Keep Your Dermatology Practice HIPAA Compliant With These 5 Photo Tips
Recommendations for managing patient photos while preserving privacy.
By Emily Alten
In today’s digital age, most practices take advantage of the ease of digital photographs for documentation. Using cameras to document lesions, acne or rosacea treatment, or to create before and after photos of any treatment helps to maintain detailed and accurate patient information. However, as with any patient documentation, patient photos are considered PHI (Protected Health Information) under HIPAA, and the 2009 HITECH Act specifically addresses digital PHI. It is therefore essential that your practice properly secures patient photos to avoid potential penalties for improper PHI handling.
Here are five easy tips to keep in mind to ensure that your patient photos remain HIPAA compliant.
Do not leave photos stored on devices indefinitely; no photography equipment should ever leave the practice unless it has been wiped of photos. Remote-wipe technologies exist, but if you rely on this capability, make sure you are up to date on the most recent HITECH regulations (see csrc.nist.gov for more). If using a DSLR camera, photos must be uploaded to a computer regularly and the SD card must be wiped clean so that photos cannot be accessed outside the practice or by anyone other than a trained staff member. Further, any photographs stored “at rest,” for instance on an office computer, must be encrypted. If using a mobile device, the simplest way to remain HIPAA compliant is to use a service, such as RxPhoto, that stores photos in a HIPAA compliant cloud server for you. That way, when photos are taken, they are automatically stored in the cloud and never stored on the device itself. With photos stored on a HIPAA-compliant cloud server, any office device can be used to access the PHI without the need to download and encrypt the data.
Sending or receiving photos of clients is an easy way to fall into HIPAA non-compliance. Emails and texting are big no-no’s. HIPAA requires that electronic communications containing any PHI be properly encrypted to ensure privacy. Also be aware that sharing information with another party requires a consent form from the client acknowledging that he/she is aware of the information being shared and with whom. HIPAA also states that communications between two parties should include only the minimum necessary information to properly care for the client/patient. The exception is information about a client/patient whom both parties sharing the health information treat.
Social media is an excellent way to market to and communicate with present and potential clients. However, it is easy to slip into HIPAA-violating familiarities online. Even confirmation that an online persona is a client violates HIPAA rules. Make sure that any online communication from the practice does not include any of the following information:
• Recognition that someone is a client (“It was nice to see you the other day,” or “Glad you enjoyed your visit.”)
• Discussion or comment on a treatment (“We’re glad you’re happy with your Botox.”)
• Recommendations for treatments, which could be considered medical advice from a non-MD source, or worse, public medical advice violating patient confidentiality!
Educate your staff
Your staff should be educated on HIPAA and HIPAA compliance to ensure that your practice is doing everything it can to remain above board. There are numerous resources and online courses that offer HIPAA training for medical staff. Pricing averages approximately $25/employee (HHS.gov, hipaaexams.com, and myhipaatraining.com, for example). This will not only keep your practice HIPAA compliant but will also help keep any staff/client communications professional and courteous.
It may be obvious that consent forms are required to use any client’s information or likeness in order to market your practice. But be aware that blacking out a subject’s eyes or even face is not enough to remove all possible identifying features/information. Markers such as birthmarks, moles, or tattoos can also be used to identify a patient. The smartest move is to get consent forms and be transparent with clients about what information might be used by the practice and how, to cover all bases and make sure that no PHI is shared without explicit consent.
For more information on how your practice can use photos for marketing purposes, please check out the 11 Rules to make your before and after gallery convert visitors to patients at RxPhoto.com.
Emily Alten is a writing enthusiast and biology nerd who specializes in educational healthcare and medicine content for RxPhoto. She is a Magna Cum Laude graduate of Columbia University with a degree in biological sciences/pre-medical studies. RxPhoto’s medical app converts an iPhone or an iPad into a clinical photography system, securely capturing, managing and sharing patient photos and videos. Learn more at RxPhoto.com.