Before-and-after photos, as well as photos used to document patient procedures, are considered PHI (Protected Health Information) under HIPAA, regardless of whether or not clients use health insurance to pay for their services. It is therefore essential that your practice properly secures patient photos to avoid potential penalties for improper PHI handling. Here are five easy tips to keep in mind to ensure that your patient photos remain HIPAA compliant.
Do not leave photos stored on devices indefinitely, and no photography equipment should ever leave the practice unless it has been wiped of photos. Remote-wipe technologies exist, but if you have set up this capability, make sure you are up to date on the most recent HITECH regulations (see csrc.nist.gov for more). If you use a DSLR camera, photos must be uploaded to a computer regularly and the SD card must be wiped clean so that the photos cannot be accessed outside the practice or by anyone other than a trained staff member. If you use a mobile device, the simplest way to remain HIPAA compliant is to use a service that stores photos on a HIPAA-compliant cloud server for you: when a photo is taken it is uploaded to the cloud automatically and is never stored on the device itself.
Sending or receiving photos of clients is an easy way to fall into HIPAA non-compliance. Emails are a big no-no. HIPAA requires that electronic communications containing any PHI (this includes photos, names, any medical information, or anything else that can be used to identify a patient) be properly encrypted to ensure privacy. Also be aware that sharing information with another party requires a consent form from the client acknowledging that he/she is aware of what information is being shared and with whom. HIPAA also states that communications between two parties should include only the minimum information necessary to properly care for the client/patient. The exception is when the client is a mutual client/patient of the two parties sharing the health information.