
HIPAA and HITECH: Where Are Your Photos … Do You Know?

Caroline E. Fife, MD and Kevin W. Yankowsky, JD
April 2011

  A few months ago, several employees at a Florida hospital were disciplined after taking unauthorized cell phone pictures of a shark attack victim and posting them on the web. Most of us would instantly recognize that sort of behavior as a terrible breach of patient confidentiality. However, in the wound care industry, we see patient photographs reproduced on the pages of almost every journal article and projected on huge screens at every national meeting. Right now you probably have patient photographs in your portable computer, and you certainly have photographs in a variety of formats in your clinical records. The regulations governing how photographs are stored, transmitted, and used for educational purposes are poorly understood even by many experienced clinicians and some of the best healthcare institutions. In this article, we will not discuss photographic techniques. We will also not address whether a clinician ought to take wound photographs. The decision regarding whether or not to photograph, how, and by whom should be made by the individual facility or clinician. Our goal is to assist the clinician in ensuring that photographs, if taken, are correctly handled and secured according to existing Federal regulations.

  Most healthcare workers are familiar with “HIPAA” because ever since the Health Insurance Portability and Accountability Act was enacted by Congress in 1996, it has controlled the way we manage patient information. Originally, the act was passed to facilitate the stability of health care benefits as individuals changed jobs (that is the “portability” part). Health insurance companies and health care providers asked Congress to find a simple way to transfer records in a standardized manner as patients moved their coverage. However, protecting the privacy of the medical records was a substantial obstacle in transferring these data, so many of the HIPAA provisions, and most of what healthcare workers understand about HIPAA, have to do with “privacy.” However, as we will discuss, there is more to HIPAA than privacy when it comes to electronic records in general, and photographs in particular. On February 17, 2009, the President signed another act, which dramatically affected the management of patient healthcare data. That is when the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, more commonly known as the “Stimulus Bill.” The HITECH Act seeks to streamline healthcare delivery and reduce costs through the use of health information technology, including the adoption of electronic health records (EHR). Because it addresses the privacy and security concerns associated with the electronic transmission of health information, the HITECH Act expanded many of the provisions of HIPAA. Since most photographs are stored in electronic formats, the provisions of the HITECH Act apply to them. The Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) has also published standards pertaining to patient photography.

  The HITECH Act substantially increased penalties for breaching privacy regulations. Healthcare organizations are now required to notify all individuals affected by a data breach, as well as the federal government, which posts the information publicly. Some of the largest names in healthcare have suffered data breaches. The penalties for breaching protected health information can be in the millions of dollars, and since the response to many breaches requires public notification (e.g. publishing it in the newspapers) there is the potential for adverse publicity as well as monetary penalties. So, how do all these various standards and regulations affect the taking and storing of patient wound care photographs? And to whom exactly do their requirements apply?

What is “Protected Health Information?”

  In response to HIPAA, in December of 2000, Congress authorized the U.S. Department of Health and Human Services (DHHS) to write standards to protect the privacy of individually identifiable health information, so-called protected health information (PHI). These standards are found in the U.S. Code of Federal Regulations and collectively are called the Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule.” The Privacy Rule is intended to prevent covered health care providers from using or disclosing health information without patients’ authorization. “Health information” includes any information, recorded in any form, that is created or received by a healthcare provider. So, patient photographs are certainly “health information,” but are they “protected health information (PHI)?” PHI is defined as any information gathered by a health care provider that contains data that can be used, directly or indirectly, to identify the patient. Most of us are familiar with the typical data comprising PHI, such as the patient’s name, social security number and date of birth. Facial photographs, often obtained and used as a method of confirming patient identification, are included in that list. However, many clinicians forget that date of service is considered an identifier, as are patient initials and the patient’s medical record number. Similarly, body areas other than the face can be identifying, such as unique birthmarks or tattoos. Photographs of these can therefore be considered PHI. In addition, photographs of relatives, employers, or household members can be considered PHI, according to Section 164.514(b)(2).

  So, what about photographs of a wound if no facial features are included? Are these PHI? Most experts agree that if a wound is photographed and there is NO identifying feature in the photograph, then the photograph alone does not contain PHI, as long as no written information containing PHI is in the photograph. However, the common practice of placing in the frame a ruler with the date, patient initials, medical record number or any other link to the patient turns what would otherwise have been a “de-identified” photograph (falling outside of the PHI regulations) into a photograph with protected health information. Once you have done this, all the regulations of the HITECH Act and HIPAA apply.

Consent to Photograph

  Most wound centers obtain photographic consents on the patient’s initial visit, in keeping with the Joint Commission’s strong advice that organizations obtain informed consent prior to photographing patients. State law, the Joint Commission and/or institutional policy should be followed without exception when the clinician intends to use photographs for diagnostic, treatment, quality assurance, educational, or marketing purposes. HIPAA further requires patient authorization for the release of protected health information, which includes patient photography, for purposes beyond treatment and healthcare operations. In other words, HIPAA does not require a patient release for photos used in “healthcare operations.” Importantly, the “health care operations” provision of HIPAA includes “training and teaching.” However, photos and videotapes should be “de-identified” (164.514[b][2][Q]). This means that the clinicians who obtained the photographs may use them (even those containing PHI, if consent was obtained) in lectures, case presentations, or in other classroom settings for educational purposes to teach students, residents, and other faculty within an academic setting. However, clinicians cannot use photographs containing PHI in external settings, such as conferences and seminars, unless specifically authorized to do so by the patient. The clinicians may not take photographs with PHI with them when leaving the institution, unless specifically authorized to do so by the patient. For photographs that do not in any way identify the patient or include any identifying characteristics of the patient, such as a photograph that excludes (1) the patient’s name, (2) medical record number, (3) patient’s face or any part of the face that would identify the patient, and (4) all other “identifiers,” a HIPAA Authorization is not required. In other words, if the photograph is completely de-identified, HIPAA’s requirements have been satisfied.

Photographs and the Designated Record Set

  As part of the process of creating national standards to protect personal health information and to make information more “portable,” HIPAA requires that the provider identify the “designated record set” for a patient. This means that the healthcare system must define all the documents that together constitute the “medical record” for a patient, regardless of whether those documents are maintained on paper or electronically. A health care entity must first specify what constitutes the medical record in the organization. If your organization utilizes an electronic medical record for all or parts of the medical record, you must specify whether the designated record set (DRS) is the electronic one or a paper copy produced from the automated system. The following is an example of how this requirement can affect photography in a hospital following the adoption of an EHR.

  An enterostomal therapy (ET) nurse reported that after years of encouraging patient photos, the administration of her hospital told her to stop taking wound photographs. The decision was made, not out of medicolegal concerns, but because the hospital was adopting an electronic health record (EHR). The hospital had chosen NOT to purchase photographic data storage for the EHR. In compliance with HIPAA, they had determined that the “designated record set” would be ONLY what was inside the hospital EHR. Thus, if the ET nurses took photographs, where would these photos “live” from the standpoint of the record set? The nurses had been carrying around a camera in their pocket, using it to photograph pressure ulcers in the hospital. To ensure that they did not place the photograph in the wrong chart, they simply put a ruler with the date and patient initials in the frame. At the end of the day, they went to their office and printed out the photographs, put the printed photos on the patient chart and stored the digital files in their office computer. This meant that a nurse was walking around the hospital with a camera full of patient photos, which contained PHI (initials or MRN and date). If the camera was stolen or lost, there would be a breach of patient confidentiality. In addition, the computers in their office also contained photos with PHI. The only “HIPAA compliant” answer, given the facility’s perhaps unfortunate decision about photo management in their EHR, was to stop taking photographs.

  HIPAA requires that the DRS be clearly defined. If the DRS is PAPER, the best option is likely to print out the digital photos and incorporate them into the paper chart. If your DRS is electronic, then the digital images would ideally be stored as part of that file (more on the storage of digital images below). The “written” record (which might be electronic or the printed version of an electronic file) and the photos can be physically separate, but they have to be able to be re-united if the record is subpoenaed, or if the patient simply asks for it. However you establish the DRS, have a written policy that defines the DRS, including the whereabouts of the photos and how they will be retrieved if requested. The custodian of medical records for your institution must be involved in this process. As an aside, the DRS has very important implications for wound centers, which often have their hyperbaric and wound center records on different systems. Recently a hyperbaric program came under scrutiny because, when it went under post-payment review by Medicare for the appropriateness of services, the hospital’s medical records department provided only the hyperbaric notes, while much of the data substantiating the need for HBOT was in a completely separate electronic wound center database. Having patient records in different departments, with no one knowing where all the pieces are, is a recipe for disaster.

  A good “test” is to call the custodian of medical records for your facility and ask them if they know what constitutes the totality of a patient file for one of your wound center patients. You may be surprised to find that your DRS looks a lot like “Humpty Dumpty,” and that it would be difficult to put all the pieces together if you had to. Under the HITECH Act, clinicians must be able to provide the chart (including the photographs) to the PATIENT (if they requested it) within 48 hours. Could you do that?

Security and Storage of Photographic Files

  In response to the HITECH Act, the DHHS has exhaustively detailed the requirements for electronic data security, and these same security requirements apply to electronic photographic data. To ensure confidentiality, storage systems must deploy strong encryption in both the actual storage and the data pathways leading in and out. The HITECH Act itself does not mandate that data be encrypted. However, under the HITECH Act, there are substantial penalties for breaches, which may be specifically avoided if the data is strongly encrypted both “at rest” and “in motion.” In other words, while the HITECH Act does not require encryption, if there is a data breach, you risk substantial penalties if the data were NOT encrypted. This means clinicians are ill-advised to leave photographs containing PHI at rest, unencrypted, in a camera. Clinicians are accustomed to carefully securing the “written” part of the patient’s chart, whether paper or electronic. But clinicians often handle patient photos in a very cavalier fashion, carrying cameras in pockets, leaving them in patient rooms, and keeping photos with PHI in personal computers and laptops. So, in a nutshell, if you have PHI in the camera, and it is lost or stolen, you have a potentially serious HIPAA violation exacerbated by the fact that you seemingly made no attempt to comply with electronic encryption requirements. Since the HITECH Act establishes penalties for breaches of data that is not encrypted “at rest,” and since a camera cannot encrypt its contents, photos cannot stay in a camera but must instead be placed inside some sort of encrypted electronic file, preferably the EHR.

  If you do not have an EHR, you must still find a secure “home” for your electronic photos. There are software solutions that can at least provide a secure electronic home for photos outside of an EHR. This means that there are really TWO elements to your photographs: the designated record set (which might be a physical photo which you printed out) and the electronic FILE, which may exist somewhere else. You must find a secure electronic “home” for that file if the DRS is not inside an electronic medical record.

  The HITECH Act mandates that clinicians using a certified EMR be able to provide electronic copies of those records within 48 hours, and that would include electronic copies of photographs. The storage system for records must be capable of providing long-term retention guarantees. Since it is conceivable that the failure of storage servers, as well as obsolescence of technology and formats, will require migration of records, the storage system must provide trustworthy and verifiable migration mechanisms. There must exist strong backup and restore operations. Organizations outsourcing some of their record management tasks, including the storage of photographs, must ensure that the third parties also comply with HIPAA. The HITECH Act extends the complete Privacy and Security Provisions of HIPAA to “business associates” of covered entities. (Generally speaking, a business associate is anyone with whom you have a contract who is intended to have access to health information.) So, now the newly updated civil and criminal penalties for the inappropriate disclosure of protected healthcare information extend to them as well. These changes are required to be included in any business associate agreements, so, if you work with an EHR vendor or a management company, their contract must include the updated language.

HIPAA “101” for Patient Photographs:

  HIPAA requirements for photograph management can be summarized into 4 very basic concepts:

  1) Photographs have to go into the right patient’s chart. The sooner this happens after the photo is taken, the more likely this is to be done correctly.
  2) The designated record set (“written” and photographic) has to be formally identified.
  3) If a camera contains PHI, it must be emptied in a timely fashion, since normal cameras cannot encrypt data.
  4) All patient-identifiable information has to be encrypted at REST. Photographs must be stored in a place that can provide this, preferably an EHR.

  These challenges can be substantial for a wound center. The evolution of the way the wound center at The University of Texas, Houston has dealt with photos over the past 21 years provides some examples of both the right and the wrong way to handle photos. The wound center opened in 1990, and photography was very different 21 years ago. Wound photography began by taking Polaroid photographs of patients. These had 3 big advantages: 1) Ease: Polaroids could easily be taped into the paper charts (no risk of an accidental entry into the wrong patient’s chart), 2) Immediacy: there was no “lag time” to entry or data storage issue (no one had to stay after hours in clinic to move electronic photo files), 3) DRS: there was no problem with the “designated record set” (paper chart + Polaroid photographs = DRS). However, the Polaroid photographs deteriorated over time, the quality was poor, and of course if one wanted to use them in a lecture, they had to be scanned and made into slides or digital images. When the first digital camera arrived in the clinic in 1995, the question became how to incorporate these digital images into paper charts. This was when, unknowingly, poor practices were developed (although fortunately none of the above regulations had been written). No easy method of electronic data storage existed (a busy wound center can rapidly require terabytes of electronic data storage for photographs). The problem was solved by using an early digital camera, which stored photographs on “mini-discs.” Each patient’s small CD was kept in the patient’s paper chart. When necessary, photographs were printed out. However, when the retired paper charts were sent to storage, the storage facility refused to accept the discs. Unwittingly, a problem had been created with the designated record set. (The problem with the DRS could have been avoided if all photos had been printed out and put into the paper chart.) Ultimately, the discs were stored in the clinic while the paper chart went to the hospital’s long-term storage, and the custodian of medical records for the hospital never knew that the information was separated.

  When an EHR for the wound center was implemented in 1998, the problem was neatly resolved. At first the original technology used cabled video cameras, which, after activation, entered the digital photo immediately into the patient’s electronic chart at the right place (e.g., “Jane Doe: left medial malleolar ulcer”). Digital technology has advanced since 1998. Now digital cameras have Wi-Fi cards that can be linked to the EHR so that the HIPAA criteria needed for wound care photographs are met. The Wi-Fi card transmits the photograph directly and immediately to the patient’s EHR, and then wipes the camera memory card clean. The great irony is that for the first time in 20 years, it is possible to have the same advantages that old Polaroids had! Specifically: 1) Ease: The photos go immediately into the RIGHT patient’s chart (no risk of an accidental entry into the wrong patient’s chart and no staff staying after hours to laboriously move digital images into patient files), 2) Immediacy: there is no “lag time” to entry, 3) DRS: there is no problem with the “designated record set” (electronic record + digital photographs = DRS). By immediately sending the digital image to the EMR, it is not necessary to put PHI in the photograph (e.g. no need to write patient name, initials or MR number in the photograph). This means that the photographs are de-identified if they are used by individual clinicians in presentations, but when stored in the EHR, they are encrypted together with the date and MR number so that there is no mistaking which chart they belong to. Erasable Wi-Fi card technology linked to the EHR is probably the best way to be compliant with the high standards of security required by HIPAA in the HITECH Act.

Summary

  Suggestions for Photographs in Teaching: For a clinician who keeps a camera in his or her pocket to add to their personal library of patient photographs, as long as NO IDENTIFIERS are put in the photograph (no date, no initials, no MR number, absolutely NOTHING that could be traced back to that patient), and there are no tattoos or facial features, then there should be no PHI in the camera. The photographs, which are subsequently put on your personal computer and make their way into your professional presentations, contain no PHI, and if your camera or PC is lost or stolen, there should be no breach of HIPAA. However, if a clinician has photos containing PHI (initials, dates, MR number) in a camera or PC, then they have created a potential HIPAA violation. Although he or she may mask this information before displaying these photos at meetings, it is easy to unmask these, even unintentionally, as files move from one computer format to another. Thus, clinicians are urged never to store, maintain, display or otherwise utilize photographs containing PHI.
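As an added safeguard for the teaching-library case above (example code written for this article, not the authors' own): consumer cameras write the capture date, and often a serial number, into the JPEG's EXIF header, which by the article's own rule is a date-of-service identifier even when nothing is written on the image. The hypothetical `strip_metadata` below removes EXIF, XMP and comment segments from a constructed JPEG skeleton, and `embedded_metadata_markers` verifies that none remain before the file leaves the chart.

```python
# Added example (not from the article): strip embedded metadata from a
# JPEG before a de-identified teaching photo leaves the chart.
import struct

# JPEG marker codes (second byte after 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1 = 0xE0, 0xE1
# APP1..APP15 (EXIF, XMP, ICC, vendor blobs) and COM can carry the capture
# date, camera serial number or free-text notes; APP0 (JFIF) is kept.
DROP = {COM} | set(range(APP1, 0xF0))


def iter_segments(data):
    """Yield (marker, raw_segment_bytes) for each header segment.

    The first SOS segment and everything after it (entropy-coded scan data,
    any further scans, EOI) is yielded as one chunk and copied verbatim,
    since metadata segments only appear in the header before the scan.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, data[pos:]
            return
        if marker == EOI:
            yield marker, data[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def embedded_metadata_markers(data):
    """Markers of metadata-bearing segments still present in the file."""
    return [m for m, _ in iter_segments(data) if m in DROP]


def strip_metadata(data):
    """Return a copy of the JPEG with EXIF/XMP/COM segments removed.

    Pixels are untouched: identifiers burned into the image (initials on a
    ruler, a face, a tattoo) are not removed by this function.
    """
    out = bytearray(b"\xFF\xD8")
    for marker, seg in iter_segments(data):
        if marker not in DROP:
            out += seg
    return bytes(out)


def _seg(marker, payload):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal JPEG skeleton whose APP1 and COM payloads are
# placeholder text standing in for a real EXIF/TIFF block and a comment.
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00DateTimeOriginal=2011:04:01 09:30:00")
    + _seg(COM, b"pt JD MRN 0001234")
    + _seg(0xDB, b"\x00" + bytes(64))                        # quantisation table
    + _seg(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34"  # scan header + data
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m in embedded_metadata_markers(SAMPLE_JPEG)])
    clean = strip_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in embedded_metadata_markers(clean)])
```

Pixels are untouched, so initials on a ruler, faces and tattoos still have to be kept out of the frame at capture time, as the paragraph above describes.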

  Photographs for the patient chart: What about a nurse who carries a camera which is used to record patient photographs that are later going to make their way into a patient’s chart? JCAHO recommends in these circumstances that identifiers be put in the photo to ensure that it is ultimately entered into the correct chart. However, if the camera is lost, you could have a serious data breach as far as HIPAA is concerned, because the data was unencrypted. Unfortunately, at this time, no camera memory cards can encrypt data, so photos “at rest” in a camera cannot meet the security standards in the HITECH Act. HITECH also states that physical security is no substitute for electronic security. So, saying that the camera will remain physically secured will not substitute for the required electronic security. The bottom line is that a camera containing multiple patient photos with PHI is not compliant with HITECH data security standards.

  Inexpensive Wi-Fi technology currently allows digital photos to be instantly transmitted into the patient’s EHR, after which the camera memory card is wiped clean. This is probably the best way to be compliant with HIPAA regulations and the HITECH Act. If you do not currently have an EHR, the time is also right to get one since clinicians who wait will soon lose incentive payments for EHR adoption. As various EHR options are evaluated remember to carefully consider the way that photos will be incorporated into the EHR from the standpoint of the “designated record set.” If you do not have an EHR, you need to find a secure electronic “home” for your digital files.

References

  Health Insurance Portability and Accountability Act of 1996 (HIPAA). Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996). Available at https://www.hhs.gov/ocr/hipaa/ and https://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf

  U.S. Department of Health & Human Services. (2003, April 14). Privacy rule: Standards for privacy of individually identifiable health information. 45 Code of Federal Regulations, Parts 160 and 164. Available at https://www.hhs.gov/ocr/hipaa [cited as CFR].

  U.S. Department of Health & Human Services. (2000). Standards for privacy of individually identifiable health information (final rule). Federal Register, 65(250), 82461-82829. Available at https://www.gpoaccess.gov/index.html.
