HIPAA Pictures and Videos. What are the Rules?
The HIPAA rules for pictures and videos are the same as for any piece of information that qualifies as Protected Health Information (PHI) when pictures or videos relate to an individualโs health condition or treatment for the condition, or when pictures or videos could be used to identify the subject of the PHI. However, healthcare providers may also have to develop additional policies covering the HIPAA pictures and videos rules when pictures and videos are taken by hospital visitors.
It may surprise some people to learn that, in the entire text of HIPAA pictures and videos are only mentioned twice โ and that is only if you count the references to โphotographic imagesโ in the sections of HIPAA relating to the de-identification of PHI and Limited Data Sets. So, what are the rules relating to HIPAA pictures and videos, and who do they apply to?
When the HIPAA Administrative Simplification provisions were originally published, it would have been difficult to conceive the ease with which people can take pictures and videos more than two decades later. Despite advances in technologies, and several updates to the provisions, there is no mention of pictures and videos beyond the photographic image references.
However, because โphotographic imagesโ appears in the lists of identifiers that have to de-identified or removed from designated record sets, many covered entities believe that all photographic images (including pictures and videos) qualify as PHI. This is not the case. Only photos, images, pictures, and videos that are created or received by a covered entity qualify as PHI if they relate to:
Get the FREE
HIPAA Compliance
Email Checklist
Learn How To Prevent All Email Related HIPAA Violations
Immediate Access
- the past, present, or future physical or mental health or condition of an individual,
- the provision of health care to an individual, or
- the past, present, or future payment for the provision of health care to an individual.
- or, if they could be used to identify the the subject of PHI and are maintained in the same data set as PHI.
If they qualify as PHI, there are HIPAA rules for pictures and videos. In addition, the rules may apply to pictures and videos of relatives, employers, or household members that could be used โ or which there is a reasonable basis to believe could be used – to identify an individual if the pictures and videos are maintained in the same designated record set as other PHI pertaining to the individual.
The HIPAA Rules for Pictures and Videos
When pictures and videos qualify as PHI, they are subject to the General Principals for Uses and Disclosures found in the Privacy Rule, and the Administrative, Physical, and Technical Safeguards of the Security Rule. Business associates are also required to comply with the HIPAA rules for pictures and videos when providing a service to, or on behalf of, a covered entity.
The rules not only apply to full-face images, but any picture or video that could be used to identify the individual. When they qualify as PHI, images of injuries, tattoos, birthmarks, jewelry, and any other distinguishing feature are covered by the General Principles for Uses and Disclosures and the Administrative, Physical, and Technical Safeguards.
The General Principles of Uses and Disclosures
The General Principles for Uses and Disclosures govern when uses and disclosures of PHI are required, permitted, or require authorization. There are only two cases in which disclosures are required โ when access to is requested by an individual under their patientsยด rights, and when access is required by HHSยด Office for Civil Rights for an audit, investigation, or review.
The permitted uses and disclosures of PHI are more complicated; for although they generally allow uses and disclosures for treatment, payment, health care operations, reporting abuse, and law enforcement purposes (among others), there are exceptions to when it is permissible to disclose picture and videos. For example:
In ยง164.512(f) of the Privacy Rule โ โDisclosures for Law Enforcement Purposesโ โ covered entities are allowed to disclose PHI to law enforcement officers to help identify or locate a suspect, a fugitive, a missing person, or a material witness. However, covered entities may only disclose certain PHI identifiers – and pictures and videos are absent from the list.
- Names and addresses
- Dates and place of birth
- Social security number
- ABO blood type and rh factor
- Type(s) of injury
- Date and time of treatment
- Date and time of death (if applicable)
- A description of distinguishing physical characteristics
The uses and disclosures requiring authorization are also complicated because individuals have the right to revoke authorizations at any time. As pictures and videos in the public domain can be screenshot and copied, it is unwise to use patients’ pictures and videos for marketing or in Facebook posts because covered entities have no control over them once they are published.
The Administrative, Physical, and Technical Safeguards
The purpose of the Security Rule safeguards is to ensure the confidentiality, integrity, and availability of electronic PHI that is created, received, maintained, or transmitted by a covered entity or business associate. To comply with the Security Rule safeguards, covered entities and business associates must conduct regular risk assessments to:
- Identify and protect against reasonably anticipated threats
- Protect against reasonably anticipated impermissible uses and disclosures, and
- Ensure compliance by the workforce.
This final requirement is relevant to HIPAA pictures and videos because, if a member of the workforce (for example) takes a photo of a patient and posts it on social media without the authorization of the patient, the workforce member may be subject to criminal penalties under the Social Security Act in addition to any disciplinary actions taken by the covered entity.
However, if the covered entity has failed to conduct a risk assessment, protect against unauthorized pictures and videos being posted on social media (which is a reasonably anticipated disclosure), train members of the workforce on HIPAA compliance, and provided each with a copy of the Sanctions Policy, the covered entity may too be liable for criminal penalties due to their negligence.
Are Visitors Allowed to Take Pictures Under HIPAA?
Visitors are allowed to take pictures under HIPAA because the pictures or videos being taken are being created, received, transmitted, or stored by someone other than a covered entity and the HIPAA Rules do not apply to visitors. Because of this interpretation, some covered entities are reluctant to allow workforce members to take pictures on behalf of patients or visitors; and, when a no-photo policy exists, it should be clearly explained to visitors in order to avoid awkward situations.
In addition, although visitors are allowed to take pictures under HIPAA, covered entities could encounter issues if other patients are included in a picture or video. This is because the potential exists for the unauthorized disclosure of individually identifiable health information (of other patients) if a picture or video is publicly shared or posted on social media. In theory, this could violate state, federal, or international privacy laws โ for which the covered entity may be liable.
Because of these reasons, it is recommended that visitor photography and video recording is carefully managed to mitigate the risk of a privacy violation. If a complaint is made to a State Attorney General or regulatory body, and the covered entity can demonstrate that measures were in place to carefully manage visitors taking pictures, it is unlikely the covered entity would be considered liable for the ย ย unauthorized disclosure of individually identifiable health information.
Baby Walls and HIPAA Pictures and Videos Rules
One of the grayer areas of the HIPAA pictures and videos rules concerns whether unsolicited images sent to medical professionals are classified as PHI and subject to the Privacy and Security Rules. These images can include photos sent to an obstetrician for inclusion on a โbaby wallโ, Thank You cards sent to a hospice that feature a picture of a deceased relative, and photo Christmas cards or vacation postcards sent to a family practitioner.
The gray area exists because the pictures and videos do not contain specific health information and, although it can be assumed the images relate to the โpast provision of healthcare to an individualโ, they wouldnยดt normally be included in a designated record set. The compliance issue manifests when baby pictures and greetings cards are put on public display โ for example, in a family practitionerยดs waiting room. In theory, this could result in the impermissible disclosure of PHI.
The options available to covered entities in these circumstances are either to keep the pictures and videos private or obtain an authorization from the sender of the picture to publicly display it (โimplied consentโ does not fulfil the requirements of the General Principals of Uses and Disclosures). Neither are a great solution, and both appear unappreciative of the senderยดs intentions, but unfortunately those are the HIPAA Rules for pictures and videos.
Penalties for Violating HIPAA Pictures and Videos Rules
In the majority of circumstances, picture and video-related violations of HIPAA are accidental or incidental โ i.e., those that are incidental to a permissible use of disclosure of PHI that exceed the minimum necessary standard. If these are reported to HHS’ Office for Civil Rights by a patient, the most likely outcome is technical assistance to prevent the violation happening again or a Corrective Action Order if the violation is the result of an underlying culture of non-compliance.
When multiple pictures and videos are disclosed in a data breach, HHS’ Office for Civil Rights has the authority to impose financial penalties. The amount of the penalties is variable depending on the efforts made to prevent impermissible uses and disclosures, whether or not the disclosure of unsecured PHI was attributable to an oversight, whether the data breach occurred due to willful neglect, and what efforts were made to contain the consequences of the breach within 30 days.
The penalties for violating HIPAA pictures and video rules can be increased if a covered entity or business associate subsequently fails to notify the victims of breaches and HHS’ Office for Civil Rights in a timely manner, or reduced if the covered entity or business associate can demonstrate twelve months compliance with a recognized security framework that supports the requirements of the Security Rule. The financial civil penalties for 2024 are:
HIPAA Pictures and Videos Compliance
There is no doubt that HIPAA pictures and videos compliance is complex, and easy to see why covered entities and business associates might adopt the approach that every photo and video is PHI. However, this approach can create issues with baby walls, unappreciated greetings cards, and patients and visitors who want a record of a birth, recovery, or other happy moment on video. It might also prevent the apprehension of a criminal or a missing person being found.
While this is the safest approach in terms of avoiding penalties for violating HIPAA pictures and video rules, the enforcement of over-arching policies may be difficult and may prompt workforce members to circumnavigate the policies to please patients or to help them do their jobs better. In most cases, the best approach is to establish what photos and videos are covered by the Privacy and Security Rules โ and which are not โ and develop reasonable and appropriate policies for each.
Covered entities and business associates can also take advantage of technology to support HIPAA pictures and videos compliance. Secure photo and messaging apps can help prevent impermissible uses and disclosures of PHI, while solutions such as web filters and password managers can help prevent unauthorized access to healthcare systems. As with all areas of HIPAA, risk assessments and comprehensive workforce training are key to HIPAA pictures and videos compliance.