Healthcare organizations have long used video surveillance to enhance security, monitor patient and staff activities, and reduce risks. However, users must ensure that video surveillance doesn’t compromise protected health information (PHI) or violate other components of HIPAA.
The HIPAA Security Rule lays out standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). For video surveillance, this means securing any footage that may contain PHI. Although video systems aren’t specifically designed to capture medical information, they might unintentionally record PHI, such as patient images or overheard conversations.
Here’s how healthcare organizations can secure their surveillance systems while ensuring HIPAA compliance.
Access control is a HIPAA requirement: organizations must ensure that only authorized personnel can view or interact with surveillance footage. They should limit both physical access to the cameras and remote access to stored footage.
HIPAA requires detailed logs of who accesses surveillance data. These logs should capture actions like logging in, reviewing footage, or downloading data. Audit trails help organizations detect and respond to suspicious activity or unauthorized access to PHI.
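The following sketch shows one way to review such an audit trail. It is an added example, not code from the original article or from any surveillance product. The JSON record layout, the action names (`login`, `view`, `download`), the allow-list of reviewers and the download threshold are all assumptions chosen for illustration, and the log lines are constructed.

```python
import json
from collections import Counter

# Constructed sample audit records, one JSON object per line. The field names
# and action values are assumptions, not a real video-management log format.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00", "user": "sec_officer1", "action": "login"}
{"ts": "2024-03-04T09:13:10", "user": "sec_officer1", "action": "view", "camera": "lobby-01"}
{"ts": "2024-03-04T11:40:02", "user": "nurse7", "action": "view", "camera": "pharmacy-02"}
{"ts": "2024-03-04T14:01:00", "user": "sec_officer2", "action": "download", "camera": "pharmacy-02"}
{"ts": "2024-03-04T14:02:00", "user": "sec_officer2", "action": "download", "camera": "pharmacy-02"}
{"ts": "2024-03-04T14:03:00", "user": "sec_officer2", "action": "download", "camera": "lobby-01"}
{"ts": "2024-03-04T23:59:59", "user": "sec_off
"""

AUTHORIZED = {"sec_officer1", "sec_officer2"}  # assumed allow-list of footage reviewers
MAX_DOWNLOADS_PER_DAY = 2                      # assumed policy threshold


def review_audit_log(text, authorized=AUTHORIZED, max_downloads=MAX_DOWNLOADS_PER_DAY):
    """Return (rule, user, detail) findings for the audit records in text."""
    findings = []
    downloads = Counter()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts, user, action = rec["ts"], rec["user"], rec["action"]
        except (ValueError, KeyError, TypeError):
            # A truncated or altered record is itself worth investigating.
            findings.append(("malformed_record", None, f"line {n}"))
            continue
        # Footage was viewed or exported by someone outside the allow-list.
        if action in ("view", "download") and user not in authorized:
            findings.append(("unauthorized_access", user,
                             f"{action} {rec.get('camera')} at {ts}"))
        # Bulk export: report once, when the user first exceeds the daily limit.
        if action == "download":
            day = ts[:10]
            downloads[(user, day)] += 1
            if downloads[(user, day)] == max_downloads + 1:
                findings.append(("excessive_downloads", user,
                                 f"more than {max_downloads} on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```
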
Security processes help protect surveillance footage in healthcare organizations. Policies and training on handling sensitive data, along with regular system checks, ensure the system remains secure.
These processes should include:
While HIPAA provides a framework for securing surveillance footage, other privacy laws must also be considered.
The Fourth Amendment protects individuals from unreasonable searches, which means people have a right to privacy in certain spaces. In healthcare settings, this applies to areas like patient rooms or treatment spaces, which are considered private.
Cameras must be placed carefully to avoid violating privacy expectations. In some cases, patient consent or clear signage about surveillance may be required.
State laws regarding video and audio recordings must also be followed. Many states require all parties to consent to audio recordings, which can complicate surveillance systems with microphones.
In addition, some states have strict rules on where cameras can be placed, such as in restrooms or locker rooms. Healthcare organizations must research and comply with the relevant laws to avoid legal trouble.
Video surveillance may unintentionally capture PHI, even though the primary purpose is not to record medical information. For example, cameras might pick up patient images or overhear private conversations.
To prevent breaches, healthcare organizations should consider pixelating or blurring individuals in the footage and limiting how long recordings are stored. Reducing data retention minimizes the chances of violating HIPAA regulations.
Surveillance footage transmitted over the internet or stored in the cloud requires careful security measures. Encryption and other protections must be in place to safeguard footage from hackers or unauthorized access.
Some organizations choose to store footage on local networks or closed-circuit systems to reduce the risks associated with online storage. Cloud storage, if used, must follow HIPAA’s privacy and security guidelines.
Managing video surveillance alongside HIPAA compliance can be challenging, so working with security experts can help. These providers offer guidance on HIPAA-compliant systems and assist with implementing effective privacy and security measures.
Collaborating with experienced providers ensures that surveillance systems are built and maintained properly, reducing the risk of compliance issues.
HIPAA also addresses how long organizations should retain ePHI, including surveillance footage. Clear policies for retaining and securely disposing of footage are key for compliance.
Automating deletion processes ensures that old footage is removed once it is no longer needed, helping organizations comply with retention rules.
Healthcare organizations that handle controlled substances must follow additional security regulations. Some states require surveillance cameras in areas where these substances are stored, and backup power systems may be necessary to ensure constant monitoring.
These surveillance systems should work in tandem with other security protocols to protect controlled substances.
Video surveillance improves security, but organizations must still respect the privacy of patients and staff. Sensitive areas, like exam rooms for patients and break rooms for staff, should remain private.
Patients have the right to access their PHI, including any PHI captured in surveillance footage. However, healthcare organizations must review the footage carefully before sharing it, making sure to obscure the identities of any other individuals. In some cases, providing partial access to footage may be the best approach to balance patient access rights with privacy concerns.
A notable example of a HIPAA violation occurred at Sharp Grossmont Hospital in California. Between 2012 and 2013, the hospital secretly recorded 1,800 patients without their consent using motion-activated cameras in operating rooms. These recordings captured patients during sensitive procedures, including childbirth and surgery. The hospital claimed the intent was to catch drug thefts by staff, but the recordings inadvertently included extensive footage of patients' private moments.
This incident led to a class-action lawsuit against the hospital, which settled in 2019 for $1 million. The case showed a serious breach of patient privacy and indicated the necessity of obtaining explicit consent before recording in medical settings and of adhering strictly to HIPAA regulations to protect patient information.
Yes, HIPAA applies to video recordings if they capture protected health information (PHI) that could be used to identify a patient and relate to their medical condition, treatment, or care.
Exceptions are limited and typically pertain to situations required by law, such as certain public health activities or law enforcement purposes. Even in these cases, the recordings must comply with HIPAA's minimum necessary standard.
In telehealth, video recordings should be made using secure, HIPAA-compliant platforms that ensure the confidentiality and integrity of PHI. Patients should be informed of, and provide consent for, any recordings made during telehealth sessions.