Many HIPAA-compliant organizations wonder how video surveillance fits into their security solution. Security cameras help hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations secure their facilities and protect patients and employees. However, it’s crucial to maintain HIPAA compliance to protect Personal Health Information (PHI) while using a video security solution.
In this article, you’ll learn how to use security cameras in a HIPAA-compliant way, and how you can use video surveillance to strengthen overall HIPAA compliance throughout your entire organization.
Let’s start with a bit of background first. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It was created to modernize the flow of healthcare information and specifies requirements to protect the personal health information (PHI or also referred to as PII or Personally Identifiable Information) of patients. These rules apply to anyone handling sensitive patient data and within HIPAA are often referred to as “covered entities”.
In 2013, the rules were expanded to include ‘business associates’ which includes anyone that might handle PHI on a covered entities’ behalf, such as a software vendor.
HIPAA is meant to protect Personally Identifiable Information in any form or medium. Many people assume this means data – like social security numbers, names, and driver’s licenses – but it is much broader and also includes any identifiable information including fingerprints, photographs (face or anything that can be identified to a person), or even voiceprints.
Anytime a facility or organization stores PHI (whether physical or digital), they must ensure that it is secure and private such that only authorized personnel can access that information. For computers, this often means requiring a password and encrypting their file contents. From a physical standpoint, it can entail putting privacy screens on monitors, access control on doors to sensitive files, and security cameras around a facility to document access to areas with PHI.
The basic idea is that PHI cannot accidentally be viewed, leaked, or seen by unauthorized personnel.
There are two aspects to consider when it comes to HIPAA compliance and video surveillance:
Many hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations use video surveillance as part of a physical security solution. By following best practices, it’s easy to use security cameras in full accordance with HIPAA regulations. Video security can also enhance HIPAA compliance on a facility-wide basis. In the following sections, we’ll go over both these aspects of HIPAA compliance and video security.
Video security can be used to enhance and improve overall HIPAA compliance throughout your organization because it records who is accessing PHI and when. By creating this visual documentation, it functions as a physical safeguard as described by the HIPAA Security Rule.
Under both the HIPAA Privacy Rule and Security Rule, an organization must put safeguards in place to protect PHI with the latter specifically pertaining to electronic PHI, which includes video surveillance footage.
Under the Security Rule, there are three main safeguards outlined that organizations need to implement: administrative safeguards, technical safeguards, and physical safeguards. To comply with HIPAA, you’ll need to have a game plan for each of these areas.
Video surveillance is a key part of the ‘physical safeguards’ component of the HIPAA Security Rule. Security footage provides a clear record of who accessed PHI and when—especially when the platform incorporates AI features such as facial recognition.
When it comes to HIPAA compliance, there are no specific rules that tell organizations exactly how to reach compliance—just that they must be compliant. The exact implementation is up to the covered entities and their business associates. So, with the case of video security, there are no specific regulations pertaining to recording PHI access.
Therefore, even though recording PHI access via security cameras is not specifically required, it falls under HIPAA compliance best practices. It’s in an organization’s best interest to deploy security cameras to ensure they can document and audit who has access to specific resources that contain PHI information.
The more ways to audit the access of this information, the better it is for an organization. In the event of a breach, they can definitively show who had access and when.
To learn how you can improve HIPAA compliance by combining smart cameras with integrated access control, read How to Protect PHI with Security Cameras & Integrated Access Control.
When you use security cameras in a healthcare environment, the video footage that you record qualifies as PHI. As PHI, video surveillance footage must be protected according to HIPAA regulations.
These best practices will help you stay within HIPAA compliance guidelines:
Audit Camera Placement: Identify any cameras that have access to PHI—this means anywhere it’s possible to see personal or identifying information. This includes both physical spaces—like labs or operating rooms—and cameras that have a view of computer screens that may display PHI.
Footage from these surveillance cameras must be tightly controlled to protect sensitive information. You can accomplish this by limiting access to footage and can also leverage a video security system that has configurable privacy masks (ability to black out a piece of video, such as a computer monitor) and integrates with access control.
Surveillance cameras are a helpful tool that many healthcare organizations use to secure their facilities and protect patients and employees. By following several best practices, it’s easy to use security cameras in a HIPAA-compliant way to increase your organization’s safety and visibility. In addition, security cameras can help healthcare facilities improve overall HIPAA compliance by creating a video record of who accesses PHI and when.
HIPAA compliance can be complicated, and Rhombus often addresses questions among prospects about video surveillance, security cameras, and HIPAA regulations. Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.
Rhombus has worked with numerous healthcare organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their healthcare organization.
Organizations in every industry use video surveillance to make decisions that affect the safety of their facilities, employees, visitors, and more. If you use IP security cameras for live monitoring, it’s especially important that footage has low latency and it is as accurate and up to date as possible. But what is considered ‘good’ or ‘bad’ latency when it comes to video surveillance? How does being in ‘the cloud’ affect it? This post will explore the differences between low latency, ultra-low latency, and real-time streaming. We’ll talk about what you actually need for your video security system, and how you can achieve ultra-low latency and real-time streaming.
While many organizations use basic video surveillance for physical security, modern solutions like smart security cameras can take it a step further. Smart security cameras can in fact be a powerful tool for protecting PHI according to HIPAA guidelines, especially when combined with integrated access control.
In a healthcare environment, you need security solutions you can rely on long-term. That's why many hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare facilities are future-proofing their video surveillance systems by moving to the cloud. With cloud video security, you can modernize and future-proof safety by automatically keeping cybersecurity up to date, supporting flexibility and growth with an integration-friendly platform, and by unifying physical security to save time and resources on a daily basis.