Placing an emoji, sticker, or black bar over a patient's eyes does not meet the legal or ethical standard for de-identifying a patient under HIPAA.

The jawlines, ears, hairlines, scars, skin tone, and hair can all be enough to recognize someone. HIPAA's de-identification standard treats the entire face as identifying information, which is why "full-face photographic images" are listed as a protected identifier alongside things like Social Security numbers and medical record numbers. Covering the eyes alone or a part of the face leaves most of that identifying information.

Read also: Can you take pictures of patients?

 

What de-identification means

De-identification under HIPAA is found at 45 CFR § 164.514(a), which says health information is not individually identifiable, and therefore not PHI, only if it doesn't identify a person and there's no reasonable basis to believe it could be used to do so. That standard can be met one of two ways. The first is the Expert Determination method, defined at 45 CFR § 164.514(b)(1), where a qualified statistician or other expert applies generally accepted statistical and scientific methods and documents that the risk of re-identification is "very small." The second is the Safe Harbor method, defined at 45 CFR § 164.514(b)(2), the specific regulatory provision that lists the 18 identifier categories that must be removed before information can be considered de-identified, full-face photographs and comparable images are included.

According to Patients, pictures, and privacy: managing clinical photographs in the smartphone era, the original 1999 Proposed Privacy Rule treated all photographic images as direct identifiers and didn't permit them to be de-identified at all. The Final Rule issued in 2000 allowed patient photographs to go through the de-identification process but only on the condition that full-face photographs specifically be removed. The rule's own authors explained that requiring removal of every photographic image had been more restrictive than necessary, and that in the final version the only requirement is the removal of full-face photographs, relying instead on a catch-all clause covering any other unique characteristic to address the unusual case where a different kind of photo might still identify someone. That catch-all is what legal experts point to when they note that a tattoo or another distinctive feature can be enough, on its own, to count as a unique identifying characteristic.

Those legal experts also describe what actual de-identification looks like. Rather than masking a single feature, they point to two acceptable approaches which include blurring out the eyes, mouth, and hair together as a combined region, or cropping the image down so that only the clinical finding itself remains visible, with no surrounding facial structure at all. Either approach removes enough identifying information that the image stops being treated as protected health information and can be shared without separate patient authorization. An emoji sticker over a part of the face alone does neither.

A 2016 study published in Annals of Plastic Surgery, Standardization of Guidelines for Patient Photograph Deidentification, reviewed how thirteen medical journals instructed authors to de-identify facial photos, and then audited hundreds of published clinical images across eight of those journals to see what authors actually did. The findings were that when authors attempted to anonymize a photo at all, eye-region masking was the technique of choice, and the researchers found this method inadequate.

A separate, more recent pilot study, Informed Consent In Facial Photograph Publishing: A Cross-sectional Pilot Study To Determine The Effectiveness Of Deidentification Methods, put this kind of masking to an experimental test. Researchers showed study participants a series of celebrity photos that were progressively "unmasked," first using a black box over different facial regions, then a cropped "letterbox" view limited to certain landmarks, and then a "half letterbox" showing only one side of the face to see how much had to be revealed before someone could identify the person. More than half of faces (55.5%) were recognized immediately even with a black box covering the periorbital region, forehead, nose, mouth, and cheeks, and by the stage where only the eyebrows and periorbital region remained covered, 95.5% of faces were identifiable. The cross-sectional pilot study also offers a possible explanation for why partial masking does not work: covering part of a face makes the viewer scrutinize the visible parts more closely and mentally "fill in" what's missing. The authors' concluded that deidentification methods should not be used in place of consent.

 

Why an emoji doesn't solve the problem

Patients, pictures, and privacy: managing clinical photographs in the smartphone era recommends that providers also account for tattoos, birthmarks, surgical scars, distinctive clothing, jewelry, body piercings, and even the surroundings visible in a photograph, since any of these can function as identifiers, separate from the face.

The same article notes the risk posed by EXIF metadata, which is technical information that smartphones automatically embed in every photo file, including camera details, timestamps, and GPS-based geotagging. Put together, a photo's timestamp and location data can pinpoint when and where a patient was photographed, creating a specific identifier that an emoji over the face does not address. The article's practical recommendation is to disable GPS location services before taking clinical photos and to strip EXIF data using a dedicated removal tool.

Notably, The Annals of Plastic Surgery study makes the case that eyebrows are at least as important as the eyes for facial recognition, drawing on facial perception literature showing that eyebrows play an outsized role in identity recognition, emotional expression, and gender discrimination. The study's authors go so far as to propose that, at minimum, both the eyes and eyebrows need to be concealed together, and even then, cloning over the area with neighboring skin, blurring, or coarse pixelation are recommended over a simple emoji.

There's no clinical or regulatory specification for how much of the face needs to be covered, what opacity is required, or whether the emoji needs to move with the patient if it's a video. People apply them inconsistently, and the same study found that even among journals that did attempt facial masking, inadequate technique appeared in anywhere from 59% to as high as 91% of published photographs, depending on the publication.

Also, facial recognition and re-identification algorithms have become better at matching partial or obscured faces, especially when paired with social media images, public records, or other available photos of the same person. A redaction method that may have worked in 2010 might not work as well in 2026. Even the authors behind the eyebrow-masking research flag this, cautioning that as machine-learning-based facial recognition keeps advancing, even eye-and-eyebrow masking may eventually be circumvented.

 

What regulators and ethics boards actually expect

The standard expectation is closer to:

  • Cropping out the face entirely, showing only the relevant clinical finding (a lesion, a wound, a rash) without any identifiable facial structure.
  • Obtaining explicit, informed patient consent for use of an identifiable photo, including consent for the specific use case (a journal article, a teaching slide deck, a public social media post).
  • Using professional redaction techniques when a face genuinely must remain partially visible, which can include blurring an entire region rather than an emoji, paired with a sign-off from a privacy officer.
  • Treating any image where consent wasn't properly obtained as protected health information, regardless of how it's edited.

In short, the bar isn't "would a stranger scrolling past recognize this person in two seconds." The bar is closer to "would this image, combined with reasonably available information, allow someone to identify the patient,” which is a much higher standard than an emoji can satisfy. As the Annals of Plastic Surgery researchers frame it, the real legal test that has come up in court cases is whether patients can identify themselves in a published photo when consent was never obtained. The Cross-sectional Pilot Study reaches a similar conclusion, rather than treating masking as a substitute for consent, the authors recommend that consent forms themselves name the specific deidentification method that will be used and confirm that its real-world effectiveness has been discussed with the patient.

 

FAQs

Does this apply to pictures patients take of themselves and post online?

No, HIPAA only governs covered entities and their business associates, not patients sharing their own images.

 

Can a hospital get fined just for one improperly de-identified photo?

Yes, HIPAA violations are evaluated and penalized photo by photo, so even a single non-compliant image can trigger enforcement action.

 

Does HIPAA apply to photos taken on a personal phone instead of hospital equipment?

Yes, the device used doesn't matter, if the photo identifies a patient and was taken in the course of care, it's still PHI.

 

Do de-identification rules apply to video and audio the same way they apply to still photos?

Yes, video and audio recordings are treated the same as photographs under HIPAA if they could reveal a patient's identity.