Photos & Protected Health Information

Photos that show individually identifiable information are considered protected health information (PHI). Are you showing or sharing too much?

Any photo that shows individually identifiable information is considered protected health information (PHI). This can include a patient’s face, name or initials, their date of birth, the date of their treatment or photos of any birthmarks, moles or tattoos.

Here’s advice on what to do and not to do with PHI photos:

  • Photos should not simply be wiped of PHI and then stored on a device for any period of time. To keep photos long term, store them with software that encrypts them.
  • Never email, text, or otherwise send this information without proper encryption software.
  • Patients should always give their consent before photos are shared.
  • Only take pictures on facility-owned and approved equipment. To avoid a breach of health information, a PHI photo should not be taken on a personal phone or computer under any circumstances.
  • Never post any photograph that contains PHI to any social media accounts without direct consent from the patient.

Photo risk tips in review:

  • Don’t disclose photos without proper encryption and protection.
  • Don’t share unauthorized photos of patients on social media.
  • Avoid taking patient photos out of the practice on devices.
  • Only use photo equipment owned by the practice.