HIPAA Medical Photography - Interim
Title: HIPAA Medical Photography
Sub-category: Health Affairs Matters - General
Effective: December 1, 2015
ECU HIPAA Privacy Office, 252-744-5200
“Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” 78 Federal Register 17 (25 January 2013), pp. 5566-5702.
1.1. This policy sets forth guidelines that ECU clinical staff, faculty, learners, and other employees must follow when photographing patients in any ECU clinical site.
1.2. This policy does not govern medical photography of patients in any non-ECU healthcare facility where care is being rendered by an ECU clinical staff, faculty, learner, or other employee.
2.1 Photograph or photography – any videotaping, filming, still photography, images, digital or other means of recording and reproducing images.
2.2 Consent – permission granted by the patient (or legal representative) agreeing to allow the production of photographic images of patients.
2.3 Publication – any method of displaying or distributing photographs, including simply showing or sending the photographs to a limited number of individuals.
2.4 Treatment – purposes of identification, diagnosis, evaluation, management and/or treatment of a patient. Treatment includes diagnostic or therapeutic procedures where obtaining the non-textual data is part of the procedure using specialized equipment, clinical communications, and documentation to support reimbursement for services rendered to the patient.
2.5 Payment – health information disclosed to commercial or federal insurance companies or the Department of Social Services for claims processing, insurance review, or to determine benefits.
2.6 Health care operations – clinical functions internal to or within an ECU clinic or department. Examples may include: peer review, quality improvement, and risk management activities; certification, licensing and credentialing; business planning and management.
2.7 Clinical staff – includes any ECU employee, learner, visitor, or other workforce member who is providing clinical care to a patient or client. Clinical staff includes, but is not limited to: dentists; physical therapists; occupational therapists; speech pathologists; audiologists; physicians; substance abuse counselors; nurses; dental hygienists; students in medicine, dentistry, or other health professions.
3.1 The purpose of this policy is to protect patient privacy and confidentiality, and to ensure the security of patient identifiable information in accordance with federal and state laws, regulations, and ECU policies regarding the security of protected health information (PHI).
3.2 Clinical photography of patients may be appropriate and necessary for the identification, diagnosis, evaluation, management and/or treatment of medical conditions. Photographs or videos of patients may be used for payment or healthcare operations purposes.
3.3 The general consent for treatment provided by a patient includes the patient’s consent to take medical photographs for treatment purposes. The photographs may also be used for treatment, payment, and healthcare operations purposes without additional consents or authorizations.
3.4 Patient photographs taken for treatment purposes must be permanently stored in the patient’s record and/or the electronic health record. As soon as possible after inclusion in the medical record, the image must be deleted from the device on which it was produced.
3.5 Patient images and/or video recordings that are not stored in the medical record must be stored in a secure manner that allows for timely retrieval and protects the patient’s privacy and security, per ECU HIPAA policies and procedures.
3.6 Any employee taking or storing medical photography on any electronic storage or mobile device is required to follow ECU HIPAA security policies and procedures.
3.7 Details regarding required safeguards and university policy for PHI on electronic and mobile devices are located at www.ecu.edu/hipaa.
3.8 If a mobile device is used to take clinical photographs, an appropriate application must be used to take and transmit the clinical photographs directly into the medical record (e.g. Haiku or Canto applications if the EPIC electronic health record is used).
3.9 It is inappropriate to photograph any patient for social or personal use.
3.10 Any other use of identifiable patient photographs (education, media, publication, and research) requires that the patient execute a separate ECU HIPAA Authorization form found at www.ecu.ecu.hipaa.
4.1. Consent for Clinical Photography
4.2. Patients who complete any appropriate consent for treatment also provide permission to use patient information, including photographs, for treatment, payment, and health care operations. This general consent includes the provision of medical treatment or diagnostic procedures, including clinical photographs, deemed necessary.
4.3. If clinical photographs are used/disclosed for treatment, payment, or operations, they may be shared internally or externally to ECU. Use or disclosures external to ECU related to payment or operations may require the execution of a HIPAA Business Associate Agreement (see ECU HIPAA regulation 12.60.19).
5. Authorization for Clinical Photography for Other Purposes
5.1. Patient photography might also be used and/or disclosed (internal or external to ECU) for: education (internal or external to ECU), research, media, and publication purposes.
5.2 If patient photography is used and/or disclosed (internal or external to ECUP) for any purposes other than treatment, payment, or health care operations:
5.3. HIPAA patient authorization of protected health information (PHI) must be completed by the patient or legal representative; or
the patient photography must be de-identified.
6. De-identified Photography
6.1. Patient photography that is de-identified appropriately, per ECU HIPAA De-Identified regulation 12.60.20, does not require a patient consent or authorization for use/disclosure.
6.2. Such uses requiring authorizations might include: patient photography of the patient or body part may be sufficiently unique or recognizable to make it patient-identifiable; therefore, use/disclosure of the photograph may require a HIPAA patient authorization of protected health information (PHI).