HIPAA Compliance for Dermatology Practices
HIPAA guide for dermatology practices covering clinical photography, pathology coordination, and cosmetic services.
HIPAA Applicability to Dermatology
Dermatology practices are covered entities under HIPAA when they transmit health information electronically in connection with standard transactions (45 CFR § 160.103). Whether your practice focuses on medical dermatology, cosmetic procedures, or a combination of both, HIPAA compliance is mandatory if you file electronic insurance claims, submit electronic referrals, or conduct other standard electronic transactions.
Dermatology presents unique HIPAA challenges because the specialty is inherently visual. Clinical photography is a foundational tool for diagnosis, treatment monitoring, and patient education. Practices routinely capture, store, share, and sometimes publish detailed images of patients' skin, which creates significant privacy obligations. Additionally, the growing overlap between medical and cosmetic dermatology raises questions about what services and records fall under HIPAA's protection.
Unique Compliance Pressures in Dermatology
- Clinical photography is used more extensively in dermatology than in almost any other medical specialty
- Pathology coordination requires secure transmission of patient data and biopsy results between the dermatology practice and pathology laboratories
- Cosmetic services create confusion about whether HIPAA applies to non-insurance-billed treatments
- Teledermatology has expanded rapidly, introducing remote imaging and virtual consultation requirements
- Marketing pressures drive the desire to showcase before-and-after results, which directly involves PHI
- Multi-provider practices where dermatologists, physician assistants, nurse practitioners, and aestheticians work together require careful access controls
Clinical Photography
Clinical photography is central to dermatology practice. Photos are used for documenting skin conditions, tracking treatment progress, facilitating specialist consultations, and supporting insurance pre-authorizations. Under HIPAA, clinical photographs linked to patient identity are PHI and must be protected accordingly.
Consent and Authorization
There are two distinct but related requirements for clinical photography:
Clinical consent (for treatment purposes):
- Obtain informed consent to take clinical photographs as part of the patient's treatment
- This consent covers use of photos within the patient's medical record for diagnosis and treatment
- Document the consent in the patient's chart
HIPAA authorization (for uses beyond treatment, payment, and operations):
- A separate, HIPAA-compliant authorization is required if photos will be used for marketing, publications, presentations, social media, or any purpose beyond the patient's direct care
- The authorization must meet the specific requirements of 45 CFR § 164.508
- It must describe the photos, state the purpose, identify who will see them, include an expiration date, and inform the patient of their right to revoke
- The patient cannot be required to sign the marketing authorization as a condition of treatment
Storage and Security
Device management:
- Use practice-owned, encrypted devices for all clinical photography — never personal phones or cameras
- If using smartphones, deploy a HIPAA-compliant photo app that stores images separately from the personal photo library
- Enable remote wipe capability on all devices used for photography
- Disable automatic cloud synchronization to personal accounts (iCloud, Google Photos)
Digital storage:
- Store clinical photos in your encrypted EHR system linked to the patient's record
- If using a separate photo management system, ensure it is HIPAA compliant with a signed BAA
- Implement access controls so only authorized clinical staff can view patient photos
- Maintain audit logs of photo access and downloads
- Back up photo data with encryption
Metadata protection:
- Clinical photos often contain EXIF metadata including GPS coordinates, device information, and timestamps
- Strip or protect metadata before storing or sharing images
- Ensure metadata does not inadvertently reveal patient location or other identifying information
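The stripping step above, as an added example that is not part of this guide or any vendor tool: a standard-library JPEG segment walker that drops the APPn (Exif, XMP) and COM segments carrying GPS, device and timestamp tags, while copying the image data through untouched. The marker constants follow the JPEG specification; the sample file at the bottom is constructed for the example and is structurally valid but not a decodable picture.

```python
import struct

SOS, EOI = 0xDA, 0xD9
STANDALONE = {0x01} | set(range(0xD0, 0xD8))        # TEM, RST0-7 carry no length
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}  # APP0-APP15 and COM

def _walk(data: bytes):
    # Yield (marker, start, end) per segment after SOI, up to and including SOS;
    # the scan data after SOS has no length field, so that entry runs to the end.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte between segments
            pos += 1
            continue
        if marker in (SOS, EOI):
            yield marker, pos, len(data)
            return
        length = 0 if marker in STANDALONE else struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if end > len(data) or (length and length < 2):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS or EOI marker found")

def strip_jpeg_metadata(data: bytes, keep_jfif: bool = True) -> bytes:
    # Drop APPn/COM segments (Exif GPS, camera model, timestamps, XMP, comments).
    # The APP0 JFIF header carries no patient data and some viewers expect it.
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _walk(data):
        is_jfif = marker == 0xE0 and data[start + 4:end].startswith(b"JFIF\x00")
        if marker in METADATA_MARKERS and not (keep_jfif and is_jfif):
            continue                              # metadata segment: not copied
        out += data[start:end]
    return bytes(out)

def list_segments(data: bytes) -> list:
    # Marker bytes in file order, ending with SOS; handy for verifying a cleaned file.
    return [m for m, _, _ in _walk(data)]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: valid marker layout (not a decodable picture) with a JFIF
# header, an Exif block standing in for GPS/camera/timestamp tags, and a comment.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00<GPSLatitude/Model/DateTime tags>")
    + _seg(0xFE, b"room 2 camera")                         # COM
    + _seg(0xDB, b"\x00" + bytes(64))                      # DQT
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")  # SOF0, 8x8 grayscale
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
    + b"\x2a\x7f\xff\xd9"                                  # scan data + EOI
)
```

Run `strip_jpeg_metadata` on every image before it leaves the capture device or is exported from the EHR, and keep `list_segments` as the check that only image segments remain.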
Sharing with Specialists
Dermatologists frequently share clinical images with other specialists for consultations:
- Use secure, encrypted channels for sharing images — HIPAA-compliant messaging or EHR-integrated image sharing
- Never send clinical photos via standard text message or unencrypted email
- When using store-and-forward teledermatology platforms, ensure the platform has a signed BAA
- Document all image sharing in the patient's record, including what was shared, with whom, and the purpose
- Apply the minimum necessary standard — share only the images relevant to the consultation
Pathology Coordination
Dermatology practices regularly coordinate with pathology laboratories for biopsy processing and histopathological analysis. This coordination involves significant PHI exchange that must be managed compliantly.
Biopsy Results and Lab Reports
Sending specimens and information to the lab:
- Biopsy requisition forms contain PHI (patient name, date of birth, clinical history, suspected diagnosis)
- Requisition forms must be transported securely — sealed in tamper-evident packaging
- Electronic requisition systems must be HIPAA compliant with encryption and access controls
- The pathology lab is a business associate and must have a signed BAA
Receiving results:
- Pathology reports contain highly sensitive information including diagnoses (e.g., melanoma, basal cell carcinoma, squamous cell carcinoma)
- Electronic reports must be received through secure channels
- Faxed reports should be received on a secured fax machine in a restricted area
- Reports must be reviewed promptly and filed in the patient's secured record
- Abnormal results requiring urgent follow-up must be communicated to the patient through appropriate, secure channels
Secure Transmission
- Use encrypted electronic pathology interfaces when available
- If using a pathology lab's web portal, ensure it meets HIPAA security standards
- Document all pathology communications in the patient's record
- Implement tracking systems to ensure all biopsy results are received, reviewed, and acted upon
- Flag unreceived results to prevent lost specimens or missed diagnoses
Multiple Lab Relationships
Many dermatology practices use multiple pathology labs (e.g., general pathology, dermatopathology specialists, immunohistochemistry labs):
- Maintain signed BAAs with each laboratory
- Ensure each lab's electronic systems are compatible with your security requirements
- Track which labs are used for which patients and specimens
- Verify that all labs maintain appropriate HIPAA compliance
Cosmetic vs. Medical Services
Dermatology practices often provide both medical and cosmetic services. Understanding how HIPAA applies to each category is essential for proper compliance.
Medical Dermatology (Always Covered by HIPAA)
Medical dermatology services are clearly subject to HIPAA. These include:
- Diagnosis and treatment of skin diseases (eczema, psoriasis, acne, rosacea)
- Skin cancer screening, diagnosis, and treatment
- Biopsy and pathology services
- Treatment of infections, allergies, and autoimmune conditions
- Mohs surgery and other medically necessary surgical procedures
- Prescription medications for skin conditions
All records, imaging, and communications related to these services are PHI and must be fully protected.
Cosmetic Services (HIPAA Still Applies)
A common misconception is that cosmetic services fall outside HIPAA because they are not medically necessary or insurance-billed. This is incorrect.
HIPAA applies to cosmetic services when:
- A licensed healthcare provider performs or supervises the service
- The practice is a covered entity (which it is if it files any electronic claims)
- Health information is collected as part of the cosmetic service (medical history, allergy information, current medications, pre-treatment assessments)
Examples of cosmetic services subject to HIPAA in a dermatology practice:
- Botox and dermal filler injections
- Chemical peels performed by clinical staff
- Laser treatments for cosmetic purposes (hair removal, skin resurfacing, tattoo removal)
- Body contouring treatments
- Cosmetic surgical procedures
The key principle: If a cosmetic service is provided by a covered entity and involves collecting or maintaining health information, HIPAA applies. The fact that insurance does not pay for the service is irrelevant to HIPAA applicability.
Separate Cosmetic Entities
Some dermatology practices establish separate legal entities for cosmetic services to potentially limit HIPAA applicability. This strategy has significant legal complexity:
- The separate entity must be truly independent — separate EINs, separate medical records, separate billing systems
- If the same providers work in both entities and share information, HIPAA may still apply
- Consult with a healthcare attorney before pursuing this approach
- Even if technically separate, maintaining HIPAA-level protections for all patient data is a best practice
Teledermatology Compliance
Teledermatology has grown significantly, offering patients convenient access to dermatological care through virtual consultations and remote image review. Both synchronous (live video) and asynchronous (store-and-forward) teledermatology must comply with HIPAA.
Synchronous Teledermatology (Live Video)
Platform requirements:
- Use a HIPAA-compliant video platform with end-to-end encryption and a signed BAA
- Ensure the platform supports access controls and audit logging
- Consumer video apps (Zoom free tier, FaceTime, Skype) are generally not HIPAA compliant
- Test platform security before deploying for patient care
Provider environment:
- Conduct virtual visits from a private, secured location
- Ensure your screen is not visible to unauthorized persons
- Use headphones to prevent others from hearing the patient
- Secure your internet connection and avoid public Wi-Fi
Documentation:
- Document the patient's informed consent for telehealth
- Note the patient's location at the start of each session
- Maintain the same clinical documentation standards as in-person visits
- Record any limitations of the virtual examination
Asynchronous Teledermatology (Store-and-Forward)
Store-and-forward teledermatology involves patients or providers submitting clinical images for review at a later time. This modality has specific HIPAA considerations:
- Images submitted through store-and-forward platforms are ePHI
- The platform must encrypt images in transit and at rest
- A signed BAA is required with the platform provider
- Access to submitted images must be restricted to authorized providers
- Images must be incorporated into the patient's medical record
- Patients submitting images through a portal must be authenticated before they are given access to it
Patient-Submitted Photos
Increasingly, patients send photos of skin conditions via patient portals, secure messaging, or (problematically) regular text and email:
- Encourage patients to use the practice's secure patient portal for submitting images
- If a patient sends photos via unsecured channels (text, email), incorporate them into the record and educate the patient about secure alternatives
- Establish a clear policy for handling patient-submitted images
- Do not ask patients to send photos via standard text message or unencrypted email
Before/After Photos for Cosmetic Procedures
Before-and-after photography for cosmetic dermatology procedures follows the same HIPAA authorization requirements outlined for clinical photography, with additional marketing considerations.
Authorization for Marketing Use
- Obtain a specific, HIPAA-compliant authorization before using any before/after photos for marketing
- The authorization must specify each intended use (website, social media, brochures, presentations)
- Separate authorizations may be needed for different platforms or uses
- The patient must be able to revoke authorization at any time
- Upon revocation, remove photos from all platforms where they appear (within a reasonable timeframe)
De-identification for Research and Education
If you want to use clinical images for research, publications, or education without patient authorization, you must fully de-identify them:
- Remove all patient identifiers from the image and metadata
- Crop or obscure identifying features (face, tattoos, birthmarks, unique scars) unless the area is the subject of the photo
- Ensure the image cannot be linked back to the patient through any means
- Follow de-identification standards under 45 CFR § 164.514
Skin Cancer Screening Records
Skin cancer screening and monitoring records deserve special attention due to their longitudinal nature and the critical importance of accurate documentation.
Full-Body Photography
Many dermatology practices use total body photography for melanoma surveillance:
- Full-body photos are highly sensitive PHI — they contain extensive identifying information
- Store these images with the highest level of security — encryption, restricted access, strong audit controls
- Limit access to authorized clinical staff with a direct care relationship
- Never use full-body surveillance photos for marketing or educational purposes without robust de-identification and explicit authorization
- Clearly separate surveillance images from any marketing-approved photos
Mole Mapping and Longitudinal Tracking
- Mole mapping records linking images to anatomical locations are detailed ePHI
- Sequential images used for monitoring changes must be stored securely over time
- Ensure backup and disaster recovery plans include these critical longitudinal records
- When patients transfer care, these records must be made available under the Right of Access
Multi-Provider Practices
Dermatology practices often include multiple dermatologists, physician assistants, nurse practitioners, and aestheticians. Managing access and privacy in multi-provider settings requires careful planning.
Access Controls
- Implement role-based access so each team member can access only the information necessary for their duties
- Physicians and clinical providers may need access to complete medical records
- Aestheticians providing cosmetic services may need limited clinical information
- Administrative staff should have access appropriate to their billing, scheduling, or records management functions
- Review access permissions regularly and adjust as roles change
Shared Clinical Spaces
- If multiple providers share exam rooms, ensure patient information from one provider's patient is not visible when another provider uses the room
- Log out of all systems between patients
- Secure any paper records before leaving the exam room
- Clean whiteboards or other visible information surfaces between patients
Internal Communications
- Discuss patient cases in private settings (closed-door meetings, secure messaging)
- Do not discuss patient details in hallways, break rooms, or elevators
- Use secure, audited messaging systems for internal clinical communications
- Grand rounds and case conferences should use de-identified information where possible; otherwise, confirm that every attendee has a legitimate purpose for accessing the information
Staff Training for Clinical vs. Cosmetic Staff
Clinical Staff (Dermatologists, PAs, NPs, Medical Assistants)
- Proper clinical photography protocols (devices, consent, storage)
- Pathology coordination security (secure requisitions, result handling)
- Documentation security in shared clinical spaces
- Teledermatology compliance requirements
- Patient rights and access requests
- Minimum necessary standard for disclosures to labs, specialists, and insurers
Cosmetic and Aesthetic Staff (Aestheticians, Cosmetic Coordinators)
- Understanding that HIPAA applies to cosmetic services
- Before/after photo authorization requirements
- Social media and marketing restrictions
- Patient privacy during cosmetic consultations
- Handling cosmetic treatment records
Front Desk and Administrative Staff
- Check-in privacy in waiting areas
- Insurance verification and billing security
- Phone and electronic communication protocols
- Record release procedures
- Payment processing security
All Staff
- What constitutes PHI and the obligation to protect it
- How to recognize and report potential breaches
- Sanctions for HIPAA violations
- Social media policies — never post patient information
- Annual refresher training requirements
- Document all training with signed acknowledgments and retain for six years
How HIPAA Agent Helps Dermatology Practices
HIPAA Agent provides AI-powered compliance tools designed for dermatology workflows:
- Clinical photography compliance tools to manage consent, authorization, storage, and sharing protocols
- Pathology coordination checklists to ensure secure specimen and result handling
- Cosmetic service guidance clarifying HIPAA applicability to non-insurance services
- Teledermatology compliance assessments for both synchronous and asynchronous platforms
- Multi-provider access management guidance for practices with diverse clinical teams
- Security Risk Assessments tailored to dermatology practice environments including imaging systems and lab interfaces
- Staff training modules with separate tracks for clinical, cosmetic, and administrative staff
- Marketing compliance reviews for before/after photo usage and social media activities
Frequently Asked Questions
Are clinical photos of skin conditions considered PHI?
Yes. Any clinical photograph that can be linked to a patient's identity — through facial features, identifying marks, metadata, or association with patient records — is PHI under HIPAA. Even photos of skin conditions on areas that might not seem identifying (a hand, a back) are PHI if they are linked to the patient's name, record, or other identifiers.
Do I need a BAA with my pathology lab?
Yes. Any pathology laboratory that receives patient specimens, requisition forms with patient information, or provides reports containing patient data is a business associate and must sign a BAA. This applies to all labs you work with, including dermatopathology subspecialty labs.
Can I use patient before-and-after photos in a medical journal article?
For publication in a medical journal, you should either obtain a HIPAA-compliant authorization from the patient specifically permitting use in professional publications, or fully de-identify the images so that the patient cannot be identified. Most medical journals have their own consent and de-identification requirements that align with or exceed HIPAA standards.
Does HIPAA apply to cosmetic Botox and filler treatments?
Yes. If your dermatology practice is a covered entity (which it is if it files electronic claims for any services), all health information collected in connection with any service — including cosmetic Botox and fillers — is PHI. The fact that these services are not billed to insurance does not exempt them from HIPAA.
How should I handle patient photos sent by text message?
If a patient sends photos via text message, you should incorporate the images into their medical record through your secure EHR system, then delete them from the phone. Educate the patient about using the secure patient portal for future photo submissions. Establish a clear policy prohibiting staff from requesting photos via text message, and document your policy for handling unsolicited text photos.
Can I use a personal phone to take clinical photos?
This is strongly discouraged. If personal phones must be used, they must have mobile device management (MDM) installed, encryption enabled, remote wipe capability, and a HIPAA-compliant photo application that separates clinical images from personal photos. The best practice is to use dedicated, practice-owned devices for all clinical photography.