Surveillance and HIPAA - What You Should Know
by Kathy Everitt on Tuesday, February 26, 2019
Surveillance cameras are showing up everywhere. For a healthcare practice, surveillance cameras offer both patients and staff safety. Keep in mind, however, there can be HIPAA concerns.
If you have cameras, you must ensure that the cameras can be used without compromising patients’ Protected Health Information (PHI). PHI is not only the data we are most familiar with in a healthcare office, such as medical record information, but also biometric identifiers such as voice prints and full-face photographic images. This is where the HIPAA issue comes into play with the use of surveillance cameras in a healthcare facility.
To mitigate a HIPAA violation or allegation of a PHI breach, follow these guidelines:
- There should be absolutely no cameras in exam rooms.
- Security cameras at the front and back entrances are acceptable, as these are considered public areas. However, there should be a highly visible notice to the public that the areas are being monitored by video surveillance.
- Take precautions so that there is no possibility of the public viewing any recorded information.
Create a policy and procedure for your staff regarding the use of, management of, and disposal of the cameras/recordings to mitigate the risk of releasing PHI:
- Who will have access to the recordings?
- How long will the recordings be kept?
- Where will the recordings be kept?
- How will recordings be disposed of (disposal must be consistent with disposing other PHI if PHI is present)?
- How will a recording be released in the event of a request so as to prevent the unintentional release of other PHI?
- Have security measures in place to prevent hacking and if video is stored, consider encryption?
- If the cameras are monitored by a third party, a Business Associate Contract (BAC) is necessary.
- Provide appropriate HIPAA training to the staff who might have access to the PHI involved with the recordings.