Maintaining HIPAA Compliance in an Ever Surveilled World

Video surveillance of public areas within medical clinics and hospitals is usually acceptable and welcomed by patients, especially in those areas that have the highest levels of foot traffic and are thus the most crucial areas to monitor to determine who has entered the facility, to identify potential threats, and to record footage of any incidents that might occur. In today’s world, however, some people consider such security camera systems to be an invasion of privacy, especially when such systems are located within medical clinics and hospitals wherein confidential medical information is ever present. The presence of such video surveillance systems in areas with confidential medical information ultimately leads to concerns about potential Health Insurance Portability and Accountability Act (HIPAA) violations. Security cameras located in the public areas of hospitals, such as the check-in area and hallways, do not inherently violate HIPAA. HIPAA primarily pertains to the privacy and security of protected health information (PHI) in healthcare settings. Conversely, if security cameras are located in areas where PHI is present, and capable of being captured on video, there are steps that can be taken to help better ensure full compliance with HIPAA’s privacy and security provisions.

1. Cameras should be positioned to minimize capturing PHI.
2. Access to recorded video footage should be limited to those individuals with a ‘need to know’ ;
   i.e. those individuals who have a legitimate reason and/or need to view it.
3. Strict access controls and logs should be enforced to track who accesses recorded footage at any time.
4. All recorded footage should be securely stored and retained in accordance with HIPAA's retention requirements.
5. All staff and personnel should be trained in the proper handling of PHI and the potential risks associated with its exposure to security cameras.
6. A business associate agreement (BAA) should be put in place if a third-party is responsible for managing the security camera system to establish the responsibilities of the third-party to protect PHI. Although security cameras may not inherently violate HIPAA, the way that they are used within medical clinics and hospitals can certainly impact their compliance. Taking the necessary and proper steps to protect PHI in accordance with HIPAA is vital to both the patient and the healthcare provider.