Table of Contents
Before and after photos, as well as photos used to document patient procedures are considered PHI (Protected Health Information) by HIPAA, regardless of whether or not clients are using health insurance to pay for their services. Therefore, it is essential that your practice properly secures patient photos to avoid potential fees for improper PHI handling. Here are five easy tips to keep in mind to ensure that your patient photos remain HIPAA compliant.
Storage
Do not leave photos stored on devices indefinitely, and no photography equipment should ever leave the practice unless it has been wiped of photos. Although remote-wipe technologies exist, if you have set up this capability, make sure you are up to date on the most recent HITECH regulations (see csrc.nist.gov for more.) If using a DSLR camera, photos must be uploaded to a computer regularly and the SD card must be wiped clean so that photos cannot be accessed outside the practice or by anyone other than a trained staff member. If using a mobile device, the simplest way to remain HIPAA compliant is to use a service that stores photos in a HIPAA-compliant cloud server for you. That way, when photos are taken, they are automatically stored on the cloud and never stored on the device itself.
Communications
Sending or receiving photos of clients is an easy way to fall into HIPAA non-compliance. Emails are a big no-no. HIPAA requires that electronic communications with any PHI (this includes photos, names, any medical information or anything that can be used to identify a patient) be properly encrypted to ensure privacy. Also be aware that in order to share information with another party requires a consent form from the client to acknowledge that he/she is aware of the information being shared and with whom. HIPAA also states that the communications between two parties should only include the minimal necessary information to properly care for the client/patient. The exception is if the client is a mutual client/patient of the two parties sharing health information.
Marketing
It may be obvious that consent forms are required to use any client’s information or likeness in order to market your product. But be aware that blacking out a subject’s eyes or even face is not enough to remove all possible identifying features/information. The smartest move is to get consent forms and be transparent with clients about what and how information might be used by the practice.
Social media
Social media is an excellent way to market to and communicate with present and potential clients. However, it is easy to slip into HIPAA-violating familiarities online. Even confirmation that an online persona is a client violates HIPAA rules. Make sure that any online communication from the practice does not include any of the following information:
- Recognition that someone is a client (“it was nice to see you the other day,” or “glad you enjoyed your visit.”)
- Discussion or comment on a treatment (“we’re glad you’re happy with your botox”)
- Recommendations for treatments, which could be considered medical advice from a non-MD source: or worse, public medical advice violating patient confidentiality
Educate your staff
Your staff should be educated on HIPAA and HIPAA compliance to ensure that your practice is doing everything it can to remain above board. There are numerous resources, including online courses, that offer HIPAA training for medical staff. Pricing averages approximately $25/employee (HSS.gov, hipaaexams.com, and myhipaatraining.com for example). This will not only keep your practice HIPAA compliant, but will help keep any staff/client communications professional and courteous.
Are you struggling to take high-quality and consistent before and after photos?
Check out our whitepaper on
Emily Alten
Writing enthusiast and biology nerd, Emily specializes in educational healthcare and medicine content. She is a Magna Cum Laude graduate from Columbia University with a degree in biological sciences/pre-medical studies.