HIPAA Guidance-02
About This Guidance
Effective: 08/01/2012
Last Updated: 12/13/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Guidance Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
Scope
This guidance applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
Guidance Statement
Exclusions: Unless otherwise specified in this guidance, all photography, audio and/or video recordings and cell phone/smart phone photographs and recordings that are taken in the clinical care setting or in other IUH, IUHP buildings or grounds or IU Clinical or Human Subject Research (including but not limited to clinical trials) areas are covered by this guidance. This guidance document does not apply to the following:
- Victims of suspected child abuse or neglect; refer to the IUH’s Child Abuse Manual;
- Photo identification taken at the point of registration; refer to IUH’s Patient Access Service policies;
- Marketing and public relations operations as well as for any event that attracts media attention. The IU, IUH or IUHP’s Public Relations teams are responsible for coordinating these consents;
- Radiology Images (X-ray, MRI, CT Scan, etc.);
- Ultrasound images;
- De-identified images of internal body part(s) that are taken during a procedure using specialized equipment (e.g., through a lumen). Examples include, but are not limited to Arthroscopy, Endoscopy, Colonoscopy, Colposcopy, Bronchoscopy, Laparoscopy, etc.;
- EEG Monitoring, EEG Video Monitoring, EEG Intraoperative Monitoring, etc.;
- Pathology slides; and
- Autopsy photographs or recordings taken for purposes of death investigation by a County Medical Examiner’s Office
- Video monitoring of premises for security purposes, governed by other policies
A. Equipment/Devices
- Organizationally Owned and Authorized
Equipment may be used for photography and/or audio and video recording if authorized by Indiana University, Indiana University Health or Indiana University Health Physicians.
Recordings made for IU, IUH, IUHP business purposes or patient care on authorized equipment which may be unsecured (e.g. digital cameras), should be downloaded from the recording device (camera, phone, etc.) to a secure environment, and then immediately deleted from the recording device.
- Third Party Owned
In general, employee and/or provider personally owned devices are considered third party devices. Third party devices are required to meet IU, IUH, IUHP’s security requirements.
The individual is responsible for the security of the device and is required to follow all applicable security policies to implement physical and technical safeguards to protect the device and any data stored on the device.
- The Device must be encrypted and password protected
- The Device should be registered with your organization
- Maintain documentation to demonstrate compliance with the requirements: document the following information and retain it for your records. In the event of a lost or stolen device, this information may be requested by the investigating team.
- Take a screen capture of the device showing encryption and a passcode is enabled
- Record information about your device and keep for your records including:
- Model Number
- Serial Number
- MAC Address
- Version of operating system
- Once the photograph or recording is no longer required on the device and has been properly preserved, the individual is responsible for the proper deletion.
B. Consent Requirements
- Clinical Purpose: Consent, implied or expressed, to receive care includes consent for the capture of any photograph and/or recording taken or made for clinical purposes.
- Non-Clinical Purposes:
- Unless otherwise specified, written consent must be obtained prior to making and/or using a photograph and/or recording for a non-clinical purpose.
- If a photograph or recording is initially taken, made or used for a Clinical Purpose, and later deemed appropriate for a Non-Clinical Purpose, written consent must be obtained.
Original Purpose of Photograph or Recording | Consent Form Required? | Comment |
---|---|---|
Clinical Patient Care Purpose and/or Clinical Operations Function | No | General consent to treat is obtained |
Diagnostic or therapeutic procedures where photography/recording is part of procedure using specialized equipment | No | Consent is obtained to undergo the procedure |
Future Educational Presentations to teach healthcare clinicians internal or external | Yes | |
Documentation of trainee’s experience | Yes | |
Quality, safety & performance improvement initiatives | Yes | |
Celebrations of healing and caring posted in unit or other public space | Yes | |
Departmental brochures or other publicly displayed media | Yes | |
Research | Yes & IRB Approval | Study Specific Informed Consent & HIPAA Authorization or Waiver |
Child Abuse or Neglect and Vulnerable Adult Abuse or Neglect Documentation | No | |
Domestic Violence | Yes | Hospital Personnel |
Publicity/Marketing/Media | Yes | Obtained by Marketing & Public Relations |
By patient/family for personal/private use | No | Restrictions may be applied |
C. Security and Storage
- Photographs and/or Recordings made and/or used for a clinical patient care purpose must be permanently stored in the patient’s medical record in accordance with policy.
- All other patient photographs and/or video or audio recordings that are not stored in the electronic medical record must be stored in a secure manner that also allows for timely retrieval and protects the patient’s privacy. The images must be stored for the retention period required by law, regulation and/or policy and destroyed according to policies governing protected health information.
D. Deletion of Photographs and Recordings from any Device
- Regardless of the ownership of the device, after proper preservation of any patient photograph or recording, the images stored on a digital camera, recording equipment, portable electronic devices memory card and/or any portable device (e.g., flash/thumb drive) must be properly and promptly deleted from the device.
E. Uses of Photography or Recordings for Educational Purposes
- Internal Purposes
Academic, education, training or personnel performance activity provided to or directed only toward IU, IUH or IUHP Audiences and/or IU, IUH, or IUHP patients and their family members. The term includes the use of patient photographs or recordings used for documentation of a trainee’s educational experience.
- Written consent must be obtained and documented in the patient’s medical record prior to photographing or recording a patient or a patient’s body part for the purpose of Internal Education. Internal Education includes the use of patient photographs or recordings used for documentation of a trainee’s educational experience.
- If patient photography or recording taken or made for a Clinical Purpose is later deemed appropriate for Internal Education, written consent must be obtained prior to the use of the photograph or recording for Internal Education.
- Patient images produced for the purpose of Internal Education should be de-identified to the extent reasonably possible. If the image cannot be de-identified, all facial identifiers should be removed (e.g., identifiers such as patient name, medical record number and date of birth should be removed or redacted/blocked out, facial images should be cropped so that the entire face is not showing, patient’s eyes and nose should be blocked out, etc.)
- Uses of Photography or Recordings for External Education
Education or training provided to or directed toward non-IU, IUH or IUHP audiences. An example is an educational presentation to members of a state or national specialty or professional organization.
- Written consent must be obtained and documented in the patient’s electronic medical record prior to photographing or recording a patient or a patient’s body part for the purpose of External Education. If patient photography or recording taken or made for a Clinical Purpose is later deemed appropriate for External Education, written consent must be obtained prior to the use of the photograph or recording for External Education.
- Patient images produced for the purpose of External Education must be de-identified (e.g., all identifiers must be removed or redacted/blocked out, including but not limited to patient name, medical record number and date of birth.) If facial images will be used for External Education, they should be cropped so that the entire face is not showing, patient’s eyes and nose are blocked out, etc., to the extent reasonably possible for purposes of de-identification of the patient.
F. Uses of Photography or Recordings for Research
Photographing and/or recording of patient images is allowed if necessary for research purposes, as long as the research has been:
- Approved by an IU/IUH Institutional Review Board (IRB); and
- Appropriate written consent and authorization of the patient (or the patient’s legal representative), as determined by the IRB are obtained; or
- An IRB approved waiver of informed consent and authorization. Under a waiver, the recordings will need to be de-identified or in the form of a limited data set as defined by HIPAA.
Reason for the Guidance
Photography, audio and/or video recordings of a patient or a patient’s body part in any medium by IU, IUH or IUHP personnel for the purpose of patient identification, diagnosis, documentation, evaluation, management and/or treatment are a component of the patient’s medical record and therefore are to be managed in compliance with medical record description, content, and requirements.
As defined in policy, hard copy and digital/electronic photographic images, audio and/or video recordings must be handled in a manner that meets requirements to ensure compliance with university policy, state and federal law and third party regulatory and accreditation requirements for medical record documentation.
The use of a workforce member’s cell phone/smart phone and/or personal camera to photograph or record a patient (and/or any patient body parts) for any workforce member’s personal, non-business purpose is prohibited.
Definitions
See Glossary of HIPAA Related Terms for complete list of terms.
History
05/16/2013 Draft reviewed by IU, IUH, IUHP
07/16/2013 Draft updated by IU, IUH, IUHP
08/08/2013 Final approved by HIPAA Privacy and Security Council
01/12/2016 Updated Definitions Section
08/01/2016 Added link to Glossary
12/13/2021 Updated contacts and policy references