If you’re reading this article, then you are probably involved in the healthcare industry and tasked with implementing or managing video security. There are many things to consider when working with video security, and this article will provide what you need to know when deploying HIPAA compliant security cameras within your organization.
What is HIPAA Compliance?
Let’s start with a little bit of background first. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It was created to modernize the flow of healthcare information and specifies requirements to protect the personal health information (PHI or also referred to as PII or Personally Identifiable Information) of patients. These rules apply to anyone handling sensitive patient data and within HIPAA are often referred to as “covered entities”.
In 2013, the rules were expanded to include ‘business associates’ which includes anyone that might handle PHI on a covered entities’ behalf like a software vendor.
The act is meant to protect this information in any form or medium. Many people often assume this information means data – like social security numbers, names, and driver’s licenses – but it is much broader and includes any identifiable information like fingerprints, photographs (face or anything that can be identified to a person), or even voiceprints.
Anywhere a facility or organization stores PHI (whether physical or digital), must ensure that it is secure and private such that only authorized personnel can access that information. For computers, this often means requiring a password and encrypting their file contents. From a physical standpoint, it can entail putting privacy screens on monitors, access control on doors to sensitive files, and security cameras around a facility to document access to areas with PHI.
The basic idea is that PHI cannot accidentally be viewed, leaked, or seen by unauthorized personnel.
How Does HIPAA Compliance Pertain to Video Security?
Reading the above about PHI, you might assume you don’t want or need security cameras because they might capture patients on video. While there are some areas where you shouldn’t have cameras, which we’ll address below, in general, security cameras are a good way to help comply with HIPAA.
Under both the HIPAA Privacy Rule and Security Rule, an organization must put safeguards in place to protect PHI with the latter specifically pertaining to electronic PHI.
Under the Security Rule, there are three main safeguards outlined that organizations need to implement: administrative safeguards, physical safeguards, and technical safeguards.
Administrative safeguards pertain to the policies and procedures within an organization to help protect PHI.
Technical safeguards can refer to anything like encryption, using modern firewalls, or using a single sign-on provider like Okta across the organization.
For physical safeguards, this can include using access control (badge systems) and security cameras where appropriate. The idea is to restrict physical access to sensitive information and create a documented trail of who accesses the data and when.
So, to comply with HIPAA, you’ll need to have a game plan in each of these areas and video security is a key component in ensuring physical safeguards.
Following the Basic Rules of Video Security First
Even though video security is a key component of your HIPAA compliance plan, there are basic guidelines you need to follow when setting up cameras.
First of all, while healthcare facilities can legally install cameras in ‘public’ areas, there are certain areas that are always off-limits. These are areas where people expect a reasonable amount of privacy, which includes changing rooms, bathrooms, exam rooms, etc.
There are other best practices you should follow; like ensuring any publicly viewed camera monitors do not expose any PHI. For example, you shouldn’t have monitors available that unauthorized personnel can see that might show an operating room or a computer screen that displays PHI. For all video, we strongly encourage that the viewing of footage is only done in restricted areas where the public has no possibility in viewing this information.
Do You Need Security Cameras to Record Who Is Accessing PHI / PII?
There are no specific rules when it comes to HIPAA compliance (just requirements for complying), the exact implementation is up to the covered entities and their business associates.
So, with the case of video security, there are no specific rules pertaining to recordings on who is accessing PHI, but it is in an organization’s best interest to deploy security cameras to ensure they can document and audit who has access to specific resources that contain PHI information.
The more ways to audit the access of this information the better it is for an organization, so in the event of a breach, they can definitively show who had access and when.
What Safeguards Need to Be Taken With Security Cameras to Follow HIPAA Compliance Requirements?If you decide you want to use security cameras in your organization, a few safeguards are required to stay within the HIPAA compliance guidelines.
Only Use Cameras in ‘Public’ Areas
First of all, and as mentioned above, ensure you are using cameras in ‘public’ areas and not in areas where people expect reasonable privacy like bathrooms or changing rooms.
Audit Camera Placement
Identify any cameras that have access to PHI, which can include being able to view screens with PHI, operating rooms where you might be able to identify a patient, or anywhere else there is a potential to see personal information.
If you need a camera in one of these areas, you can leverage a video security system that has configurable privacy masks (ability to black out a piece of video like a computer monitor) and has access control.
Limit Access to Video System
Have strict access control into the system so that you know exactly who logs in and when. Don’t Put Viewing Stations or Monitors in Public Areas . Avoid having any viewing stations or monitors that show camera footage in public areas. Make sure the cameras can only be viewed in restricted areas by authorized personnel.
Choose a Video Security System That Has Documented Security Practices
Choose a system that leverages strong security safeguards like end-to-end encryption of video footage, audit logs of all system access, and regular 3rd party security audits to check for potential system vulnerabilities.
In this blog we address the pro's and Con's of traditional on site (Hosted) video systems vs. Cloud based systems. While this is centered around Video systems most of it would apply to different cloud based systems such as access control or phone systems as well. While we here at Intuitiv Technology Solutions highly support cloud based technology we realize each client has certain needs and we continue to offer the best solution for your business.
Wow in today's advancements in technology not only do we have to understand the differences in our CCTV cameras but our DVR / NVR 's as well. While one would think that resolution is specific to the camera that is entirely not true. It has as much to do with the recording device or video management system as well. Follow the link below for an extensive study an this subject but warning it's a little lengthy so if your getting ready to head to the Golf course you might want to save this for later.
If you are a building owner, facilities manager, security director, or anyone else that has had to work with security cameras over the past decade you have seen a lot of changes. DVR, NVR, Hybrid,Tribrid, and other such terms can leave your head spinning. In an effort to make your life better or at least easier we will help explain some of this technology provided from one of our partners. Follow the link below for a summary.
How do you find cameras that perform in cold weather environments? There are a number of things you can do. 1 is research your cameras online most cameras only are listed to about -15 f. If you live in Alaska, the Northwest or Siberia that is not going to cut it. You may find some cameras that will go as low as -40 f but they are few and far between. The best bet you have is step number 2 which is putting your camera in an enclosure with a heater (click here for an example). This will help your camera stay at an ambient temperature year round. Be sure the heater itself is rated to operate in those cold weather conditions also and make sure you use an external power supply to power it. pulling from the cameras power will usually not have enough power. Check out the article below for more info. If you have any more questions leave your information and we will reach out to you with the answers.
What to look for when buying IP outdoor security cameras
The 25 best outdoor home security cameras
At the Time of this posting I could not find a list of commercial cameras listed for cold weather use. They are out there. You will have to utilize a little homework when shopping.
Graduate of "The Specs Howard School of Broadcast Arts", Lifelong student of technology, and former Contractor / Building manager My goal is to bring you fresh relevant content to help you grow in your role while embracing technology as a tool to build your business.