Can you take pictures of patients?

Photographs are named in 45 CFR § 164.514(b)(2) as one of the identifiers that should be removed to deidentify protected health information (PHI), specifically named as, “(Q) Full face photographic images and any comparable images.” There is still a distinction between patient photographs for treatment and other purposes like education, research, or publication, particularly in the context of HIPAA compliance. When photographs are used for treatment, they are typically considered part of the patient's medical record. However, when patient photographs are intended for use beyond direct patient care, such as for educational, research, or publication purposes, specific and explicit patient consent is usually required.

Rules for using patient photos for treatment vs. other purposes 

For treatment

• Consent: In a treatment context, photographs are often considered a part of the patient's medical record. General consent for medical treatment typically includes consent for necessary documentation, encompassing clinical photos.
• De-identification: De-identification is usually not required since these pictures are used in patient care. They are protected under the confidentiality norms that govern all medical records.
  
  

For education, research, or publication

• Consent: When photographs are used for education, research, or publication, specific informed consent is required. This consent must clearly state that the images will be used for purposes beyond direct patient care and describe the nature of these uses. 
• De-identification: Photographs must be de-identified by removing identifiable features such as faces, tattoos, or other unique identifiers. This ensures that the photographs can be used for their intended purpose without the risk of linking them back to the individual patient.

See also: HIPAA Compliant Email: The Definitive Guide

Informed consent for patient photography

Based on a Baylor College of Medicine blog post, “Under HIPAA, patients are legally entitled to the protection of their health information. This protection includes patient imaging data, which clinical photographs are considered.”

In the process of obtaining consent for patient photography in healthcare, the consent form plays a big role. This form should articulate the purpose of taking the photographs, be it for treatment, diagnosis, education, research, or publication, ensuring that this intent is transparently communicated to the patient. It also needs to detail how these photographs will be utilized and shared, specifying, for instance, the audience in educational contexts. 

The form should address the process of deidentification, particularly when photographs are used beyond treatment purposes, highlighting the measures in place to safeguard the patient's identity. The anticipated duration for which the photographs will be retained and used is another piece of information, clarifying whether they will be stored indefinitely or discarded after a certain period.

It is also necessary to note that emphasis is placed on the voluntary nature of the patient's participation, and providing information on how they can retract their consent in the future. This should be offset by the description of the confidentiality measures implemented to protect the security and privacy of the photographs, covering aspects of storage and handling.

See also: Consent vs. permission in healthcare

How does de-identification apply to patient photographs?

De-identification in the context of patient photographs involves removing or obscuring any identifiable information that could be used to trace the image back to an individual patient, including:

• Full-face photographs or any comparable images that can reveal the patient's identity. 
• Unique physical markers such as distinctive birthmarks, tattoos, and scars.
• Identifiers like the patient's name, birth date, medical record number, or any other unique characteristic or code that could link the image to the individual.
• Details like room details or medical equipment with identifiable tags, may also need to be altered or removed to prevent recognition.

See also: How to de-identify protected health information for privacy

FAQs

What is de identification?

Deidentification is the process of removing or altering personal identifiers from health information so that individuals cannot be readily identified.

When should PHI be deidentified?

PHI should be deidentified when it is used for research, public health, or other purposes where individual identification is not necessary.

Is taking a picture of a patient a HIPAA violation if it is not taken by a covered entity for treatment or related purposes?

No, if an image is not taken by a covered entity or used for clinical processes or related purposes, it might not fall under HIPAA.