Skip to main content
All articles
Healthcare
8 min read

HIPAA and Document Metadata: What Healthcare Professionals Need to Know

Document metadata — GPS coordinates, device identifiers, timestamps — can constitute Protected Health Information under HIPAA. Here's what healthcare professionals need to understand.

The intersection of metadata and PHI

The Health Insurance Portability and Accountability Act (HIPAA) defines 18 categories of identifiers that constitute Protected Health Information (PHI) when associated with health data. Several of these categories overlap directly with metadata commonly embedded in digital documents and images:

  • Geographic data smaller than a state (identifier #3) — GPS coordinates in photos
  • Dates related to an individual (identifier #4) — file creation and modification timestamps
  • Device identifiers and serial numbers (identifier #17) — camera make, model, and serial number in EXIF data
  • Any other unique identifying number, characteristic, or code (identifier #18) — file hashes, session identifiers, user account names

When a healthcare professional creates, modifies, or shares a document or image related to patient care, the metadata in that file may contain identifiers that — combined with the health context — constitute PHI.

This does not mean that every document with a timestamp is a HIPAA violation. It means that metadata must be considered as part of the de-identification analysis, particularly when documents or images are shared outside the covered entity.

What the regulation says

HIPAA's Privacy Rule (45 CFR §164.514) provides two methods for de-identifying health information:

Safe Harbor method (§164.514(b)(2))

The Safe Harbor method requires removal of 18 specific identifier categories. If all 18 categories are removed and the covered entity has no actual knowledge that the remaining information could identify an individual, the information is considered de-identified.

The relevant identifiers for document metadata include:

  1. Geographic subdivisions smaller than a state: A photo's GPS coordinates that place the image at a specific clinic, hospital, or patient residence qualify as geographic data smaller than a state. The initial three digits of a zip code may be retained only if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people.

  2. All elements of dates (except year) directly related to an individual: This includes admission dates, discharge dates, dates of service — and by extension, file timestamps that record when a patient-related document was created or modified. The year alone may be retained.

  3. Device identifiers and serial numbers: Camera serial numbers embedded in EXIF data are unique device identifiers. If the camera is associated with a specific healthcare worker or department, the serial number becomes an indirect identifier.

Expert Determination method (§164.514(b)(1))

The Expert Determination method requires a qualified statistical or scientific expert to determine that the risk of identifying an individual from the information is "very small." This method is more flexible but requires formal expert analysis.

For most healthcare organizations, the Safe Harbor method is more practical — and it requires removal of the metadata categories listed above.

Where metadata risk appears in healthcare

Clinical photography

Clinical photographs — wound documentation, dermatology imaging, surgical progress photos, dental records — are taken with smartphones or dedicated clinical cameras. These devices embed EXIF metadata by default.

A clinical photo taken with an iPhone at a patient's bedside contains:

  • GPS coordinates of the hospital (geographic identifier)
  • Exact date and time of the photo (date identifier related to the patient encounter)
  • Device model and serial information (device identifier)
  • The photographer's device software version

If this photo is shared with a consulting physician at another facility, transmitted to a specialist for a second opinion, or included in a research dataset, the EXIF metadata travels with the image.

Telehealth documentation

Screenshots, screen recordings, and exported documents from telehealth platforms may contain metadata identifying the provider's location, the software used, and timestamps of the encounter.

Research and clinical trials

Research involving human subjects frequently includes de-identified datasets that must comply with HIPAA or IRB requirements. Images, documents, and spreadsheets used in research may carry metadata that re-identifies subjects through location data, timestamps, or device identifiers.

Insurance and billing documentation

Documents shared with insurance companies, third-party administrators, or clearinghouses may contain metadata identifying the preparing physician, the facility, and the timing of the preparation — information that, combined with the document's health content, constitutes PHI.

Inter-facility communication

When documents or images are shared between healthcare facilities — referral letters, imaging reports, lab results, clinical photos — the metadata in those files may identify the originating facility, the authoring physician, and the timing of care in ways that the Safe Harbor method requires to be removed.

Common metadata fields and their HIPAA relevance

| Metadata field | Where it appears | HIPAA identifier category | Risk level | |---------------|-----------------|--------------------------|------------| | GPS latitude/longitude | Image EXIF data | Geographic data (#3) | High — directly identifies location | | GPS altitude | Image EXIF data | Geographic data (#3) | Medium — can identify floor/wing | | File creation date | All formats | Dates (#4) | Medium — if related to encounter | | File modification date | All formats | Dates (#4) | Medium — if related to encounter | | Photo capture timestamp | Image EXIF data | Dates (#4) | High — directly tied to encounter | | Camera serial number | Image EXIF data | Device identifiers (#17) | Medium — if traceable to provider | | Device model | Image EXIF data | Device identifiers (#17) | Low — common device, not unique | | Author name | PDF, DOCX metadata | Names (#1) | High if author is the patient | | Author name (provider) | PDF, DOCX metadata | Not directly PHI | Low — but may identify provider-patient relationship | | Company/organization | DOCX app.xml | Not directly PHI | Low — identifies facility indirectly | | Template path | DOCX settings.xml | Not directly PHI | Low — but may contain department name | | Software version | All formats | Not directly PHI | Very low |

What healthcare organizations should do

Policy level

  1. Include document metadata in your HIPAA risk assessment. The OCR (Office for Civil Rights) expects covered entities to identify risks to PHI across all forms in which it exists — including metadata in digital files. If your risk assessment does not mention document or image metadata, it has a gap.

  2. Establish a metadata handling procedure. Define what metadata must be removed before files are shared outside the organization. This should cover at minimum: GPS data in clinical photos, author identity in reports shared externally, and timestamps in de-identified datasets.

  3. Train staff on smartphone photo metadata. Most clinical photographers do not know that their smartphone embeds GPS coordinates in every photo. A 5-minute training on how to check for and disable location services for the camera app addresses the most common source of metadata-related PHI exposure.

Technical level

  1. Disable GPS for clinical photography apps. On iOS: Settings > Privacy & Security > Location Services > Camera > Never. On Android: Camera app settings > Location tag > Off. This prevents GPS data from being written in the first place.

  2. Strip metadata before sharing. Before any clinical image or document is shared externally — via email, secure messaging, EHR integration, or cloud storage — strip the metadata fields listed above. This should happen as close to the point of sharing as possible.

  3. Verify removal. After stripping metadata, verify that the fields are actually gone by re-inspecting the file with a metadata reader. Removal without verification is a hope, not a control.

  4. Automate where possible. Manual metadata removal does not scale. If your organization shares hundreds of clinical images per month, an automated pipeline that strips metadata on upload or on export is more reliable than asking each clinician to remember to run a cleanup tool.

Documentation level

  1. Document your metadata handling in your policies and procedures. If OCR audits your HIPAA compliance, you want to be able to point to a written procedure that addresses metadata in clinical photos, documents, and shared files.

  2. Keep records of de-identification. When metadata is stripped from files as part of a de-identification process, a record of what was removed (a scan report, a verification certificate) provides evidence that due diligence was performed.

What Purgit does not do — and what it does

Purgit is a document and image metadata scanning, removal, and verification tool. It supports HIPAA de-identification practices by removing the metadata identifiers listed above from PDFs, Word documents, Excel spreadsheets, PowerPoint presentations, and images.

What Purgit does:

  • Scans files for GPS coordinates, timestamps, author fields, device identifiers, and other metadata
  • Removes or replaces metadata at the structural level (EXIF tags, XML nodes, PDF objects)
  • Verifies removal by re-scanning the output file
  • Produces a report documenting what was found, what was removed, and whether verification passed
  • Provides a verification certificate (Pro tier) as evidence of processing

What Purgit does not do:

  • Determine whether a specific file contains PHI (that determination depends on context that the tool cannot assess)
  • Provide legal advice on HIPAA compliance
  • Replace a comprehensive HIPAA risk assessment or compliance program
  • Guarantee that a file is "HIPAA compliant" — compliance is a property of an organization's practices, not of a single tool

Purgit helps remove the metadata identifiers that HIPAA's Safe Harbor method requires to be stripped. It does not — and no tool can — certify that a file is compliant. That responsibility belongs to the covered entity.

Purgit scans clinical photos and healthcare documents for GPS coordinates, timestamps, device identifiers, and author metadata. It removes findings and verifies removal. Supports HIPAA de-identification practices for Safe Harbor compliance.

[Scan a File Free]

Scan before you share.

Try Purgit free — no account required.

Scan a File Free