Section 164.514 of the Final Privacy Rule acknowledges the inherent difficulties in de-identifying health information and photographs. It states that “there is always some probability or risk that any information about an individual can be attributed to that individual.” This rule proposes two methods to remove identifying information from records and photographs to “render the information ‘de-identified’ and thus not subject to [the Privacy] rule.”5
When a person’s identity may be ascertained from a medical photograph, the image is then subject to HIPAA and the protections afforded to individually identified personal health information. If the image identifies the patient, it is considered protected health information (PHI) and the Privacy Rule requires the physician or hospital to obtain the individual’s written authorization for any use or disclosure of the PHI if it is not to be used for treatment purposes, payment for services, or healthcare operations. When HIPAA’s Privacy and Security Rules are violated, and patients’ individually identifiable PHI is inappropriately made available electronically, the result can be catastrophic for the healthcare organization, even if the breach results from the unilateral actions of one healthcare professional.
