HIPAA and whiteboard photos: if the board has PHI, the photo does too.
Short answer
Yes — if a whiteboard contains protected health information (PHI), photographing it creates a PHI record subject to HIPAA Security Rule requirements. This includes patient names, diagnoses, treatment plans, or any information that could identify a patient. Healthcare organizations must apply the same safeguards to whiteboard photos as to any other PHI document.
## What constitutes PHI on a whiteboard
Protected health information includes any individually identifiable health information. A whiteboard in a clinical or administrative healthcare setting may display:
- Patient names (even just first names in context)
- Room assignments or bed numbers linked to names
- Diagnoses, conditions, or treatment information
- Appointment schedules with patient identifiers
- Medication lists
- Case discussion content from rounds or care conferences
All of this is PHI. A photograph of a whiteboard containing any of the above is a PHI record.
## HIPAA requirements for PHI records
Under the HIPAA Security Rule and Privacy Rule, PHI must be:
- Stored securely: On HIPAA-compliant systems, not in personal camera rolls or consumer cloud services (personal Google Photos, iCloud family albums, etc.)
- Access-controlled: Only accessible to personnel with a need to know
- Transmitted securely: Encrypted in transit; not sent via standard SMS or personal email
- Retained only as long as necessary and then disposed of according to your organization's retention policy
- Included in your risk assessment: If whiteboard photos are a regular workflow, they should appear in your organization's HIPAA risk analysis
## What this means for whiteboard photography in healthcare
For clinical whiteboards (patient tracking boards, care conference boards, ICU status boards), photography should generally be avoided or tightly controlled under a formal policy. Where photography is necessary — say, capturing a care plan drawn in a working session — it should be done on organization-managed devices with MDM controls, not personal phones.
Before using BoardSnap in a healthcare setting: confirm with your Compliance Officer that the workflow meets your organization's HIPAA policies and that any cloud processing is covered by an appropriate Business Associate Agreement.
This is general information, not legal or compliance advice. Consult your Compliance Officer for organization-specific guidance.
Frequently asked
Can I use BoardSnap in a hospital or clinic?
BoardSnap can be used for administrative and operational meetings that don't involve patient data. For clinical whiteboards containing PHI, consult your Compliance Officer before using any third-party app, including BoardSnap.
What should I do if I accidentally photographed a board with patient names?
Delete the photo from your device and any cloud backup, and report the incident to your organization's Privacy Officer per your breach notification policy. Document what was in the image and who may have had access.
See it work in ten seconds.
BoardSnap is free on the App Store. Snap a board — get a summary and action plan.