Q&A: Photographing patients as part of the registration process

Q: Is it permissible to take pictures of patients (including behavioral health) for identification purposes as a part of the registration process? Do the patients need to sign a consent form before their picture can be taken?

A: Many facilities take photographs of patients to aid in the management of patient safety (for ­instance, these can be used as one of the two required identifiers prior to passing out medications or performing procedures). Having patient photos on file would also be helpful in the case of elopement or to avoid medical or other identity theft.

You should have a policy that lists your guidelines if it is your practice to take photos of every patient. You might also include this in your notice of privacy practices. The patient would not necessarily be required to consent in writing, but you need to determine by policy how you will handle a patient who resists. Will you release photos as part of your legal health record? How will you store the photos? How long will you keep the photos? If the patient was in last week, are you going to require another photo? These are all issues to be ­addressed in your policy, and in the end you may ­decide that taking and maintaining the photo is not worth the effort it will entail to manage the process.

In a psychiatric facility where I worked, we used patient photos (instead of ID bracelets) as one of the two identifiers. Occasionally, we had patients who did not want their photo taken, and we did everything we could to persuade them. Failing that, we might get a photo from home (from the family) or from a driver's license. On very rare occasions, we snapped the photo while the patient was unaware-this should be an absolute last resort, and we only did this because we felt we had to have the photo from a patient safety perspective. I would not recommend this approach when any other possibility exists.

Editor's note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H., provided this answer. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.