A HIPAA photography policy should govern the use of cameras and mobile phones in healthcare environments – and the security of medical images – in order to protect the privacy of individually identifiable health information and prevent impermissible disclosures of Protected Health Information (PHI).
Photography has been used in healthcare environments since the invention of the camera to document patient conditions and behaviors. As technology advanced, photography helped physicians share their experiences, collaborate on diagnoses, and learn from each other – both improving and accelerating the delivery of healthcare.
However, as technology has advanced further, the benefits of photography in healthcare have been offset by threats to the confidentiality of health information. The increased use of photography has resulted in more images being added to individuals’ medical records – and more images being stolen from medical records in healthcare data breaches.
Additionally, server misconfigurations can cause medical images to be exposed on the Internet in great numbers, while there have been dozens of cases in which photographs of patients have been impermissibly shared online by hospital employees. For this reason, healthcare organizations are required to implement and enforce a HIPAA photography policy.
What is a HIPAA Photography Policy?
A HIPAA photography policy is the outcome of a risk assessment that analyzes the risks to the privacy of individually identifiable health information and the risks to the confidentiality, integrity, and availability of electronic PHI. Conducting a risk assessment is a specific requirement of the Security Rule and is necessary to comply with the Administrative Requirements of the Privacy Rule.
To conduct a risk assessment, healthcare organizations need to audit how photographs are received, created, stored, or transmitted, and how they are used or disclosed. Thereafter, each organization should attempt to identify every reasonably foreseeable event in which a photograph, image, or video could be used or disclosed impermissibly, or accessed by unauthorized personnel.
These events include not only data breaches, misconfigurations, and violations by hospital employees. Healthcare organizations also need to take into account the actions of members of the public and how they use personal devices to record their hospital experiences: while focusing on their own experience, they may inadvertently record the experiences of other patients.
Although one member of the public photographing another member of the public is not a violation of HIPAA (because members of the public are not governed by HIPAA Rules), a member of the public who believes their privacy has been violated while on hospital premises could have a claim against the healthcare provider for an invasion of privacy, public disclosure of private facts, implied breach of contract, and/or breach of fiduciary duty.
Who Needs a HIPAA Photography Policy?
All healthcare providers that qualify as HIPAA covered entities – or that provide a service to or on behalf of a covered entity – must have policies governing the privacy and security of all types of PHI. The purpose of implementing a separate HIPAA photography policy is to emphasize the importance of keeping photographs, images, and videos private and secure.
However, rather than just implementing a photography policy to comply with HIPAA, it is best to develop, implement, and enforce a more comprehensive photography policy that meets the requirements of HIPAA and also complies with the requirements of other federal and state laws relating to personal privacy and the security of healthcare data.
This means a HIPAA photography policy will not only have to take into account the Administrative, Physical, and Technical Safeguards of the Security Rule, but also the uses and disclosures of PHI permitted by the Privacy Rule, staff training and sanctions, and restrictions on where and when members of the public can use personal devices to take photos and videos.
How to Enforce a Photography Policy
A comprehensive HIPAA photography policy that covers more than the requirements of HIPAA can be difficult to enforce – particularly with regard to patients who want to chronicle their experiences, or the experiences of a loved one, and share them on social media. Nevertheless, effective enforcement is essential to avoid privacy violations.
The recommended way of enforcing a photography policy is to divide it into three parts. The first part should cover the Administrative, Physical, and Technical Safeguards of the Security Rule, because once these controls are implemented they are relatively simple to enforce. The second part should govern staff conduct with regard to permissible uses and disclosures, and the sanctions for violating the HIPAA photography policy.
The third part should take the form of guidelines for patients and visitors that explain the acceptable uses of photography in the healthcare facility, explain when it is necessary to request permission before taking a photograph or video, and explain that the healthcare facility reserves the right to remove members of the public from the facility if they violate the guidelines.
Healthcare facilities that require assistance in conducting a risk assessment, implementing any necessary security measures, training members of the workforce on permissible uses and disclosures of PHI, or enforcing a HIPAA photography policy should seek professional compliance advice.