Safeguarding PHI is required under both the HIPAA Privacy Rule and Security Rule. The Security Rule specifically pertains to electronic PHI, which includes video surveillance footage.
How to ensure your video surveillance system meets these standards:
1. Administrative Safeguards
Administrative safeguards involve creating policies and procedures to protect electronic PHI. For video surveillance this includes:
- Implementing policies that outline the appropriate use of surveillance cameras.
- Training staff on these policies to ensure everyone understands their role in protecting PHI.
- Regularly auditing the surveillance system and camera placement to identify and address any areas of concern.
2. Technical Safeguards
Technical safeguards refer to the technology we use to protect electronic PHI. For video surveillance, this includes:
- Using encryption for all recorded footage to prevent unauthorized access.
- Implementing secure access controls to manage who can access the footage.
- Configuring cameras to black out sensitive information in the video, such as computer monitors displaying PHI. If this is not possible, cameras should be positioned so that screens are out of view.
3. Physical Safeguards
Physical safeguards are measures that prevent unauthorized physical access to sensitive information. For video surveillance, this involves:
- Placing cameras so that they are not in areas where there is a reasonable expectation of privacy, such as exam rooms and bathrooms.
- Controlling access to ensure that camera footage can only be viewed by authorized personnel in restricted areas.
- Using permissions-based role management to customize access levels for different users, ensuring that only those with a need to know can view certain footage.
Best Practices for HIPAA-Compliant Video Surveillance
- Reasonable Expectation of Privacy: Do not place cameras in private areas. Ensure cameras are only in public or semi-public areas where individuals do not expect complete privacy.
- Audit Camera Placement: Regularly review camera placements to ensure they do not capture unnecessary PHI.
- Limit Access to Footage: Implement strict access controls to monitor who can view the footage and when. Utilize dedicated viewing stations in restricted areas only.
- Permissions-Based Management: Customize access based on individual roles. For instance, a receptionist may access lobby cameras but not interior cameras. Individual logins should be used so that access can be audited.
- Choose a Secure System: Select a video security system with strong security practices, including end-to-end encryption, audit logs, and regular third-party security audits.
- It is advised to work with a HIPAA-compliant company that is willing to sign a Business Associate Agreement.
- Patient Information: Include information about the use of surveillance cameras in patient welcome packets. Clearly explain the purpose of the cameras and how the footage is used and protected. You may also want to consider signage stating that security cameras are in use in public areas of the facility.
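The receptionist example and the access limits in the best practices above, as an added sketch that is not part of the original page or any vendor's product: a default-deny check that maps individual logins to roles and roles to camera zones, requires a viewing station in a restricted area, and logs every decision. All user, role, zone and camera names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-zone map; role and zone names are assumptions.
ROLE_ZONES = {
    "receptionist": {"lobby"},
    "security_officer": {"lobby", "hallway", "pharmacy"},
}
# Constructed camera inventory: camera id -> zone.
CAMERA_ZONE = {"cam-01": "lobby", "cam-07": "hallway", "cam-12": "pharmacy"}
# Constructed user directory: individual login -> role (no shared accounts).
USER_ROLE = {"jdoe": "receptionist", "asmith": "security_officer"}


@dataclass
class FootageAccess:
    audit_log: list = field(default_factory=list)

    def request(self, user, camera_id, station_restricted, now=None):
        """Return True if the user may view the camera; always log the decision."""
        role = USER_ROLE.get(user)          # unknown or shared logins have no role
        zone = CAMERA_ZONE.get(camera_id)   # unknown cameras have no zone
        if role is None:
            allowed, reason = False, "unknown_user"
        elif zone is None:
            allowed, reason = False, "unknown_camera"
        elif not station_restricted:
            allowed, reason = False, "station_not_in_restricted_area"
        elif zone not in ROLE_ZONES.get(role, set()):
            allowed, reason = False, "zone_not_permitted_for_role"
        else:
            allowed, reason = True, "ok"
        # Denials are logged as well as grants, so reviews can see attempts.
        self.audit_log.append({
            "time": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user, "role": role, "camera": camera_id,
            "zone": zone, "allowed": allowed, "reason": reason,
        })
        return allowed

    def denied_attempts(self, user):
        """Audit helper: denied requests for one login, for periodic review."""
        return [e for e in self.audit_log if e["user"] == user and not e["allowed"]]


if __name__ == "__main__":
    acl = FootageAccess()
    acl.request("jdoe", "cam-01", station_restricted=True)  # lobby camera
    acl.request("jdoe", "cam-07", station_restricted=True)  # interior camera
    for entry in acl.audit_log:
        print(entry)
```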