Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org  and we will work with our experts to provide the information you need.
Q: If a patient gives verbal and written permission to have his or her photograph taken for educational reasons, is it a HIPAA violation to use the photograph in a presentation as long as the patient’s name, date of birth, admission date, etc., are not shown? Is using the photo—without PHI—in a group text discussing the patient’s clinical course a HIPAA violation? I have attended presentations that include patient photographs. I think this should be permitted with the patient’s permission. What is your opinion?
A: A patient’s photo may be used in a presentation as long as he or she signed an authorization permitting the use of the photo. Keep in mind that the photograph alone is PHI. This is true even if the name, date of birth, and so forth are not displayed. Don’t rely on verbal authorization.
There is an exception: if the patient’s picture is used internally for training purposes or other activities that fall under the umbrella of healthcare operations, then authorization is not necessary.
It’s not necessarily a violation of HIPAA to text a patient’s picture to a group if it’s for care coordination or treatment and is internal to the hospital, but it’s not a good idea unless that text message is encrypted. If the unencrypted text is intercepted or the mobile device that stores the message is stolen, it’s a breach of unsecure PHI.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA.  This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.