While it’s been an accepted -- and fairly standard – practice for decades for doctors to proudly display photos of infant and children patients in their offices, you might not see as many images in the future according to a New York Times article and White Paper. The reason is a change in the Health Insurance Portability and Accountability Act (HIPAA).
“What has changed is an increased level of HIPAA enforcement at the state and federal levels,” explained Mike Egan, Senior Vice President at Kansas City-based Lockton Companies, a risk management advisor and insurance broker. “While it appears that no clinic or health care organization has been fined over the unauthorized posting of patient photos, the increased enforcement concern has led many health care providers to be more cautious.”
Even if parents submit the photos on their own, that won’t be enough to protect the health care entity. The posting of a photo identifies or potentially identifies an individual. The posting in a medical office implies the provision of health care to that individual. As a result, a photo – as cute as it may be – is “individually identifiable health information” that may not be disclosed under HIPAA’s privacy guidelines without specific patient consent.
In his recent White Paper, “What, No More Baby Pictures?”, Egan offers three tips to health care professionals to help them implement a HIPAA-compliant process: 1) obtain consent with a HIPAA-compliant consent form completed by a parent or legally authorized decision-maker; 2) create a log with an expiration date to track when a photo is posted and removed from display; and 3) establish a proper destruction process that follows the same precautions for photos as with any other protected health information.