Please see the following message from Wendi Wright, Chief Privacy Officer, Stanford University

We understand that taking pictures, videos and capturing other images of research participants is frequently an important component of research projects. In order to ensure that participants’ images, which are PHI as defined by HIPAA, remain protected we would like to re-iterate the following suggested practices:

1. If possible, use an encrypted device, e.g., iPad or iPhone. Please ensure that the device is enrolled in the university’s Big Fix program so that we can verify encryption if needed (encryption.stanford.edu).
2. If an encrypted device is not feasible, then you must move the images from the unencrypted camera/video camera to a secure environment immediately and without undue delay.
• As soon as you are done capturing images, upload them to a secure environment. This could be Medicine Box or transferring to an encrypted laptop or other Stanford-approved secure location.
• Once you have verified successful transfer of images from the memory card, erase the memory card.
• The previous two steps should occur on the same day that you take the images.
3. Keep all cameras/video cameras/iPads and other devices in secured and locked areas when not in use. Even if you leave the area for “just a minute” secure the camera/device first.
4. Report lost/stolen/misplaced cameras/devices with images on them to the Privacy Office immediately. Reporting is everyone’s responsibility, not just that of managers or PIs.
5. We also review this information in some of our privacy trainings, including “Know Your PHI”, “HIPAA Privacy Research” and “How To Secure Computing Devices and Electronic Data” (privacy.stanford.edu).

If you have any questions, please contact the University Privacy Office at privacy@stanford.edu.