Healthcare organizations have long used video surveillance to enhance security, monitor patient and staff activities, and reduce risks. However, users must ensure that video surveillance doesn’t compromise protected health information (PHI) or violate other components of HIPAA.
HIPAA security rule and video surveillance
The HIPAA security rule lays out standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). For video surveillance, this means securing any footage that may contain PHI. Although video systems aren’t designed to capture medical information, they can record PHI unintentionally, such as patient images or overheard conversations.
Here’s how healthcare organizations can secure their surveillance systems while ensuring HIPAA compliance.
Controlling access to surveillance data
Access control is a HIPAA requirement: organizations must ensure that only authorized personnel can view or interact with surveillance footage. This covers both physical access to the cameras and recording equipment and remote access to stored footage.
Keeping audit trails
HIPAA requires detailed logs of who accesses surveillance data. These logs should capture actions like logging in, reviewing footage, or downloading data. Audit trails help organizations detect and respond to suspicious activity or unauthorized access to PHI.
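As an added example (not from the article), the following script reviews a surveillance-system audit trail against a least-privilege role model and flags the kinds of events a security officer would want to investigate. The log format, usernames, roles, camera names and after-hours window are all assumed for illustration.

```python
# Added example: review a surveillance audit trail for access outside policy.
# Log format, accounts, roles and camera names are constructed, not real.
from datetime import datetime

# Assumed role model: which audit actions each role may perform.
ROLE_ACTIONS = {
    "security_officer": {"login", "review", "download"},
    "nurse_manager": {"login", "review"},
    "contractor": {"login"},
}
USER_ROLES = {"asmith": "security_officer", "bjones": "nurse_manager", "ctemp": "contractor"}
# Cameras covering areas where footage is most likely to contain PHI.
PHI_SENSITIVE_CAMERAS = {"ER-BAY-2", "PHARMACY-VAULT"}

# Constructed sample log: "<ISO timestamp> <user> <action> <camera or ->".
SAMPLE_LOG = [
    "2024-03-01T09:15:00 asmith login -",
    "2024-03-01T09:16:10 asmith review LOBBY-1",
    "2024-03-01T14:02:00 bjones download ER-BAY-2",
    "2024-03-01T23:40:00 asmith download PHARMACY-VAULT",
    "2024-03-02T10:05:00 zz_unknown review LOBBY-1",
]

def parse_line(line):
    """Parse one audit record into a dict."""
    ts, user, action, camera = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "camera": camera}

def find_findings(lines, after_hours=(22, 6)):
    """Return (user, reason) tuples for events that need review."""
    findings = []
    for line in lines:
        e = parse_line(line)
        role = USER_ROLES.get(e["user"])
        if role is None:
            findings.append((e["user"], "unknown account"))
        elif e["action"] not in ROLE_ACTIONS[role]:
            findings.append((e["user"], f"{e['action']} not permitted for role {role}"))
        # Exports from PHI-sensitive cameras are reviewed even when permitted.
        if e["action"] == "download" and e["camera"] in PHI_SENSITIVE_CAMERAS:
            findings.append((e["user"], f"export from PHI-sensitive camera {e['camera']}"))
        # Footage access outside the assumed staffed window (22:00-06:00).
        hour = e["ts"].hour
        if e["action"] != "login" and (hour >= after_hours[0] or hour < after_hours[1]):
            findings.append((e["user"], f"after-hours {e['action']} at {e['ts'].isoformat()}"))
    return findings

if __name__ == "__main__":
    for user, reason in find_findings(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Running it against the constructed log flags the nurse manager's export, the after-hours vault export, and the unknown account; in a real deployment the log source would be the video management system's own audit export.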
Managing security processes
Security processes help protect surveillance footage in healthcare organizations. Policies and training on handling sensitive data, along with regular system checks, ensure the system remains secure.
These processes should include:
- Steps for responding to security breaches
- Training programs for staff on HIPAA and PHI
- Ongoing system monitoring to catch and fix any issues early
Navigating HIPAA and privacy laws
While HIPAA provides a framework for securing surveillance footage, other privacy laws must also be considered.
Fourth Amendment
The Fourth Amendment protects individuals from unreasonable searches, which means people have a right to privacy in certain spaces. In healthcare settings, this applies to areas like patient rooms or treatment spaces, which are considered private.
Cameras must be placed carefully to avoid violating these privacy expectations. In some cases, patient consent or clear signage about surveillance may be required.
State laws and recording rules
State laws regarding video and audio recordings must also be followed. Many states require all parties to consent to audio recordings, which can complicate surveillance systems with microphones.
In addition, some states have strict rules on where cameras can be placed, such as in restrooms or locker rooms. Healthcare organizations must research and comply with the relevant laws to avoid legal trouble.
Handling PHI in surveillance footage
Video surveillance may unintentionally capture PHI, even though the primary purpose is not to record medical information. For example, cameras might pick up patient images or overhear private conversations.
To prevent breaches, healthcare organizations should consider pixelating or blurring individuals in the footage and limiting how long recordings are stored. Reducing data retention minimizes the chances of violating HIPAA regulations.
Data transmission and storage
Surveillance footage transmitted over the internet or stored in the cloud requires careful security measures. Encryption and other protections must be in place to safeguard footage from hackers or unauthorized access.
Some organizations choose to store footage on local networks or closed-circuit systems to reduce the risks associated with online storage. Cloud storage, if used, must follow HIPAA’s privacy and security guidelines.
Working with security providers
Managing video surveillance alongside HIPAA compliance can be challenging, so working with security experts can help. These providers offer guidance on HIPAA-compliant systems and assist with implementing effective privacy and security measures.
Collaborating with experienced providers ensures that surveillance systems are built and maintained properly, reducing the risk of compliance issues.
Managing retention and disposal of surveillance data
HIPAA also addresses how long organizations should retain ePHI, including surveillance footage. Clear policies for retaining and securely disposing of footage are key for compliance.
- Retention policies should specify how long footage is kept based on legal obligations or organizational needs.
- Data disposal should involve secure methods, such as physically destroying storage devices or permanently wiping digital records.
Automating deletion processes ensures that old footage is removed once it is no longer needed, helping organizations comply with retention rules.
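As an added example (not from the article), this retention sweep selects recordings that have passed their retention period while honouring legal holds and a longer retention for controlled-substance areas, and produces a disposal record for the audit trail. Retention periods, zone names and recording identifiers are assumed, not HIPAA-mandated values.

```python
# Added example: retention sweep for stored surveillance footage.
# Retention periods and sample recordings are constructed for illustration.
from datetime import date, timedelta

# Assumed retention per camera zone, in days (set by policy, not by HIPAA).
RETENTION_DAYS = {"general": 30, "controlled_substance": 90}

def disposal_candidates(recordings, today, legal_holds):
    """Split recordings into those due for disposal and those retained (with reason)."""
    to_dispose, retained = [], []
    for rec in recordings:
        keep_until = rec["captured"] + timedelta(days=RETENTION_DAYS[rec["zone"]])
        if rec["id"] in legal_holds:
            # A hold (litigation, investigation) overrides the retention clock.
            retained.append((rec["id"], "legal hold"))
        elif today < keep_until:
            retained.append((rec["id"], f"within retention until {keep_until.isoformat()}"))
        else:
            to_dispose.append(rec["id"])
    return to_dispose, retained

def disposal_audit_entry(rec_id, today, method="secure-wipe"):
    """Audit record written when a recording is disposed of."""
    return {"date": today.isoformat(), "recording": rec_id, "action": "disposed", "method": method}

# Constructed sample inventory as of 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDINGS = [
    {"id": "lobby-2024-04-01", "zone": "general", "captured": date(2024, 4, 1)},
    {"id": "lobby-2024-05-20", "zone": "general", "captured": date(2024, 5, 20)},
    {"id": "vault-2024-03-15", "zone": "controlled_substance", "captured": date(2024, 3, 15)},
    {"id": "vault-2024-02-01", "zone": "controlled_substance", "captured": date(2024, 2, 1)},
    {"id": "er-2024-03-01", "zone": "general", "captured": date(2024, 3, 1)},
]
LEGAL_HOLDS = {"er-2024-03-01"}

def run_sweep(recordings=SAMPLE_RECORDINGS, today=TODAY, legal_holds=LEGAL_HOLDS):
    """Return the audit entries that a real sweep would write after deleting each file."""
    to_dispose, _retained = disposal_candidates(recordings, today, legal_holds)
    return [disposal_audit_entry(rec_id, today) for rec_id in to_dispose]

if __name__ == "__main__":
    for entry in run_sweep():
        print(entry)
```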
Surveillance in controlled substance areas
Healthcare organizations that handle controlled substances must follow additional security regulations. Some states require surveillance cameras in areas where these substances are stored, and backup power systems may be necessary to ensure constant monitoring.
These surveillance systems should work in tandem with other security protocols to protect controlled substances.
Respecting patient and staff privacy
Video surveillance improves security, but organizations must still respect the privacy of patients and staff. Sensitive areas, like exam rooms for patients and break rooms for staff, should remain private.
- Patient privacy: Avoid placing cameras in locations such as bathrooms or treatment areas where patients expect privacy. Signage or patient consent may be necessary in some cases.
- Staff privacy: Employees should be aware of where cameras are located and why they are used. Training and clear communication help staff feel comfortable with the surveillance system, and care should be taken not to place cameras in inappropriate areas like locker rooms.
Handling requests for footage
Patients have the right to access their PHI, including any PHI captured in surveillance footage. However, healthcare organizations must review the footage carefully before sharing it, making sure to obscure the identities of any other individuals. In some cases, providing partial access to footage may be the best approach to balance patient access rights with privacy concerns.
In the news
A notable example of a HIPAA violation occurred at Sharp Grossmont Hospital in California. Between 2012 and 2013, the hospital secretly recorded 1,800 patients without their consent using motion-activated cameras in operating rooms. These recordings captured patients during sensitive procedures, including childbirth and surgery. The hospital claimed the intent was to catch drug thefts by staff, but the recordings inadvertently included extensive footage of patients' private moments.
This incident led to a class-action lawsuit against the hospital, which settled in 2019 for $1 million. The case exposed a serious breach of patient privacy and underscored the necessity of obtaining explicit consent before recording in medical settings and of adhering strictly to HIPAA regulations to protect patient information.
FAQs
Does HIPAA apply to video recordings of patients?
Yes, HIPAA applies to video recordings if they capture protected health information (PHI) that could be used to identify a patient and relate to their medical condition, treatment, or care.
Are there any exceptions where video recordings can be made without patient consent?
Exceptions are limited and typically pertain to situations required by law, such as certain public health activities or law enforcement purposes. Even in these cases, the recordings must comply with HIPAA's minimum necessary standard.
How should video recordings be handled in telehealth under HIPAA?
In telehealth, video recordings should be made using secure, HIPAA-compliant platforms that ensure the confidentiality and integrity of PHI. Patients should be informed of, and give consent to, any recordings made during telehealth sessions.