Is It a HIPAA Violation to Take a Picture of an X Ray?

by James Keogh

Whether it is a HIPAA violation to take a picture of an X ray depends on who is taking the picture, the purpose of taking the picture, and whether the picture contains any individually identifiable health information. What happens to the picture after it has been taken may also influence whether it is a HIPAA violation to take a picture of an X ray.

One of the issues regarding any “is it a HIPAA violation to …” question is that most answers are event specific. For example, with regard to the question of whether it is a HIPAA violation to take a picture of an X ray, the first thing to consider is whether the person taking the picture is an employee of a HIPAA covered entity, the patient to whom the X ray relates, or an unauthorized third party.

If the person taking the picture is an employee of a HIPAA covered entity, do they have the appropriate permissions to access the X ray in order to take a picture of it? If so, is the reason they are taking the picture a reason permitted by the HIPAA Privacy Rule? (Assuming the HIPAA Privacy Rule applies because the X ray contains individually identifiable health information.)

If the X ray does not contain individually identifiable health information and could not identify – or be used to identify – the individual to whom it relates, it is not a HIPAA violation to take a picture of an X ray because neither the X ray nor the picture of it qualifies as Protected Health Information (PHI) – unless the picture is saved or transmitted with an identifying title.

Other Scenarios Would Result in Different Answers

If the picture is saved or transmitted with an identifying title, the picture and the title are classified as a designated record set and – if the picture was taken by an employee of a HIPAA covered entity – are subject to the confidentiality requirements of the HIPAA Security Rule. Thereafter, if the picture is shared outside the organization, it may be necessary for a Business Associate Agreement or a valid HIPAA authorization to be in place.

Neither an Agreement nor an authorization is necessary if the patient to whom the X ray relates has taken the picture. Patients have rights under HIPAA to request copies of their PHI maintained in designated record sets, and – in this case – it would be a HIPAA violation to deny a patient their HIPAA right to take a picture of an X ray. What happens to the picture thereafter is irrelevant because the patient does not qualify as a HIPAA covered entity or business associate.

Then there are the scenarios of an employee who does not have appropriate permissions to access the X ray and unauthorized third parties. In both scenarios, it would be a HIPAA violation to take a picture of an X ray. However, in the first scenario, the employee could be sanctioned for accessing PHI without authorization, whereas in the second scenario, the covered organization could be sanctioned for failing to ensure the privacy and confidentiality of PHI.

The Importance of Understanding HIPAA in any Scenario

While it is relatively straightforward to work through the possible scenarios in an event of this nature to determine whether it is a HIPAA violation to take a picture of an X ray, it is not as straightforward in all scenarios. Furthermore, not only are there scenarios more complex than this one, but decisions about the correct course of action to take – or allow – might have to be made at a moment’s notice under emotive or stressful conditions.

It is not practical for HIPAA covered organizations to create decision flowcharts for every foreseeable event in which it may be – or may not be – a HIPAA violation to take or allow a specific course of action. Therefore, in order to mitigate the risk of an avoidable HIPAA violation, all members of covered organizations’ workforces are encouraged to ensure they have an adequate understanding of HIPAA to support decision making in any scenario.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]