
Photos and PHI: Three Must-Dos

Photos that show identifiable information about patients are considered protected health information (PHI). Are you showing or sharing too much?

Any photo that shows individually identifiable information is considered protected health information (PHI). This includes obvious things like photos of a patient's face and records that show a name or date of birth, but even things like initials, birthmarks, tattoos or moles are considered PHI. Here are a few must-dos when it comes to PHI photos in your practice.

Opt for Safe Storage and Encryption

Wiping photos of PHI isn't enough if you're simply storing them on a device that isn't well protected. If you need to keep photos for a long period of time, invest in software that uses encryption. Never email, text, or otherwise send any PHI without using the proper encryption software.

Obtain Consent

Before you share any photos, make sure your patient has agreed. Preferably, this agreement will be on a written or digitally signed consent form you can save for your records. This is especially true if you're sharing the photo via social media accounts. 

Use Facility-Owned Equipment

Never use your personal phone or laptop to take photos of patients—ever. To avoid a breach in data, as well as any ethical concerns, keep PHI photos limited to equipment provided and approved by the practice or clinic.

