How Patient Skin Photos Should Be Stored: Encryption and PHIPA Basics
Skin photos taken for dermatology are personal health information under PHIPA. This guide covers how clinics should encrypt, store, restrict access to, and delete patient skin images, plus where the data should live in Canada.
Elham Hafezi
Healthcare data & security

As of January 28, 2026.
Skin photos sit at the center of modern dermatology. A patient snaps a mole, a clinic uploads a lesion to a referral, an artificial intelligence (AI) triage tool reads a rash. Every one of those images is a medical record, and in Canada it has to be handled like one. I lead data and security at DermaDex, and the question I hear most from clinics is simple: where do these photos go, and who is responsible for them? This guide answers that, starting with the law and ending with a checklist you can hand to your team.
What is the Personal Health Information Protection Act (PHIPA) in Canada?
Short answer: The Personal Health Information Protection Act (PHIPA) is Ontario's health privacy law. It took effect on November 1, 2004 and sets the rules for how health information custodians collect, use, store, and disclose personal health information, with oversight from the Information and Privacy Commissioner of Ontario.
PHIPA governs Ontario. Other provinces run parallel statutes: Alberta's Health Information Act, plus the Personal Health Information Act in Nova Scotia and Manitoba. Where no provincial health law applies, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) can fill the gap for private-sector custodians. The Government of Canada privacy overview and the Health Canada legislation pages describe how these layers fit together. A dermatology clinic that stores skin photos is almost always a custodian and carries legal duties for every image it holds.
| Jurisdiction | Health privacy law | Oversight body |
|---|---|---|
| Ontario | Personal Health Information Protection Act (PHIPA), 2004 | Information and Privacy Commissioner of Ontario |
| Alberta | Health Information Act (HIA) | Office of the Information and Privacy Commissioner of Alberta |
| Nova Scotia | Personal Health Information Act (PHIA) | Information and Privacy Commissioner for Nova Scotia |
| Federal / private sector | Personal Information Protection and Electronic Documents Act (PIPEDA) | Office of the Privacy Commissioner of Canada |
Why are patient skin photos considered personal health information?
Short answer: A skin photo is personal health information because it documents an identifiable person's physical condition. Identifiability does not depend on a printed name. A face, a tattoo, a distinctive birthmark, or hidden file metadata can each tie an image back to one patient.
Dermatology images are unusually identifying. Many are close-ups of visible skin, and some include the face. Even a cropped lesion photo carries Exchangeable Image File Format (EXIF) metadata: camera model, timestamp, and sometimes GPS coordinates. That hidden data can re-identify a supposedly anonymous image. Under PHIPA, the moment a custodian collects that photo for care, the full set of privacy duties attaches. The Canadian Dermatology Association (CDA) and teledermatology practice treat clinical images as records, not casual snapshots. Patients who photograph a changing mole at home, as the American Academy of Dermatology (AAD) recommends for skin cancer monitoring, are creating the same kind of sensitive record. Strip metadata, store the file securely, and document consent before the image moves anywhere.
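To make the metadata point concrete, here is an added example in Go that is not DermaDex code and does not come from the page: it strips the APP1 segment, where EXIF and XMP both live, from a JPEG before the file is stored or forwarded. It reads the JPEG marker layout directly so it needs no image library, and it goes slightly beyond the paragraph by removing XMP along with EXIF, since both sit in APP1 and both can carry device or location identifiers. The sample file bytes are constructed for the demo and are not a real photo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// JPEG markers used below; each appears in the file as 0xFF followed by the byte.
const (
	markerSOI  = 0xD8 // start of image
	markerEOI  = 0xD9 // end of image
	markerSOS  = 0xDA // start of scan: compressed pixel data follows
	markerAPP0 = 0xE0 // JFIF header, harmless and expected by some viewers
	markerAPP1 = 0xE1 // EXIF (camera, timestamp, GPS) and XMP live here
)

// walkSegments visits each header segment between SOI and SOS, calling fn with the
// marker byte and the raw segment bytes, and returns the offset of the SOS (or EOI).
func walkSegments(jpg []byte, fn func(marker byte, seg []byte)) (int, error) {
	if len(jpg) < 4 || jpg[0] != 0xFF || jpg[1] != markerSOI {
		return 0, errors.New("not a JPEG: missing SOI marker")
	}
	pos := 2
	for pos+2 <= len(jpg) {
		if jpg[pos] != 0xFF {
			return 0, fmt.Errorf("expected a marker at offset %d", pos)
		}
		marker := jpg[pos+1]
		if marker == markerSOS || marker == markerEOI {
			return pos, nil
		}
		if pos+4 > len(jpg) {
			return 0, errors.New("truncated segment header")
		}
		segLen := int(binary.BigEndian.Uint16(jpg[pos+2 : pos+4])) // counts itself, not the marker
		end := pos + 2 + segLen
		if segLen < 2 || end > len(jpg) {
			return 0, fmt.Errorf("bad segment length at offset %d", pos)
		}
		fn(marker, jpg[pos:end])
		pos = end
	}
	return 0, errors.New("file ended before the scan data")
}

// StripEXIF returns a copy of the JPEG with every APP1 segment removed, which drops
// EXIF and XMP metadata. All other segments and the pixel data are copied unchanged.
func StripEXIF(jpg []byte) ([]byte, error) {
	out := []byte{0xFF, markerSOI}
	sos, err := walkSegments(jpg, func(marker byte, seg []byte) {
		if marker != markerAPP1 {
			out = append(out, seg...)
		}
	})
	if err != nil {
		return nil, err
	}
	return append(out, jpg[sos:]...), nil
}

// Markers lists the header markers of a file (ending with SOS or EOI): what it still carries.
func Markers(jpg []byte) ([]byte, error) {
	var ms []byte
	sos, err := walkSegments(jpg, func(marker byte, _ []byte) { ms = append(ms, marker) })
	if err != nil {
		return nil, err
	}
	return append(ms, jpg[sos+1]), nil
}

func segment(marker byte, payload []byte) []byte {
	seg := []byte{0xFF, marker, 0, 0}
	binary.BigEndian.PutUint16(seg[2:], uint16(len(payload)+2))
	return append(seg, payload...)
}

// SampleJPEG is a constructed byte string with the segment layout of a camera file (JFIF
// header, EXIF block with a fake GPS field, quantisation table, scan). Not a decodable photo.
func SampleJPEG() []byte {
	b := []byte{0xFF, markerSOI}
	b = append(b, segment(markerAPP0, []byte("JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"))...)
	b = append(b, segment(markerAPP1, []byte("Exif\x00\x00MM\x00*GPS-LAT-45.4215"))...)
	b = append(b, segment(0xDB, make([]byte, 65))...) // DQT placeholder
	b = append(b, 0xFF, markerSOS, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00)
	b = append(b, 0x12, 0x34, 0x56) // stand-in for entropy-coded pixel data
	return append(b, 0xFF, markerEOI)
}

func main() {
	in := SampleJPEG()
	out, err := StripEXIF(in)
	if err != nil {
		panic(err)
	}
	before, _ := Markers(in)
	after, _ := Markers(out)
	fmt.Printf("markers before %X, after %X, bytes removed %d\n", before, after, len(in)-len(out))
}
```

Run it on a real camera JPEG and the marker list before stripping will usually show E1 (and often E2 for an ICC colour profile, which this code keeps because removing it changes how the image renders). Stripping is only one half of the control: the original, metadata-bearing file on the phone still needs the same handling.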
How should patient skin photos be encrypted at rest and in transit?
Short answer: Encrypt stored images with Advanced Encryption Standard 256-bit (AES-256) and protect every transfer with Transport Layer Security (TLS) version 1.2 or 1.3. Encryption keys must be managed separately from the data, and access to those keys logged.
Encryption is two jobs. "At rest" protects files sitting on a disk or in a database, where AES-256 is the accepted baseline. "In transit" protects images moving between a phone, a server, and an electronic medical record (EMR) system, where modern TLS does the work. Neither helps if keys are stored next to the data or shared over email. Strong key management, short-lived access tokens, and multi-factor authentication (MFA) close those gaps. The Canadian Institute for Health Information (CIHI) privacy and security program and the broader peer-reviewed literature on medical image security describe the same baseline.
| Safeguard | What it protects | Practical baseline |
|---|---|---|
| Encryption at rest | Stored image files and databases | AES-256 |
| Encryption in transit | Uploads and transfers between devices | TLS 1.2 or 1.3 |
| Access control | Who can open an image | Role-based access plus MFA |
| Audit logging | Record of every view and export | Tamper-evident, time-stamped logs |
Where should patient skin images be stored to satisfy Canadian privacy rules?
Short answer: Store patient skin images on servers governed by Canadian privacy law, with a written agreement covering any third-party host. PHIPA does not ban storage outside Canada outright, but custodians must keep the data secure and accountable wherever it lives, and several provinces and hospitals require Canadian data residency.
Where data physically sits matters. Many Ontario hospitals, and provinces such as British Columbia and Quebec, push for storage inside Canada to keep records under domestic legal protection. A clinic using a cloud vendor or an electronic health record (EHR) system stays responsible for that vendor's safeguards through a data processing agreement. Digital health adoption is rising worldwide, and the World Health Organization (WHO) digital health program stresses that privacy and security have to scale with it. Ask three questions before signing: Is the data encrypted and stored in Canada? Who else can access it? What happens to the images if the contract ends? DermaDex stores scans encrypted on Canadian servers for exactly these reasons.
Who should be able to access stored patient photos, and how is access controlled?
Short answer: Only people inside the patient's circle of care should reach a stored skin photo, and only to the minimum extent their job requires. Role-based access control, multi-factor authentication, and audit logs enforce that limit and prove who looked at what.
PHIPA builds on a need-to-know principle. A receptionist does not need the same access as a dermatologist. Role-based permissions assign each staff member the narrowest set of rights, MFA blocks stolen-password access, and audit logs create a tamper-evident record of every view, download, and share. Those logs matter twice: they deter snooping, and they let a clinic investigate a suspected breach. PHIPA also requires custodians to notify affected patients and the Information and Privacy Commissioner of Ontario when a breach poses a real risk of harm. Patients are entitled to ask any clinic for its access and breach-notification policy before they upload a single image.
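The need-to-know rule and the tamper-evident log can be modelled in a few dozen lines. The following is an added Go example, not code from DermaDex or any EMR product: the role map, user IDs and care-team record are constructed for the demo, and the log is a SHA-256 hash chain in which each entry commits to the one before it, so a later edit to any line shows up in Verify.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

type Action string

const (
	ViewImage   Action = "view_image"
	ExportImage Action = "export_image"
)

// rolePermissions is a constructed role map: each role gets only the rights its job needs.
var rolePermissions = map[string]map[Action]bool{
	"dermatologist": {ViewImage: true, ExportImage: true},
	"nurse":         {ViewImage: true},
	"receptionist":  {}, // bookings only; no image rights in this demo
}

// Session is what the login layer hands over; MFAVerified is set only after a second factor.
type Session struct {
	UserID, Role string
	MFAVerified  bool
}

// AuditEntry is one log line. Hash covers every other field including PrevHash.
type AuditEntry struct {
	Time, UserID, ImageID, Reason string
	Action                        Action
	Allowed                       bool
	PrevHash, Hash                string
}

func entryHash(e AuditEntry) string {
	e.Hash = "" // hash the entry without its own hash field
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Store maps each image ID to the user IDs in that patient's circle of care.
type Store struct {
	CareTeam map[string]map[string]bool
	Log      []AuditEntry
}

func (s *Store) log(e AuditEntry) {
	e.PrevHash = "genesis"
	if n := len(s.Log); n > 0 {
		e.PrevHash = s.Log[n-1].Hash
	}
	e.Hash = entryHash(e)
	s.Log = append(s.Log, e)
}

// Verify walks the chain and returns the index of the first bad entry, or -1 if intact.
func (s *Store) Verify() int {
	prev := "genesis"
	for i, e := range s.Log {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Authorize checks MFA, then role, then circle of care, and logs the decision either way.
func (s *Store) Authorize(sess Session, act Action, imageID string) (allowed bool, reason string) {
	defer func() {
		s.log(AuditEntry{Time: time.Now().UTC().Format(time.RFC3339), UserID: sess.UserID,
			ImageID: imageID, Action: act, Allowed: allowed, Reason: reason})
	}()
	switch {
	case !sess.MFAVerified:
		return false, "mfa required"
	case !rolePermissions[sess.Role][act]:
		return false, "role lacks permission"
	case !s.CareTeam[imageID][sess.UserID]:
		return false, "outside circle of care"
	}
	return true, "ok"
}

// NewDemoStore holds one constructed record: img-001, care team dr-lee and rn-ana.
func NewDemoStore() *Store {
	return &Store{CareTeam: map[string]map[string]bool{"img-001": {"dr-lee": true, "rn-ana": true}}}
}

func main() {
	s := NewDemoStore()
	s.Authorize(Session{UserID: "dr-lee", Role: "dermatologist", MFAVerified: true}, ViewImage, "img-001")
	_, why := s.Authorize(Session{UserID: "rec-kim", Role: "receptionist", MFAVerified: true}, ViewImage, "img-001")
	fmt.Println("receptionist denied:", why, "| chain intact:", s.Verify() == -1)
}
```

Denied attempts are logged as well as successes, which is what makes the log useful for a breach investigation. In a real deployment the chain head would be written somewhere the application cannot rewrite (a separate log service or an append-only store), since a hash chain only proves tampering to someone who holds an untampered copy of the last hash.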
How long should patient skin photos be retained, and when must they be deleted?
Short answer: Keep clinical skin photos as long as provincial record-retention rules require, then delete them securely. In Ontario, physicians must retain medical records for at least 10 years after the last entry, or 10 years after a minor patient turns 18, before secure destruction.
Retention is a balance. Delete too soon and you lose records needed for follow-up or legal defense. Keep them forever and you expand the data a breach could expose. Provincial medical colleges set the floor, and the Ontario standard above is a common reference, though periods differ across provinces and record types. Secure deletion means the file and its backups are cryptographically erased, not just dragged to a trash folder. Patients also hold rights here: under PHIPA they can request access to their own images and ask for corrections to the record. Build a written retention and deletion schedule before the first photo is ever stored.
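The encryption-at-rest and key-management baseline from the encryption section and the cryptographic erasure described here fit together as envelope encryption. Below is an added Go example, not DermaDex's implementation and not code from the page, using only the standard library: each image gets its own AES-256-GCM data key, that key is wrapped under a key-encryption key held in a separate Vault that stands in for a KMS or HSM (an assumption for the demo), every key access is logged, and deleting the wrapped key makes the ciphertext and every backup copy of it unreadable. The image bytes and record IDs are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault stands in for a key-management service (a demo assumption): the key-encryption
// key (KEK) never leaves it, and every wrap, unwrap and shred is logged.
type Vault struct {
	kek       []byte
	wrapped   map[string][]byte // image ID -> that image's data key, wrapped under the KEK
	AccessLog []string
}

func NewVault() *Vault {
	return &Vault{kek: randomBytes(32), wrapped: map[string][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: stop rather than weaken a key
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce || ciphertext || tag. The record ID is bound in as associated data,
// so a blob relabelled as another record fails to open.
func seal(key, plaintext []byte, id string) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, []byte(id))
}

func open(key, blob []byte, id string) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// Encrypt gives the image its own AES-256 data key, keeps only the KEK-wrapped form of
// that key, and returns the ciphertext: all the file store and its backups ever hold.
func (v *Vault) Encrypt(id string, image []byte) []byte {
	dek := randomBytes(32)
	v.wrapped[id] = seal(v.kek, dek, id)
	v.AccessLog = append(v.AccessLog, "wrap "+id)
	return seal(dek, image, id)
}

// Decrypt unwraps the data key (logging the access) and opens the blob with it.
func (v *Vault) Decrypt(id string, blob []byte) ([]byte, error) {
	w, ok := v.wrapped[id]
	if !ok {
		v.AccessLog = append(v.AccessLog, "unwrap denied "+id)
		return nil, errors.New("no key for " + id + ": record was cryptographically erased")
	}
	dek, err := open(v.kek, w, id)
	if err != nil {
		return nil, err
	}
	v.AccessLog = append(v.AccessLog, "unwrap "+id)
	return open(dek, blob, id)
}

// Shred is secure deletion by cryptographic erasure: with the wrapped data key gone,
// every copy of the ciphertext, including backups, is permanently unreadable.
func (v *Vault) Shred(id string) {
	delete(v.wrapped, id)
	v.AccessLog = append(v.AccessLog, "shred "+id)
}

func main() {
	v := NewVault()
	photo := []byte("constructed stand-in for the JPEG bytes of a lesion photo")
	blob := v.Encrypt("img-001", photo)
	backup := append([]byte(nil), blob...) // what an off-site backup would hold
	got, _ := v.Decrypt("img-001", blob)
	v.Shred("img-001")
	_, err := v.Decrypt("img-001", backup)
	fmt.Println("round trip:", string(got) == string(photo), "| after shred:", err, "|", v.AccessLog)
}
```

Two design points carry over to a real system. Because the file store and its backups hold ciphertext only, the retention schedule is enforced by deleting one small wrapped key rather than by chasing every copy of a large image, which is what makes cryptographic erasure practical for backups. And for the in-transit half of the table, Go's crypto/tls does the work; setting MinVersion to tls.VersionTLS12 on the tls.Config matches the TLS 1.2 or 1.3 baseline above.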
What should clinics and patients check before storing skin photos?
Short answer: Confirm five things: the image is encrypted at rest and in transit, access is role-based and logged, the data lives under Canadian privacy law, consent is documented, and a retention and deletion schedule exists. If a vendor cannot answer all five in writing, treat that as a warning sign.
This is the practical version of everything above. Patients uploading a photo to any app should ask where the image is stored and who can see it, the same questions we cover in "Is it safe to upload skin photos to an app?". Clinics evaluating an AI skin tool should demand the same answers from the vendor. A quick note on scope: secure storage protects the record, it does not replace clinical judgment. Image quality, lighting, and patient history all shape a diagnosis, so confirmed findings should always come from a licensed clinician.
This article is general information about data security and privacy law, not medical or legal advice, and it is not a diagnosis. For a skin concern, see a physician or dermatologist. For legal duties specific to your clinic, consult a privacy professional. Questions about DermaDex can go through our contact page, and our about page explains who builds the platform.
What do patients and clinics most often ask about storing skin photos?
Short answer: Four questions come up most: whether you can smile in a health card photo, the four areas PHIPA's purposes cover, whether a photo of an Ontario health card is usable, and what PHIPA actually is. Each answer ties back to one rule: treat any image of health information as a protected record.
Can you smile in your health card photo?
A relaxed, natural expression is generally fine for an Ontario photo health card, but a wide grin that shows teeth or distorts your features can be rejected, because government identity photos are checked against facial-recognition standards. Rules vary by province and change over time, so confirm current requirements with ServiceOntario or your provincial card issuer before your appointment. The reason this matters for our topic: a health card photo is personal information tied to your identity and your Ontario Health Insurance Plan (OHIP) number, the same class of sensitive data as a clinical skin photo. Treat any image of your health card the way you would a medical image. Store it carefully, share it only through secure channels, and never email it over an unsecured connection.
What four categories do PHIPA's purposes fall into?
PHIPA's stated purposes are commonly grouped into four areas. First, it sets rules for collecting, using, and disclosing personal health information in a way that protects confidentiality while still letting clinicians provide care. Second, it gives individuals a right to access their own health records. Third, it gives them a right to request corrections to those records. Fourth, it provides independent oversight, including complaint review by the Information and Privacy Commissioner of Ontario and remedies when the Act is broken. For a dermatology clinic, the practical translation is straightforward: protect the image, let patients see and correct their own records, and stay accountable to a regulator. Those four themes shape every storage and access decision a custodian makes.
Can you use a picture of your health card in Ontario?
Sometimes. For many virtual or phone visits, a clear photo of your health card is accepted so the clinic can read your number and verify coverage, but the provider may still need to validate the card electronically or ask for the physical card at a later visit. The bigger issue is how that photo travels. A health card image is personal information, so never send it through unsecured text or email, and delete it from shared chat threads once the visit is booked. Clinics should accept these images only through encrypted channels and store them under the same safeguards as a clinical photo. When in doubt, ask the clinic how the image will be stored and how long it is kept.
What is PHIPA in Canada?
PHIPA is the Personal Health Information Protection Act, Ontario's health-specific privacy law, in force since November 1, 2004. It sets the rules for health information custodians, such as doctors, hospitals, and clinics, on how they collect, use, store, disclose, and protect personal health information. It also gives patients the right to see their own records, request corrections, and complain to the Information and Privacy Commissioner of Ontario, who enforces the Act. PHIPA applies only in Ontario. Other provinces have their own health privacy laws, and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) can apply where no provincial law does. For skin photos, PHIPA is the reason a clinic must encrypt, restrict, and account for every clinical image it holds.
Sources
- Government of Canada, Treasury Board of Canada Secretariat. "Privacy." https://www.canada.ca/en/treasury-board-secretariat/services/access-information-privacy/privacy.html
- Health Canada. "Legislation and Guidelines." https://www.canada.ca/en/health-canada/corporate/about-health-canada/legislation-guidelines.html
- Canadian Institute for Health Information (CIHI). "Privacy and security." https://www.cihi.ca/en/privacy-and-security
- World Health Organization (WHO). "Digital health." https://www.who.int/health-topics/digital-health
- Canadian Dermatology Association (CDA). https://dermatology.ca/
- American Academy of Dermatology (AAD). "Skin cancer." https://www.aad.org/public/diseases/skin-cancer
- U.S. National Library of Medicine, PubMed. "Medical image encryption (literature search)." https://pubmed.ncbi.nlm.nih.gov/?term=medical+image+encryption