ClickCare Café

Are You Making HIPAA Mistakes in Sending Medical Photos Online?

Posted by Lawrence Kerr on Thu, Feb 13, 2014 @ 08:54 AM

babyemail resized 600

(Reviewed and updated May 18, 2016)

Recently, we've shared our suggestions on how to share patient files securely and the best ways to take medical photos. From those posts, an additional question came up from our readers who are using technology but still trying to stay HIPAA secure...

How do I send medical photos securely over the internet?

Good question! Many of the tactics for staying HIPAA-safe while sending medical photos over the internet came up in our recent posts, but there are a couple of specific things to keep in mind.

When sending medical photos on the internet, don't make these HIPAA mistakes:

  • Texting from your phone. As with texting patient information, you can't text photos unless you use a secure service. Merely texting from your smartphone definitely won't do the trick when it comes to HIPAA, even if it's just a patient photo (without their record.) 
  • Saving photos on your camera roll. Few people realize that the camera roll on your smartphone is not HIPAA-secure. ClickCare uses a HIPAA-secure camera roll for that very reason.
  • Sending photos via email. Email isn't HIPAA-secure, even "secure" email. If you're looking for the kind of sharing that email and photos can give you, consider doing medical collaboration with a hybrid store-and-forward telemedicine platform, which can let you share photos while not running afoul of HIPAA. 
  • Leaving them on your data card. A final thing to be careful of is the data card in your digital camera. If you store your data card in a place where people can get to it, or you're sharing your camera with other people, that data card is not HIPAA secure. The system we recommend is to erase the data card as soon as you've uploaded your photo to the secure sharing platform you're using. 
  • Saving them on your hard drive. As safe as it may seem, in most contexts it is not HIPAA-compliant to leave patient photos on your computer's hard drive. So use the same protocol as with a data card -- erase the photos as soon as they're uploaded to your telemedicine platform. Did you know your copier also has a hard drive - the old way may not be so safe either!


For an in-depth look at HIPAA mistakes you might not know about, get our guide:

New Call to action

Image courtesy of ben_grey on, used under Creative Commons rights.


Tags: iPhone photography, Medical iPhone Photography, medical collaboration software, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images, mhealth, iPhone medical apps, medical photography

How to send patient files without HIPAA headaches

Posted by Lawrence Kerr on Wed, Jan 29, 2014 @ 08:38 AM


patientfiles resized 600


A colleague of mine works in the Appalachian mountains. She's a committed practitioner who works with rolling green hills out the window, cultivates close relationships with every patient, and has a great breadth of skill.

What she does not have nearby is a Diabetes specialist. The closest Diabetologist is in Washington, DC, more than 3 hours away. And whenever a consult is needed, the specialist inevitably wants a long look at the patient files before offering advice. So when my friend in Applachia needs to get a consult and so needs to "share" the patient file with that specialist, she usually does it by driving the 200 miles to his office.

Recently, however, this provider asked me if there is any better way: "Can I upload and share patient files using telemedicine?" The answer is yes. There are certainly ways to use today's technology to safely and efficiently share patient files with colleagues, without running afoul of HIPAA -- or having to drive 3 hours. However, there are some key things to keep in mind so that patient data stays safe and the provider doesn't run into hassles.

How to send patient files without HIPAA headaches:

  • If it doesn't promise it is HIPAA-compliant, don't use it. We hear providers talking about using Google Docs, Dropbox, text messaging, email, and even Facebook to send patient information. The problem with every single service in that list? They're not HIPAA-compliant. Stay away from these platforms when it comes to patient data, and only use a medium that promises to keep you, and the patient, safe. 
  • Consider hybrid store-and-forward telemedicine. Because it is a hybrid store-and-forward model, when you upload a PDF of a patient file to ClickCare (or send questions, pictures, or video), the consulting provider doesn't have to be available on your timeframe. The data will sit there until they're ready to review -- safely -- and you can review their response on your own time as well. 
  • If you're texting, do it securely. Although regular text messages are not secure and can't be used for patient information, there are secure text messaging services available. So if you don't need to send a full patient file, don't need to include pictures, and don't need to review treatment or teach, secure text messaging can be a good way to go.
  • Be skeptical of the "easy way." The two most common ways that providers share patient information are either by driving patient files to other offices or talking about histories and conditions in the elevator. Driving, of course, is a huge time-waster and isn't scalable or sustainable. And it turns out that provider-to-provider conversations in the elevator are actually the most common HIPAA breach. So while we always encourage face-to-face conversations with colleagues -- in the elevator, or elsewhere -- we suggest using those conversations to connect as people... and use the technology available to send the actual patient information. 


Looking for more guidance on staying HIPAA-safe?

Download Quick Guide HIPAA Toolkit



Image courtesy of stephanieasher on, used under Creative Commons rights.

Tags: collaboration, hybrid store and forward medical collaboration, medical collaboration software, HIPAA Collaboration, HIPAA secure images

How Secure are Your Medical Photos on the iPhone?

Posted by Lawrence Kerr on Thu, Jan 16, 2014 @ 08:34 AM

iclickcare iphone visit pic 300dpi 2 copy copy


Increasingly, taking photos is a part of our lives. We snap photos when we're out at dinner or on a trip. And we certainly want to take a picture when we see an interesting case or need to remember or share something about a patient.

With the significant fines and punishments for HIPAA violations, however, medical photography on your iphone or smartphone brings up a several HIPAA compliance and security issues:

  • If your phone gets lost, all photos on your camera roll are insecure
  • Once a photo is on your phone, it is tempting to email or text it, both of which are in conflict with HIPAA.
  • Photos on your camera roll may be susceptible to access by apps that are not HIPAA compliant.

So what is a person to do? It seems ridiculous to choose not to use technology in service of patient care. Here is the good news: you can and should use your iPhone or other smartphone for medical photography. In fact, we think that medical photography is a simple, powerful way to improve how we care for patients and make our lives as providers a little easier.

So here is a checklist to make sure that your medical photos are secure and useful:

  • Understand HIPAA. You don't need to drive yourself crazy, but a little understanding of the fines and penalties goes a long way 
  • Never put patient photos into your regular camera roll. Sometimes smartphone apps (with the exception of iClickCare) pull from your camera roll-- even sharing pictures without your knowledge. And even if that doesn't happen, your camera roll only has one layer of security -- the login password on your smartphone. So when dealing with patient photos, we recommend using a secure app like iClickCare that doesn't ever save photos to your camera roll. You'll know your pictures are safe, and used only for your purposes. 
  • Use some overall security strategies so you don't have to worry. When your technology is more secure overall, your photos are more secure, too. 
  • Don't email photos. Email is never a secure way to collaborate. 
  • Use apps that are explicitly HIPAA-secure. When you do collaborate, only use collaboration platforms that explicitly promise HIPAA security.


Security issues aside, we all want our medical photos to be a little bit better. Get the first chapter of our book on iphone photography for free:


medical photography introductory chapter

Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, best medical apps, clinical photography, medical photography, clickcare, telemedicine law

3 Simple Ways to Stay HIPAA Compliant

Posted by Lawrence Kerr on Fri, Jan 03, 2014 @ 08:28 AM

hipaasafelock resized 600


As we transition out of the holidays and into the new year, we start to move faster. Our days are busy, we're preparing for yearlong projects, and patients are packed into the schedule following vacations.

In our practice, we've noticed that as we start to move faster, details suffer. The first detail to go? HIPAA compliance. And despite our prioritization of patient care, HIPAA violations are no minor consideration, as we all have come to know

So as the 2014 kicks into gear, we wanted to share our favorite easy tips for staying HIPAA safe and compliant.

3 simple ways to stay HIPAA compliant:

  • Only use apps that promise HIPAA compliance. Some apps may feel safe, or even say they are "secure", but unless they explicitly promise they are HIPAA-compliant or HIPAA-secure, we'd be wary.
  • Focus on patient communication. Patient communication is one of the places where providers tend to get a little lax with their HIPAA considerations, just because it feels like regular communication. But a few simple practices can keep your patient communication simple, personal -- and HIPAA safe. 
  • Check your email settings. Although email can't be used for medical collaboration, we use it for so many things that HIPAA complications can sneak in. So we created a guide to make sure your settings help you, rather than hinder.  

We've found that small ways of keeping on top of regulatory issues end up keeping us on track even better than more intensive strategies. So keep it simple -- and stay HIPAA safe. 

Telemedicine can bring HIPAA issues, but doesn't have to. Get our guide here:


ClickCare Quick Guide to Telemedicine

Tags: HIPAA, communication with patients, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images

Getting Started Simply: HIPAA for Dentists

Posted by Lawrence Kerr on Mon, Nov 04, 2013 @ 08:54 AM


HIPAA compliance represents society


We've heard from many of our dentist colleagues that there is increasing pressure to be HIPAA-compliant. Some dentists are choosing to hope for the best and keep using email to communicate about patients. Others are spending upwards of $100,000 to hire HIPAA consultants.

Forget secure email, that is not the answer to keeping you safe. You need to bring your entire office into compliance with HIPAA. 

Here is a brief summary and a tool for how to start the process immediately and quickly, without expensive and slow consultants. You will eventually need more, but this is a start. As you read this, please be aware that we are not lawyers, we do not represent the government, and that this post is merely a place to start. Because our iClickCare Hybrid Store-and-Forward collaboration service was developed from the onset with HIPAA in mind, we want to share some time-saving experience with you. At the end of this post is a link which will bring you to a more complete framework and a tool which reduces 492 compliance questions to only 32

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 Rule? Increasingly, understanding and adapting to these laws is the only way to care for our patients -- and protect ourselves.

What you need to know about the health privacy laws that affect you as a dentist:

  • HIPAA was passed in 1996. The internet bubble was expanding. The world wide web was born. What about our privacy? The Health Information Portability and Accountability Act came into being. It mandates electronic processes to protect health information. It controls everything from digital electronic information to paper charts to locks on doors and conversations.
  • HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009. It stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides penalties for not using them and markedly increases fines and jail terms for disclosure of health information.
  • Omnibus Rule 2013. In 2013, HIPAA was amended with the final rules that expand and detail the reach of the act -- these additional regulations are termed the "Omnibus Rule." The Office of Civil Rights of the Department of Health and Human Services summarized the over 500 pages of Omnibus Rule with four final rules that:
    • Make Business Associates of Covered Entities directly liable for compliance.
    • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    • Expand individuals' rights to receive electronic copies of their health information.
    • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    • Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
    • Adopt the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. 
    • Replace the breach notification rule's "harm" threshold with a more objective standard [Previously, a breach had to reported if there was a “risk of harm”. The Omnibus Rule requires any breach to be reported.]
    • Prohibit most health plans from using or disclosing genetic information for underwriting purposes.

A risk assessment of your practice is required. There are five components:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Safeguards
  • Policy and Procedures and Documentation Requirements

This assessment can be done by you. Of course, the findings of the assessment and the plan of action must be documented. The assessments need to be ongoing. In addition to the self-assessment below -- ClickCare's Quick Guide to HIPAA Toolkit -- here are a couple of other tools that might be useful:


For our free kit to bring your dental office into HIPAA compliance, click here:

Download Quick Guide HIPAA Toolkit 


And take a look at some dental cases that can be solved with telemedicine:

What would you do? Fun cases.




Tags: HIPAA, HITECH, HIPAA secure images, Omnibus Rule

HIPAA HITECH Omnibus Rule 2013 and Healthcare Collaboration

Posted by Lawrence Kerr on Sun, Feb 24, 2013 @ 11:23 AM

HIPAA? I know about it, but I text anyway because it is good patient care.HIPAA requirements for telemedicine cannot be contradicted

Do you really want to say that?

Our advice: Don’t even think about it! And moreover, forget it and move on -- there is too much to worry about that you can change, and this, you can’t.

We are taught to understand as well as follow. Here is some understanding.

The Federal Register, on January 25, 2013, added another 563 pages (78 Fed Reg. 5566) to the voluminous hundreds of pages that constitute three acts over the past 17 years. These are HIPAA, HITECH and GINA, and an entire industry has been built on these rules. The 563 pages as a totality constitute the Omnibus Rule of 2013.

What does all of this mean to us providers? What does all of this mean to us who help providers? Since this post is conversing with patient care professionals, many of whom are mere HIPAA laymen, these answers are brief and focused.

Four main points for day-to-day care:

1. There is increased penalty and enforcement. 

Fines can be avoided with use of HIPAA secure telemedicine

2. Business associates are responsible for all their subcontractors. Did a cleaning lady, employed by a cleaning service pick up a CD? Reasonable Cause -- an act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect. 

3. Any disclosure of PHI will be presumed to be a breach, and HHS will, not may, investigate.

4. Individuals have enhanced rights to obtain electronic copies of their records. With this, is an enhanced right to restrict disclosure of PHI. Patients who pay solely for care by cash can restrict release to insurance companies and billers.

Some collateral damage to be aware of:

  • Schools  -- Immunizations can be shared.
  • Research -- Special notes about current research releases, and how they may apply to future analysis of the same data with different research.
  • Genetics -- Genetic information is protected and cannot be used against the patient.
  • Marketing and Fundraising -- Defines how information is used. Can you ask for money from patients for a cause you know that they are near and dear to?
  • Notification -- You may have to send new notifications to your patients about your privacy policy. Did you ever get one of those from your credit card company?

How much time is there to comply?

The final rule was announced on January 25, 2013. It is effective March 26, 2013 (including penalties), and compliance (such as notifications) must be completed by September 23, 2013.

Cost and Conclusion.

The cost of all of this...114 to 225.4 million dollars (government estimate, your experience may vary). In 2011, the CDC estimates 1 billion physician office visits. That works out to 23 cents per visit.

Finally, there is a lot to this and a lot to read. Download the "Omnibus Rule -- High Overview" to learn more and send you speedily on your way.


Omnibus High Level Overview


It is not totally depressing. But, as Jim Croce says,

"You don't tug on superman's cape

You dont' spit into the wind

You don't pull the mask of the ol' lone ranger

And you don't mess around with ..."


Find the compilation of References here:


2. Debbie Tokos, RHIT, CHPS, United Health Service, Johnson City, NY 13790


Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, Omnibus Rule

Big Data Moves to Healthcare: A Description. A Warning. A Solution. 1

Posted by Lawrence Kerr on Sun, Oct 21, 2012 @ 01:39 PM

This a three part blog post. Emphasis of Big Data acquisition and analysis is supposed to improve healthcare. We emphasize that healthcare collaboration is a way to deal with the massive amounts of data considered to be medical knowledge that has grown beyond mastery of anyone. That said, we also are concerned that attempts to improve quality and profitabilility remove focus from care and caring. This first post will describe a source of error. The second will show how this error can happen in clinical practice -- with healthcare collaboration or not. The third will suggest a solution. The whole of the three should bring fair warning to those who hear the sirens of Big Data which is done poorly, and look to solutions which are done well.

Here is the problem. Many companies are moving from providing big data services for government to big data services for healthcare.

These companies need to understand what they are getting into.Big data without healthcare collaboration is failure

We, as health care providers, need to realize that we affect the outcome of big data as we provide care alone or as we are part of healthcare collaboration.

Since healthcare collaboration is about taking care of the problem at hand, together, and patient care is about helping another human being either get better, be comfortable, or die peacefully, data entry and codes have no relevance.

On the other hand, we providers are asked to be data input specialists even though we don’t see a benefit for our patients. We have the suspicion that we are working for government -- and thus a boss who regulates; or insurance, and thus a boss who underpays. 

And as happened in the office last week, we are sorely tempted to underperform as data input specialists. Thus, all of you big companies who have migrated from the TSA, CIA and NSA with your Big Data tools should be forewarned. Any of you providers, who see no value in coding precision, should consider the consequences.

Let’s use rounding errors as an example. Then compare the rounding errors to what we sometimes are tempted to (or need to) do as clinicians.

Kees Vuik of the Delft Centre for Computational Science and Engineering clearly and understandably highlights some disasters caused by numerical errors. These range from a Patriot Missile failure which killed 28 soldiers after it missed intercepting a Iraqi Scud missile, to errors on conversion of the Euro. In essence, they all (and there are many other examples) have the same root cause: the magnification of minute inaccuracies of a number by repeated calculation.

iClickCare helps erroneous interpretation by including HIPAA compliant images, words, discussion and judgment. While healthcare collaboration is taking place, accuracy is being increased.Click me

The next post, Part 2,  will describe in detail how simple rounding errors will bring Big Data, Bad Data...

Tags: medical collaboration, HIPAA secure images, healthcare collaboration, big data

Subscribe By Email

Recent Posts

Posts by Topic

see all