Doctors began photographing patients as soon as cameras were invented. For over a century, there really were no limits on that. Doctors owned the pictures and could use them as they wished.

Over the last 25 years, though, there have been two very significant changes that actually run counter to each other. As phones turned into cameras that can grab an image and disseminate it to the world with a click, HIPAA created national standards to protect a patient’s sensitive health information, including their image, from being disclosed without their consent.

In other words, the issue now is that we can capture anything easily… But are we allowed to—and how can we—use it?

Let’s take a look. (Note: The rules applying to still photography should be assumed to apply to videos as well.)

The first issue is whether a photograph is protected health information (PHI) or not.

PHI is a medical fact coupled to a method of identifying the patient. HIPAA lists 18 identifiers and one of these is “Full face photographic images and any comparable images.”

This much would be intuitively clear even without the law, but short of this is where physicians tend to start making mistakes. A photograph that does not include the patient’s full face could still include something like a distinctive tattoo or a nameplate necklace or a T-shirt with a business name on it that enables identification of the patient and converts the photograph to PHI.

A photograph that would itself not be PHI can also become such if it includes not just the patient material but other medical identifiers that alone or collectively allow identification. For example, a photograph of a surgical specimen becomes PHI when a card containing the medical record number is added. Similarly, the name of the facility in the credits of a journal article coupled to the patient’s initials mentioned in the text turns a bare photograph of a skin lesion in a published case into PHI.

A physical finding may itself be so unique that it will identify the patient, as in a case in which a photograph was used in an ad and the patient was able to sue successfully on the grounds that it was in and of itself an identification of her in her community.

Since the last of the 18 identifiers is “Any other unique identifying number, characteristic, or code,” it is therefore prudent to consider that any photograph that is not fully anonymous should be treated as PHI. If you intend to take it outside the confines of an office or hospital file, then you should treat it as material that presumptively requires authorization from the patient to be released.

Of course, a photograph that is PHI is also subject to the exceptions to the need for an authorization to be shared. The exceptions for sharing with a co-treater or in a curbside or consult, with a payor asking for the image as a claim verification, or for use in healthcare operations, all apply.

So does the exception for “training and teaching,” so photographs that are PHI can be used in lectures and case presentations on-site without a specific authorization. This does not, though, extend to publication in a journal, to presentations at professional meetings, or to lay presentations such as a medical segment on local TV, so these require the patient’s consent to use their photographic PHI.

Posting on a physician chat site, however, is outside the exceptions. The treatment exception does not apply because, even though they may give good advice, commenters are neither co-treaters nor consultants, and the training exception does not apply because the forum is outside the doctor’s institution. Any posted image must therefore be completely de-identified and the text should not reveal information that personalizes it.

Even in permitted situations, though, under an authorization or exception, remember that HIPAA still requires that only the minimum PHI needed should be released. Photographs should be tightly tailored to only the medical issue.

When an authorization is obtained, it should always specify the particular use so there is no question later that the patient understood what they were consenting to regarding what would be done with their image.

An authorization for photography during surgery should be just for taking pictures. Limit any mention of intraoperative photography in the consent to the recording of the image and get a separate consent later for its use.

You should also take archiving under HIPAA into account when you want to include photographs in the medical record.

To favor portability of patient records, a covered entity must identify the “designated record set” for a patient. This includes everything that the covered entity used in making treatment decisions, whether maintained physically or electronically.

What this therefore means to you practically is that, if you are pulling out your phone to snap pictures that you intend to add to the chart, you first need to verify that transfer is possible. The days of stapling in a Polaroid are gone; you will need access to, and compatibility with, the EMR system. You want to make sure that you are not in the same situation as the enterostomal therapy nurse who was told to stop taking photographs for her charts because the hospital EMR system did not allow inclusion of those; the designated record set comprised what was in the EMR system itself, even though the photos were being used in the treatment.

Of course, you cannot just hold onto the images for long periods. Your phone is most likely not capable of the level of encryption needed for a photograph, but—even if it is—it can still be lost, so it is best to download it as soon as possible.

If you are responsible for setting policies on photographing patients, you may want to actually limit that to facility-owned devices to hedge against staff carrying around images on devices that can be lost or breached. However, whether you initiate that restriction or not, there must be a clear statement that any images of patients taken during their care are the sole property of the facility, even if maintained on a staff member’s private device.

Now let’s move onto the situations in which you want to use a patient photograph for your benefit.

Obviously, you will need permission if you want to put up a billboard or run an ad in a newspaper or magazine or on TV, but many doctors do not realize that the same principle applies to their own website, their office’s Facebook page, or the patient photographs in their office.

Bear in mind that these are not just “feel good” uses or morale boosters. They are marketing tools, intended to show what a great doctor you are. The law refers to this as “exploitative use.” You cannot just co-opt the picture that a grateful patient sent to let you know how well they are doing into a public testimonial without checking with them and getting their agreement that it be used as such.

There is no implied waiver over the use of a photograph if a patient does not say something, even though they know about such use.  For example, even if all your obstetrics patients walk by your “baby wall” at every visit and therefore know that it is there, the picture they later send of them beaming with their new triplets does not mean that they agree to be posted, unless you get a release that says that they do.

Similarly, just because a patient is caught in a photo does not entitle you to use their image. The fact that you are creating what will be a stock photo for your website of your front desk area does not mean you can use one that includes a patient who just happens to be there, paying their bill, without their consent. (To avoid this issue, it would be best to use staff or friends who are not patients to play the roles in photos of this type.)

Finally, bear in mind that if you have a patient who is a celebrity, their pictures must be dealt with the same way.  Even if they give their picture to many local businesses as a customer testimonial, this isn’t a Seinfeld episode and you are not running a dry cleaner or a diner. The revelation that they are your patient is PHI and so they must specifically waive confidentiality as to its use.

Now, let’s look at the issue of other people photographing your patients.

Visitors, and patients themselves, are not fiduciaries or covered entities and therefore have no confidentiality obligations. However, you are, and you do, so it is your responsibility to make sure that when they are clicking away on your premises that they are not compromising the confidentiality of someone else who is just caught in the picture.

Obviously, a patient can waive their own privacy by photographing themselves or by authorizing someone to do it for them. The problem occurs when a visitor is photographing the patient without the patient having agreed to it (for example, an unconscious patient). Another example is when the patient or visitor is taking photographs that also include the PHI of others, such as the face of another patient in the waiting room.

You will need a policy on this and a sign to make it known: “Medical care is a very personal matter. Please respect the privacy of others as they respect yours. No photography please. If you need a picture, ask a staff member to help you.”

Also have a written notice for the staff to be aware of enforcing this.

If a picture still gets through and upsets a patient and an Office for Civil Rights complaint ensues, you will be able to show that you did take reasonable steps to prevent that from happening.

Finally, do not forget that you are also responsible for how your staff uses patient photographs. In other words, the Office for Civil Rights will fine you for any misconduct.

You must have a clearly stated policy that unauthorized use of patient images is barred just as unauthorized use of documents about patients is. Once you have done so, then sharing patient photographs in person or on social media should be a one-strike firing offense.

You also want to make it clear that the use of photographs for claimed educational purposes must be vetted before it is done. This goes to a case in which an emergency medical technician student photographed a patient with a facial gunshot wound and then shared the photographs with her class, claiming that it was intended as education (but was more likely for its shock value). When the case was investigated, the hospital found that ED staff was present and did not intervene when the photographs were taken, and it disciplined those staff members.

It also has to be made clear, even when staff members have posting rights, that patient confidentiality is still inviolate. For example, federal labor regulations allow an employee to post about the conditions of their work without retaliation. However, if an employee were to post about being upset over having to assist on treating a necrotic infection while pregnant, accompanied by a picture of the infected area that could identify the patient, that posting would be impermissible as to the image, even though the underlying complaint is protected.

These are all proactive points that the Office for Civil Rights will look for, along with actual training of staff, if they investigate a complaint.

In summary: Unless completely deidentified, also taking into account potential identification by aggregate information, photographs should be presumptively considered to be PHI, subject to the limitations and exceptions for their release. Safeguard their maintenance and transfer that govern written PHI.