One of the areas of HIPAA compliance with the most complexity relates to HIPAA compliance and photos. This is because some sections of the Privacy Rule suggest all photos are subject to the General Principles of Uses and Disclosures, while other sections suggest otherwise.
The General Principles of Uses and Disclosures is a key part of the Privacy Rule which governs when uses and disclosures of PHI are required, permitted, or require authorization. There are only two occasions when disclosures are required – when an individual exercises their rights as a patient, and when a disclosure is required by HHS' Office for Civil Rights during an audit, investigation, or review.
The permitted uses and disclosures generally cover uses and disclosures for treatment, payment, health care operations, reporting abuse, and law enforcement purposes (among others). However, there are exceptions to when Covered Entities are permitted to disclose photos – for example, §164.512(f) omits photos from the information Covered Entities can provide to law enforcement.
Covered Entities have to be very careful with the uses and disclosures requiring authorization because an individual or their legal representative can withdraw their authorization at any time. Consequently, photos of patients should never be posted on social media because – under the Terms of Service – the social media channel may also have rights to the photos and may continue to use them even if authorization is withdrawn and the photo deleted from the entity's timeline.
The reason why some Covered Entities and Business Associates find HIPAA compliance and photos complex is that references to “photographic images” appear in the Privacy Rule de-identification standard (§164.514(b)) and in the list of identifiers that need to be removed from a designated record set in order to be able to disclose PHI as a limited data set (§164.514(e)).
The lists of Patient Identifier Data Elements in these sections of the Privacy Rule are frequently interpreted as the data elements that constitute PHI. Although this is a good guide to what data needs protecting from impermissible uses and disclosures, it is not an entirely accurate interpretation of how PHI is defined in the Privacy Rule (§160.103).
In the Privacy Rule, Protected Health Information is defined as “Individually identifiable health information that is […] transmitted or maintained in any form”. To understand why all photos may not be subject to the General Principles of Uses and Disclosures, you have to look at the definition of individually identifiable health information in the Privacy Rule, which states:
“Individually identifiable health information is information […] created or received by a health care provider, health plan, employer, or health care clearing house that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
Therefore, if a photo or any other Patient Identifier Data Element does not fulfil these criteria, it is not Protected Health Information and not subject to the General Principles of Uses and Disclosures – unless it is maintained in a designated record set with other data elements that do fulfil the criteria (for example, as medical records, billing records, etc.). In this case, a photo that does not qualify as PHI still needs to be protected as if it were PHI.
Healthcare providers often receive photos that do not directly relate to the provision of healthcare or payment for healthcare. For example, a family might send their family doctor a Christmas greetings card featuring a group photo on the front. Similarly, a grateful family may send a hospice a Thank You card on which an image of their deceased relative appears, or a mother may send her obstetrician a photo of her new-born for inclusion on the obstetrician's “baby wall”.
In all the above scenarios, the photos are unlikely to be included in a designated record set and would neither qualify as PHI nor need protecting. However, there is an issue with HIPAA compliance if photos are put on public display without the authorization of the sender because the photos relate to past recipients of healthcare, and they could be used to identify the individuals in them.
Therefore, not only are there occasions when individually identifiable health information might not be maintained in a designated record set, but there are also occasions when individually identifiable health information is not PHI (when it is kept private) or when it is subject to the General Principles of Uses and Disclosures (when it is on public display). No wonder some Covered Entities adopt the approach that all photos qualify as PHI and should not be disclosed without authorization.
HIPAA doesn't prohibit visitors taking photos, but there are potential privacy risks if photos taken by visitors (or healthcare professionals on a visitor's behalf) contain individually identifiable information relating to other patients. If the photos are shared – for example, on social media – this could be in breach of other state, federal, or international laws protecting the privacy of individuals.
These laws might relate to certain areas of healthcare or all areas of healthcare. For example, 42 CFR Part 2 relating to the confidentiality of substance use disorder patients makes it an offense to disclose any individually identifiable information relating to patients (note the absence of the word “health”), while Covered Entities could be held liable for unintentional or accidental disclosures of an individual´s identity if the individual is an EU citizen and covered by GDPR.
Consequently, Covered Entities – and healthcare providers in particular – should carefully manage visitors taking photos to mitigate the risk of a privacy violation. Even though there is no conflict between HIPAA compliance and photos taken by visitors, if a complaint is made to a State Attorney General or other regulatory body, the Covered Entity may have to demonstrate that policies and procedures existed to mitigate unintentional or accidental disclosures of an individual's identity.
Most impermissible disclosures of photos are unintentional or accidental; and, if such an event is reported to HHS' Office for Civil Rights, the Office for Civil Rights will likely offer technical assistance to prevent the impermissible disclosure happening again or – if the impermissible disclosure is attributable to an underlying culture of non-compliance – impose a Corrective Action Order.
When multiple photos are disclosed in a breach of unsecured PHI, the Office for Civil Rights has the authority to impose financial penalties. The amount imposed as a financial penalty depends on factors such as the efforts made by the Covered Entity to prevent the impermissible disclosure, if the Covered Entity should have known about the risk and it occurred due to a lack of oversight, or if the impermissible disclosure was the result of willful neglect. The penalties for 2022 are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $127 | $63,973 | $1,919,173 |
| Tier 2 | Lack of Oversight | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Neglect – Corrected | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Neglect – Not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
In circumstances in which a Covered Entity or any member of the Covered Entity's workforce has knowingly obtained or disclosed PHI in violation of the Rules for HIPAA compliance and photos, the Office for Civil Rights may refer the incident to the Department of Justice. Under §1320d-6 of the Social Security Act (“Wrongful disclosure of individually identifiable health information”), the DoJ can also impose financial penalties of up to $250,000 and/or imprison the guilty party for up to ten years.
It is understandable some Covered Entities take the approach that all photos are subject to the General Principles of Uses and Disclosures, while others allow photos to go on public display – either with or without authorization. It is also understandable that some healthcare facilities might operate a no-photo policy or limit photos to certain areas of the facility to avoid potential privacy violations.
Prohibiting all public displays and visitor photographs is unlikely to be the answer to HIPAA compliance and photos because workforce members and hospital visitors will find ways around the prohibition – which may result in even more serious privacy violations. Therefore, Covered Entities and, where applicable, Business Associates should make reasonable and appropriate efforts to protect patient privacy while enabling authorized disclosures of non-health related photos.
Copyright © 2022 ComplianceHome