member of a covered entity’s workforce would be sanctioned in line with the covered entity’s sanctions policy; or, if the impermissible use or disclosure is attributable to a failure to conduct a risk assessment, develop policies, and/or provide training, the covered entity would be subject to OCR enforcement action.
Also, there may be circumstances in which a violation occurs that is not a violation of HIPAA, but rather of a covered entity’s own policies. For example, it is not a violation of HIPAA to take a photo of a patient for a personal keepsake, provided the patient has signed a written authorization. However, if the hospital at which the healthcare worker is employed has prohibited all photographs, the healthcare worker may still be sanctioned even though they did not violate HIPAA.
What is the HIPAA law about taking pictures in a hospital environment?
The HIPAA law about taking pictures in a hospital environment is that it is okay for a covered entity or members of a covered entity’s workforce to take pictures, provided the pictures are for a permissible use or disclosure, and that the individually identifiable health information of any person in the picture remains private and secure. If a covered entity or a member of a covered entity’s workforce takes pictures for a purpose not permitted by the HIPAA Privacy Rule, the subject(s) of the pictures have to provide a written authorization.
It is important to be aware that the HIPAA law about taking pictures in a hospital environment only applies to covered entities, members of the workforce, and business associates providing a service to or on behalf of a covered entity. It does not apply to members of the public, or individuals or organizations not covered by HIPAA (including some hospitals that do not qualify as covered entities). However, although in these circumstances HIPAA law about taking pictures does not apply, hospital policies or state laws may prohibit taking pictures in a hospital environment.
Is taking a picture of a patient a HIPAA violation?
Taking a picture of a patient is not a HIPAA violation. Who takes the picture, whether the subsequent use of the picture is authorized by the patient, and how the picture is subsequently used, disclosed, stored, or transmitted, determines whether or not a HIPAA violation has occurred.
- For example, if an individual who is not a member of a covered entity’s workforce takes a picture of a patient, it is not a HIPAA violation because the individual is not subject to the HIPAA Rules.
- If a patient has authorized a covered entity to use the picture in a marketing or fundraising campaign, it is not a HIPAA violation provided the terms of the authorization are complied with.
- If the picture is taken for a purpose permitted by the HIPAA Privacy Rule, and it is subsequently used, disclosed, stored, and transmitted in compliance with the HIPAA Privacy and Security Rules, it is not a HIPAA violation.
The only time taking a picture of a patient is a HIPAA violation is when a picture is taken by a member of a covered entity’s workforce without the authorization of the patient and/or for a use or disclosure not permitted by the HIPAA Privacy Rule. In such circumstances, the use or disclosure of the picture would constitute a reportable breach of unsecured PHI, which has to be notified to the patient and to HHS’ Office for Civil Rights.
What happens if you are caught taking photos without consent?
If you are caught taking photos without consent and you are a member of a covered entity’s workforce, what happens depends on the covered entity’s sanctions policy. Most covered entities would regard taking photos without consent (for a use or disclosure not permitted by the HIPAA Privacy Rule) as a grave violation of privacy, and you would likely be fired or, at best, given a written warning and required to undergo refresher compliance training.
If there is evidence that you have taken pictures of patients previously and used or disclosed them for a purpose not permitted by the HIPAA Privacy Rule, this would qualify as a breach of unsecured PHI, which would require notification to be sent to the patient(s) and to HHS’ Office for Civil Rights. If HHS’ Office for Civil Rights believes you took the pictures and used them for malicious harm or personal gain, they can refer your case to the Department of Justice to pursue a criminal conviction.
Is taking photos in a hospital a violation of HIPAA?
Taking photos in a hospital is not a violation of HIPAA – although what is subsequently done with the photos might be a violation if you are a member of a covered entity’s workforce and the photos are used for a purpose not permitted by the HIPAA Privacy Rule. Even when taking photos in a hospital is not a violation of HIPAA, it may be a violation of the hospital’s privacy policy – which may apply to all patients and visitors as well as members of the hospital’s workforce.
Is it against the law to take pictures of someone in the hospital?
It is not against the law to take pictures of someone in a hospital unless you are a member of the hospital’s workforce who has taken pictures without authorization for a use or disclosure not permitted by the HIPAA Privacy Rule. However, regardless of whether or not you are a member of the hospital’s workforce, it may be against the hospital’s privacy policy to take pictures of someone in the hospital, so it is always better to seek confirmation first, and authorization where necessary.
Is it a HIPAA violation to take a picture of an X-ray?
It is not a HIPAA violation to take a picture of an X-ray, provided the picture is going to be used for a purpose permitted by the HIPAA Privacy Rule. It is worth noting that patients and their personal representatives may soon be allowed to take pictures of any PHI maintained in a designated record set, according to a Request for Information published by the Department of Health and Human Services.
Why do you need HIPAA authorizations before displaying baby photos?
You need authorizations before displaying baby photos because baby photos imply a past treatment relationship and can be used to identify the individual who was the subject of the past treatment relationship (i.e., the baby). This means that baby photos qualify as PHI even if they are maintained outside of a medical record (or other designated record set) and cannot be displayed in public without a written authorization from the baby’s personal representative.
Can a patient take a picture of their medical records?
A patient can take a picture of their medical records under §164.524(c)(2)(i) of the HIPAA Privacy Rule: “The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format”. To eliminate any debate about whether this section allows patients to take pictures of their medical records, the Department of Health and Human Services intends to amend this section in proposed changes to the HIPAA Privacy Rule. The changes are expected to take effect sometime in 2025.
What is a HIPAA-compliant photo release?
A HIPAA-compliant photo release is a HIPAA photo authorization form that needs to be completed by a patient when a photo is being taken by a covered entity or a member of a covered entity’s workforce for a purpose not permitted by the HIPAA Privacy Rule. For example, a HIPAA-compliant photo release would not be required if the photo is to be used for treatment, payment, or healthcare operations purposes, but must be obtained if the photo is to be used for marketing purposes.
Can nurses take pictures with patients?
Nurses can take pictures with patients if the pictures are going to be used for a purpose permitted by the HIPAA Privacy Rule or if the nurses obtain a written authorization before taking the pictures. It is often the case that nurses like to take pictures with patients to remind themselves of former patients, particularly those who have recovered from a serious injury or illness, and nothing in HIPAA prohibits this, provided an authorization is obtained first. However, it may also be necessary to check the hospital’s privacy policy in case taking pictures of patients is prohibited by the hospital.
Can I email a photo and be HIPAA-compliant?
You can email a photo and be HIPAA-compliant, provided the communication is for a permissible use (or a patient has consented to receiving a photo by email), provided the service used to email the photo has sufficient security measures in place to comply with the HIPAA Security Rule, and provided the vendor of the email service has entered into a Business Associate Agreement. If you email a photo for impermissible uses (without an authorization) or without these provisions in place, it is a violation of HIPAA because an unencrypted email is not a secure communication channel.
What is the HIPAA law on photos?
The HIPAA law on photos is that they should be treated the same as any other information that can be used to identify the subject of a designated record set containing Protected Health Information. This means that a photo can only be used or disclosed for a purpose permitted by the HIPAA Privacy Rule, and the confidentiality, integrity, and availability of the photo must be ensured by complying with the standards of the HIPAA Security Rule.
Is posting a picture of a patient a HIPAA violation?
Posting a picture of a patient can be a HIPAA violation if, for example, a picture of a patient is posted on a social media platform without the written authorization of the patient. In such circumstances, the impermissible disclosure of the patient’s picture is a reportable breach of unsecured PHI that must be reported to the patient and to HHS’ Office for Civil Rights. However, if a covered entity has obtained an authorization to post the picture on a social media platform as part of (for example) a marketing campaign, this would not be a violation of HIPAA.
Is it ever acceptable to take pictures of patients’ confidential information?
It can be acceptable to take pictures of patients’ confidential information if a) the person taking the picture is the patient, b) the picture is going to be used or disclosed for a purpose permitted by the HIPAA Privacy Rule, or c) the patient has given their authorization for the information to be used for a purpose not permitted by the HIPAA Privacy Rule. In the second and third options, measures have to be in place for the confidentiality, integrity, and availability of the picture until it is no longer required and securely disposed of.
Is it illegal to take photos in hospital?
It is not illegal to take photos in hospital. However, when a photo is taken in hospital by a covered entity or a member of a covered entity’s workforce, what happens to the photo after it has been taken is governed by the HIPAA Privacy and Security Rules. In this case, the photo can only be used or disclosed for a purpose permitted by the HIPAA Privacy Rule and must be secured from unauthorized access using the controls mandated by the HIPAA Security Rule.