Legal Risks of Sharing Patient Photos in Dermatology & Cosmetic Surgery

Just because your peers feature before-and-after photos in their marketing doesn’t mean that it’s legally compliant. Learn the risks of sharing patient photos and how you can stay on the right side of HIPAA and your state laws.

Testimonials from real patients are some of the most compelling marketing tools available. For that reason, and because of the ubiquity with which potential patients ask about your results, it is common for your success stories to adorn your dermatology or cosmetic surgery practice’s website. Powerful before-and-after photos of a dermatological or aesthetic transformation build public trust and reassure existing patients of your experience and skill.

When a practice works with a marketing team or web developer unfamiliar with the requirements of the HIPAA Privacy Rule, those professionals may post patient before-and-after photos you collected without further inquiry about the legality of these marketing campaigns. This also happens when office assistants or practice staff managing social media have not been looped into the practice’s HIPAA trainings or properly educated about your social media policies.  When your social media, blogs, and company websites depict stories of miraculous transformations, this generates enthusiastic new patients, and makes it feel like the right marketing decision for your practice.

But is the benefit worth the risk? Remember that the fact “everyone else is doing it” doesn’t mean the conduct complies with HIPAA or your state laws, like the Biometric Information Privacy Act in Illinois.

Patient photos constitute protected health information that belongs in the patient’s designated record set. In short: they’re highly protected.

Protected health information (PHI) is broadly defined as individually-identifiable information concerning a patient’s health condition, receipt of healthcare services, or payment for those services, which is created by or for a covered entity or business associate.  Your patient records also encompass the specific set of data which constitutes the patient’s Designated Record Set (DRS).  The DRS is the portion of the record which must be made available to your patient upon request (pursuant, of course, to your HIPAA policy’s release of records provisions). The DRS commonly includes information about the patient’s claims adjudication, payments, health plan enrollment, lab test results, and clinical case notations.  For aesthetic practices, the DRS also typically includes photographs of a patient’s progress through treatment.

Medical images can comprise a vital component of a patient’s DRS. And while you may see the patient’s dermatological or surgical transition when viewing those photos, it is crucial to recognize the myriad of private information also conveyed by those images – tattoos, identifying information like hair or eye color, birth marks, the patient’s facial geometry, and even a medical record number or birth date. Thus, before sharing these photos for any purpose besides your treatment of the patient, you must obtain the required authorizations from the patient. The details of the authorization you obtain from the patient will vary by state and the type of information you’ll be sharing.

Remember that digital cameras which rely on MicroSD or traditional SD memory card storage usually lack HITECH Act-compliant encryption capabilities. This means that they cannot be used for storing patient’s photos or information.

Be careful with what you share on social media – even if you’re sharing publicly-available images that you didn’t create.

HIPAA covered entities are not responsible for monitoring or protecting photos that patients or others unrelated to the practice post to social media. However, if you use photos of your patient that were shared by others – whether the patient, family or friends, or news media – to create before-and-after collages for social media and include “after” photos that you lacked authorization to share, this would violate HIPAA. Best practices dictate that you also obtain your patient’s consent to your use of publicly-available “before” photos – even if they have already given you written authorization to share their identity and success story.

Approach the use of a patient’s image like everything else in your practice by obtaining informed consent.

Remember that the concept of informed consent is integral to the patient’s right to autonomy and should be a central theme of the patient’s relationship with your practice.  When you share your patient’s information on social media, it’s important that you engage in a similar conversation about how their information can be used, how it may be impossible to retract, and what the consequences of that sharing might include. It’s also crucial to consider that blogs can be loosely considered social media since the expectation that public eyes will view each blog post. Therefore, always exercise the same level of caution when sharing stories or photos on your blog.

Only use realistic and actual results when sharing photos in marketing campaigns.

When sharing patients’ photos to market your practice, your central focus should be on sharing realistic results and depicting actual work done, rather than displaying superficial results.

Your practice should never post patient photos that have been edited or altered in any way – unless the alterations were done to prevent the display of personal information or to obscure restricted anatomy. Violations of this tenet can run you afoul of federal communications and advertising laws, in addition to biometric protection and medical privacy laws.

Understand your IT systems and consider these details in your technical risk assessment.

Remember that the integration of patient photos into your publicly-viewable mediums like a website, social media, or even group emails requires you to be extra vigilant about HIPAA’s requirements. This means that you should also understand how photographs are stored by your computer, camera, and internet technologies. In collaboration with your attorney and IT department, these details should be considered when undertaking your annual HIPAA risk assessment – particularly as you address the technical security of your systems.

Our attorneys can help ensure your use of patient photos complies with your legal obligations.

Jackson LLP’s dedicated healthcare attorneys can help you identify the legal risks inherent in your practice’s use of patient photos. To schedule a free consultation, book online below: