DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Covered entities may wish to install surveillance cameras to record video in and around their facilities. This article goes over the HIPAA concerns posed by such recordings.
What Are the Concerns Raised by Video Recording?
One issue raised by video recording of patients is that of patient consent. HIPAA does not require that a patient consent to recording. State law generally requires such consent, though.
HIPAA regulates the use and disclosure of PHI. As soon as PHI is created through the act of recording, the HIPAA rules regarding the use and disclosure of PHI "kick in." HIPAA generally prohibits the use or disclosure of video footage of a patient without that patient's prior written authorization.
A recording of a patient serves to identify that patient - that is, the recording captures PHI. PHI may include, but is not limited to, photos of unique identifying marks (such as birthmarks or tattoos), full-face photos, and photos of a patient that are "date-stamped" (the date stamp is an identifier, reflecting a date of service).
If a recording is made for certain treatment, payment, or healthcare operations purposes, it is possible that the use or disclosure of the recording might not require prior written authorization. Providers also might not have to obtain prior written authorization if the recording is required by law. Providers should always consult with healthcare counsel to determine whether consent to the recording is required, to determine whether the purpose for the recording is permissible, and to determine whether the recording requires written patient authorization. Providers should also consult with healthcare counsel to determine what safeguards should be in place with respect to the use and disclosure of a permissible, authorized recording.
When Else Should Covered Entities Not Conduct Recording?
Providers should always consult with local counsel prior to installing any video surveillance in a facility. Generally (a provider should confirm this with legal counsel), regardless of whether video surveillance of a patient is permitted, audio surveillance should not be conducted; providers should never install cameras in public areas like consultation rooms, with the possible exception of rooms housing medications and information technology servers if those areas are not accessible by non-workforce members; amd providers should not record video of computer screens. Again, providers should consult with qualified legal counsel with respect to these activities.
Providers should NEVER install video surveillance in areas, even in public areas, in a facility where substance use disorder services will be delivered.
What Can Surveillance Cameras Record?
In the absence of a law or policy prohibiting the practice, video surveillance of public areas is generally permitted. Even if recording is permitted, though, it is a best practice to have to a patient sign a consent form to make them aware that these areas (lobby, front desk/reception area) are being surveilled. Surveillance of waiting room activity is generally permissible. Providers should have patients sign a consent form to make the patient aware that the waiting room is being surveilled.
What are the HIPAA Rules Once Something Has Been Recorded?
Once footage, whether of a patient, a room, or anything else in a facility, has been recorded, the use or disclosure of that footage must be conducted in accordance with the HIPAA Privacy Rule, Breach Notification Rule, and Security Rule. To ensure recordings are not viewed, used, or disclosed impermissibly or by people without authorization, providers should adhere to Security Rule standards, including (but not limited to) access controls and audit controls, that specify who may footage (e.g., only authorized personnel who have a need to view specific footage), and that can determine who in fact DID view the footage (and what footage was reviewed)
What About Recordings of Employees?
If the purpose of video surveillance is specifically to monitor employee activity, the surveillance must be conducted in accordance with state and federal law. If there are no specific laws prohibiting video surveillance of employees, a provider should let employees know before they begin their employment that the premises are being monitored. Providers may also post clear signage that states something to the effect of "Video cameras are used to monitor the premises."
Are there other Issues About Recordings to be Aware of?
If video surveillance recording is managed in the cloud (e.g., ring, alarm.com, Google, etc., the cloud services provider is acting as a business associate of the provider. Providers must sign business associate agreements with cloud storage vendors, even if the vendor is simply storing the footage (as opposed to accessing it).
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article