
Posting Patient Photos on Social Media


Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

"I see photos of patients on dentists' websites and social media. Is this a breach of confidentiality? Is there a way to use patients' photos for promotional purposes and remain compliant with the privacy requirements of HIPAA?"

Thank you for your question and for taking patient confidentiality seriously. Let's see what HIPAA has to say about using patients' photos online.

Is it PHI?

Our first step is to ask if the information we are concerned about is actually protected health information. PHI includes any data about healthcare treatment or payment that could be linked to a particular person. The simple fact that an individual is a patient of your practice is protected health information. So, even a person's association with the practice needs to be kept private and confidential. In this question, the practice is posting a photo of a patient on the practice’s website or social media page. This would clearly identify the individual as a patient and would therefore be PHI, regardless of whether the patient’s name is used.

Three Exceptions

Let's see if HIPAA allows the disclosure. Our basic rule is that you cannot disclose PHI without valid patient authorization, unless there is a specific permitted disclosure rule that applies. Most permitted disclosures fit into the big three categories of treatment, payment, and healthcare operations. However, in this case, the disclosure is being done for business marketing purposes, which is not considered healthcare operations, so there is not a specific permitted disclosure rule for this situation. So, how can you use photos of all those beautiful smiles to market your practice?


You will need to get specific valid authorization from each patient before posting their photo. HIPAA goes into detail about what makes an authorization valid in section 164.508 (and we have a form checklist tool in Bite-Size HIPAA® that can help you audit your forms against these requirements), but for the purposes of this Q&A, let me give a high-level overview of what HIPAA requires.

The authorization must contain a clear and specific description of what you will disclose and how you will disclose it. Furthermore, it must have an expiration date, inform the patient that they can revoke the authorization at any time, and be signed. Additionally, it must be written in plain English and explain that this is a voluntary authorization that they are free to deny with no effect on their treatment.


To summarize, HIPAA allows you to post patient photos, but only if your patients have given informed consent on a valid written patient authorization form.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
