Picture This: HIPAA and Photography – Staying Compliant

Are Pictures Protected Health Information (PHI)?

Yes! Pictures that show any individually identifiable information is considered PHI. The 18 Health Insurance Portability Accountability Act (HIPAA) individually identifiable elements are listed below.

• Names
• All geographical subdivisions smaller than a state (including street address, city, county, precinct and ZIP code)    
• All elements (except year) of dates directly related to an individual, including birth date, admission date, discharge date, date of death and all elements of dates indicative of age    
• Phone numbers 
• Fax numbers    
• Email Addresses    
• Social security numbers    
• Medical record numbers    
• Health plan beneficiary numbers    
• Account numbers    
• Certificate/license numbers    
• Vehicle identifiers and serial numbers, including license plate numbers    
• Device identifiers and serial numbers
• Web Uniform Resource Locators (URLs)
• Internet protocol (or IP) address numbers
• Biometric identifiers, including fingerprints and voiceprints
• Full-face photographic images (and any comparable images)
• Any other unique identifying number, characteristic or code 

If a photograph can be connected to a patient, it’s considered PHI, which falls under the HIPAA privacy rule. 

HIPAA-Compliant Pictures

Qliq from QliqSOFT is one of the only health care secure texting platforms with HIPAA-compliant camera technology. Photos taken using the Qliq app are used strictly for peer-to-peer communication and patient care. Any photo a provider takes within the app is not saved on a smartphone or the cloud.

In addition, the PowerChart Touch Camera Capture app is used to take clinical images that integrate directly to Cerner and become part of the medical record. The images are not stored on personal devices.

Please review our Photography and Recording Policy that outlines additional HIPAA-compliant guidelines. The policy can be found at https://mhsintranet/Main/Policies/Photography-and-Recording-11646.aspx.

Photo and Recording Violations Not Permitted by Methodist Health System (MHS) Staff or Providers

• Personal use of photographs of patients
• Use of patient photographs for entertainment purposes or malicious use
• Posting of photographs of patients in public areas to social media, internet websites, blogs, etc., without written consent from the patient’s legal representative prior to posting
• Including live streaming to any social media platforms
• Including other individuals, in addition to the consenting patient, in the photograph without consent
• Use of photographs to defame MHS
• Taking photographs in a way that is disruptive to patient care or the work environment
• Taking photographs without the individual's consent except as defined in this policy
• Surreptitious photography and recording except for cases covered under "Documentation of Abuse and/or Neglect” in the Photography and Recording Policy
• Taking or participating in photography and recording without respect for patient privacy and/or dignity

Summary 

In order to avoid breaches, employees should not take photos on their personal phones or personal computers under any circumstances. In addition, employees should not risk taking selfies at work to post on social media because they may capture PHI in the background on whiteboards, desks, patient boards, etc. In addition, employees are not allowed to post on social media in a manner that states or reasonably suggests that they are representing Methodist Health System without express prior approval from the Marketing Department.

Questions?

Contact MHS Privacy Officer Anita Patterson, MS, at (402) 354-6863 or anita.patterson@nmhs.org.