HIPAA and Video Surveillance
Complying with HIPAA and video surveillance regulations requires careful planning to ensure that Protected Health Information captured by surveillance cameras is secured against unauthorized uses or disclosures, and that the deployment of surveillance cameras – and the data captured by them – does not violate other federal or state laws.
Most healthcare facilities in the U.S. use some kind(s) of video surveillance for security, conflict resolution, policy compliance and “situation monitoring” (i.e., ER overcrowding, theft of drugs, workplace violence, etc.). Because it is impossible to isolate Protected Health Information (PHI) from any other data captured by surveillance cameras, all data captured by video surveillance software must be secured in accordance with the safeguards of the HIPAA Security Rule.
This means that access must be controlled to the data captured by video surveillance systems (both physical and remote access), it must be possible to audit who accesses and views captured data, and a security management process must be implemented to prevent, detect, contain, and resolve HIPAA security violations. It may also be necessary to implement monitors that automatically log users out of the video surveillance system after a period of inactivity.
Other HIPAA and Video Surveillance Considerations
Other considerations to factor in with regard to complying with HIPAA and video surveillance include the retention and disposal of data, and transmission security if data is communicated by a surveillance camera via Bluetooth, Wi-Fi, or Internet (*). If data is communicated via the cloud or via a third party service provider, it will also be necessary to enter into a HIPAA Business Associate Agreement with the cloud or third party service provider.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
A difficult issue to overcome is that, when an image of an individual is captured on video, it becomes a designated record set in its own right if the image contains information relating to the individual’s health condition or treatment for the condition. Individuals have the right to request access to PHI maintained in designated record sets, and it may be difficult to comply with such a request without disclosing PHI belonging to other individuals.
(*) Note: Some security experts do not advocate data encryption in transit due to potential latency issues. These issues can result in transmission delays, which can affect response times in emergency events. Recommended alternatives include HIPAA compliant security cameras connected to a Local Area Network or closed circuit networks. It is advisable that these alternatives and the use of data encryption should be considered on a case-by-case basis.
Other Federal and State Laws to Consider
The most important federal “law” to consider when deploying any surveillance equipment is the “reasonable expectation of privacy” requirement of the Fourth Amendment. While still arguably vague in certain healthcare scenarios, many states specifically prohibit video surveillance “in any place where persons normally disrobe including but not limited to a fitting room, dressing room, locker room or bathroom.” (i.e., Delaware Criminal Code §1335 “Violation of Privacy”).
In many states, the reasonable expectation of privacy extends to audio recordings captured by video surveillance systems. Most states have wiretapping laws prohibiting the recording of audio by video surveillance systems unless the individual(s) being recorded has given their informed consent. Due to the logistical issues this would create, healthcare video surveillance equipment is often supplied without audio recording capabilities or with the capability disabled.
A further consideration is state laws relating to the storage and security of controlled substances. Although neither the FDA nor any state specifically requires video surveillance to ensure the security of controlled substances, if video surveillance is used, conditions may apply with regards to how the system connects with the party responsible for monitoring security. For example, Virginia’s Administrative Code (18VAC110-20-710) requires surveillance cameras to have an auxiliary power source.
Final Thoughts on HIPAA and Surveillance Cameras
A number of sources discussing HIPAA and surveillance cameras err on the side of caution by suggesting that images should be pixelated to prevent individuals from being identified or that HIPAA compliant security cameras should only be used for monitoring activities, rather than recording them. In many use cases, these suggestions would undermine the purpose of installing surveillance cameras and may still not resolve the issue of HIPAA compliance.
Healthcare organizations with concerns about complying with HIPAA and video surveillance regulations are advised to speak with a security service provider that has experience of physical healthcare installations. Service providers of this nature will more likely be able to answer compliance questions relating to HIPAA and other federal and state laws than a software vendor with limited experience of complying with multiple regulations simultaneously.
