Today, digital medical photographs are everywhere. In contemporary medicine, and especially in fields like plastic and reconstructive surgery that have such an emphasis on visual results, photography has come to play a crucial role in communicating results and setting patient expectations. Instagram is filled with before and after photos. We now capture clinical photographs on cell phones and directly upload them into the electronic medical record.
But what about patient privacy? Patient privacy is top of mind for providers, and the medico-legal implications have never been more important. In this blog post, based on our recently published viewpoint in Plastic and Reconstructive Surgery, we provide a brief overview of medical photography and offer recommendations for safe handling of patient photographs in the surgical context.
Let’s start with the history and the law. The advent of digital photography in the early 1990s coincided with the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Providers have since carefully navigated the medico-legal landscape of medical photography. Under HIPAA, patients are legally entitled to the protection of their health information. This protection includes patient imaging data, which clinical photographs are considered. Patients own the rights to their own likeness, meaning that although medical providers are responsible for safe and secure storage, patients retain the rights to the actual contents of their images.
However, U.S. copyright laws stipulate that the right to publish and distribute medical photographs, such as for a research article or for marketing purposes, remains with the person who took the photographs. Because this person is often a provider, patient consent must be obtained prior to taking and sharing patient images.
What about de-identified photographs? Under HIPAA, covered entities are permitted to share health information that has been successfully deidentified using either the safe harbor method (removal of 18 unique identifiers) or Expert Determination (professional de-identification). Although sharing deidentified images is allowed without explicit consent, providers should request permission to use the image in academic presentations, teaching or publications, and many academic journals require proof of consent in order to publish deidentified medical photographs.
One common format for medical photographs is before and after images. However, publishing photographs in this format is accompanied by the fear that patients may form unrealistic expectations based on the results of others. Indeed, patients have previously sued their surgeons for not achieving the same outcomes shown to them in “before and after” photographs during their initial consultation, arguing that they were misled and induced to undergo a procedure.
Misrepresentation of surgical outcomes, depending on state laws, could be considered a breach of warranty or even medical misconduct. With this in mind, all informed consent documentation should include a clause that addresses patient expectations. Consent documents should clearly state that before and after images of other patients do not constitute a guarantee of results.
What about the photos we take on our cell phones? Patient- and provider-generated images taken on personal devices can also be used for clinical or research purposes. When used to inform clinical care, such images must be deposited in the electronic medical record using HIPAA-compliant patient portals. Photographs should always be stored in a password-protected, encrypted location that is HIPAA-compliant. Methods of sending patient images, including via text message and email, must also align with HIPAA specifications.
Below is a summary table to help providers successfully navigate the medicolegal complexities around patient photography. Key principles include carefully consenting patients and securely sending and storing patient images.
|Summary Table: Medico-legal Photography|
|Set Clear Expectations: Essential Elements to Informed Consent||
|Securely Send and Store Patient Images||Sending photographs: Ensure email and text messaging systems are HIPAA-compliant
Storing photographs: Ensure storage structures are encrypted, password-protected, and HIPAA-compliant
By Dr. Matthew J. Davis, plastic and reconstructive surgery resident, Baylor College of Medicine, and Dr. Sebastian Winocour, associate professor of surgery, Baylor College of Medicine