Department: UW School of Dentistry IT Services
Policy Number: SP-06
Effective Date: 6/2/2016
Revision Date: 10/3/2023
Reviewer: Rob Brown
- To provide guidance to faculty, staff, and students of University of Washington School of Dentistry (UWSOD). Specifically, this policy outlines the appropriate capture, storage, transfer, and use of clinical photographs, recorded audio, and/or video in classrooms, conference rooms, auditoriums or public spaces on campus.
- To facilitate compliance with the Health Insurance Portability and Accountability Act (HIPAA) standards for Privacy of Individually Identifiable Health Information (Privacy Standards).
- To establish guidelines for situations where individuals may or may not be photographed, video or audio recorded within UWSOD.
- To address use of Authorizations
- To address use of devices such as cell phones, cameras, web cams, laptops and other devices, and software applications that record images, audio or video.
Protected Health Information (PHI): A subset of individually identifiable health information maintained in health records and/or other clinical documentation in either paper-based or electronic format. Includes any information that relates to “the individual’s past, present, or future physical or mental condition” and “that identifies the individual or for which there is reasonable basis to believe it can be used to identify the individual.”[i]
Consent: the individual’s or their legal representative’s written acknowledgement and/or agreement of the use and/or disclosure of protected health information for treatment, payment, or health operations purposes or other reasons permitted by the HIPAA Privacy Rule.
Photography: recording an individual’s likeness (i.e. image, picture) using photography (e.g. cameras, cell phones), digital imaging (e.g., digital cameras, web cameras) or other technologies capable of capturing an image (e.g., Skype).
Covered entity: Individuals, organizations, and agencies that under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.[ii]
Privacy Rule: Part of HIPAA, this rule regulates the use and disclosure of PHI held by “covered entities” A covered entity may use or disclose PHI to facilitate treatment, payment, or health care operations without a patient’s express written authorization.[iii]
Business Associate: is a person or entity (with written agreement called a Business Associate Agreement, or BAA) that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or which provides services to, a covered entity. As allowed by the HIPAA Privacy Rule, a Business Associate must safeguard information from misuse, thereby aiding the covered entity’s duties under the Privacy Rule. [iv]
Workforce members: includes, faculty, affiliate faculty, staff, volunteers, business associates and all those employed by UWSOD.
Photographs, video and audio recordings can provide great academic value. Today, digital media and technology greatly influence communication. Over 90% of cell phone users in the US take photographs or videos on their phone. Photo and video apps are more popular than ever. In dentistry especially, the use of photography and video has become an indispensable part of dental education. At UWSOD. photography, audio, and video recording are convenient, effective, and a highly popular means of learning. Students frequently are required to take pictures of patients (e.g., teeth, mouths, etc.). Students also are often required to videorecord patient encounters and interactions for educational purposes. This facilitates student learning and supports broad peer review.
Patient privacy and security must be maintained
With all the benefits of photography, video, audio recording, potential risks to patients’ rights and privacy exist if appropriate protection measures are not adopted. The UWSOD recognizes that people can be particularly sensitive about their dental information. Even if PHI is not identifiable, it is important to be respectful. Therefore, it is essential that all attempts be made to adhere to ethical and legal principles for protecting patient health information.
With this policy document, the University Washington School of Dentistry (UWSOD), takes reasonable steps to protect patients and other individuals from unauthorized photography, video, or audio recordings.
Use of photographs, video or audio recordings containing PHI, for student education, are limited to UWSOD designated education purposes. Patient-identifiable photographs are considered PHI and may not be used outside the UWSOD without the following conditions being met:
- The release of patient-identifiable images was authorized in advance by the patient, in writing, using a UWSOD HIPAA-compliant Authorization form; and
- The original images are and remain under the direct control of a UWSOD Faculty or administrative representative.
The audio or video recording policies outlined in this policy must be followed by students and workforce members at UWSOD. Failure to follow the policy may result in disciplinary action.
UWSOD shall post this Photography and Recording Policy on the UWSOD policy web.
Student and workforce members are encouraged, wherever and whenever possible, to use only designated UWSOD devices for photography, video, and/or audio recording patients. When using personal cell phones, cameras, video recorders, and/or audio recorders, individuals must ensure, where possible, that the devices and storage are strongly encrypted. Do not use personal devices to capture patient-identifiable images that automatically upload images or other recordings to the Cloud—such transmissions could likely violate HIPAA. Additionally, because of security and HIPAA concerns, do not use wireless SD cards to capture PHI. Images/recordings should be transferred as soon as possible to UWSOD protected share drives or to the actual patient’s electronic health record. The original files should be permanently deleted from the device on which they were captured as soon as feasible and no later than seven calendar days.
UWSOD maintains various facility-owned recording and photography devices for student and workforce member use. This includes DSLR cameras and iPads. It is recognized that not every device supports encryption. In these cases the user should transfer files onto other encrypted storage such as axiUm or a secure share drive as soon as possible. The original files should be permanently deleted from the device on which they were captured.
UWSOD supports student and workforce member recording and photography for purposes of learning as long PHI remains protected, encrypted, and not shared with unauthorized individuals.
Efforts to minimize capture of PHI should be followed by UWSOD students and workforce members. To do so the SOD students and workforce members should follow procedures to minimize the collection of possible PHI.
Responsible, physical security measures should be taken by users. UWSOD iPads and other devices should be locked in a drawer or cabinet and reasonably secured between uses. Leaving devices in a car or gym locker (even if locked) is not considered an adequate security measure.
Content (video, audio, or photographs) should be stored on encrypted devices or memory cards, or on a UWSOD server. Students and staff can use UW OneDrive for Business to store their specific recordings, if needed.
Storage content must be deleted timely. Students must not store content for any longer than it is necessary (e.g. when using iPad for video recording, a student should delete video after basic editing and transfer to UWSOD secure servers). The student or the person copying content is responsible for making sure the content copied to computer for educational purposes is deleted when it is no longer needed. Content should not be accessed by unauthorized users.
Consent must be obtained prior to any recording or photographing. UWSOD is required by law to protect the privacy of patient information and provide notice about its privacy practices.
All patients or patient guardians receive a “Notice of Privacy Practices” upon joining UWSOD. The “Notice of Privacy Practices” includes a statement that patients may be photographed and that images and/or video recordings may be used for educational purposes. Upon signing, patients agree to care and consent to being photographed or recorded for educational purposes. For use of any UWSOD patient-identifiable images outside of the UWSOD (e.g. social media, peer presentations, published papers, etc), a HIPAA-compliant authorization must be obtained from the patient and retained in the patient’s electronic health record
All students and workforce members must complete HIPAA training prior to making or working with any patient recordings or photographs.
UWSOD permits the sharing of protected health information (PHI) with authorized UWSOD users, including affiliated institutions business associates, other healthcare providers involved in the treatment of our patients, and others.. See here for a more comprehensive list. For videos stored on UWSOD servers, permissions should be set on the folder that restrict access to operator, students and other relevant workforce members only.
Files stored on UW OneDrive can be shared with other UWSOD users, if needed. Files on OneDrive should at no point be shared with non-UWSOD students or workforce members, nor be shared publicly.
Photography, video, audio containing PHI or any other PHI may not be sent via personal email (e.g., Hotmail, Gmail, Yahoo mail, or any other commercial account) since UWSOD does not have a business associate agreement with such entities. Unencrypted data emailed through these types of servers could be accessed publicly. Sending unencrypted PHI through such accounts could constitute a violation of patient privacy.
Photography, video, audio or any other PHI may only be stored using Microsoft OneDrive. UWSOD has a business associate agreement with Microsoft and storage on the UWSOD’s Microsoft OneDrive is considered HIPAA-compliant.
Storing PHI on third party servers could constitute a violation of patient privacy.
Students and workforce members must adhere to UWSOD social media policy with regard to digital media capturing or sharing. Students and workforce members shall not use UWSOD PHI for any personal or private social media sites.
Photo and Video Releases (Authorizations)
Use these forms to obtain proper authorization when images or recordings of a UWSOD patients, faculty or staff will be shared outside of the UWSOD:
- UW Faculty, Staff & Student Photo Release (one time waiver) (PDF) for photos/video of workforce (faculty, students and staff). This is a one-time waiver for miscellaneous purposes.
- UW Faculty, Staff & Student Photo Release (for publications) (PDF) for photos/video of workforce (faculty, students and staff). Use this to authorize the use of photos of faculty, staff or students in a specific publication(s).
[i] US Department of Health and Human Services. Guidance regarding methods for de-identification of protected health information in accordance with HIPAA privacy rule. Obtained from https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.
[ii] US Department of Health and Human Services. Covered Entities and Business Associates. Obtained from http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
[iv] US Department of Health and Human Services. Business Associates. Obtained from: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/