HIPAA Compliance and Video Security – What You Need to Know
June 10, 2021
Many HIPAA-compliant organizations wonder how video surveillance fits into their security solution. Security cameras help hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations secure their facilities and protect patients and employees. However, it’s crucial to maintain HIPAA compliance to protect Personal Health Information (PHI) while using a video security solution.
In this article, you’ll learn how to use security cameras in a HIPAA-compliant way, and how you can use video surveillance to strengthen overall HIPAA compliance throughout your entire organization.
What is HIPAA Compliance?
Let’s start with a bit of background first. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It was created to modernize the flow of healthcare information, and it specifies requirements to protect patients’ personal health information (PHI, also referred to as PII or Personally Identifiable Information). These rules apply to anyone handling sensitive patient data; within HIPAA, those parties are often referred to as “covered entities.”
In 2013, the rules were expanded to include ‘business associates’, meaning anyone that might handle PHI on a covered entity’s behalf, such as a software vendor.
What kinds of information does HIPAA cover?
HIPAA is meant to protect Personally Identifiable Information in any form or medium. Many people assume this means data – like social security numbers, names, and driver’s licenses – but it is much broader and covers any identifiable information, including fingerprints, photographs (of a face or anything else that can be tied to a specific person), and even voiceprints.
Anytime a facility or organization stores PHI (whether physical or digital), it must ensure that the information is secure and private, so that only authorized personnel can access it. For computers, this often means requiring a password and encrypting file contents. From a physical standpoint, it can entail putting privacy screens on monitors, access control on doors to sensitive files, and security cameras around a facility to document access to areas with PHI.
The basic idea is that PHI cannot accidentally be viewed, leaked, or seen by unauthorized personnel.
How Does HIPAA Compliance Pertain to Video Security?
There are two aspects to consider when it comes to HIPAA compliance and video surveillance:
- Using video surveillance as a tool to improve overall HIPAA compliance
- Making sure your video surveillance setup itself is HIPAA compliant
Many hospitals, pharmacies, clinics, labs, rehab centers, and other healthcare organizations use video surveillance as part of a physical security solution. By following best practices, it’s easy to use security cameras in full accordance with HIPAA regulations. Video security can also enhance HIPAA compliance on a facility-wide basis. In the following sections, we’ll go over both these aspects of HIPAA compliance and video security.
How do video security cameras improve overall HIPAA compliance?
Video security can be used to enhance and improve overall HIPAA compliance throughout your organization because it records who is accessing PHI and when. By creating this visual documentation, it functions as a physical safeguard as described by the HIPAA Security Rule.
Surveillance Cameras and the HIPAA Security Rule
Under both the HIPAA Privacy Rule and Security Rule, an organization must put safeguards in place to protect PHI, with the latter specifically pertaining to electronic PHI, which includes video surveillance footage.
Under the Security Rule, there are three main safeguards outlined that organizations need to implement: administrative safeguards, technical safeguards, and physical safeguards. To comply with HIPAA, you’ll need to have a game plan for each of these areas.
- Administrative safeguards pertain to the policies and procedures within an organization to help protect PHI.
- Technical safeguards can refer to anything like encryption, using modern firewalls, or using a single sign-on provider like Okta across the organization.
- Physical safeguards can include using access control (badge systems) and security cameras where appropriate. The idea is to restrict physical access to sensitive information and create a documented trail of who accesses the data and when.
Video surveillance is a key part of the ‘physical safeguards’ component of the HIPAA Security Rule. Security footage provides a clear record of who accessed PHI and when—especially when the platform incorporates AI features such as facial recognition.
Do You Need Security Cameras to Record Who Is Accessing PHI / PII?
When it comes to HIPAA compliance, there are no specific rules that tell organizations exactly how to reach compliance—just that they must be compliant. The exact implementation is up to the covered entities and their business associates. So, in the case of video security, there are no specific regulations pertaining to recording PHI access.
Therefore, even though recording PHI access via security cameras is not specifically required, it falls under HIPAA compliance best practices. It’s in an organization’s best interest to deploy security cameras to ensure they can document and audit who has access to specific resources that contain PHI.
The more ways to audit the access of this information, the better it is for an organization. In the event of a breach, they can definitively show who had access and when.
To learn how you can improve HIPAA compliance by combining smart cameras with integrated access control, read How to Protect PHI with Security Cameras & Integrated Access Control.
How do you ensure video surveillance is HIPAA compliant?
When you use security cameras in a healthcare environment, the video footage that you record qualifies as PHI. As PHI, video surveillance footage must be protected according to HIPAA regulations.
These best practices will help you stay within HIPAA compliance guidelines:
Follow the ‘Reasonable Expectation of Privacy’ Rule: In general, security cameras are not permitted in areas where people have a “reasonable expectation of privacy”. Make sure you are using cameras in ‘public’ areas and not in areas where people expect privacy, such as bathrooms or changing rooms.
Audit Camera Placement: Identify any cameras that have access to PHI—this means anywhere it’s possible to see personal or identifying information. This includes both physical spaces—like labs or operating rooms—and cameras that have a view of computer screens that may display PHI.
Footage from these surveillance cameras must be tightly controlled to protect sensitive information. You can accomplish this by limiting access to footage, and by using a video security system that has configurable privacy masks (the ability to black out a piece of the video, such as a computer monitor) and integrates with access control.
Limit Access to Video System: Have strict access control into the system so that you know exactly who logs in and when. If you use dedicated Viewing Stations or Monitors, don’t place them in public areas. Make sure camera footage can only be viewed in restricted areas by authorized personnel.
Use Permissions-Based Role Management: Use a platform that lets you customize system access levels for different users. Control access to PHI by sharing and restricting access to different cameras on an individual or role-based basis. For example, you may want to give your receptionist access to a lobby camera, but not interior cameras.
Choose a Video Security System That Has Documented Security Practices: Choose a system that leverages strong security safeguards like end-to-end encryption, audit logs of all system access, and regular third-party security audits to check for potential system vulnerabilities. You can review some of Rhombus' security practices here and here.
Surveillance cameras are a helpful tool that many healthcare organizations use to secure their facilities and protect patients and employees. By following several best practices, it’s easy to use security cameras in a HIPAA-compliant way to increase your organization’s safety and visibility. In addition, security cameras can help healthcare facilities improve overall HIPAA compliance by creating a video record of who accesses PHI and when.
HIPAA compliance can be complicated, and Rhombus often addresses questions from prospects about video surveillance, security cameras, and HIPAA regulations. Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.
Rhombus has worked with numerous healthcare organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their healthcare organization.