Patient Photos in Marketing Materials Pose HIPAA Risks
December 1, 2025
By Gregory Freeman
The Office of Civil Rights (OCR) recently announced a settlement with five healthcare providers in a case that illustrates the dangers of using patient photos in marketing materials. HIPAA violations are possible even when the patient photos seem innocuous and do not reveal medical information.
The settlement resolves an investigation of a health system that the OCR initiated after receiving a complaint alleging that it had impermissibly disclosed a patient’s name, photograph, and information pertaining to the patient’s conditions, treatment, and recovery in the form of a “success story” posted to the health system’s website. The OCR determined that the health system had posted protected health information (PHI) of 150 patients to its public-facing website without first obtaining a valid, written HIPAA authorization from the patients.
The resolution agreement requires the health system to pay $182,000 to the government and implement a corrective action plan that will be monitored by the OCR for two years. (The agreement is available online at https://www.hhs.gov/sites/default/files/ocr-ra-cap-cadia-healthcare-facilities.pdf.)
Many healthcare facilities, particularly those providing long-term care, post pictures to social media and in their marketing materials to show their residents are happy and enjoying their care, notes Joseph J. Lazzarotti, JD, principal with the Jackson Lewis law firm in Tampa, FL. The practice may seem harmless, and healthcare or marketing professionals might not even think there is a HIPAA concern, he says.
“I think what happens a lot of times is that these are the ones that have the relationships with the residents, and then some of the marketing people are taking photographs. For the most part, people don’t mind,” he says. “They think, ‘Ooh, it’s fun. Let’s show us at the Christmas party.’ And no one makes an issue of it. Until someone does, and then you have an issue.”
Those posting the images often assume PHI is not involved and, therefore, HIPAA does not apply, Lazzarotti says. But photos without identifiers or obvious PHI still can fall under HIPAA requirements, he says.
“Just the fact that you’re at a nursing home says something about your health condition, and that might be viewed as PHI. If you’re in a wheelchair, smiling at the Christmas party, that says something about your health,” he says. “You really have to be careful. It’s important to train people, everyone from clinical staff to the people in marketing, about how HIPAA can apply in these situations.”
One strategy is to include language in intake documents that authorizes the use of patient photos in social media and marketing materials, but Lazzarotti says such a blanket permission may not satisfy HIPAA requirements. A more effective solution is to secure permissions from individuals at the time the photos are captured, or at least after they are published, he says.
The proliferation of social media has blurred how some people perceive the need for obtaining permission, says James Chisum, vice president of Miller Geer & Associates, a marketing communications and public relations agency based in Los Alamitos, CA.
“Some people don’t perceive social media as the same as traditional media, and so there’s an assumption of a little more latitude when posting things online,” Chisum says. “They’re not doing an interview, they’re not speaking with a reporter, and we’re not unveiling any specific information, and we’re just sharing a post, right? We have conversations with physicians who have, in their excitement to tout some new technology or a milestone case, or some phenomenal outcome, are posting photos of their patients online. They may put little stars over their eyes or some other modicum of an attempt to provide some anonymity. But that just doesn’t check the box. There is a lack of understanding and sophistication around what media is and what OCR perceives as a violation of HIPAA.”
Administrators of healthcare facilities must have a full understanding of how HIPAA applies to all of their own media, Chisum says. Staff must be trained and refreshed regularly on how HIPAA applies to social media and marketing, he says.
OCR’s recent settlement reminds everyone in the healthcare field that HIPAA does not conform with technology trends, says Henry Norwood, JD, an attorney with the Kaufman Dolowich law firm in San Francisco. Rather, the trends need to conform with HIPAA.
HIPAA prohibits healthcare providers from disclosing PHI for promotional and marketing purposes without patient consent, he says. The PHI disclosed by the providers in this case was particularly problematic because the providers disclosed the patients’ treatment success stories as well as photographs of each patient, he says. The photographs would allow third parties to identify the individuals whose PHI was being disclosed.
The providers were found to be in violation of HIPAA by failing to obtain written authorization to use and disclose their patients’ PHI. The HIPAA authorization requirement requires providers to detail the PHI they intend to disclose, provide an expiration date for the intended disclosure, and explain the purpose for the disclosure, Norwood says.
“It is unclear in this situation whether the patients may have informally given verbal consent to have their success stories and photographs shared on the website, but either way, this does not comply with HIPAA and a written authorization is required,” he says.
The providers also were found to be in violation of HIPAA’s breach notification rule, which requires providers to notify all individuals impacted by a breach of their PHI, Norwood says. Because the providers seemingly were unaware that they were impermissibly disclosing PHI by posting the success stories on their website, they did not comply with the breach notification rule, he says.
“In today’s internet age, in which everyone has a microphone and content is king when it comes to marketing, OCR’s findings are an important reminder to ensure that any public displays of a patient’s identity or care from healthcare providers are compliant with HIPAA,” Norwood says. “Always check before you post.”
This settlement means that OCR treats posting “success stories” on a public website as a marketing disclosure that requires a valid, written HIPAA authorization, says Paul F. Schmeltzer, JD, member with the Clark Hill law firm in Los Angeles.
There are several important takeaways for covered entities from this settlement, he says. First, using patient stories or images to promote services is “marketing” and needs a HIPAA authorization that meets 45 C.F.R. §164.508, he says. The corrective action plan from the settlement mandates training for all workforce members, including marketing personnel, on the approved policies.
“All covered entities would be wise to train their employees and independent contractors about the risks from posting patient success stories for marketing purposes, whether that post is on the practice’s website or on social media. Additionally, if PHI was posted without authorization, it can be a reportable breach of unsecured PHI under the Breach Notification Rule,” Schmeltzer says. “Finally, covered entities should use the Cadia settlement as an opportunity to review and update their written policies to address this type of marketing activity. The covered entity should ensure there is documentation of signed authorizations, and clearly defined sanctions in policies for violations.”
Covered entities can avoid violating HIPAA in this manner by using an authorization built for marketing that is not a generic release to use the patient’s photo(s), he advises. The authorization should contain a description of the PHI to be used, who may disclose or receive it, the purpose of the use, have an expiration date, and provide the patient with the ability to revoke the authorization. The covered entity also should have written policies that ban the use of any patient identifiers unless a compliant authorization is on file, Schmeltzer says.
Featuring patient “success stories” is very commonly used in marketing by healthcare entities, but HIPAA treats this as marketing, and authorization is required unless an exception applies, he says. The recent settlement put providers on notice that photos and narratives on public sites without a HIPAA authorization are noncompliant, he says.
If a covered entity has used photos for marketing without patient consent, they should take down the content, stop further sharing, and preserve evidence for their investigation, Schmeltzer says.
“They should treat this as a potential breach of unsecured PHI and properly document their assessment,” Schmeltzer says. “If a breach occurred, the covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery. The covered entity must also notify (Health and Human Services) OCR.”
For covered entities, this settlement provides a clear example of the importance of adhering to the conditions set by the HIPAA Privacy Rule with respect to uses and disclosures of PHI, including the rules governing marketing communications, says Hillary M. Stemple, JD, partner with the ArentFox Schiff law firm in Washington, DC. Covered entities should remember that the expectations imposed by HIPAA apply to all facets of their organizations, not just those divisions using PHI for treatment, payment, or operational purposes, she says.
Marketing departments may not realize they have obligations with respect to patients’ PHI. However, with limited exceptions, HIPAA explicitly requires obtaining a valid, written authorization from a patient prior to using PHI for marketing purposes, she says.
“Essentially, the settlement is a reminder of how vital it is to have a robust HIPAA compliance program. This includes implementing role-specific training throughout organizations to account for individuals whose job functions require them to either commonly or rarely use PHI,” Stemple says. “This ensures that all workforce members understand what restrictions apply and when to ask questions or raise potential concerns to the appropriate supervisor, compliance officer, or privacy and security officers.”
From the recent settlement, covered entities should learn that they always must think about whether HIPAA applies, even for something as informal as a social media post, she says. Having a strong HIPAA compliance program helps all workforce members understand what information, photos, or combination of details constitutes PHI and triggers the requirement to secure a valid, written authorization prior to using or disclosing that information, she says.
“Consistent HIPAA training also ensures that everyone understands when an authorization is valid,” Stemple says. “This helps to avoid situations where, for example, a workforce member believes they can rely on a patient’s verbal consent for the use of PHI in marketing initiatives and then fails to obtain a valid, written authorization.”
The settlement also highlights the growing intersection of PHI and public-facing websites and apps, such as social media platforms, blogs, or other print and digital materials where patient images may appear, she says. Because more businesses rely on these platforms for marketing purposes, covered entities should continuously audit and update their internal HIPAA compliance policies to make sure there are procedures for identifying appropriate uses and disclosures of PHI like patient images, even on public-facing websites or apps.
“Such reviews should also include assessing whether the organization is using patient photos on public-facing websites and apps and whether valid HIPAA authorizations support such uses and disclosures,” Stemple says.
If a covered entity wants to use photos and images for marketing, it can minimize the risk of violating HIPAA by obtaining proactive authorizations allowing the covered entity to film or take pictures of the patient and to use such images in its marketing materials, as part of the initial patient intake or onboarding process, ensuring each patient understands that their PHI may be used in marketing campaigns in the future, she says. If it is not feasible to obtain an authorization at the time of admission, the covered entity can develop specific marketing protocols that require obtaining valid authorizations when rolling out new initiatives that involve patient photos or images, Stemple says.
“A covered entity’s marketing teams could also work with the organization’s compliance officer to develop a ‘library’ of images from patients who have signed authorizations on file granting the provider permission to use their photos or images,” she says. “This library could be maintained specifically for marketing purposes and updated with each new patient who provides the required authorization. In this case, it would also be prudent to develop policies around removing PHI from the library if explicitly requested by a patient or upon expiration of the authorization.”
It probably is common for healthcare organizations to use photos in this manner, she says. Marketing teams may no longer be relying on formal photo shoots to capture images for patient testimonials or examples of patient activities because of the convenience of using a cellphone, particularly when posting on social media, she says.
“There is a real risk that a marketing representative may take a patient’s photo using a phone without thinking about the HIPAA implications. Particularly if the marketing representative forgets to delete the photo from their phone and inadvertently shares a patient’s image or information,” Stemple says. “This is why proper training is so crucial. Not only does it help provide oversight at a company level, but it helps train individuals on how to differentiate between improper and proper uses and disclosures of PHI.”
If a covered entity finds itself in a situation where photos containing PHI have been used for marketing purposes without adequate authorization, the appropriate members of information technology or marketing should immediately remove those images from any public-facing platform and replace them either with stock images or photos of patients who have appropriately consented to their information being used in such a manner, Stemple says.
The next step would be to conduct an internal breach assessment to determine whether the unauthorized use of the photos created a reportable breach, she says. If the facts indicate that a breach occurred, the covered entity should follow the process for notifying the affected individuals of the breach. Lastly, the covered entity should develop internal policies to ensure that, going forward, valid authorizations are obtained for any patient images the entity wants to use for marketing purposes, Stemple says.
This enforcement action re-affirms that HIPAA covered entities need to look at all aspects of their business to ensure that they are not unintentionally violating HIPAA’s privacy requirements, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ.
This requires that all workforce members — even those who do not have direct contact with patients, such as marketing and business development employees — must understand their obligations under HIPAA to protect patient information, he says. HIPAA-covered entities need to make sure compliant policies and procedures are in place that address all aspects of the regulations, he says.
“Assuming good faith in what occurred, covered entities should pay attention to the fact that even well-intentioned marketing activities can fall in violation of HIPAA. Making sure to have a privacy officer involved when any patient information is used for any purpose is necessary,” Howard says. “These subject matter experts can help review and flag proposed uses of PHI to ensure compliance.”
Covered entities can avoid violating HIPAA in the way this health system did by making sure that they obtain a valid HIPAA authorization from every patient whose information they want to use in this way, Howard says. For a HIPAA authorization to be valid, it must meet the enumerated authorization requirements under the Rule.
Once this is done, and a patient has provided their authorization, the entity will be free to use the PHI, Howard says. The only catch is that they need to make sure to keep the use within the agreed-to uses in the authorization, he says.
“With the prevalence of social media, this is becoming more and more common. We will see covered entities posting this type of information for marketing, recruiting, or basic public relations fairly often,” Howard says. “Additionally, you will often see employees at healthcare facilities, such as nurses and doctors posting stories to their personal social media accounts regarding situations they run into during their work day. It is critical that all workforce members be trained in what can and cannot be posted publicly. Even a well-intentioned healthcare professional can cross the line and post information that is considered PHI and a violation of HIPAA.”
If an entity already has posted photos improperly, the first step is to take down any photos that do not have authorization to post, Howard says. Then, open an internal investigation, working with your privacy officer or other workforce member assigned oversight of compliance, and determine the facts behind the use and disclosure.
“If the photo was posted in violation of HIPAA, a determination regarding whether a breach occurred and if any notification obligations were triggered will need to be made,” Howard says. “After this is done, or ideally concurrently to the investigation, a review of applicable policies and procedures should be done to avoid any recurrence of the issue.”
Greg Freeman has worked with Clinician.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Sources
- James Chisum, Vice President, Miller Geer & Associates, Los Alamitos, CA. Telephone: (714) 496-0541.
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133. Email: [email protected].
- Joseph J. Lazzarotti, JD, Principal, Jackson Lewis, Tampa, FL. Telephone: (908) 795-5205. Email: [email protected].
- Henry Norwood, JD, Kaufman Dolowich, San Francisco. Telephone: (628) 219-9814. Email: [email protected].
- Paul F. Schmeltzer, JD, Member, Clark Hill, Los Angeles. Telephone: (213) 417-5163. Email: [email protected].
- Hillary M. Stemple, JD, Partner, ArentFox Schiff, Washington, DC. Telephone: (202) 350-3638. Email: [email protected].