Sterling Seacrest Partners’ Bartley Miller: Before and After Photos – A Signed Consent May Not Suffice

As in every other industry, advances in technology are dramatically changing the risk profile of healthcare.

The plastic surgery realm offers a particularly compelling and cautionary example of such risk.

Plastic surgeons today must work harder than ever to attract good consumers. One way to attract these consumers is to provide real-life “before and after” photos of patients who have undergone procedures similar to those the consumer is considering purchasing from the provider. These before and after photos have become a marketing necessity rather than merely a portfolio of the surgical outcomes a consumer can expect from these procedures. In many ways, plastic surgery is an art form, and surgeons need to show the consumer their work.

With every digital picture comes potential risk. Over the last 12 months, our firm has handled multiple claims involving the unauthorized disclosure of a patient’s identity through their before and after photos. As all practices should do, and for the most part do, these practices collected signed consent forms from these patients, allowing the practices to post the pictures on their websites without identifying the subjects. What these practices didn’t realize is that even when a patient’s face has been wholly or partly obscured in the picture, identifying information can survive elsewhere, most commonly in the image’s file name, which becomes part of the web address of the picture once it is uploaded.

[Embedded Files – definition: An embedded file refers to any type of multimedia file that you might insert or embed into a Web page. This includes files like graphics and sound files. – Source: Webopedia]

Most practices hire a trained and skilled website designer to upload and place images on their websites. What we are finding is that IT consultants and web designers sometimes fail to rename the image files before upload, so that the file name (and, ideally, any descriptive text or metadata stored with the image) contains no identifying information about the patient. Note that this is a matter of removing the name, not of encrypting it: a file that is published on a public web page is meant to be readable, so the only safe file name is one that never contained the patient’s identity in the first place.

Please allow us to provide you a claim example:

A plastic surgery office is going through the process of designing its website with a web designer. The practice took a sampling of its before and after portfolio to include on the website. As is customary, the provider collected signed consent forms allowing the provider to place these images on the website. After receiving consent, the practice sent the digital image files to its web designer so the designer could create the before and after photo page. Each image file had been saved under the patient’s last and first name as the file name. Unfortunately, these file names were not changed by the web design company, and the files were uploaded to the practice’s website as-is. A number of months later, the practice was contacted by one of its former patients whose picture was posted on the website. She told the practice that she had just been alerted that when an acquaintance typed the patient’s name into Google, up popped the before and after photos. The patient immediately made a demand for damages against the practice for failure to conceal her true identity.

How does this happen? Google and other search engines run crawlers that index not only the visible text of a web page but also the addresses of the images on it, and an image’s address includes its file name. A file uploaded as something like “Smith_Jane_before.jpg” therefore becomes a page on the Internet whose address contains the words “Smith” and “Jane”. Since, in this case, the file names included the patient’s name, a search for that name located the pictures on the practice’s website alongside the other pictures of that person already on the Internet. Blurring the face inside the picture does nothing to change this, because the search engine is matching on the name in the address, not on the content of the image.
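The following script is an added illustration and is not part of Bartley Miller’s article or any tool his firm distributes. It shows the two checks a practice can run before image files ever leave the office: flag any file whose name contains a patient on the consent roster, and copy the images to an outgoing folder under opaque names derived with a keyed hash, keeping the name-to-file ledger in the practice’s own records rather than with the web designer. The file naming convention (“Last_First_before.jpg”), the roster, the secret key and the folder names are all constructed for the example; the script renames files only and does not strip metadata embedded inside the image itself, which must be handled separately.

```python
"""Flag and de-identify before/after photo file names before they are sent out.

Added example, not from the original article. Sample file names, roster and
key below are constructed for illustration.
"""
import hashlib
import hmac
import json
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample: how the practice in the claim example named its files.
SAMPLE_FILES = [
    "Smith_Jane_before.jpg",
    "Smith_Jane_after.jpg",
    "case-0042-before.jpg",
]
# Constructed consent roster: patients who signed a photo release.
SAMPLE_ROSTER = ["Jane Smith", "Carlos Ortega"]


def _normalize(text):
    """Lower-case and drop separators so 'Smith_Jane' and 'smith-jane' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def flag_identifying_names(filenames, roster):
    """Return the file names that contain every name token of some patient on the roster.

    Requiring all tokens (first and last name) avoids flagging every file that
    merely contains a common surname; loosen this if the practice wants to
    be more aggressive.
    """
    flagged = []
    for name in filenames:
        stem = _normalize(Path(name).stem)
        for patient in roster:
            tokens = [_normalize(t) for t in patient.split()]
            if tokens and all(t and t in stem for t in tokens):
                flagged.append(name)
                break
    return flagged


def opaque_name(key, original):
    """Derive a stable but non-reversible public file name with HMAC-SHA256.

    The key stays inside the practice. Without it nobody can turn the public
    name back into a patient, and the hex digest cannot contain letters of a
    name such as 'Smith' or 'Jane'.
    """
    digest = hmac.new(key, original.encode(), hashlib.sha256).hexdigest()[:16]
    return f"img_{digest}{Path(original).suffix.lower()}"


def deidentify_directory(src, dst, key, ledger_path):
    """Copy every file in src to dst under an opaque name.

    Writes a {opaque_name: original_name} ledger to ledger_path, which must
    not sit inside dst, because dst is what goes to the web designer.
    """
    src, dst, ledger_path = Path(src), Path(dst), Path(ledger_path)
    dst.mkdir(parents=True, exist_ok=True)
    if ledger_path.resolve().is_relative_to(dst.resolve()):
        raise ValueError("ledger must not be stored in the outgoing folder")
    mapping = {}
    for path in sorted(src.iterdir()):
        if not path.is_file():
            continue
        new = opaque_name(key, path.name)
        # Copies file contents only; EXIF metadata inside the image is NOT removed here.
        shutil.copyfile(path, dst / new)
        mapping[new] = path.name
    ledger_path.write_text(json.dumps(mapping, indent=2))
    return mapping


def run_demo():
    """Build a scratch folder with the sample files, run both checks, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "from_practice"
        src.mkdir()
        for name in SAMPLE_FILES:
            (src / name).write_bytes(b"\xff\xd8\xff")  # placeholder bytes, not a real JPEG
        flagged = flag_identifying_names(sorted(p.name for p in src.iterdir()), SAMPLE_ROSTER)
        key = b"practice-only-secret-rotate-me"  # assumption: never shared with the designer
        mapping = deidentify_directory(src, Path(tmp) / "for_web_designer", key, Path(tmp) / "ledger.json")
    return flagged, mapping


if __name__ == "__main__":
    flagged, mapping = run_demo()
    print("files that would expose a patient:", flagged)
    print("what the web designer receives:", sorted(mapping))
```

Run it as `python deidentify.py`: the two “Smith_Jane” files are flagged, and every file the designer receives is named `img_<hex>.jpg`, so nothing in the published address can match a search for the patient’s name. The ledger that links the opaque names back to the originals is the sensitive artifact and belongs with the practice’s records, not on the web server.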

It is very difficult for people outside of the technology industry to know how information is disclosed or found on the Internet. As we all know, technology is continually evolving, and the exposures it creates change almost daily. Below are two important recommendations for managing this exposure.

How do you minimize this liability?

  1. Sign a contract with your IT Professional – Make sure this contract includes strong indemnification and hold harmless language so as to help protect your business from a mistake made by your IT professional. Require and confirm that your IT professional carries appropriate insurance that supports the indemnification and hold harmless language in the contract. In your contract, require that the IT professional ensure patient privacy, and request that they also sign a Business Associate Agreement.
  2. Purchase Cyber/Privacy Liability Insurance – In an ever-changing IT environment there is no possible way to manage all exposures through risk avoidance. All businesses are subject to technology-related risks whether in healthcare, manufacturing, or any other industry. We recommend that all of our clients discuss this coverage option with us thoroughly.

As all providers – regardless of specialty – continue to expand their marketing efforts with new multimedia channels, it is good to evaluate the additional liability that is generated through these activities. Please feel free to call us to discuss this topic.


Bartley Miller