What are the HIPAA Rules on Surveillance Cameras and Recording?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

HIPAA-covered entities may wish to install surveillance cameras to record video in and around their facilities. The placement of video surveillance in a facilities should be reviewed for compliance with legal standards by a qualified person with sufficient understanding prior to implementation.

What are Some Video Surveillance Considerations?

Video surveillance can play a valuable role in enhancing security and safety within healthcare settings but can violate privacy rights of individuals.  To effectively use video surveillance while safeguarding patient privacy and meeting HIPAA requirements, consider the following:

• Always consult with legal counsel or other individuals viewed to be qualified by your organization who are knowledgeable about laws in your locations prior to installing video surveillance.
• Do not include audio surveillance unless truly required for the operational need.
• Never install cameras in non-public areas like consultation rooms with the exception of rooms housing medications and information technology servers if they are not accessible by non-workforce members.
• Never record video of computer screens.
• Post notice of any surveillance.
• Only allow designated trained workforce members to review video footage.
• Consider asking individuals to consent to surveillance in public areas.
• NEVER install video surveillance in areas, even in public areas, in a facility where substance use disorder services will be delivered.
• Always clearly document the reasons for the video surveillance and the review.
• Periodically determine if the need for video surveillance remains.
• Establish a retention and review schedule for all video surveillance and follow it.

What are Some Additional Video Surveillance Considerations?

1. Clearly define the purpose of video surveillance and the areas to be monitored. Ensure that surveillance is justified for security, safety, and operational reasons. The rationale for surveillance should be well-documented to demonstrate a legitimate need.  Before installing cameras, conduct a thorough risk assessment to identify potential privacy risks.

2. Assess the areas to be monitored and ensure that they don't compromise patient privacy, such as exam rooms, bathrooms, and other sensitive areas.  

3. Limit the scope of video surveillance to areas that genuinely require monitoring.

4. Avoid capturing unnecessary or unrelated activities that could involve patient information.

5. Configure cameras to focus on entrances, exits, public areas, and critical access points.

6. Post visible notices to inform individuals that video surveillance is in use. Ensure that patients and staff are aware of the surveillance and its purpose. While consent may not always be required, transparency is essential.

7. Restrict access to video footage to authorized personnel only. Implement strong access controls, including passwords and multi-factor authentication, to prevent unauthorized viewing of recorded material.

8. Establish a clear retention policy for video footage. Keep footage only for as long as necessary for its intended purpose, and promptly delete or overwrite recordings that are no longer needed.

9. Ensure that video recordings are encrypted during transmission and storage to protect against unauthorized access. Regularly update and maintain camera systems to prevent vulnerabilities.

10. Regularly review video footage to detect and investigate any unusual activities or security breaches. Implement an auditing process to monitor access to video recordings and ensure compliance with access controls.

11. Educate staff about the proper use of video surveillance, its limitations, and their responsibilities in maintaining patient privacy.

12. Provide training on how to handle footage appropriately and securely. Develop a clear plan for responding to incidents captured on video, including breaches of patient privacy.

13. Establish procedures for reporting and addressing potential violations promptly.

14. Document the implementation of video surveillance, including its purpose, areas covered, risk assessment results, and security measures implemented.

15. Keep records of video surveillance policies, procedures, training, and incident responses.