Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"I see photos of patients on dentists' websites and social media. Is this a breach of confidentiality? Is there a way to use patients' photos for promotional purposes and remain compliant with the privacy requirements of HIPAA?"
Thank you for your question and for taking patient confidentiality seriously. Let's see what HIPAA has to say about using patients' photos online.
Is it PHI?
Our first step is to ask if the information we are concerned about is actually protected health information (PHI). PHI includes any data about healthcare treatment or payment that could be linked to a particular person. The simple fact that an individual is a patient of your practice is protected health information. So, even a person's association with the practice needs to be kept private and confidential. In this question, the practice is posting a photo of a patient on the practice’s website or social media page. This would clearly identify the individual as a patient and would therefore be PHI, regardless of whether the patient’s name is used.
Three Exceptions
Let's see if HIPAA allows the disclosure. Our basic rule is that you cannot disclose PHI without valid patient authorization, unless there is a specific permitted disclosure rule that applies. Most permitted disclosures fit into the big three categories of treatment, payment, and healthcare operations. However, in this case, the disclosure is being done for business marketing purposes, which is not considered healthcare operations, so there is not a specific permitted disclosure rule for this situation. So, how can you use photos of all those beautiful smiles to market your practice?
The HIPAA Law
You will need to get specific valid authorization from each patient before posting their photo. HIPAA goes into detail in section 164.508 about what makes an authorization valid (and we have a form checklist tool in Bite-Size HIPAA® that can help you audit your forms against these requirements), but for the purposes of this Q&A, let me give a high-level overview of what HIPAA requires.
The authorization must contain a clear and specific description of what you will disclose and how you will disclose it. Furthermore, it must have an expiration date, inform the patient that they can revoke the authorization at any time, and be signed. Additionally, it must be written in plain English and explain that this is a voluntary authorization that they are free to deny with no effect on their treatment.
Summary
To summarize, HIPAA allows you to post patient photos, but only if your patients have given informed consent on a valid written patient authorization form.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.