Many HIPAA-compliant organizations wonder how video surveillance fits into their security solution. Security cameras help hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations secure their facilities and protect patients and employees. However, it’s crucial to maintain HIPAA compliance to protect Personal Health Information (PHI) while using a video security solution.
In this article, you’ll learn how to use security cameras in a HIPAA-compliant way, and how you can use video surveillance to strengthen overall HIPAA compliance throughout your entire organization.
Let’s start with a bit of background first. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It was created to modernize the flow of healthcare information, and it specifies requirements to protect the personal health information of patients (PHI, also referred to as PII or Personally Identifiable Information). These rules apply to anyone handling sensitive patient data; within HIPAA, these parties are often referred to as “covered entities”.
In 2013, the rules were expanded to include ‘business associates’, which covers anyone that might handle PHI on a covered entity’s behalf, such as a software vendor.
HIPAA is meant to protect Personally Identifiable Information in any form or medium. Many people assume this means data – like social security numbers, names, and driver’s licenses – but it is much broader and also covers any identifiable information, such as fingerprints, photographs (of a face or anything else that can be tied to a person), or even voiceprints.
Anytime a facility or organization stores PHI (whether physical or digital), they must ensure that it is secure and private such that only authorized personnel can access that information. For computers, this often means requiring a password and encrypting their file contents. From a physical standpoint, it can entail putting privacy screens on monitors, access control on doors to sensitive files, and security cameras around a facility to document access to areas with PHI.
The basic idea is that PHI cannot accidentally be viewed, leaked, or seen by unauthorized personnel.
There are two aspects to consider when it comes to HIPAA compliance and video surveillance:
Many hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations use video surveillance as part of a physical security solution. By following best practices, it’s easy to use security cameras in full accordance with HIPAA regulations. Video security can also enhance HIPAA compliance on a facility-wide basis. In the following sections, we’ll go over both these aspects of HIPAA compliance and video security.
Video security can be used to enhance and improve overall HIPAA compliance throughout your organization because it records who is accessing PHI and when. By creating this visual documentation, it functions as a physical safeguard as described by the HIPAA Security Rule.
Under both the HIPAA Privacy Rule and Security Rule, an organization must put safeguards in place to protect PHI, with the latter rule specifically pertaining to electronic PHI, which includes video surveillance footage.
Under the Security Rule, there are three main safeguards outlined that organizations need to implement: administrative safeguards, technical safeguards, and physical safeguards. To comply with HIPAA, you’ll need to have a game plan for each of these areas.
Video surveillance is a key part of the ‘physical safeguards’ component of the HIPAA Security Rule. Security footage provides a clear record of who accessed PHI and when—especially when the platform incorporates AI features such as facial recognition.
When it comes to HIPAA compliance, there are no specific rules that tell organizations exactly how to reach compliance, just that they must be compliant. The exact implementation is up to the covered entities and their business associates. In the case of video security, there are no specific regulations pertaining to recording PHI access.
Therefore, even though recording PHI access via security cameras is not specifically required, it falls under HIPAA compliance best practices. It’s in an organization’s best interest to deploy security cameras to ensure they can document and audit who has access to specific resources that contain PHI.
The more ways to audit the access of this information, the better it is for an organization. In the event of a breach, they can definitively show who had access and when.
To learn how you can improve HIPAA compliance by combining smart cameras with integrated access control, read How to Protect PHI with Security Cameras & Integrated Access Control.
When you use security cameras in a healthcare environment, the video footage that you record qualifies as PHI. As PHI, video surveillance footage must be protected according to HIPAA regulations.
These best practices will help you stay within HIPAA compliance guidelines:
Audit Camera Placement: Identify any cameras that have access to PHI—this means anywhere it’s possible to see personal or identifying information. This includes both physical spaces—like labs or operating rooms—and cameras that have a view of computer screens that may display PHI.
Footage from these surveillance cameras must be tightly controlled to protect sensitive information. You can accomplish this by limiting access to footage. You can also leverage a video security system that has configurable privacy masks (the ability to black out a piece of video, such as a computer monitor) and integrates with access control.
Surveillance cameras are a helpful tool that many healthcare organizations use to secure their facilities and protect patients and employees. By following several best practices, it’s easy to use security cameras in a HIPAA-compliant way to increase your organization’s safety and visibility. In addition, security cameras can help healthcare facilities improve overall HIPAA compliance by creating a video record of who accesses PHI and when.
HIPAA compliance can be complicated, and Rhombus often addresses questions from prospects about video surveillance, security cameras, and HIPAA regulations. Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.
Rhombus has worked with numerous healthcare organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their healthcare organization.