I actually disagree. I do not believe this was a HIPAA violation because there was no disclosure of protected health information.
In order for HIPAA to have been violated, there must be sharing of personally identifiable information without the patient's consent. In this case, there were no identifiers on the picture, and the picture itself (since it does not identify the person) is not protected.
OP, here is a very detailed explaination of wha HIPAA covers and does not cover. UC Berkeley Committee for Protection of Human Subjects
You will see that the first section includes a list of the 18 personal identifiers covered under HIPAA. It does on to describe exactly what protected health information (PIH) is, and what it is not. I'll allow you to read it for yourself, but I've coped a few pertinent sentances below.
List of 18 identifiers
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)"
"Also note, health information by itself without the 18 identifiers is not considered to be PHI.
For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints.
These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials."
In nursing school, we were allowed to copy information from the chart to work on our care plans
at home as long as we did not copy down any identifying information, such as name or medical record number. This was not a HIPAA violation because the information could not be used to identify the patient.
So, in short, unless the instructor could look at the picture of the scan and identify protected health information about the patient, it was not a HIPAA violation. The picture of the scan itself, with no protected health information, is not a violation.