
HIPAA for dermatology practices

HIPAA Compliance for Dermatology Practices

Dermatology practices handle clinical photography, teledermatology sessions, pathology integrations, and marketing consent workflows that create unique HIPAA obligations. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer built for dermatology.

Active breach prevention · Starting at $39/mo · No contracts

HIPAA in practice

What HIPAA actually looks like for dermatology practices.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay where state law stacks on HIPAA’s six-year minimum.

Regulatory framework

Dermatology practices operate under HIPAA as covered entities through standard electronic transactions — claims, eligibility, e-prescribing for topical and systemic dermatology medications. State dermatology board rules govern practice standards. State pathology rules apply to in-office laboratory testing under CLIA. The FDA cosmetic-vs-medical-device line affects practices performing aesthetic procedures alongside medical dermatology — the line determines whether records and procedures fall under HIPAA's medical framework or a different consumer-product regulatory frame.

OCR enforcement patterns

OCR's dermatology enforcement record has historically focused on clinical photo storage on consumer platforms (Dropbox, Google Drive, iCloud, personal-device camera rolls — none HIPAA-compliant for treatment-record photos), dermatopathology lab BAA gaps, and teledermatology consultation transmission errors. Photo storage is the single highest-frequency exposure in this segment because the high-volume clinical photography pattern of dermatology practice exceeds what consumer cloud-storage platforms can compliantly support.

Specialty-specific standards beyond HIPAA

DICOM for clinical photography and dermatoscopy. CLIA for in-office laboratory testing. State pathology rules for biopsy specimens and dermatopathology workflow. The FDA cosmetic-vs-medical-device distinction governing aesthetic procedures. State dermatology board rules on cosmetic procedures performed by non-physician staff. State Medicaid and Medicare rules for medically-necessary versus cosmetic procedure billing.

Common compliance gaps

Dermatology practice compliance gaps cluster around clinical photography: photos taken on staff personal devices, photos stored on consumer cloud platforms without BAAs, before/after marketing photos used without explicit photography-specific consent, mole-mapping photo retention not aligned with state retention rules, and dermatopathology lab BAAs assumed but not signed. Mohs surgery practices have additional compliance complexity around multi-stage photo and pathology integration.

Retention overlay

State law stacked on HIPAA’s six-year floor.

HIPAA sets a six-year minimum; state dermatology and medical practice record laws typically require seven to ten years of retention. Photographs that are part of the medical record are subject to the same retention period as the chart. Biopsy specimens are retained per CLIA requirements (typically seven years for surgical pathology slides, ten years for blocks). Dermatopathology slides and reports are subject to separate state-specific retention rules. Cosmetic procedure records may have their own retention framework distinct from medical dermatology records.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to dermatology practices, based on Patient Protect’s reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A dermatology practice that completes the five steps below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis covering EHR, photo storage, and pathology-lab interfaces

    Risk analysis under §164.308(a)(1)(ii)(A) covering EHR, electronic claims, clinical photo storage, dermatopathology lab interfaces, Mohs surgery photo and pathology integration, teledermatology platform if used, patient portal.

  2. Migrate clinical photo storage to BAA-covered infrastructure

    Mole mapping, before/after, biopsy-site documentation, treatment progression photos. Move from consumer cloud platforms (Dropbox, Google Photos, iCloud) and staff personal devices to BAA-covered storage with the access logging and retention controls clinical photos require.

  3. Sign BAAs across the dermatology-specific vendor ecosystem

    EHR vendor, claims clearinghouse, every dermatopathology lab partner, photo storage system, teledermatology platform if used, secure messaging tool, e-fax service. Each is a BA; each requires a current signed agreement.

  4. Establish photo-handling policies for staff

    Photos taken on personal devices, even temporarily, are non-compliant. Build operational policy covering practice-issued devices for clinical photography, automatic upload to BAA-covered storage, deletion from device camera rolls, and the audit-log expectations for clinical photos.

  5. Designate Privacy and Security Officials, train all staff

    Per §164.530(a) and §164.308(a)(2). Training under §164.530(b)(1) including dermatology-specific photo-handling protocols, lab-specimen labeling, teledermatology disclosure scenarios, and the §164.502(b) minimum-necessary standard for the high-volume clinical photo workflow.

The real risk

Where dermatology practices are most exposed.

01

Clinical photography creates high-risk ePHI

Before-and-after photos, dermoscopy images, and wound documentation are ePHI the moment they include identifying features. Storage on personal phones, unencrypted cloud folders, or shared drives without access controls is a breach waiting to happen.

02

Teledermatology platforms need BAAs and encryption

Virtual consultations, store-and-forward imaging, and asynchronous dermatology platforms all transmit ePHI. Each platform requires a signed BAA, end-to-end encryption, and documented security configurations.

03

Pathology and lab integrations introduce vendor risk

Biopsy reports, lab results, and pathology consultations flow between your practice and external labs. Each exchange point requires a BAA and encrypted transmission. Most practices don't audit these data flows.

04

Marketing use of patient images requires documented authorization

Using patient photos for social media, websites, or marketing materials requires specific written authorization separate from the general consent for treatment. HIPAA authorization for marketing use has strict requirements that generic consent forms rarely satisfy.

What HIPAA requires

Regulatory requirements specific to dermatology practices.

Clinical Photography Security

Encryption for all clinical images at rest and in transit. Access controls on photo storage. Documented workflows for image capture, transfer, and retention. No personal device storage without BYOD policies.

Teledermatology Compliance

Signed BAAs with every teledermatology platform. End-to-end encryption for video and store-and-forward imaging. Documented security configurations per platform.

Lab & Pathology Vendor Management

BAA tracking for every lab, pathology service, and diagnostic partner. Encrypted transmission of biopsy reports and results. Vendor risk assessment for each external integration.

Marketing Authorization

HIPAA-compliant authorization forms for marketing use of patient images. Separate from treatment consent. Documented revocation process. Training for staff on authorization requirements.

Your state, your rules

State-specific HIPAA rules for dermatology practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for dermatology practices, not hospital systems.

Clinical photography risk assessment

SRA wizard evaluates image capture devices, storage locations, transmission methods, and access controls — specific to dermatology workflows.

Vendor BAA tracking for labs and platforms

Full BAA lifecycle management for pathology labs, teledermatology platforms, and imaging services — with renewal alerts and status tracking.

Policy generation for image handling

Auto-generated policies covering clinical photography, marketing authorization, image retention, and device management — customized to your practice.

Staff training on image privacy

Training modules covering clinical photography compliance, marketing authorization requirements, and secure image handling workflows.

Clinical photo storage compliance with BAA-covered infrastructure

Dermatology practices generate massive clinical photo volumes — mole mapping, before/after, biopsy site documentation, treatment progression. Photos linked to patient identity are PHI. The platform handles BAA-covered photo storage with the access logging and retention controls clinical photos require.

Pathology lab BAA tracking and Mohs surgery records

Dermatopathology labs receiving biopsy specimens with patient identifiers are business associates. Mohs surgery records — multi-stage, photo-heavy, often involving on-site pathology — create additional storage and BAA surfaces. The platform tracks the dermatology-specific lab and pathology vendor ecosystem rather than treating it as generic medical-practice infrastructure.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

What to ask

Patient Protect

01

Risk assessment that satisfies §164.308(a)(1)

A readiness quiz is not a risk analysis.

Full SRA wizard mapped to NIST CSF with live scoring

02

Auto-generated policies with workforce acknowledgment

HIPAA requires documented proof your staff reviewed them.

48 policies from your risk profile, versioned acknowledgment

03

Staff training with delivery tracking

§164.308(a)(5) — sending a PDF is not sufficient.

80+ modules, completion tracking, audit-ready records

04

Full BAA lifecycle management

Expired BAAs are a top enforcement target.

E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for dermatology practices.

Are clinical photos considered PHI under HIPAA?

Yes. Clinical photographs that include identifying features — face, distinctive marks, tattoos, or any feature that could identify the patient — are protected health information under HIPAA. Even cropped or de-identified images may still qualify if they can be linked back to the patient through metadata or context.

Can I store dermatology photos on my phone?

Only with proper safeguards — full-disk encryption, passcode lock, documented BYOD policy, and no personal cloud backup of clinical images. Many practices use dedicated clinical photography apps that encrypt and upload directly to a secured EHR. Patient Protect's risk assessment evaluates your actual image handling workflow.

What does HIPAA compliance cost for a dermatology practice?

Patient Protect starts at $39/month with no contracts — covering risk assessments, policy generation, BAA tracking for labs and platforms, staff training, and continuous compliance monitoring. Whether you use it alongside your existing compliance partner or as a standalone solution.

Are clinical photos in dermatology PHI even when faces aren't visible?

Yes when linked to patient identity in the medical record. A close-up photograph of a lesion that's stored as part of the patient's chart is PHI regardless of whether the patient's face is visible — it's identifiable through the link to the patient record, not through facial recognition. Photos require BAA-covered storage, encryption, access controls, and audit trails like any other ePHI.

Do dermatopathology labs need a BAA?

Yes. Dermatopathology labs receive biopsy specimens accompanied by patient-identifying information for slide preparation, interpretation, and reporting. Each is a business associate under §160.103 and requires a written BAA before specimens flow. Practices using multiple dermatopathology partners need separate BAAs with each.

How are teledermatology consultations handled under HIPAA?

Teledermatology — both store-and-forward (asynchronous) and live video — is HIPAA-regulated when it involves PHI. Asynchronous consults transmit clinical photos and patient information to a remote dermatologist; the platform mediating the transmission is a business associate. Live video uses standard telehealth compliance frameworks. Both require BAAs with the platform vendor and audit trails of consult transmissions.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E Murray, D.D.S.
Patient Protect Member Since 2017

Next step

Your dermatology practice handles some of the most sensitive visual data in healthcare.

See your real exposure in five minutes. Free risk assessment — no login required.