The relationship between HIPAA and pictures is a challenging area of compliance – especially for healthcare providers who may often receive unsolicited images that do not qualify as Protected Health Information, or who have to contend with patients and visitors taking photos and videos in healthcare environments that can reveal the identities of other patients.
Pictures play an important role in the provision of healthcare. They can be used to record detailed and accurate images of injuries and conditions to assist physicians in the diagnosis and treatment of patients, they can monitor a patient´s progress through their treatment, and they can be used to teach the next generation of physicians or for research into new treatments.
Under HIPAA, pictures that could identify a patient, a relative of the patient, the patient´s employer, a household member, or any other characteristic relating to the patient are generally regarded to be Protected Health Information (PHI) and subject to the Privacy and Security Rules. However, this interpretation does not apply at all times.
What Pictures are Protected by the Privacy Rule?
The Health Insurance Portability and Accountability Act (HIPAA) is a complex Act of legislation with challenging compliance requirements. One of the most complex areas of HIPAA concerns what information is – or is not – protected under the Privacy Rule; for whereas many Covered Entities and Business Associates are guided by the Safe Harbor method of de-identification to determine what is PHI under HIPAA, there are multiple exceptions and conditions that may apply.
In the context of HIPAA and pictures, one of the exceptions concerns whether or not a picture, image, photo, or video is, or contains, individually identifiable health information – “health” being the key word, because if the picture does not relate to “an individual´s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care” it is not PHI. (see §160.103)
An exception to this exception exists if a picture that does not meet the criteria to be classified as PHI is included in a designated record set. This is because a designated record set can contain information such as medical records, billing records, and case management records that do meet the definition of individually identifiable health information and, as such, must be protected. Any information in the same record set – whether PHI or not – must also be protected.
Why Might a Picture Not Be In A Record Set?
There are several scenarios in which a picture might not be included in a designated record set. These can include unsolicited photos sent to an obstetrician for inclusion on a “baby wall”, self-portrait Christmas cards sent to a family practitioner, or Thank You cards sent to a hospice that feature an image of a deceased relative. In all these cases, the pictures are unlikely to be included in a designated record set and would not require protecting.
However, an issue exists with regards to putting photos and images of patients and their relatives on public display. This is because the subjects of the photos and images are past recipients of health care; and, while it could be argued that, by sending a greeting to a medical professional, the patient or their relative is giving “implied consent” for the image to be publicly displayed, “implied consent” does not fulfil the written authorization requirements of the Privacy Rule.
While this might seem to contradict the explanation of what pictures are protected by the Privacy Rule above, there is a distinction between pictures that remain private and public disclosures of unsecured PHI. Furthermore, although an argument exists that the “unauthorized person to whom the impermissible disclosure was made (i.e., a patient in a waiting room) would not have been able to retain the information” – and therefore the unauthorized disclosure is not a reportable breach under the Breach Notification Rule – the unauthorized disclosure is still a violation of HIPAA.
Is Taking Photos and Videos Against HIPAA Rules?
With regards to patients and visitors taking photos and videos in a healthcare environment that can reveal the identities of other patients, these pictures are not classified as PHI because only images created, received, maintained, or transmitted by Covered Entities are subject to the Privacy and Security Rules. As patients and visitors are not Covered Entities, they are not subject to the Privacy and Security Rules, and any images they capture (“create”) are not protected by HIPAA.
Nonetheless, it is prudent to control the use of cameras and smartphones in healthcare environments. Although the rules for HIPAA and pictures do not apply to the actions of patients and visitors, other federal laws may prohibit the unauthorized disclosure of individually identifiable health information under any circumstances – for example 42 CFR Part 2 relating to the confidentiality of substance use disorder patients.
State privacy laws may also apply to patient images that are shared without authorization; and a patient who discovers their image has been shared may have a claim for invasion of privacy, public disclosure of private facts, implied breach of contract, and/or breach of fiduciary duty. Alternatively, if the image of an EU citizen is disclosed without authorization, the healthcare provider could be liable for a violation of GDPR and a penalty potentially much higher than for a violation of HIPAA.
Penalties for Violating the HIPAA Picture Rules
Most violations of the HIPAA picture rules are unintentional; and, if an unintentional violation is reported to HHS´ Office for Civil Rights, it will normally result in technical assistance to prevent the violation happening again or in a Corrective Action Order if the unauthorized disclosure of a photo or video is one of a number of compliance issues. However, if multiple pictures are disclosed in a large-scale data breach, the consequences could be much different.
Financial penalties for violating the HIPAA picture rules vary according to whether the Covered Entity or Business Associate had identified the likelihood of a data breach and made reasonable efforts to prevent it, whether there is a reasonable cause to believe the risks should have been identified, but weren´t, and whether the violation of the HIPAA picture rules is attributable to willful neglect – with penalties increasing if the violation is not corrected within 30 days.
The current financial penalties for violating the HIPAA picture rules are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Tier 1 | Reasonable Efforts | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable Cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Neglect – Corrected | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Neglect – Not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
Penalties for Staff Violations of the HIPAA Picture Rules
With regards to members of the workforce impermissibly disclosing PHI under their own volition, the consequences depend on what policies and procedures have been put in place to mitigate data breaches of this nature. They may also depend on the content of the organization´s internal policies as much as any HIPAA policies because the consequences could include disciplinary actions such as a demotion, a suspension, loss of professional accreditation, or the termination of a contract.
In such circumstances, the impermissible disclosure of PHI is undoubtedly a violation of the HIPAA picture rules and has to be reported to HHS´ Office for Civil Rights. The Office for Civil Rights will investigate, and the penalties imposed on the Covered Entity or Business Associate will depend on the level of culpability. If the Office of Civil Rights believes the violation by the workforce member constitutes a criminal activity, the case will be referred to the Department of Justice.
The Department of Justice will determine who is a fault and what criminal penalties should be imposed. If the violation is attributable to a lack of training or the lack of a social media policy, the organization may be found liable. If the workforce member has been trained and is aware they acted in violation of the HIPAA picture rules policies, they will be found liable. Depending on what harm has been caused, criminal penalties consist of a fine up to $250,000 and/or up to ten years in jail.
How to Resolve the Challenge of HIPAA and Pictures
Most Covered Entities and Business Associates are familiar with the HIPAA requirements for protecting photos, videos, and other images used for the provision of health care, the payment for health care, and health care operations. They are also familiar with the processes for seeking patient authorization for disclosures of PHI other than those permitted by the Privacy Rule. However, there are occasions when the rules for HIPAA and pictures don´t cover every scenario.
In these cases, Covered Entities should conduct a risk analysis to determine if further policies are required to resolve compliance challenges. For example, it may be the case that Notices of Privacy Practices have to be changed so patients have the option of authorizing public displays of baby photos or greetings cards, or it may be necessary to prohibit cameras and smartphones in certain areas to eliminate the risk of privacy violations by visitors and/or staff.
If Covered Entities and Business Associates are unaware of their compliance obligations in relation to HIPAA and pictures, professional compliance help should be sought at the earliest possible opportunity; and, if new policies are developed as a result of a risk analysis – or material changes are made to existing policies – it is important that all members of the workforce whose functions may be affected by the new/revised policies are provided with appropriate HIPAA refresher training.