HIPAA Restricts Some Photography, but Not All
Photography in healthcare settings is difficult to control but could lead to HIPAA violations if not monitored. How much one should try to control people taking pictures and video can be difficult to determine.
Any photo or video that could identify the patient may be subject to HIPAA restrictions, says Trish Markus, JD, a partner in the Raleigh, NC, office of law firm Nelson Mullins Riley & Scarborough. This includes full-face photographs but also photographs of distinctive tattoos, birthmarks, and other identifying features. Those all constitute PHI, she says, and therefore must be used and disclosed only for permitted purposes.
“There are legitimate reasons for healthcare providers to take pictures of patients, including to photograph rashes for inclusion in the patient’s medical record, to submit before-and-after photos of plastic surgery patients to a specialty board as part of a physician’s board certification process, and for use within the facility in educating students or clinicians,” Markus explains. “Providers even may use patient-identifying images for research studies, if patients agree to this use of their PHI.”
Additionally, before using photos or video of a patient for a healthcare provider’s marketing or fundraising purposes, the provider must obtain the patient’s written authorization outlining the manner and extent to which the images may be used, Markus adds.
Photographs that are used for treatment, payment, or healthcare operations purposes do not require patients’ written authorization, Markus says. However, obtaining written consent still can be a good idea, says Jennifer Romig, JD, an associate with the law firm of Ropes & Gray in Chicago.
“I advise explaining in very clear terms the purpose of the photography and how it will be used, including who will see it and how it will be stored. That’s best practice even though it is not strictly required for HIPAA compliance,” Romig says. “Any use of patient photos for something other than the patient’s care, like putting photos on your website, absolutely requires consent from the patient. You also have to make clear to them that they are free to say no.”
To limit the disclosure of such images outside the organization, providers should consider permitting photographs for legitimate clinical or operational use to be taken only using facility-owned or facility-approved equipment, not clinicians’ individual cellphones. “Providers should adopt a policy clarifying that any authorized photographs or videos are the sole property of the facility,” Markus says. “The policy also should prohibit distribution of photographs or other images involving patients to any person outside the facility without written authorization from the patient for a permissible use.”
Staff should be trained on the organization’s policy regarding photography and the consequences of violating it. Staff also should be trained to require individuals observed in violation of the policy to stop the photographic or video recording activity. Controlling photography by employees is one thing, but how much should healthcare organizations control what patients, family, and visitors do with photography? Given the ubiquity of cellphones and their enhanced photography and video recording capabilities, it’s important for healthcare providers to consider implementing a policy that addresses whether and how patients, their family members, and their friends may use photography and video while on the premises of the provider, Markus says. Most facilities find that policing non-staff use of photography is too difficult and don’t implement detailed restrictions, Romig says.
“Personal photography by patients, family, and visitors is very difficult to control. If people are taking pictures of relatives or people they know, hospitals generally are getting in the way of that,” Romig says. “But there are facilities in which if staff see people taking pictures of an unconscious person, or other patients they may not know, the staff will intervene and ask them to stop. Practically speaking, that is a difficult thing to catch because people have their phone out all the time and sometimes you don’t even know when they’re taking pictures.”
However, some restrictions may be necessary. Markus provides these examples to demonstrate different reasons for proactively addressing patients’ use of cameras in the healthcare setting:
- In 2008, at the University of California, Los Angeles’ Resnick Neuropsychiatric Hospital (Resnick Hospital), a patient violated the privacy of other patients by taking photographs during a group therapy session and posting the photos to a social networking website. The patient who posted the photos claimed that other patients consented to the photographs, but hospital administrators rejected this assertion and expressed concern that, due to the nature of the group session, the patients involved may not have been fully competent to give their consent.
- Patients sometimes take pictures of their loved ones in the hospital and share those images on social media sites. However, if the patient is not in a private room and the patient’s roommate is in the picture, or if the picture of the patient includes other patients participating in a physical therapy session, the taking and sharing of such photos without the other patients’ consent creates privacy headaches for providers.
- Family members sometimes wish to document physical conditions of healthcare facilities or the quality of the care their loved ones are receiving in a facility. They may take photographs of the patient’s room or other parts of the building. In some cases, family members set up hidden cameras to videotape the patient’s care or surreptitiously record discussions with clinicians or staff. These family members then use the photos or video recordings as leverage in litigation over patient care concerns. HIPAA clearly does not permit healthcare providers to use and disclose photos that contain PHI for purposes such as a staff member’s curiosity or prurient interest, Markus says. Unfortunately, this kind of privacy violation happens. Markus offers these examples:
- In a particularly egregious case, doctors and nurses at the University of Pittsburgh Medical Center Bedford used their personal cellphones to photograph and videotape the genitals of a man under anesthesia who was undergoing surgery to remove a foreign body that had caused a genital injury. These staffers shared the pictures with other personnel at the hospital who were not involved in the patient’s care. This occurred despite the hospital’s policy prohibiting photography that is not intended for educational use or for the benefit of the patient.
- An EMT student who photographed an emergency room patient suffering from a severe facial gunshot wound with her personal cellphone; the student then shared that photo with friends and colleagues in her training class, ostensibly in part for educational purposes. The facility determined that emergency room clinicians and staff present while the student was taking photos, including one of the student’s instructors, should have advised the student to refrain from taking the photos, and the facility instituted disciplinary action against those present and reviewed its arrangement with the institution providing the instruction.
Additionally, some obstetric practices are taking down their “baby walls,” bulletin boards covered with pictures of smiling babies, in response to concerns that posting such pictures violates HIPAA unless the patient (or, in an infant’s case, the patient’s parent or guardian) has signed a written HIPAA authorization permitting the posting. Although the article noted that some physicians believe that babies’ faces are anonymous, fertility physicians acknowledge that posting photos of babies with their birth mothers could violate the privacy of the adoptive mothers.
Healthcare facility policies limiting photography and video recording vary widely, Markus says, but they should address both staff and patient/family member activities. Healthcare providers should conspicuously post signs that clearly state the nature and extent of the limitation on camera and video use within the facility so that volunteers, visitors, patients, employees, and practitioners all understand what is permitted.
Following the group therapy incident, Markus says, Resnick Hospital instated a complete ban on the use of any cellphones or laptops within the facility, regardless of whether such phones or laptops included a camera. The hospital took this measure in lieu of requiring staff to check whether cellphones or laptops contained cameras.
“Ten years later, the idea of completely banning the use of cellphones or laptops in any healthcare provider environment seems unworkable,” Markus says. “However, it is realistic and appropriate to set some limits by reminding patients and visitors to respect other patients’ and visitors’ privacy by refraining from photographing or videotaping anyone other than the patient.”
SOURCE
- Jennifer Romig, JD, Associate, Ropes & Gray, Chicago. Phone: (312) 845-1234. Email: [email protected].
Photography in healthcare settings is difficult to control but could lead to HIPAA violations if not monitored. How much one should try to control people taking pictures and video can be difficult to determine.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.