PHI in Photographs and Audio/Video Recordings

When photographs, audio recordings, and video recordings of patients constitute PHI under HIPAA, and what small clinics need to do before capturing, storing, or sharing patient images.

Short answer

Photographs and recordings of patients constitute PHI when they can be linked to an individual's health condition or healthcare relationship. Clinical photographs, telehealth recordings, and audio recordings of patient encounters all carry HIPAA obligations. Small clinics need specific policies for patient image capture, storage, and sharing — and must obtain proper authorization before using patient images in marketing or educational contexts.

When a medical assistant photographs a wound for clinical documentation, the image is Protected Health Information. When a front desk staff member takes a photo of a patient’s insurance card on their personal smartphone, PHI has entered a personal cloud account without authorization. When a clinic posts a “patient success story” photo on its website without HIPAA-compliant authorization, the violation is public.

Photographs and recordings are easy to overlook in HIPAA compliance programs because they feel different from records in an EHR. They aren’t. The HIPAA definition of PHI applies to all forms of health information, regardless of medium.

When a Photograph or Recording Is PHI

Under 45 CFR §164.501, PHI is individually identifiable health information — information that:

  1. Relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for healthcare
  2. Identifies the individual or could reasonably be used to identify the individual

A photograph of a patient taken in a clinical context satisfies both criteria. The photograph itself is an identifier — the patient’s face. The clinical context (the wound being documented, the telehealth session, the physical therapy session) is the health information. Together, they constitute PHI.

HIPAA’s de-identification standard at 45 CFR §164.514(b) lists full-face photographs and comparable images as one of the 18 identifiers that must be removed for information to be considered de-identified. This means HIPAA specifically recognizes patient photographs as identifiers, not incidental data.

A photograph or recording is PHI if:

  • Photograph documents a clinical condition (wound, rash, surgical site, physical finding)
  • Recording captures a patient encounter (telehealth visit, in-person visit audio)
  • Image was captured in the course of providing healthcare to that individual
  • Image could be linked back to an individual’s health information

It is not PHI if:

  • Photograph is of a staff member only, with no patient present
  • Generic facility photo with no patients visible
  • Image of a model with no real patient information attached

Clinical Photography: Treatment Use Is Permitted, But Controls Are Required

Taking clinical photographs for treatment purposes — wound documentation, dermatology monitoring, surgical progress photos — is a permitted use of PHI under the Treatment exception. Authorization from the patient is not required for photographs that are part of the medical record and used to provide care.

“Permitted use” doesn’t mean “no controls required.” Clinical photographs captured for treatment must be:

Stored in the medical record. Clinical photographs belong in the patient’s chart, in your BAA-covered EHR or document management system. They do not belong in a personal smartphone photo library, on a shared clinic drive without access controls, or in a cloud storage service without a HIPAA BAA.

Captured on authorized devices. Photographs taken on personal smartphones for clinical purposes create an immediate PHI management problem: the image lands in the personal photo library, potentially backed up to a personal iCloud or Google Photos account, accessible to anyone who has access to that account. Clinic policy should require clinical photographs to be taken on clinic-issued devices or within the EHR’s built-in camera function (if available).

Access-controlled within the medical record. Clinical photographs in the EHR should carry the same access controls as other clinical record content. A billing specialist doesn’t need access to wound photographs.

Telehealth Recordings

A telehealth recording of a clinical encounter is PHI — it captures the patient’s identity, the healthcare context, and clinical content in a single file.

If your telehealth platform records sessions and stores them in the platform’s cloud, that storage must be covered by a HIPAA BAA. Storing telehealth recordings in a default cloud location without a BAA — the platform’s built-in recording library, Zoom cloud, Google Meet storage — is a PHI storage violation.

For clinics that record telehealth sessions:

  • Confirm the recording is stored in a BAA-covered environment
  • Limit access to recordings to authorized clinical and administrative staff
  • Obtain patient consent for recording before the session — state law may require consent separately from HIPAA’s general requirements
  • Establish a retention period and a disposal process for recordings

Audio Recordings: In-Person and Phone

Audio recordings of patient encounters — in-person clinical visits recorded by a provider, phone calls recorded by the clinic’s phone system — are PHI when they capture health information.

Many small clinics use phone systems with automatic call recording for quality and training purposes. If patients call about their health information (appointment details, clinical questions, prescription refills, billing), those recordings are PHI. The fact that the system records everything automatically doesn’t change what the content is.

For clinics with automatic call recording:

  • Confirm the phone and recording system vendor has a BAA with your clinic
  • Review what calls are captured and whether PHI routinely appears in them
  • Assess retention and access controls for call recordings

Marketing and Educational Use: Authorization Required

Using a patient’s photograph or recording for marketing, education, or public communication requires a HIPAA-compliant authorization from the patient that is separate from — and more specific than — any general consent signed for treatment.

The authorization must (45 CFR §164.508):

  • Describe the information to be used or disclosed in specific terms (not just “photograph”)
  • Describe the purpose of the use or disclosure (“to appear in a testimonial on our clinic’s website and social media”)
  • Identify the persons or organizations authorized to make the use or disclosure
  • Identify the persons or organizations authorized to receive the information
  • Explain that the patient has the right to revoke the authorization and how to do so
  • Include an expiration date or event

A signed general “release” from a patient intake form does not typically satisfy these requirements for marketing use. Clinics posting patient photos, videos, or testimonials on websites, social media, or in printed materials should have a marketing-specific HIPAA authorization on file for each patient whose image is used.

Staff Smartphones: The Fastest Route to Unauthorized PHI Storage

The most common photograph-related PHI problem in small clinics: a staff member photographs a wound, an insurance card, a patient document, or a whiteboard with patient information on their personal phone. The image immediately syncs to their personal cloud account. That is an unauthorized PHI disclosure. PHI has entered a personal account with no BAA, no access controls, and no connection to the clinic’s HIPAA program.

Preventing it requires:

  • A written policy prohibiting personal device cameras from capturing PHI
  • Staff training on what constitutes a “clinical photograph” and why personal phones are off-limits for it
  • A practical alternative: clinic-issued devices, or EHR-integrated camera functions, for all clinical photography

For clinics where a BYOD (bring your own device) policy permits personal devices for some functions, the camera prohibition should be explicit — “personal phone camera may not be used to photograph patients, patient information, or clinical findings.”

Practical Checklist for Small Clinics

Review these items at your next compliance meeting:

  • Does the clinic take clinical photographs? If yes, on what devices, and where are the images stored?
  • Are clinical photographs in the patient’s EHR record or in an uncontrolled location (email folder, personal photo app, shared drive without access controls)?
  • Does the clinic have a telehealth recording policy? Are recordings stored in a BAA-covered location?
  • Does the clinic’s phone system record calls? Is the recording vendor under a BAA?
  • Has any patient’s image or story been used for marketing without a specific HIPAA-compliant authorization?
  • Does the clinic’s BYOD or device policy explicitly address camera use and clinical photographs?

The photograph questions take five minutes. The compliance gaps they reveal may take longer to fix — but finding them on your own is far better than finding them because the HHS Office for Civil Rights (OCR) is asking.
