When is a client photo PHI? A client’s photo is considered to be PHI under HIPAA in certain circumstances. It is important to understand what these circumstances are in order to avoid unintentional HIPAA violations due to impermissible disclosures of PHI.
Whether or not a client’s photo is considered Protected Health Information (PHI) under HIPAA depends on multiple factors. The first is whether the client’s photo is in the possession of an individual or organization that qualifies as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA).
Not all health plans and healthcare providers qualify as covered entities, and not all third party service providers qualify as business associates. If an individual or organization does not qualify as either, the answer to “when is a client photo PHI?” is “Never”, because organizations not covered by HIPAA are not required to comply with the HIPAA regulations.
At this stage, it is important to point out that, although a client’s photo might not be considered PHI under HIPAA, it may be considered personally identifiable information under another state or federal law and subject to other privacy and security regulations – including breach notification regulations if it is disclosed impermissibly or without prior authorization.
As we continue to discuss when is a client photo PHI, there will be other occasions when a photo of a client does not qualify as PHI – even though it may be maintained by a covered entity or business associate. When these occasions arise, other state or federal laws may – or may not – apply. If you are concerned about a specific circumstance, it is best to seek professional compliance advice.
How are Client Photos Used in Healthcare?
Client photos are used in many ways in healthcare. They can be used to determine the nature or the scale of an injury, support diagnoses and treatments, or demonstrate a recovery. They can also be used for workforce training, research, and to conduct quality assessments, or in marketing campaigns to promote a healthcare facility and its services.
When a health plan or healthcare provider qualifies as a HIPAA covered entity or business associate, photos of this nature are classified as PHI if they are maintained in a designated record set with other individually identifiable health information that relates to the past, present, or future condition of the client, treatment for the condition, or payment for the treatment.
Client photos can also be classified as PHI if they imply a treatment relationship between an individual and a healthcare provider. For example, a photo used to verify a client’s ID which is not maintained with health data is classified as PHI, whereas an image captured by CCTV in a hospital car park is not PHI – because the image could relate to a visitor, salesperson, delivery driver, etc. – even though the identity of the individual can be determined from the image.
The fine line between when is a client photo PHI and when is it not PHI can lead to all client photos being treated the same and secured as if they were PHI. This default position is not beneficial for operational efficiency if, for example, a member of the facility security team wanted to identify the owner of a vehicle that was blocking ambulance access, but did not have the user credentials to access databases in which photos had been secured.
Obtaining Authorizations to Share Client Photos
Another scenario which can obstruct operational efficiency is when covered entities develop policies requiring unnecessary HIPAA authorizations to share client photos. The HIPAA Privacy Rule allows more uses and disclosures of PHI without authorization than many organizations may be aware of. These include, but are not limited to:
- Conducting quality assessments and reviews
- Assessing the cost of providing health care
- Case management and care coordination
- Workforce performance competence reviews
- Conducting supervised workforce training
- Licensing and credentialing activities
- Arranging medical reviews and legal services
- Business planning and development
- The administration of customer service
- The resolution of internal grievances
While it is important to obtain an authorization from a client before using or disclosing their photo for a purpose not required or permitted by the Privacy Rule, policies that require authorizations unnecessarily can (for example) delay the coordination of care or limit the ability of instructors to train members of the workforce about certain types of injury.
Therefore, it is not only important to know when is a client photo PHI, but when it can be used or disclosed without an authorization – notwithstanding that some permitted uses and disclosures of PHI exclude client photos. For example, §164.512(f)(2) – “Disclosures for Law Enforcement Purposes” – does not include photos in the list of PHI that can be disclosed to law enforcement officers.
Is a Client Photo PHI if Taken by Family or Friends?
The question of is a client photo PHI if it is taken by family or friends – or indeed the individual themselves – can also be complicated to answer. This is because family members and friends of the client are not covered by the HIPAA Privacy Rule, and provided the photo stays within the family/friends group, there is no risk of a HIPAA violation.
However, if the client photo is sent to a covered entity – for example, a mother and baby photo is sent to a pediatrician for inclusion on a baby wall – the photo implies a treatment relationship between the subject of the photo and a healthcare provider. In this case it would be necessary for the healthcare provider to obtain an authorization from the subject of the photo (or their personal representative) to put the client photo on display.
It can also be the case that a photo taken by family or friends includes identifiable images of other hospital patients. If such a photo is subsequently posted on social media by a family member or friend, although it would not constitute a HIPAA violation (because the individual who posted the photo is not covered by HIPAA), it would violate the privacy of any other patients appearing in the photo.
For these reasons, it is important that healthcare providers implement policies about displaying photos submitted by clients and the environments in which client photos are taken. Healthcare providers that are unsure about the privacy requirements of HIPAA and any other federal or state laws that apply to their facilities should seek professional compliance advice.