HIPAA regulations apply when handling photos, audio recordings, and video recordings that contain protected health information (PHI). Health organizations must ensure they have a thorough understanding of the regulations, obtain consent and authorization, implement safeguards, properly retain and dispose of media, provide employee training, and establish business associate agreements.
Healthcare organizations must obtain appropriate consent and authorization from individuals before using or disclosing their PHI in photos, audio recordings, or video recordings.
Under HIPAA, covered entities are generally allowed to use and disclose PHI for treatment, payment, and healthcare operations without the need for consent. However, patients must be informed about the potential use of their PHI in photos, audio, or video recordings and allowed to object if they have concerns.
For purposes beyond treatment, payment, and healthcare operations, organizations must obtain written authorization from individuals. This can be done with a HIPAA authorization form.
The form must be specific, clearly stating the purpose of the use or disclosure, the information to be disclosed, and the expiration date of the authorization.
To maintain HIPAA compliance, organizations must implement appropriate safeguards to protect photos, audio recordings, and video recordings that contain PHI.
Physical safeguards involve the physical protection of photos, audio recordings, and video recordings to prevent unauthorized access or disclosure. This can include storing the media in locked cabinets or rooms, implementing access controls, and restricting physical access to authorized personnel only.
Technical safeguards involve the use of technology to protect confidentiality. Encryption should be used to secure the media both at rest and in transit. Access controls, such as unique user IDs and passwords, should be implemented to restrict access to authorized individuals. Regular auditing and monitoring should be conducted to detect unauthorized access or breaches.
Establish appropriate policies and procedures to ensure that media is retained for the required period and disposed of securely when no longer needed.
Consider applicable state laws and professional guidelines when determining the retention period. Retain the media for a sufficient period to support patient care, legal requirements, or other legitimate purposes.
When disposing of media, organizations must ensure that PHI cannot be easily retrieved or reconstructed. This may involve permanently deleting digital files, shredding physical media, or using secure destruction services.
To promote HIPAA compliance, organizations must provide ongoing training and education to employees who handle or have access to photos, audio recordings, or video recordings containing PHI. Employees should be educated about the importance of privacy and security and the specific policies and procedures in place within the organization.
If organizations engage service providers to handle or process photos, audio recordings, or video recordings containing PHI, a business associate agreement (BAA) must be in place. A BAA outlines the responsibilities and obligations of the business associate in safeguarding PHI.
Organizations should implement systems and processes to detect and investigate unauthorized access or breaches. Audits should be conducted periodically to assess the effectiveness of security measures and identify any vulnerabilities or areas for improvement.
In the event of a breach or security incident involving photos, audio recordings, or video recordings containing PHI, organizations must have an incident response plan in place. The plan should outline the steps to mitigate the impact of the breach, notify affected individuals and authorities, and conduct an internal investigation.
A notable example of a HIPAA violation involving video recording occurred at Sharp Grossmont Hospital in California. Between 2012 and 2013, the hospital secretly recorded 1,800 patients without their consent using motion-activated cameras in operating rooms. These recordings captured patients during sensitive procedures, including childbirth and surgery. The hospital claimed the intent was to catch staff drug thefts, but the tapes inadvertently included extensive footage of patients' private moments.
This incident led to a class-action lawsuit against the hospital, which settled in 2019 for $1 million. The case represented a serious breach of patient privacy and underscored the need to obtain explicit consent before recording in medical settings and to adhere strictly to HIPAA regulations protecting patient information.
Yes, photos, audio, and video recordings are considered PHI under HIPAA if they contain individually identifiable health information.
To ensure HIPAA compliance, obtain written patient consent, de-identify recordings, use secure storage and transmission methods, limit access to authorized personnel, and provide staff training on HIPAA regulations.
Yes, patient consent or authorization is generally required before making recordings that contain PHI, except in specific situations such as public health reporting or law enforcement purposes.
Recordings can be de-identified by removing all information that could identify the patient, such as names, contact information, and unique identifiers, and by blurring facial features or altering voices in recordings.
Non-compliance with HIPAA can result in civil penalties ranging from $100 to $50,000 per violation, criminal penalties including fines and imprisonment, reputational damage, and potential lawsuits from affected patients.