HIPAA Pictures and Videos. What are the Rules?
It may surprise some people to learn that, in the entire text of HIPAA pictures and videos are only mentioned twice – and that is only if you count the references to “photographic images” in the sections of HIPAA relating to the de-identification of PHI and Limited Data Sets. So, what are the rules relating to HIPAA pictures and videos, and who do they apply to?
When the HIPAA Administrative Simplification provisions were originally published, it would have been difficult to conceive the ease with which people can take pictures and videos almost two decades later. Consequently, and despite several updates to the provisions, there is no mention of pictures and videos beyond the photographic image references.
However, because “photographic images” appears in the lists of identifiers that have to de-identified or removed from designated record sets, many Covered Entities believe that all photographic images (including pictures and videos) qualify as PHI. This is not the case. Only photos, images, pictures, and videos that are created or received by a Covered Entity qualify as PHI if they relate to:
- the past, present, or future physical or mental health or condition of an individual,
- the provision of health care to an individual, or
- the past, present, or future payment for the provision of health care to an individual.
If they qualify as PHI, there are HIPAA rules for pictures and videos. Additionally, the rules may apply to pictures and videos of relatives, employers, or household members that could be used – or which there is a reasonable basis to believe could be used – to identify an individual if the pictures and videos are maintained in the same designated record set as other PHI pertaining to the individual.
The HIPAA Rules for Pictures and Videos
When pictures and videos qualify as PHI, they are subject to the General Principals for Uses and Disclosures found in the Privacy Rule, and the Administrative, Physical, and Technical Safeguards of the Security Rule. Business Associates are also required to comply with the HIPAA rules for pictures and videos when providing a service to, or on behalf of, a Covered Entity.
The rules not only apply to full-face images, but any picture or video that could be used to identify the individual. Therefore, when they qualify as PHI, images of injuries, tattoos, birthmarks, jewelry, and any other distinguishing feature are covered by the General Principles for Uses and Disclosures and the Administrative, Physical, and Technical Safeguards.
The General Principles of Uses and Disclosures
The General Principles for Uses and Disclosures govern when uses and disclosures of PHI are required, permitted, or require authorization. There are only two cases in which disclosures are required – when access to is requested by an individual under their patients´ rights, and when access is required by HHS´ Office for Civil Rights for an audit, investigation, or review.
The permitted uses and disclosures of PHI are more complicated; for although they generally allow uses and disclosures for treatment, payment, health care operations, reporting abuse, and law enforcement purposes (among others), there are exceptions to when it is permissible to disclose picture and videos. For example:
In §164.512(f) of the Privacy Rule – “Disclosures for Law Enforcement Purposes” – Covered Entities are allowed to disclose PHI to law enforcement officers to help identify or locate a suspect, a fugitive, a missing person, or a material witness. However, Covered Entities may only disclose certain PHI identifiers – and pictures and videos are absent from the list.
- Names and addresses
- Dates and place of birth
- Social security number
- ABO blood type and rh factor
- Type(s) of injury
- Date and time of treatment
- Date and time of death (if applicable)
- A description of distinguishing physical characteristics
The uses and disclosures requiring authorization are also complicated because individuals have the right to revoke authorizations at any time. Therefore, as pictures and videos in the public domain can be screenshot and copied, it is unwise to use patients´ pictures and videos for marketing or in Facebook posts because Covered Entities have no control over them once they are published.
The Administrative, Physical, and Technical Safeguards
The purpose of the Security Rule safeguards is to ensure the confidentiality, integrity, and availability of electronic PHI that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. To comply with the Security Rule safeguards, Covered Entities and Business Associates must conduct regular risk assessments to:
- Identify and protect against reasonably anticipated threats
- Protect against reasonably anticipated impermissible uses and disclosures, and
- Ensure compliance by the workforce.
This final requirement is relevant to HIPAA pictures and videos because, if a member of the workforce (for example) takes a photo of a patient and posts it on social media without the authorization of the patient, the workforce member may be subject to criminal penalties under the Social Security Act in addition to any disciplinary actions taken by the Covered Entity.
However, if the Covered Entity has failed to conduct a risk assessment, protect against unauthorized pictures and videos being posted on social media (which is a reasonably anticipated disclosure), train members of the workforce on HIPAA compliance, and provided each with a copy of the Sanctions Policy, the Covered Entity may too be liable for criminal penalties due to their negligence.
Are Visitors Allowed to Take Pictures Under HIPAA?
Visitors are allowed to take pictures under HIPAA because the pictures or videos being taken are being created, received, transmitted, or stored by someone other than a Covered Entity and therefore the HIPAA Rules do not apply. Because of this interpretation, some Covered Entities are reluctant to allow workforce members to take pictures on behalf of patients or visitors; and, when a no-photo policy exists, it should be clearly explained to visitors in order to avoid awkward situations.
Furthermore, although visitors are allowed to take pictures under HIPAA, Covered Entities could encounter issues if other patients are included in a picture or video. This is because the potential exists for the unauthorized disclosure of individually identifiable health information (of other patients) if a picture or video is publicly shared or posted on social media. In theory, this could violate state, federal, or international privacy laws – for which the Covered Entity may be liable.
Consequently, it is recommended that visitor photography and video recording is carefully managed to mitigate the risk of a privacy violation. If a complaint is made to a State Attorney General or regulatory body, and the Covered Entity can demonstrate that measures were in place to carefully manage visitors taking pictures, it is unlikely the Covered Entity would be considered liable for the unauthorized disclosure of individually identifiable health information.
Baby Walls and HIPAA Pictures and Videos Rules
One of the grayer areas of the HIPAA pictures and videos rules concerns whether unsolicited images sent to medical professionals are classified as PHI and subject to the Privacy and Security Rules. These images can include photos sent to an obstetrician for inclusion on a “baby wall”, Thank You cards sent to a hospice that feature a picture of a deceased relative, and photo Christmas cards or vacation postcards sent to a family practitioner.
The gray area exists because the pictures and videos do not contain specific health information and, although it can be assumed the images relate to the “past provision of healthcare to an individual”, they wouldn´t normally be included in a designated record set. The compliance issue manifests when baby pictures and greetings cards are put on public display – for example, in a family practitioner´s waiting room. In theory, this could result in the impermissible disclosure of PHI.
The options available to Covered Entities in these circumstances are either to keep the pictures and videos private or obtain an authorization from the sender of the picture to publicly display it (“implied consent” does not fulfil the requirements of the General Principals of Uses and Disclosures). Neither are a great solution, and both appear unappreciative of the sender´s intentions, but unfortunately those are the HIPAA Rules for pictures and videos.
Penalties for Violating HIPAA Pictures and Videos Rules
In the majority of circumstances, picture and video-related violations of HIPAA are accidental or incidental – i.e., those that are incidental to a permissible use of disclosure of PHI that exceed the minimum necessary standard. If these are reported to HHS´ Office for Civil Rights by a patient, the most likely outcome is technical assistance to prevent the violation happening again or a Corrective Action Order if the violation is the result of an underlying culture of non-compliance.
When multiple pictures and videos are disclosed in a data breach, the HHS´ Office for Civil Rights has the authority to impose financial penalties. The amount of the penalties is variable depending on the efforts made to prevent impermissible uses and disclosures, whether or not the disclosure of unsecured PHI was attributable to an oversight, whether the data breach occurred due to willful neglect, and what efforts were made to contain the consequences of the breach within 30 days.
The penalties for violating HIPAA pictures and video rules can be increased if a Covered Entity or Business Associate subsequently fails to notify the victims of breaches and HHS´ Office for Civil Rights in a timely manner, or reduced if the Covered Entity or Business Associate can demonstrate twelve months compliance with a recognized security framework that supports the requirements of the Security Rule. The financial civil penalties for 2022 are:
HIPAA Pictures and Videos Compliance
There is no doubt that HIPAA pictures and videos compliance is complex, and easy to see why Covered Entities and Business Associates might adopt the approach that every photo and video is PHI. However, this approach can create issues with baby walls, unappreciated greetings cards, and patients and visitors who want a record of a birth, recovery, or other happy moment on video. It might also prevent the apprehension of a criminal or a missing person being found.
While this is the safest approach in terms of avoiding penalties for violating HIPAA pictures and video rules, the enforcement of over-arching policies may be difficult and may prompt workforce members to circumnavigate the policies to please patients or to help them do their jobs better. Consequently, the best approach is to establish what photos and videos are covered by the Privacy and Security Rules – and which are not – and develop reasonable and appropriate policies for each.
Covered Entities and Business Associates can also take advantage of technology to support HIPAA pictures and videos compliance. Secure photo and messaging apps can help prevent impermissible uses and disclosures of PHI, while solutions such as web filters and password managers can help prevent unauthorized access to healthcare systems. As with all areas of HIPAA, risk assessments and comprehensive workforce training are key to HIPAA pictures and videos compliance.