Title
Adams School of Dentistry: Policy on Photography of Patients
I. Introduction
Purpose
The purpose of this Policy is to establish reasonable measures to regulate the creation, use, and disclosure of patient images at the UNC Adams School of Dentistry.
Scope
This Policy applies to all UNC Adams School of Dentistry personnel who create or otherwise have access to patient images.
II. Definitions
- Clinical photography: photographs or video recordings made of patients during the course of their evaluation or treatment.
- De-identified: health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
III. Policy
A. Policy Statement
All photographs of patients must be created for a legitimate Adams School of Dentistry business purpose and stored using appropriate technical safeguards. Except as permitted by the HIPAA Privacy Rule (e.g., for treatment, payment, or health care operations), patient images that are not de-identified cannot be used or disclosed unless the patient has signed a valid authorization.
1. Legitimate Business Purpose
Clinical photography is often appropriate and necessary for the identification, diagnosis, evaluation, management and/or treatment of health conditions. Accordingly, the general consent to treatment includes the patient's consent to take and use photographs for treatment, payment, or health care operations purposes, including the education and training of Adams School of Dentistry students and other personnel in the practice of health care. In addition, photographs may also be taken for research purposes, provided this is done in a manner consistent with the University's Institutional Review Board (IRB) requirements. Patients must give their written permission before they may be photographed for other business purposes, such as for marketing or public relations.
It is inappropriate to photograph a patient for personal reasons (including patients who are family or friends of the provider).
2. Appropriate Technical Safeguards
All photographs of patients must be taken using a device that is owned or approved by the School. Once created, patient images must be stored to a University-approved secure environment as soon as practicable and deleted from the device on which was created.
a. School-Owned Devices
School-owned camera devices are encouraged as the most appropriate means to create patient images. Department Chairs and Heads of other administrative units are responsible for ensuring that devices used in their area are appropriately handled in accordance with the requirements above.
b. Personally-Owned Devices
Under no circumstances may patient images be stored locally on a personal smartphone or tablet. Since many smartphones automatically backup data to third party cloud services, storing images on a local device could lead to unauthorized disclosure. In addition, personal smart devices may not be used to create photographs of patients unless:
- using a mobile application specifically designed to interface photos with Epic (e.g., Haiku or Canto) that does not store images locally; and
- the device complies with the University's IT Security Controls Standard.
Other personally-owned camera devices (e.g., cameras required by residency programs) may be approved for patient photography only if:
- the SD card contained within the device that will be used to store patient images is owned by the School; and
- the device owner agrees in writing that patient images will be appropriately secured, including but not limited to, keeping SD cards on Adams School of Dentistry premises at all times.
B. Exceptions
When providing or supervising patient care at UNC-Health Care (UNCHCS), Adams School of Dentistry personnel should adhere to relevant UNCHCS privacy and security policies.
External media representatives wishing to photograph patients must obtain approval from the Public Affairs and Marketing Team. External media representatives may not photograph or record patients without the patient's prior written permission as coordinated through the Public Affairs and Marketing Team (see attached External Media Release form). Once signed, the form is to be uploaded to the patient's dental record.
IV. Related Requirements
A. External Regulations and Consequences
- UNC-Chapel Hill Policy on the Privacy of Protected Health Information
- UNC-Chapel Hill Policy on Information Security
- UNC-Chapel Hill Information Classification Standard
- UNC-Chapel Hill Information Security Controls Standard
- UNC-Chapel Hill Standard for the Transmission of PHI and SI Over an External Network or Unsecure Medium
B. Unit Policies, Standards, and Procedures
- UNC Adams School of Dentistry Policy on the Use of Social Media
V. Contact Information
Topic, Title, and Contact Info Table
Topic |
Title |
Contact Info |
Appropriate Technical Safeguards |
Assistant Dean for IT (VACANT)
ASOD HIPAA Security Officer
|
INTERIM
phani_bolisetty@unc.edu
|
External Media Representatives |
Director for Marketing and Communications |
Mary_Erskine@unc.edu |