From an Atlanta plastic surgeon’s mid-surgery music videos, to illicit pictures of patients shared among nurses, misuse of photography and videos in the healthcare setting can carry substantial legal risks. Yet, despite these risks, it is not always practical for healthcare providers to adopt a wholesale prohibition on photography. Photographs and videos can have legitimate and important treatment purposes. In light of these risks and benefits, healthcare providers should evaluate carefully and plan deliberately when deciding when and how to implement the use of photography and video in their organizations.
The legal risks and obligations of the use of photographs and videos in the healthcare setting depend on several factors, including the type of healthcare provider, the person taking the photograph or video, and the content and purpose of the photograph or video. Below is a list of some key issues and best practices for healthcare providers to consider before using photography or video in their organizations. The list below is not exhaustive, and application of the legal requirements is often highly fact-specific; healthcare providers should consider consulting counsel for guidance on their specific situations.
- Patient Consent. As a foundational matter, it is best practice to obtain written patient consent prior to taking a photograph or video of a patient. The form of such consent may vary depending on the purpose of the photograph (e.g., treatment versus marketing), and may vary from state to state.
- HIPAA Privacy and Security. Photographs and videos in which a patient can be identified constitute protected health information covered by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA). Thus, all the usual HIPAA protections and rights will apply to such photographs or videos in the same way they apply to other paper or electronic records, including privacy and security protection requirements, breach notification rules, patient access rights, and other HIPAA obligations. Healthcare providers should evaluate their use of photography and video with these requirements in mind and train staff accordingly.
- Integration in the Medical Record. Providers that use photographs or videos in the treatment or evaluation of a patient should incorporate such files into the patient’s medical record. In doing so, providers should first consider the mechanism by which photographs and videos can be incorporated into the medical record. For example, is there a secure mobile application that can interface with the provider’s electronic health record system? If not, how will photographs be transferred from the camera to the record?
- Security Risk Analysis. HIPAA requires healthcare providers to perform a security risk analysis and update it “as needed”. HIPAA does not specify how frequently to perform a risk analysis, and the frequency of performance will vary among healthcare providers. However, it is best practice to conduct a risk analysis and risk management process as new technologies and business operations are planned, in order to better identify and mitigate risks after implementation. Healthcare providers should conduct a risk analysis to determine how and when photographs and videos are being used and stored within their organization. For example, are personal devices being used to take photographs and if so, is it through a secure application, or are photographs stored within employees’ personal devices?
- BYOD Policies. Integral to the considerations for healthcare providers using photography and video is what hardware will be used to take the photographs or videos. For healthcare providers that permit their staff to “bring your own device” (BYOD), the healthcare provider should have a BYOD policy in place that addresses issues such as remote wiping of the device, passcodes for entry, storing patient information on the device, and a method for alerting the healthcare provider if the device is lost or stolen.
- Marketing and Advertising. HIPAA requires patient authorization prior to the use or disclosure of patient information for marketing and advertising activities. Thus, a healthcare provider that wants to photograph patients enjoying a facility activity, where the photographs will eventually be used for marketing or advertising (including being placed on the facility’s social media accounts), should ensure that all patients pictured have authorized the use and disclosure of their photographs for marketing/advertising purposes.
- Social Media Policies. The use of social media is ubiquitous, even among physicians, nurses, and other healthcare provider staff. Healthcare providers should have social media policies in place that prohibit employees from posting photographs or videos that include patients (or patient body parts) to social media accounts without proper review and authorization. Healthcare providers can also be exposed to malpractice liability from a posted video or photograph.
- Business Associates. HIPAA applies to “covered entities” (e.g., healthcare providers that submit certain transactions electronically), and also applies to their “business associates” (e.g., contractors who provide services to the covered entity that involve the use or disclosure of protected health information). If a healthcare provider contracts with a vendor for services that require access to protected health information, including patient photographs or videos—perhaps an agreement with the photographer herself, or with a cloud service provider to store the images—the healthcare provider should ensure that a compliant business associate agreement is in place before the vendor accesses any patient information.
- Research. A variety of rules and requirements apply to the use of photographs and videos for research. Healthcare providers should confirm that compliant research protocols are in place prior to taking or using photographs or videos for research purposes.
- Family and Friends. Notably, HIPAA’s privacy requirements generally do not govern the actions of patients or their family and friends. Thus, HIPAA does not directly prohibit family and friends from snapping pictures or video within a healthcare facility, nor does it prohibit them from sharing photographs or videos. It does, however, require that a healthcare provider take reasonable steps to protect the privacy of patients. Thus, healthcare providers should be prepared to address the use of photography and video by patients or their family and friends within the organization. Healthcare providers should also be aware that some states have passed legislation addressing the use of video in certain healthcare settings (e.g., “granny cam legislation”).
Photographs and videos can serve many valid purposes in the healthcare setting. Despite the various legal requirements and potential pitfalls, it is possible to appropriately and meaningfully utilize photographs and videos. In order to do so, healthcare providers should assess their current practices, evaluate them against the legal requirements, and implement policies and procedures to support compliance going forward. For further information or for assistance understanding the legal requirements applicable to a particular situation, contact Jennifer E. Tyler or Madison M. Pool.