Security cameras have become an unavoidable part of daily life in America, in business settings, in public spaces, and at home, where they are used for personal security.
While they might also enhance staff and patient safety in a medical practice, the use of security cameras in a medical setting raises a complex series of ethical and legal issues under HIPAA rules.
In this episode of the Ask MGMA podcast, senior advisor Cristy Good discusses the considerations and limitations practice managers must weigh before rolling out security cameras anywhere in a medical facility.
Public vs. Private Spaces
Good explains that, to legally guard against violations involving sensitive patient health information (PHI), cameras can generally only be used in public areas such as practice lobbies and hallways, building entrances and parking lots.
Cameras can be used for facility security and for monitoring unauthorized access to restricted areas such as supply closets or pharmacies. They can also help deter theft or vandalism and document any incidents or disputes at reception or check-in.
“The key is that there’s no reasonable expectation of privacy in those public areas,” she says. “But cameras should not be installed in places like exam rooms, treatment areas, nursing stations or restrooms, anywhere that PHI might be visible or discussed.”
Protecting PHI in Sensitive Locations
In general, a recording is considered PHI if it captures individually identifiable health information such as names, faces or overheard conversations about treatment.
“So even a check-in conversation with the front desk person could be considered PHI if it includes identifiable details,” she says. “Once that happens, HIPAA has full privacy and security requirements that are applied to the footage.”
Good also cautions that any audio recordings that capture conversations between staff and patients can elevate your compliance risk.
“Some states say that audio recording without all parties’ consent is illegal, so even if your video is OK under HIPAA, recording sound may violate state law or require informed consent.”
Access Controls Required for HIPAA Compliance
For practices that could still potentially capture PHI with their security systems, Good says HIPAA compliance rules are rigid. Practices will need to encrypt that recorded video and audio, and will also have to restrict any access to authorized personnel only, implementing role-based controls with the footage stored on a secure server.
“Any access is also logged, and there’s a defined retention policy from 30 to 90 days,” she adds. “And, importantly, any monitors shouldn’t be viewable in public areas. This all ties into the HIPAA Security Rule.”
Special Rules for Third-Party Vendors
If practices decide to use an outside provider to set up and collect security video and audio, those third-party vendors need to have a business associate agreement (BAA) in place, in case they store or access any recordings that might contain PHI. Under HIPAA, the BAA they sign must outline how they’ll safeguard that data.
Signage and Notification of Recordings
Good says the best practice for medical organizations is to always notify patients and staff that cameras are being used through visible signage, even if that is not a strict HIPAA requirement.
“In every case, it’s about transparency and trust,” she says. “It’s also important to have a written policy on camera use and make sure your staff are trained on it annually. You want to make sure that everyone knows what’s appropriate, and what isn’t.”
Do a Legal Consult Before Installing Cameras
While HIPAA sets a federal standard for PHI protection, states such as California have their own privacy rules for audio recordings, known as “two-party consent.”
According to the Cooperative of American Physicians, there may be similar and elevated rules regarding security cameras across the U.S. Good suggests practices work with local legal counsel to ensure they aren’t breaking any other regulations by installing security camera equipment.
“Your state might also have some additional protection under federal law like 42 CFR Part 2, as is the case for behavioral health units. You really still need to make sure your legal counsel for your practice is on the same page with you before doing anything with cameras,” she adds.
Action Items for Practice Managers
MGMA has provided the following risk management checklist for practices that are either considering adding a brand-new security camera system or reviewing the potential liabilities related to an existing system:
- Conduct a privacy and security analysis/risk analysis to review where cameras are placed and what they are capturing.
- Review state laws to ensure compliance, in addition to federal HIPAA rules.
- Update signage and written policies, and ensure staff are well-trained on the camera usage policy.
- If using a third-party vendor to record and store audio/video, ensure a Business Associate Agreement (BAA) is in place.
Resources:
- HHS/HIPAA Privacy Rules: Security Rule Guidance Material
- HIPAA Journal: HIPAA and Video Surveillance
- AMA Code of Ethics: Patient Privacy & Outside Observers to the Clinical Encounter
- National Institute of Standards and Technology: Implementing the HIPAA Security Rule, A Cybersecurity Resource Guide