Q&A: Storing patient photos for identification
Q. Can facilities require a patient to take a photo for the patient’s medical record? Can a photo of a patient be stored in the EMR? If so, would the photo be considered PHI? Are there any restrictions on how the photo could be used?
A. You can’t require a patient to have a photo taken. You can require a patient to present ID that validates the patient’s identity. You can’t require the patient to permit you to scan and store the patient’s driver’s license.
Photos can be stored in the EMR. Photos are PHI, especially given the fact that they will likely be stored in the EMR with other PHI. Just like any disclosure of PHI, there are restrictions on how photos can be used. You need to take into account the minimum necessary standard. If the patient’s photo is stored to help identify the patient when he or she is checking in, that’s all it should be used for. As far as disclosures, you can’t publicly display photos without patient authorization. It’s similar to children’s pictures that are posted at pediatric practices. You need authorization from the patient or the patient’s personal representative—often the parents when it comes to photos of minors.
Editor’s note: This question was answered by Chris Apgar. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.