Sharing practice videos and patient photos in the office and online can be a vital marketing tool for aesthetic physicians. However, you need to ensure conformity with the regulations set down in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which were designed to protect the privacy and security of certain health information.
This third and final part of the practice management series on photo and video galleries provides an overview of the various legalities that must be obeyed when posting patient images.
Before-and-after images of dermatological or aesthetic procedures are a vital means of attracting new patients, building public trust and reassuring current patients of your abilities.
But, before you publish any information or patient images, it is crucial to recognize the types of private information also conveyed by those images, such as a patient’s tattoos, hair and eye color, birthdate, birth marks or a medical record number.
Often, HIPAA violations arise in content that is posted on social media. Social media is used by three-quarters of Internet users. Furthermore, 80% of those on Facebook, practice websites, Instagram and other Internet-based media are actively seeking medical news, research, physicians and clinics.
To completely avoid HIPAA violations of this kind, you will need to follow a few rules.
“Many physicians that have developed the skills to take good photos and use video effectively may stumble when it comes to HIPAA compliance and patient privacy,” stated Tim Sawyer, president and co-founder of Crystal Clear Digital Marketing in Orlando, Fla. “In this Kardashian era most people will do anything in front of a camera. They have no reservations whatsoever, because so many people overshare everything. While we are in a generation where it is not difficult to get consent, you still have to get it.”
Incorporating patient photos and video into public-facing media, like websites, social media, or even group e-mails, requires extra vigilance regarding HIPAA’s requirements. Accordingly, prior to sharing any photos or videos for any reason other than the treatment of the patient, physicians need to obtain the requisite patient authorization.
Obtaining informed consent from patients is essential to creating a positive relationship with the practice. When sharing patient information and their likeness online or in marketing materials, physicians should initiate a conversation early on about how their information can be used and the consequences of that sharing.
Most physicians would be wise to create “an airtight patient consent form that covers everything related to posting patient images,” said Michael Cohen, vice president of marketing at eRelevance, a marketing service firm based in Austin, Texas.
“A photo release document is usually a single page with relatively simple language,” he continued. “Versions are readily available on the Internet. For some, hiring counsel to help develop these forms is a very good idea. It is a one-time effort and expense that is necessary to avoid future legal matters, and it is a good idea to review that consent form on an annual basis, because the laws do change.”
According to Gregory A. Buford, M.D., F.A.C.S., a plastic surgeon in Denver, Colo., “Twenty years ago, the consent form had a disclaimer in small print at the bottom of the page, where it said patient photos can be used for educational or promotional purposes. Now, because of the explosion of social media and the Internet, it is in bold print and big letters.
“There are different levels of consent and release,” Dr. Buford continued. “My lawyers have always advised me to include a specified duration, as in obtaining consent to release a patient’s photos for, say, the next five years. The consent and release need to be specific about where their photos and videos will be used – on a website, for internal use, on social media, etc., as well as the amount of time involved.”
Policies and procedures
Another way to avoid legal snares with social media-based HIPAA violations is for offices to maintain a carefully crafted policy statement on how to take, edit, process and post patient images for online use or in an in-office look book.
In addition, hired staff should be trained on those privacy and security policies with an annual review process. “Your social media policy should be integrated into these policies and procedures,” Mr. Cohen noted.
Image storage guidelines
Storage requirements are also stringent when images are shared, including with third parties. So, for a practice to be fully HIPAA compliant, physicians and staff should learn how photos are stored in the camera, on computer hard drives and when using Internet technologies.
The safest approach is to save photos in a HIPAA-compliant system or a professional medical photo database. Do not store them on a camera, an iPhone or an iPad, as these are not HIPAA-compliant.
Also, stored images should not include a patient’s protected health information (PHI) within the photo, file names or a photo’s EXIF information or metadata.
Annual risk assessment
Undertaking a regularly scheduled HIPAA risk assessment can help practices understand the technical security of these systems. For instance, HIPAA severely restricts the use of e-mail to send and receive patient images or information.
Controlling photography by staff can be much easier than supervising what patients, family and/or visitors photograph. Today, cell phones are common, and many have cameras with advanced photo and video recording abilities. Thus, practices should contemplate employing a policy that addresses limits to non-staff photography and video in the office.
Above all, using photos or videos created by another physician and posted publicly on the Internet is a no-no, Dr. Buford said.
“If you’re looking for images to illustrate your latest lecture, you cannot grab a Google image and put it on your website or in your PowerPoint deck,” he elaborated. “There are firms that troll for copyrighted images, and it can be very expensive if you take them for your own uses.”