HIPAA Privacy & Security Compliance: Managing the Use of Photographs and Videos in the Wound Clinic

When using photographs to more accurately document and to enhance a patient’s wound care treatment, privacy and confidentiality issues can arise that could put providers in violation of federal HIPAA regulations. In fact, a seemingly harmless click of the wound care clinician’s camera in an attempt to more visually track one’s wound care progression (or lack thereof) can raise as many red flags concerning HIPAA regulations in regards to protected health information (PHI) as compared to such practices as photographs/film captured by police wearing body cameras in emergency departments, posting of patient photographs or X-rays to social media, and uploading pictures of newborns after hospital delivery (and potentially before the parents ever see their child for the first time). When it comes to photography in the wound clinic, healthcare professionals cannot be too careful in justifying this issue given the increasing prevalence of using photographs for wound management. 

Assessing Use of Photos in The Wound Clinic 

You’re probably asking yourself, “Are photographs really protected under the HIPAA privacy rules?” Remember, PHI is defined as “individually identifiable health information transmitted or maintained by a covered entity (CE) or its business associates (BAs) in any form or medium” — 45 Code of Federal Regulations (CFR) 160.103. 

Individually identifiable health information includes 18 identifiers: 1) names; 2) all geographical subdivisions smaller than a state (including street address, city, county, precinct, and zip code); 3) all elements (except year) of dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all elements of dates indicative of age; 4) phone numbers; 5) fax numbers; 6) email addresses; 7) Social Security numbers; 8) medical record numbers; 9) health plan beneficiary numbers; 10) account numbers; 11) certificate/license numbers; 12) vehicle identifiers and serial numbers, including license plate numbers; 13) device identifiers and serial numbers; 14) Web universal resource locators (commonly referred to as URLs); 15) Internet protocol (or IP) address numbers; 16) biometric identifiers, including finger and voice prints; 17) full-face photographic images (and any comparable images); and 18) any other unique identifying number, characteristic, or code. 

Note that “full-face photographs and any comparable images” are considered PHI [CFR164.514(b)(2)] and thus fall under HIPAA privacy protections if they can be tied directly to a patient. HIPAA specifies that PHI is any of these 18 identifiers tied to a patient that identifies an individual or with respect to which “there is a reasonable basis to believe the information can be used to identify the individual.” 

Then, the question becomes, “Are the pictures tied to identifying data?” If the photograph can be connected to a patient, it is considered PHI. If it’s a picture of a wound and it is not tied to any identifying information and is in no way tied to a patient otherwise (eg, unique tattoo or scar), it is not considered PHI.  

Managing Consent & Authorization 

HIPAA does not specifically require informed consent for video recordings. However, the American Health Information Management Association (AHIMA) suggests photography should be included in an organization’s informed consent if it’s routinely used. AHIMA also suggests specific healthcare policies that define photography for clinical need (eg, videotaping, filming, or still photography of patients) versus content that is not being used for clinical purposes (eg, photography for the purposes of promotion, artwork, or advertising). Clinical photos for healthcare fall into three categories: 1) treatment (use, disclosure, and treatment itself); 2) education (academic training); and 3) publication (for use in medical journals).¹ Let’s look at these categories in more depth: 

Treatment. HIPAA requires patient authorization for release of PHI (including photography that is part of treatment) when used for purposes beyond treatment and healthcare operations. Thus, wound care photos do not require a separate release when shared for treatment purposes, including consulting with other healthcare professionals who may be internal or external to an organization. Photographs, when documenting for treatment, would become part of a patient’s designated record set (DRS), as required by HIPAA regulations. The DRS includes (among other things) medical records that are used in whole or in part for a CE to make treatment decisions about patients. Wound care photos are considered part of the DRS.  

Education. In addition to treatment purposes, PHI is regularly used for educational purposes. For internal educational settings, PHI (including photographs) can be used for internal training without additional authorization. It cannot be shared at professional meetings, conferences, or outside lectures without specific patient consent. The amount of PHI used in training should be the minimum necessary to accomplish the training. However, any use of PHI outside the educational setting (eg, seminars, conferences) would require authorization from the patient.  

Publication. Publication in medical journals would require the PHI to be de-identified, otherwise specific patient authorization must occur. To be de-identified, the photograph would need to be stripped of the 18 identifiers previously mentioned, if any can be tied specifically to the patient.  If it is tied to the patient, his/her authorization is necessary.   

Electronic Security of Photographs  

There are several considerations when photographs become PHI. One thing about portable devices is they are at the highest risk of breach; the most frequent cause of breach of PHI is loss of devices such as laptops, tablets, cell phones, and flash drives.² The Ponemon Institute surveyed 618 information technology (IT) and IT security practitioners who are familiar with their organizations’ management and security of mobile devices used by employees. These experts believe mobile devices are at high risk due to the following factors:²

• It is difficult to prevent employees from using insecure mobile devices.
• Employee use of mobile apps and devices has substantially increased.
• It is difficult to track all employee-owned devices that connect to networks and enterprise systems.
• It is difficult to determine which employees are using insecure devices.
• They are unable to account for all mobile devices that connect to networks or enterprise systems.
• Use of employee-owned mobile devices is encouraged. 

Because mobile devices contain electronic protected health information (ePHI), they are at high risk for hacking opportunities. Providers should take heed of HIPAA security regulations aid in giving direction to decrease security risk to ePHI, which would include any photographs with PHI that are accessed, received, transmitted, or stored. In many ways, mobile device security raises major security concerns. In fact, there are an average of 25 hidden vulnerabilities in many mobile devices being used today, making them an attractive target for hackers.³ According to one study that sheds light on the alarming number of connected devices with serious security weak spots, a whopping 70% of all commonly used mobile devices and apps have a variety of known vulnerabilities.³ This starts with the fact that some 80% of devices fail to require sufficient passwords, along with these other deficiencies: 

• 70% of devices do not encrypt communications to the cloud, Internet, or local wireless networks.
• 60% of devices had weak user interfaces, poor session management, weak default credentials, and credentials transmitted in clear text contributing to potential security breaches.
• 70% of devices allowed a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
• 60% of devices did not use encryption when downloading software updates.  

Understanding Encryption  

Encryption is an addressable implementation specification within HIPAA regulations [45 CFR 164.312(a)(2)(iv) and (e)(2)(ii)]. “Addressable” means it must be implemented if, after a risk assessment, the CE or BA has determined it is a reasonable and appropriate safeguard. If it is not determined to be reasonable and appropriate, the CE/BA must document the rationale as well as that an equivalent alternative measure considered to be reasonable and appropriate has been substituted. Some digital cameras can encrypt on their operating system, or there are tools to encrypt secure digital memory cards. Because mobile devices with PHI in transit are most at risk, encrypting a camera may be worth the investment in the technology. An organization’s policies and procedures should address how data in transit as well as stored data will be protected, including final disposition of the data when they are no longer needed on the device. 

Company-owned cell phones can be better managed through company policies and procedures addressing security risks to ePHI. Using personal cell phones for recording photographs brings additional challenges in managing security of ePHI. There is more control over company-owned cell phones where encryption, use of mobile networks, and cloud storage issues can be addressed. However, many people use personal mobile devices for PHI purposes. Personal mobile devices bring the following questions regarding HIPAA security:

• Are the mobile devices using, transmitting, or receiving ePHI via public Wi-Fi or unencrypted texts or emails?  
• Are the devices inventoried so that the CE/BA knows which devices are handling ePHI?  
• Are policies and procedures in place should the device be lost or stolen?
• Is cloud storage being used?  
• Are pictures connected to patient identity in any way?  
• Is the device encrypted?  
• When ePHI is stored or transmitted via a third party, is a BA agreement in place with the third party? 

Disregarding HIPAA regulations can cause consequences that include fines and penalties. Penalties increase significantly when there has been “willful neglect,” meaning the regulations have been ignored. For those organizations that do not have policies and procedures in place regarding portable media devices, such as cameras or cell phones, there’s increased risk of both breach of PHI and taking ire from the Office for Civil Rights, which enforces HIPAA. When CEs/BAs are diligent about HIPAA compliance yet experience a breach, fines for breaches (inappropriate use or disclosure of PHI) range from $100 per violation to $50,000. If there is willful neglect and the breach is remediated, fines increase to $10,000 up to $50,000. Let’s imagine someone has a photo he/she has taken of an unusual injury (or from a celebrity) and then sells that photo to a tabloid.  In this situation, where information is used or disclosed inappropriately (ie, breached) deliberately under false pretenses and/or for profit, fines can reach $250,000 and prison time can be up to 10 years. The best way to protect photographic ePHI is through encryption in any device that is used to take, store, and transmit photos. If devices are lost or stolen and they are encrypted, the breach falls under what is known as “safe harbor.”  Safe harbor means the CEs/BAs do not have to report the breach to the U.S. Department of Health & Human Services (HHS), nor do they need to report it to the patient(s). If a lost/stolen device is not encrypted, the CE/BA must report the loss to HHS and the patient(s) within 60 days of the date of the discovered lost (ideally, much sooner). If the loss of PHI is 500 records or more, HHS must be notified immediately and the name of the organization, the type of loss, and the amount of records breached is posted on the HHS website for all to see. Smaller breaches are reported to HHS in an end-of-year report. In short, encryption represents a minor business investment compared to the major reputational, financial, ethical, legal issues that a breach of PHI can bring.

Summary  

Photographs that can be linked to a patient are considered PHI. This means they may have one or more of the 18 PHI identifiers attached, making them clearly tied to the patient. In this case, photographs are PHI that fall under the HIPAA security regulations. Regulations that must be considered concern stored data and data in transit. Portable data devices, such as cameras, cell phones, and laptops, bring heightened concerns around privacy of PHI due to high rates of loss and theft. Encryption brings “safe harbor” when faced with a lost or stolen device, thus negating the need to report the breach of PHI. HIPAA regulations aid in the protection of ePHI; ignoring the regulations can bring increased fines and penalties and, in cases of mal-intent, penalties that include prison time. Carrying unencrypted ePHI in cameras or cell phones may be convenient, but can bring increased risk of breach of ePHI. CEs and BAs must have policies and procedures in place to address security issues around these devices.  n

Roger Shindell is chief executive of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindel@carosh.com.

References

1. Sample Consent for Clinical Photography, Videotaping, Audiotaping, and Other Multimedia Imaging of Patients. American Health Information Management Association. 2010. Accessed online: https://bok.ahima.org/doc?oid=99416#.VxZadfkrLX4 

2. The Cost of Insecure Mobile Devices in the Workplace. Ponemon Institute. 2014. Accessed online: www.ponemon.org/local/upload/file/AT%26T%20Mobility%20Report%20FINAL%202.pdf

3. McCann E. Mobile Devices, Apps Open for Attacks. Healthcare IT News. Accessed online: www.healthcareitnews.com/news/mobile-devices-apps-open-attacks