The question is - is this PHI? You said a person posted a photo of her and her patient. If the healthcare provider's photo indicates what that healthcare provider does, i.e., the provider's specialty, then it may be PHI. Remember - to be regulated the data must be Individually Identifiable Health Information or "PHI" - and that type of information consists of two parts, generally speaking - (1) - past, present or future physical or mental health information, (2) - about a person - (i.e., that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual). If as indicated the two photo's provide health information about an individual, then you may have a breach on your hands. If so - that breach needs to be recorded and reported to DHHS in the year it occured, as a breach under 500 individuals.