By Emily Alten, on behalf of RxPhoto
Before-and-after photos and photos used to document patient procedures are considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), regardless of whether or not clients are using health insurance to pay for their services. Therefore, it is essential that your practice properly secures patient photos to avoid potential fees for improper PHI handling. Here are five things to keep in mind to ensure that your patient photos remain HIPAA compliant.
Do not leave photos stored on devices indefinitely, and no photography equipment should ever leave the practice unless it has been wiped of photos. Remote-wipe technologies exist, but if you have set up this capability, make sure you are up to date on the most recent Health Information Technology for Economic and Clinical Health Act (HITECH) regulations. (Click here to learn more.) If using a DSLR camera, photos must be uploaded to a computer regularly and the SD card must be wiped clean so that photos cannot be accessed outside the practice or by anyone other than a trained staff member. If using a mobile device, the simplest way to remain HIPAA compliant is to use a service that stores photos in a HIPAA-compliant cloud server for you. That way, when photos are taken, they are automatically stored on the cloud and never stored on the device itself.
Sending or receiving photos of clients is an easy way to fall into HIPAA non-compliance. Emails are a big no-no. HIPAA requires that electronic communications with any PHI—including photos, names, any medical information or anything that can be used to identify a patient—be properly encrypted to ensure privacy. Also, be aware that sharing information with another party requires a consent form from the client to acknowledge that he or she is aware of what information being shared and with whom. HIPAA also states that communication between two parties should only include the minimum necessary information to properly care for the patient; however, if the client is a mutual patient of the two parties sharing health information, it can be freely shared.
It may be obvious that consent forms are required to use any client’s information or likeness in order to market your product, but you should be aware that blacking out a subject’s eyes or even face is not enough to remove all possible identifying features or information. Getting consent forms and being transparent with clients about how their information might be used by the practice is the most prudent move.
Social media is an excellent way to market to and communicate with present and potential clients. However, it is easy to slip into HIPAA-violating familiarities online. Even confirmation that an online persona is a client violates HIPAA rules. Make sure that any online communication from the practice does not include any of the following information:
- Recognition that someone is a client—“It was nice to see you the other day,” or, “Glad you enjoyed your visit”;
- Discussion or comment on a treatment—“We’re glad you’re happy with your Botox”; or
- Recommendations for treatments, which could be considered medical advice from a non-MD source—or, worse, public medical advice violating patient confidentiality.
Educate Your Staff
Your staff should be educated on HIPAA and HIPAA compliance to ensure that your practice is doing everything it can to remain above-board. There are numerous resources, including online courses, that offer HIPAA training for medical staff; pricing averages approximately $25 per employee. (HHS.gov, HIPAAExams.com and MyHIPAATraining.com are among the sites that offer these training opportunities). This will not only keep your practice HIPAA compliant, but also help keep any staff/client communication professional and courteous.
Writing enthusiast and biology nerd, Emily Alten specializes in educational health care and medicine content. She is a Magna Cum Laude graduate from Columbia University with a degree in biological sciences/pre-medical studies.