EHRs and patient photos

October 7, 2005

I've started incorporating digital pictures of my patients into their electronic health records for identification purposes. Does this require their authorization?

Q: I've started incorporating digital pictures of my patients into their electronic health records for identification purposes. Does this require their authorization?

A: Generally, no. Although HIPAA considers such photos protected health information, patient authorization isn't necessary because their use as an ID tool is part of your healthcare operations, one of three areas where authorization isn't required (treatment and payment are the other two). But since this use of patient photos in EHRs is still relatively uncommon, you might want to proceed cautiously. For instance, as part of the materials you ask new patients to fill out and sign, include a statement describing how you intend to use their photos. You'd also be wise to give established patients a similar acknowledgement to sign.