July 23, 2019
What You Need to Know – HIPAA Compliance and Video Security
If you’re reading this article, then you are probably involved in the healthcare industry and tasked with implementing or managing video security. There are many things to consider when working with video security, and this article will provide what you need to know when deploying HIPAA compliant security cameras within your organization.
What is HIPAA Compliance?
Let’s start with a little bit of background first. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It was created to modernize the flow of healthcare information and specifies requirements to protect patients’ protected health information (PHI). PHI overlaps with, but is not the same as, personally identifiable information (PII): PHI is individually identifiable health information held or transmitted by a health plan, a healthcare clearinghouse, or a healthcare provider. Within HIPAA, these organizations are referred to as “covered entities”.
In 2013, the HIPAA Omnibus Rule made ‘business associates’ directly liable for compliance. A business associate is any organization that creates, receives, maintains, or transmits PHI on a covered entity’s behalf, such as a software or cloud vendor.
The act covers this information in any form or medium. Many people assume it means data like social security numbers, names, and driver’s license numbers, but it is much broader and includes any identifier that can be linked to a person, such as fingerprints, full-face photographs (or any comparable image), and voiceprints.
Anywhere a facility or organization stores PHI, whether physical or digital, it must ensure that the information is secure and private, so that only authorized personnel can access it. For computers, this often means requiring a password and encrypting file contents. From a physical standpoint, it can entail putting privacy screens on monitors, access control on doors to rooms holding sensitive files, and security cameras around a facility to document access to areas with PHI.
The basic idea is that PHI cannot accidentally be viewed, leaked, or seen by unauthorized personnel.
How Does HIPAA Compliance Pertain to Video Security?
Reading the above about PHI, you might assume you don’t want or need security cameras because they might capture patients on video. While there are some areas where you shouldn’t have cameras, which we’ll address below, in general, security cameras are a good way to help comply with HIPAA.
Under both the HIPAA Privacy Rule and Security Rule, an organization must put safeguards in place to protect PHI with the latter specifically pertaining to electronic PHI.
Under the Security Rule, there are three main safeguards outlined that organizations need to implement: administrative safeguards, physical safeguards, and technical safeguards.
Administrative safeguards pertain to the policies and procedures within an organization to help protect PHI.
Technical safeguards cover the technology that protects electronic PHI: access controls and user authentication (for example a single sign-on provider like Okta used across the organization), audit logging, integrity controls, and encryption of data in transit and at rest, alongside network controls such as modern firewalls.
For physical safeguards, this can include using access control (badge systems) and security cameras where appropriate. The idea is to restrict physical access to sensitive information and create a documented trail of who accesses the data and when.
So, to comply with HIPAA, you’ll need to have a game plan in each of these areas and video security is a key component in ensuring physical safeguards.
Following the Basic Rules of Video Security First
Even though video security is a key component of your HIPAA compliance plan, there are basic guidelines you need to follow when setting up cameras.
First of all, while healthcare facilities can legally install cameras in ‘public’ areas, there are certain areas that are always off-limits. These are areas where people expect a reasonable amount of privacy, which includes changing rooms, bathrooms, exam rooms, etc. If you want more details regarding this, we’ve previously written about where cameras can be installed here and here.
There are other best practices you should follow, like ensuring that any publicly viewable camera monitor does not expose PHI. For example, you shouldn’t have monitors visible to unauthorized personnel that might show an operating room or a computer screen displaying PHI. For all video, we strongly encourage that footage is viewed only in restricted areas where the public cannot see it.
Do You Need Security Cameras to Record Who Is Accessing PHI / PII?
HIPAA does not prescribe specific technologies. The Security Rule is technology-neutral: it states the safeguards that must be in place and leaves the exact implementation to covered entities and their business associates, who must document the decisions they make.
So, in the case of video security, there is no rule that says you must record who is accessing PHI, but it is in an organization’s best interest to deploy security cameras so it can document and audit who has access to specific resources that contain PHI.
The more ways to audit the access of this information the better it is for an organization, so in the event of a breach, they can definitively show who had access and when.
What Safeguards Need to Be Taken With Security Cameras to Follow HIPAA Compliance Requirements?
If you decide you want to use security cameras in your organization, a few safeguards are required to stay within the HIPAA compliance guidelines.
Only Use Cameras in ‘Public’ Areas
First of all, and as mentioned above, ensure you are using cameras in ‘public’ areas and not in areas where people expect reasonable privacy like bathrooms or changing rooms.
Audit Camera Placement
Identify any cameras that have access to PHI, which can include being able to view screens with PHI, operating rooms where you might be able to identify a patient, or anywhere else there is a potential to see personal information.
If you need a camera in one of these areas, you can leverage a video security system that has configurable privacy masks (ability to black out a piece of video like a computer monitor) and has access control.
Limit Access to Video System
Have strict access control into the system so that you know exactly who logs in and when.
Don’t Put Viewing Stations or Monitors in Public Areas
Avoid having any viewing stations or monitors that show camera footage in public areas. Make sure the cameras can only be viewed in restricted areas by authorized personnel.
Choose a Video Security System That Has Documented Security Practices
Choose a system that leverages strong security safeguards like end-to-end encryption of video footage, audit logs of all system access, and regular third-party security audits to check for potential system vulnerabilities. You can check out some of our security practices here and here.
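The privacy mask described under “Audit Camera Placement” and the access logging described under “Limit Access to Video System” can both be enforced at the point where video is ingested, before anything is stored. The Python below is an added example written for this article, not code from any vendor’s product. The frame format (a list of rows of grayscale values), the MaskRegion type, and the audit_entry and verify_chain helpers are assumptions for illustration. It shows the mask applied to a copy of the frame before recording (so the masked area, such as a monitor showing PHI, never reaches storage), clipping of regions that extend past the frame edge, and an access log where each entry is chained to the previous one so that deleted or edited entries are detectable.

```python
"""Privacy masking at ingest plus a tamper-evident access log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

BLACK = 0  # pixel value written into a masked region
GENESIS = "0" * 64  # assumed starting link for an empty audit chain


@dataclass(frozen=True)
class MaskRegion:
    """Rectangle in pixel coordinates: top-left corner plus width and height."""
    x: int
    y: int
    w: int
    h: int


def make_frame(width, height, value=200):
    """Constructed sample frame: a grayscale image stored as rows of ints."""
    return [[value] * width for _ in range(height)]


def _clip(region, width, height):
    """Intersect a region with the frame bounds; None if there is no overlap."""
    x0, y0 = max(region.x, 0), max(region.y, 0)
    x1, y1 = min(region.x + region.w, width), min(region.y + region.h, height)
    if x0 >= x1 or y0 >= y1:
        return None
    return x0, y0, x1, y1


def apply_privacy_masks(frame, regions):
    """Return a copy of frame with every region blacked out.

    The copy is what gets recorded or streamed. The unmasked frame is never
    persisted, so an operator who later changes the mask settings cannot
    recover what was behind it.
    """
    height = len(frame)
    width = len(frame[0]) if height else 0
    out = [row[:] for row in frame]
    for region in regions:
        box = _clip(region, width, height)
        if box is None:
            continue  # region lies entirely outside the frame
        x0, y0, x1, y1 = box
        for y in range(y0, y1):
            row = out[y]
            for x in range(x0, x1):
                row[x] = BLACK
    return out


def masked_pixels(frame):
    """Count black pixels; used to check that a mask actually covered something."""
    return sum(1 for row in frame for px in row if px == BLACK)


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def audit_entry(user, camera_id, action, prev_hash, now=None):
    """One access-log record (who, which camera, what, when) chained by SHA-256.

    Storing prev_hash in each entry means recomputing the chain exposes any
    entry that was altered or removed after the fact.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    body = {"ts": ts, "user": user, "camera": camera_id,
            "action": action, "prev": prev_hash}
    body["hash"] = _digest(body)
    return body


def verify_chain(entries, genesis=GENESIS):
    """True if every entry's hash matches its content and links to the one before."""
    prev = genesis
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != e.get("hash"):
            return False
        prev = e["hash"]
    return True


if __name__ == "__main__":
    frame = make_frame(64, 48)
    masks = [MaskRegion(10, 10, 20, 8),     # e.g. a workstation monitor in view
             MaskRegion(60, 40, 10, 10),    # partly past the right/bottom edge
             MaskRegion(100, 100, 5, 5)]    # fully outside the frame: ignored
    safe = apply_privacy_masks(frame, masks)
    print("masked pixels:", masked_pixels(safe))
    log = [audit_entry("jdoe", "cam-lobby-01", "view", GENESIS)]
    log.append(audit_entry("jdoe", "cam-lobby-01", "export", log[-1]["hash"]))
    print("chain valid:", verify_chain(log))
```

The mask is applied to a copy so the function is safe to call in a pipeline that still holds the raw frame for a moment, but the design intent is that only the returned copy is ever written to disk or sent to a viewer. The audit chain does not stop a privileged operator from rewriting the whole log; it makes partial edits and deletions visible on the next verification, which is the property you want when you later need to show who viewed footage and when.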
We wrote this article because we’ve worked with numerous organizations that need to be HIPAA compliant and chose to use our cloud security cameras as part of their compliance strategy. We often address similar questions among prospects looking to use cameras, so we thought it’d be really helpful to write an article for anyone considering the use of security cameras in their healthcare organization.
Feel free to reach out to one of our experts if you have any questions on how to best roll out video security within your organization.