Posting Patient Photographs: Are You Compliant?
Patient photographs are used for a variety of reasons related to medical care. Patient photographs taken in a clinical setting become part of a patient’s designated record set as Protected Health Information (PHI) and thus should be treated with the same privacy, confidentiality and safeguards as any other part of the medical record. A patient photo is considered to be PHI if the patient can be identified in any way, a patient photo may be PHI if it contains:
- Any portion of the face
- Name or Initials
- Birth Date
- Social Security
- Date of service
- Medical Record Number
HIPAA allows patient photographs to be used within a healthcare organization for treatment and teaching purposes. Any external use (such as publication, social media, seminar/conference materials, marketing, etc.) of photographs requires explicit informed consent by the patient that accurately defines the intended use of the photographs. Out of respect for the privacy of patients, it is vital that consent is not only specific but also accurately explained to patients prior to their consent.
In 2016, a Los Angeles physical therapy provider was ordered to pay $25,000 as part of a settlement agreement for impermissibly disclosing patient information. The Office of Civil Rights (OCR) received a complaint that the provider had posted patient testimonials, including names and full face photographs, to its website without obtaining valid, HIPAA-compliant authorizations. The settlement agreement also required implementation of a corrective action plan, and annual reporting of all compliance efforts.
According to OCR’s investigation, the provider failed to reasonably safeguard PHI, impermissibly disclosed PHI without an authorization, and failed to implement policies and procedures that comply with HIPAA’s authorization requirements.
“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”
- OCR Director Jocelyn Samuels
Respect for patients and their privacy should always take precedence when putting together any material for external use. Always utilize the University’s approved authorization/release for patient photographs or audio/video recording which can be found on the Privacy Office website. Please note that in order for an authorization to be valid, it must be completed in its entirety. Forms with missing or incomplete elements are not valid and thus do not grant consent by the patient.
Departments that would like to share a story, testimonials, or would like a social media presence should contact the Office of Communications and Marketing at 305-284-2211 to obtain further guidance.