HIPAA Before and After Photos


Abstract

Identifiable patient imagery is PHI under HIPAA. 45 CFR 164.514(b) offers two de-identification paths: Safe Harbor, which removes 18 listed identifiers, among them full-face photographic images and any comparable images, and Expert Determination, which rests on a documented finding that the risk of identification is very small. An identifiable before-and-after photo that is not de-identified requires a 45 CFR 164.508 written authorization scoped to the imagery itself, distinct from the text-testimonial workflow.

Regulatory surfaces addressed
45 CFR 164.514: de-identification standards (Safe Harbor 18-identifier removal; Expert Determination statistical-risk standard)
45 CFR 164.508: imagery authorization
When imagery becomes PHI

Full-face images. Distinctive marks. Distinctive anatomy. Actual-knowledge test.

Imagery becomes PHI when the photo can be used, alone or in combination with other reasonably available information, to identify the individual. Full-face photographic images and any comparable images are one of the 18 identifiers listed under 45 CFR 164.514(b)(2)(i) Safe Harbor [1], so a full-face photo of a patient is PHI on its face. Distinctive marks (tattoos, scars, birthmarks), unique anatomical features, and identifiable jewelry or clothing can be comparable images or fall under the catch-all identifier for any other unique identifying characteristic, so a photo with the face cropped can still be PHI when those features remain.

Safe Harbor also carries an actual-knowledge test: the covered entity must not have actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. De-identifying imagery is harder than de-identifying text because the identifying features are visual, spread across the frame, and often inseparable from the clinical point the photo is meant to show.

Safe Harbor and Expert Determination

Two paths. Different documentation requirements.

Safe Harbor removes the 18 identifiers of the individual and of the individual's relatives, employers and household members listed in 164.514(b)(2)(i) (names, geographic subdivisions smaller than a state, all elements of dates except year, contact information, account and record numbers, biometric identifiers, full-face photographic images and any comparable images, and any other unique identifying number, characteristic or code) and requires that the covered entity not have actual knowledge that the remaining information could identify the individual [1].

Expert Determination is the alternative under 164.514(b)(1): a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the individual. This path can support retaining partial-face or cropped imagery that Safe Harbor would strip, but only where the expert's analysis supports the conclusion. Plastic-surgery and dermatology galleries occasionally use Expert Determination for such imagery; the determination, the methodology and the result have to be documented by the expert at the time of de-identification and retained for audit.

Imagery-specific authorization

Core elements scoped to imagery use, not text.

The imagery-specific authorization carries the same core elements as a text-testimonial authorization under 45 CFR 164.508(c): a specific and meaningful description of the information, who may disclose it, who may receive it, each purpose, an expiration date or event, the signature and date, plus the required statements on the right to revoke, on conditioning of treatment, and on redisclosure [2]. For imagery the description has to be specific to the photos and their use: which photos, which surfaces they appear on (the practice's website gallery, social media, print marketing materials), the duration of use, and how the patient revokes. The form names the photos by reference or by attached identifier; a catch-all 'gallery use' description does not satisfy the specific-and-meaningful standard. A promotional gallery is also a marketing use of PHI, for which 164.508(a) independently requires authorization.

The ASPS Code of Ethics adds specialty-specific guidance on patient-image use that several state medical boards reference [3]; boards with no state-specific imagery rule tend to adopt the ASPS framework by reference. The architectural pattern: a separate imagery-specific authorization form executed before the imagery is published, distinct from the text-testimonial authorization. The two forms authorize different uses of patient information, and a text-testimonial authorization does not cover imagery use.

When the workflow doesn't run

Aggregated outcome graphics. De-identified statistical surfaces.

De-identification is the right tool for aggregated outcome graphics where no individual patient is the subject. A bar chart of 'typical recovery time across 200 patients in a plastic-surgery series' identifies no one; the aggregate is the surface. The covered entity should still record how the aggregate was produced and confirm that no individual is identifiable from it, for example through a category containing only one or two patients.

OCR has resolved enforcement actions against practices that published identifiable patient information without authorization [4]. Publishing an identifiable photo without authorization is an impermissible disclosure and, where it meets the breach definition, a reportable breach; the HHS breach portal (the so-called Wall of Shame) publicly lists reported breaches affecting 500 or more individuals [5]. The architectural pattern errs on the side of imagery-specific authorization rather than de-identification for identifiable imagery.

The imagery-consent workflow is the load-bearing surface for plastic-surgery and dermatology pages in the healthcare SEO architecture at Praxis. The gallery surface depends on the workflow upstream of every published photo.
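As an added example, not code from the original page and not Praxis's workflow, the gate described above can be written as a small fail-closed check: a photo publishes to a surface only if a signed, unexpired, unrevoked 164.508 authorization names that photo and that surface, or a documented Safe Harbor or Expert Determination record exists. The field names, surface labels, identifier subset and every sample record are constructed assumptions for this illustration; the authorization scoping (which photos, which surfaces, duration, revocation) follows the section on imagery-specific authorization above.

```python
# Added example for this page: a fail-closed publication gate for a
# before-and-after gallery. Illustrative only, not Praxis's workflow and not
# an OCR-endorsed control; names, labels and sample records are constructed.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple

# Subset of the 18 Safe Harbor identifiers (45 CFR 164.514(b)(2)(i)) a photo
# record is likely to carry; the labels are this example's own.
PHOTO_IDENTIFIERS = frozenset({
    "names", "dates_except_year", "medical_record_numbers",
    "full_face_or_comparable_images", "biometric_identifiers",
    "other_unique_identifying_characteristic",
})

@dataclass(frozen=True)
class Authorization:              # the 164.508(c) details the gate checks
    photo_ids: FrozenSet[str]     # photos named by identifier, not "gallery use"
    surfaces: FrozenSet[str]      # disclosures named by surface
    expires_on: date              # expiration date (an event could be modelled too)
    signed_on: Optional[date]     # None = unsigned, never valid
    revoked_on: Optional[date] = None

@dataclass(frozen=True)
class DeidRecord:
    method: str                   # "safe_harbor" or "expert_determination"
    identifiers_removed: FrozenSet[str] = frozenset()
    actual_knowledge: bool = False  # someone at the practice can still identify the patient
    expert: Optional[str] = None    # Expert Determination only
    methodology_ref: Optional[str] = None
    determined_on: Optional[date] = None

@dataclass(frozen=True)
class Photo:
    photo_id: str
    authorization: Optional[Authorization] = None
    deid: Optional[DeidRecord] = None

def authorization_allows(auth: Optional[Authorization], photo_id: str,
                         surface: str, today: date) -> Tuple[bool, str]:
    # Valid only if a signed, unexpired, unrevoked form names this photo and surface.
    if auth is None:
        return False, "no authorization on file"
    if auth.signed_on is None:
        return False, "authorization unsigned"
    if photo_id not in auth.photo_ids:
        return False, "authorization does not name this photo"
    if surface not in auth.surfaces:
        return False, f"authorization does not name surface {surface!r}"
    if auth.revoked_on is not None and auth.revoked_on <= today:
        return False, "authorization revoked"
    if auth.expires_on < today:
        return False, "authorization expired"
    return True, "authorization valid"

def deid_documented(deid: Optional[DeidRecord]) -> Tuple[bool, str]:
    # Valid only if the record supports treating the photo as de-identified.
    if deid is None:
        return False, "no de-identification record"
    if deid.actual_knowledge:
        return False, "actual knowledge of identifiability defeats both methods"
    if deid.method == "safe_harbor":
        missing = PHOTO_IDENTIFIERS - deid.identifiers_removed
        if missing:
            return False, "safe harbor incomplete: " + ", ".join(sorted(missing))
        return True, "safe harbor documented"
    if deid.method == "expert_determination":
        if not (deid.expert and deid.methodology_ref and deid.determined_on):
            return False, "expert determination lacks expert, methodology or date"
        return True, "expert determination documented"
    return False, f"unknown de-identification method {deid.method!r}"

def may_publish(photo: Photo, surface: str, today: date) -> Tuple[bool, str]:
    """Fail closed: publish only on a valid authorization or a documented de-identification."""
    ok, why = authorization_allows(photo.authorization, photo.photo_id, surface, today)
    if ok:
        return True, why
    ok, why_deid = deid_documented(photo.deid)
    if ok:
        return True, why_deid
    return False, f"hold: {why}; {why_deid}"

# Constructed sample records; no real patients, forms or photos.
TODAY = date(2025, 3, 1)
SAMPLE = [
    Photo("rhino-0412", authorization=Authorization(   # valid for the website only
        frozenset({"rhino-0412"}), frozenset({"website_gallery"}),
        expires_on=date(2026, 3, 1), signed_on=date(2025, 1, 15))),
    Photo("lip-0150", authorization=Authorization(     # patient revoked last month
        frozenset({"lip-0150"}), frozenset({"website_gallery"}),
        expires_on=date(2026, 3, 1), signed_on=date(2025, 1, 15),
        revoked_on=date(2025, 2, 20))),
    Photo("tummy-0099", deid=DeidRecord(               # cropped, but a tattoo gives it away
        "safe_harbor", identifiers_removed=PHOTO_IDENTIFIERS, actual_knowledge=True)),
    Photo("abd-0201", deid=DeidRecord(                 # expert determination on file
        "expert_determination", expert="hypothetical expert",
        methodology_ref="DEID-2025-07", determined_on=date(2025, 2, 2))),
    Photo("brow-0333"),                                # nothing on file
]

def gate_report(photos=SAMPLE, surface="website_gallery", today=TODAY):
    """Map photo id -> (may_publish, reason) for one surface on one day."""
    return {p.photo_id: may_publish(p, surface, today) for p in photos}
```

Call gate_report() to see the decision and reason for each sample photo; pass surface="instagram" to watch the website-only authorization for rhino-0412 fail, since an authorization that does not name the surface does not cover it. The gate reports a reason string rather than silently dropping the photo so that the hold itself becomes the audit record the text asks for.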

References
  1. U.S. Department of Health and Human Services, Office for Civil Rights. 45 CFR §164.514. De-identification of protected health information. Code of Federal Regulations, HIPAA Privacy Rule. 2024. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514
  2. U.S. Department of Health and Human Services, Office for Civil Rights. 45 CFR §164.508. Uses and disclosures for which an authorization is required. Code of Federal Regulations, HIPAA Privacy Rule. 2024. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
  3. American Society of Plastic Surgeons. ASPS Code of Ethics on Patient-Image Use. ASPS. 2024. https://www.plasticsurgery.org/about-asps/governance/code-of-ethics
  4. U.S. Department of Health and Human Services, Office for Civil Rights. OCR Resolution Agreements and Civil Money Penalties. HHS OCR. 2024. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/
  5. U.S. Department of Health and Human Services, Office for Civil Rights. HHS Breach Portal (Wall of Shame). HHS OCR. 2024. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Common questions

Questions practice administrators ask about HIPAA imagery. Before publishing the next before-and-after photo.

01.

When does a before-and-after photo become PHI?

When the photo can be used, alone or in combination with other reasonably available information, to identify the individual. Full-face photographic images and any comparable images are one of the 18 identifiers listed under 45 CFR 164.514 Safe Harbor, so a full-face photo of a patient is PHI. Distinctive marks (tattoos, scars, birthmarks), unique anatomical features, and identifiable jewelry or clothing also count as identifying information, so a photo can remain PHI even when the face is cropped. Safe Harbor also carries an actual-knowledge test: the covered entity must not have actual knowledge that the remaining information could be used, alone or in combination, to identify the individual. Practical de-identification of patient imagery is harder than text de-identification because the identifying features are visual and rarely removable cleanly.

02.

What's the Safe Harbor method versus Expert Determination?

Safe Harbor removes 18 specific identifiers (name, address, dates other than year, contact information, record numbers, biometric identifiers, full-face photographic images and any comparable images, and any other unique identifying characteristic, among others) and requires that the covered entity not have actual knowledge that the remaining information could identify the individual. Expert Determination is the alternative: a person qualified in generally accepted statistical and scientific methods determines that the risk of identification is very small. Expert Determination can support cropped or partially blurred imagery that Safe Harbor would strip, when the statistical analysis supports the conclusion. Plastic-surgery and dermatology galleries occasionally use Expert Determination for partial-face or cropped imagery; the determination and its methodology have to be documented by the expert at the time of de-identification and retained.

03.

What does the imagery-specific authorization require?

The same core elements as a text-testimonial authorization under 45 CFR 164.508(c) (description of the information, who discloses, who receives, purpose, expiration date or event, signature and date, plus the required statements on revocation, conditioning and redisclosure), but the description has to be specific to imagery use: which photos, which surfaces they appear on (the practice's website gallery, social media, print marketing materials), the duration of use, and how the patient revokes. The ASPS Code of Ethics on patient-image use adds specialty-specific guidance that several state medical boards reference. The architectural pattern: a separate imagery-specific authorization form executed before the imagery is published, distinct from the text-testimonial authorization. The two forms authorize different uses of patient information.

04.

What about photos taken at the practice but published anonymously?

If the photo is fully de-identified under Safe Harbor or Expert Determination, it is not PHI and authorization is not required. The practical bar is high: features specific to the patient (a distinctive tattoo, a unique scar, an unusual anatomical feature) can carry identifiability even when the face is cropped or blurred. The actual-knowledge test applies to the covered entity: if anyone at the practice can identify the patient from the photo, the photo is not de-identified. The architectural pattern errs on the side of imagery-specific authorization rather than de-identification for identifiable imagery. De-identification works for aggregated outcome graphics where no individual patient is the subject.

Stop watching your competitors rank

If your before-and-after gallery shipped photos without imagery-specific authorization, OCR enforcement and the HHS breach portal are the documented downstream.

The diagnostic audits the gallery against the 164.514 de-identification standard, builds the imagery-specific authorization form against the 164.508(c) core-element standard, and rebuilds the gallery-publication workflow so that a photo without an authorization or a documented de-identification record does not publish. Comes back inside two weeks.
