The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law to protect the confidentiality of personal health information. The HIPAA Privacy Rule requires all covered entities to provide safeguards for electronic protected health information. HIPAA compliance includes physical, technical, and administrative safeguards.

These requirements are in place to ensure that individuals' privacy is protected when their medical records are accessed or shared with others outside the patient's medical care team.

What does this mean for your business? It means you need to be aware of how video surveillance can impact patient privacy!

What is HIPAA Compliance and Why is it Important?

As we stated before, HIPAA is a federal law to protect a patient's confidentiality and health information. Typically, HIPAA compliance is a concern when it comes to sharing or securing patient medical records. This is because HIPAA contains specific regulations that mandate the protection of electronic protected health information (ePHI).

For hospitals and clinics that have video surveillance, patient confidentiality is also a concern. While video cameras are not typically thought to violate HIPAA compliance, misplaced cameras or misuse of data can result in HIPAA violations.

The intersection between video surveillance and HIPAA is twofold.

First, as we mentioned above, cameras can capture PHI such as images of patients and staff members. However, it can be difficult to determine whether a camera is capturing PHI or not. If the operator of the camera cannot tell whether they are recording PHI, it is reasonable to assume that PHI could be recorded at any given time.

Secondly, if the images captured by a camera are stored or transmitted, the data is considered ePHI and HIPAA regulations must be followed. This means that images containing ePHI cannot be stored on an unsecured network nor shared without specific consent of the patient. The Health Insurance Portability and Accountability Act (HIPAA) dictates that only authorized individuals are allowed access to PHI. This means that if an individual is not on staff or a family member of a patient, they cannot view any images containing ePHI without explicit written consent of the patient.

Furthermore, the video surveillance system must be compliant with HIPAA guidelines in order to store or transmit PHI. This means that it cannot be an unsecured network and must only allow access by authorized individuals.

How to Make Your Video Surveillance Compliant with HIPAA

There are a few things to consider when trying to make video surveillance HIPAA compliant.

1. Identify the Information You Need & Who Can Access It

The first thing you need to do is identify the types of information that you have in your record and who can access it. When determining this, remember that anyone from outside your organization needs written authorization before they have rights to review any patient data or images.

If you are not sure who can access the information, ask yourself the following questions:

  • Where is this information stored?
  • Who has physical access to it?
  • How many people have electronic access to your data and images?

The answers will help you determine what type of security measures need to be taken. For example, if you have a secure facility and restrict access to those with a need-to-know, then you likely don't need to worry as much about security measures. However, if your information is stored in an insecure location or is accessible by many people, you will need to take more precautions.

2. Understand What Data You Are Collecting

The second thing to consider is what type of data and images you are collecting. If your video surveillance system captures identifiable information such as name, address, social security number, etc., then it is considered PHI (protected health information) under HIPAA.

If your system does not capture this type of information but captures images of people who could be identified by their facial features or other unique identifiers such as tattoos or scars, then that footage is also considered PHI under HIPAA.

For example, MOBOTIX cameras protect identities by automatically pixelating faces and recording without audio, if you program the cameras with the required apps.

3. Determine if the Data Could Cause Harm

The next thing you need to do is determine if any of this data and images could cause harm should they be disclosed (i.e., obtained by a hacker or shared with someone outside the organization). If so, it needs to be secured and properly disposed of.

Similarly, videos that show patients in compromising or embarrassing situations could also cause them harm if they were made public.

To protect patient privacy, it is important to have a system in place that properly manages and secures data and images. This includes having the proper policies and procedures in place, as well as training employees on how to properly handle information. Processes like MOBOTIX's Cactus Concept allow you to keep data secure from cyber threats.

4. Ensure Your Devices are NDAA Compliant

NDAA is the National Defense Authorization Act. NDAA compliance means your devices, including video surveillance equipment and media storage systems, follow strict security standards set by the U.S. government.

Devices that are compliant with NDAA have certain levels of encryption to protect them from hacking attempts or unauthorized access while they are being shipped, stored, etc., which is very important when you consider how valuable data can be.

NDAA-compliant devices ensure an extra layer of mechanical and cyber security, which is especially important when dealing with HIPAA compliance.

5. Using a Cloud-Based Video Surveillance Platform to Store Your Data

One way to make your video surveillance HIPAA compliant is by storing the data electronically in a cloud-based system. This means that instead of having all your information stored on physical servers, which are vulnerable to leaks and breaches, you store it online using an encrypted platform.

Since this type of data storage is also used by banks and other financial institutions, it is considered the most secure way to store video data.

Why You Should Be Using a Cloud-Based Video Surveillance Platform for All Your Needs

One way to protect your data is by using a secure platform to manage your assets. There are several benefits to using cloud-based video surveillance, but the main one is that it will make your system HIPAA compliant.

Cloud platforms encrypt all data and images at rest as well as in transit between computers, tablets, or mobile devices, so you can be confident that patient information remains secure, even if a hacker gets into your network.

Additionally, cloud-based platforms provide a secure viewing portal that is password protected and allows for authorized users to access information from any device, anywhere.

If you are looking for a video surveillance platform that is HIPAA and NDAA compliant, highly cyber secure and easy to use, consider MOBOTIX Cloud. Our cloud-based platform will make managing your data and images easy and secure.

HIPAA Compliance and Video Surveillance

HIPAA compliance can be a challenge for any organization that uses video surveillance to monitor patients and employees within their facility. However, with proper planning and commitment to HIPAA rules, you can create a surveillance system that is secure and protects patient privacy.

How to Get Started with Installing This Type of System in Your Facility Today!

If you're looking for a video system for your hospital, health clinic, or elderly care facility, reach out to us today.

We offer secure system integrations and several high-end products for 100% coverage of the key areas in your facility.


