Storing Before and After Images

By Jo Hayward / 15 Aug 2022

Business director Jo Hayward discusses how to store patient photography appropriately

One aspect of an aesthetic treatment that every practitioner will be familiar with is taking before and after photos. However, there is a lot more to consider than just pulling out your phone and snapping a few pictures.1 Some important questions to ask yourself include: Are you storing photos securely? Why is it important to have robust processes in place to manage them? Are you adhering to all your legal requirements for insurance and General Data Protection Regulation (GDPR), and are they in line with the standards of your professional bodies such as the General Medical Council (GMC), General Dental Council (GDC) and Nursing and Midwifery Council (NMC)?

This article will aim to give you some points to consider and offer advice on how to manage before and after photos appropriately within your clinic.

Why is it important to take before and after photos?

Before and after photos are an essential part of your patient’s record. They should be carefully and meticulously taken using consistent photography parameters, such as lighting, angles, facial expressions and more.2,3

Your pictures should clearly show the patient’s changes across their treatment journey, including the appearance before the treatment and the results during and following treatment, reducing any doubt the patient may have about their outcome. These photos can also provide supporting evidence for your insurance if a complication or complaint is made against you. 

As well as forming part of your treatment documentation, before and after photos are a great way to showcase the transformation your patient has received and can have a positive impact on patient satisfaction, especially if you’re able to create and send a before and after comparison to them. With the correct consent (as discussed below), you can also use before and after images for training purposes, clinical research, publication in medical journals or for marketing.

What are your responsibilities?

Storage and security of your before and after photos (and your patient’s data in general) lead on to the requirements you have as a medical practitioner and business owner. It is your responsibility to protect your patients’ information. You must be aware of the responsibilities required to ensure you comply with government legislation, your insurance policy and professional bodies.

General Data Protection Regulation

GDPR sets out the way that you should process, use and store personal data about your patients.4 As an aesthetic practitioner, you handle a lot of your patients’ personal data. If your before and after photos are not stored in a secure system, how can you be confident that they aren’t at risk of being lost? 

Often, the most common place that practitioners store photos, especially when they’re just getting started, is on a mobile phone. However, this method of storage raises concerns for data security and can potentially breach GDPR.4 If you fail to comply with the GDPR requirements, then the penalties for breaching these regulations can be severe – the maximum fine is either 4% of your total annual worldwide turnover or £17.5 million, whichever is higher.5

Storing patient photos on your phone puts them at risk of being lost or exposed. What if your phone went missing or was stolen? If your phone was to break, would you have a backup of all those photos, or would they be gone forever?

Whilst taking photos on your phone is quick and convenient, this is not where they should be stored if they are to be kept secure. Patient photographs should be stored in a secure cloud-based system that acts as a back-up to protect your photos from being lost forever, as well as protecting them from unauthorised access. There are several generic cloud-based storage options including Google Drive and Dropbox. However, I would recommend storing these against a patient record by using a secure clinic software system such as Aesthetic Nurse Software, e-clinic or Pabau, with other brands available. You want to use a system that is encrypted with robust security protection such as Secure Sockets Layer (SSL), the protocol now succeeded by Transport Layer Security (TLS). This means that all photos are protected in transit between the server and the web browser or device you are accessing them on.


It’s common practice for insurance policies to state that before photos must be taken with all injectable treatments. For example, upon contacting Hamilton Fraser, they have advised me that without before photos, the policy conditions will not have been met, so the practitioner is running the risk of the underwriters declining to assist if a claim is brought against the policyholder. Hamilton Fraser also strongly advises that it is best practice to take after photos to show the results. Clear notes and photos are the best form of protection when it comes to defending a claim. This emphasises just how important it is to ensure you include before and after photos within your records, making sure you have documented evidence should there ever be a claim made against you. 

Not only that, but if your photos have not been stored securely and they get lost, you may not be covered by your insurance. Hamilton Fraser always recommends that the policyholder reads the terms and conditions and policy wording so that they are familiar with all the conditions they need to adhere to, in order for full cover to be in force.

Professional bodies

As a medical professional, your responsibilities are no different when it comes to your aesthetic patients. Section 10 of the NMC’s code states that all qualified practitioners must keep clear, accurate and secure records.6 Section 119 of the GMC ethical guidance for ‘Managing and Protecting Personal Information’ insists you must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss.7 Section 4.5.1 of the GDC guidance maintains that you must make sure patient information is not revealed accidentally and that no one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public.8

Are your before and after photos accessible?

After you have got a secure storage system in place to keep your photos safe, you want to be able to access your patients’ images quickly and easily. Are you scrolling through photos on your camera roll while hiding your screen from patients to stop them from seeing other patients’ photos? This not only looks unprofessional and breaks GDPR regulations, it’s also extremely time consuming. Being able to gain access to your photos in a timely and organised manner will make life a whole lot simpler, even easier if they are attached to a patient record.

In addition to the above, article five of the GDPR states that all data you keep needs to be in a format which makes it easy for you to locate, and must be stored securely whether it be in hard copy or electronic format. It should not be accessible to unauthorised people and should be stored in such a way that it cannot be accidentally lost, damaged or destroyed.9 Your patients’ before and after photos should only be accessible to people within your business who have a legitimate reason to view them, such as the treating practitioners.

The GMC’s good medical practice guidance states that you should not share passwords or leave patients’ records, either on paper or on screen, unattended or where they can be seen by other patients, unauthorised members of staff or the public.10 You should make sure that any staff you manage are trained and understand their responsibilities when it comes to handling patient photos.

When do you need consent and why?

Before and after photos are taken primarily for the purpose of treating that particular patient, and form part of their patient record. Consent to having these photos taken and stored should form part of the patient’s treatment consent. Images of this kind are considered necessary for treatment to be carried out.11 However, if you are looking to use your patients’ photos for other purposes, then you must obtain explicit consent from your patient detailing how and where photos will be used. By showcasing your results to potential patients, this highlights your work and helps to bring in new enquiries.11

You should explain to your patient that you would like to use their photos for marketing purposes, being transparent and clear about where they may be used, such as on social media, your website or leaflets.12 It is important that you obtain explicit consent via a consent form which includes their signature with a date and time stamp. The consent form should explain where and how you intend to use their photographs in clear language that patients can understand. This gives you written evidence that your patient has agreed for the photos to be used. It’s important that the consent form includes a confirmation statement validating that they have understood what you have explained. By doing this, you protect yourself from issues that could occur if a patient changes their mind about your right to use their image. 

In this situation, you must make it easy for patients to withdraw consent at any point; you can do this by having a clinic software in place which gives patients the option to click a button to withdraw their consent which is recorded with a date and time stamp. This leaves you with an audit trail for the period of time where the patient was happy for photos to be used.13

The British Association of Cosmetic Nurses (BACN) highlights in its ‘Code of Professional Conduct’ that written informed consent from the individual to whom they provide treatment before capturing images is crucial.14

Protect yourselves and your patients

It is important your business has a robust photo process in place. Remember these photos not only support the professional image of your business, but provide protection against your professional register and insurance. Photos should be accessible and stored on an encrypted server which cannot be accessed by unauthorised parties. In addition, clear photo consent which outlines your photo policy that allows patients the freedom to accept or withdraw consent should be introduced. By regularly reviewing your processes within your business, a solid foundation can be created that not only supports GDPR, but also your insurance policy.
