Risk Considerations for Using Surveillance Cameras in Healthcare Practices
Marcy A. Metzgar
Providers install surveillance cameras in their healthcare practices for a variety of reasons. They seek to protect and secure all their office and medical equipment, health records, and medications in their offices; their employees; and their patients. Some wish to prevent unauthorized individuals from gaining access to their offices, which may result in theft, violence, or patient record violations. Others want to prevent any physical or verbal abuse that may occur. And some appreciate being able to monitor their practices remotely.
Whatever the reason, healthcare providers should carefully consider why they are installing surveillance cameras to balance their security concerns with their obligation to safeguard their patients' protected health information (PHI) and comply with HIPAA privacy and security requirements.
No specific federal rule addresses surveillance cameras in medical or dental offices. However, it's imperative that providers are aware of their state laws and regulations that apply to recording. For example, some states allow audio recording if at least one party to the conversation consents. In other states, all parties must consent to the recording. State laws also might differ regarding telephone versus in-person recording requirements. [1]
Before installing surveillance systems, providers should devise a written policy that identifies their purpose for doing so, the locations of the security cameras, employee notification method, signage posting, system security, privacy considerations, and archiving. The policy should include how the data will be securely stored, how the footage showing an incident from the security cameras will be maintained, as well as specify who will manage the system, who will have access to the files, and under what circumstances.
Providers should determine the type of surveillance that is most appropriate and lawful in their state — live monitoring vs. recording — and include procedures in their written policy regarding the retention and release of recorded video. Depending on state law, providers may also need to be prepared to respond to legal and patient requests to view surveillance tapes or supply a copy of the recordings.
Since the laws and regulations differ from state to state, providers also may consider consulting their professional liability carrier, an attorney, or a compliance officer to discuss recording as well as HIPAA implications.
Here are some steps to keep in mind when installing surveillance cameras:
- Perform a risk analysis before camera installation to determine the risks to patient privacy from their use. If vulnerabilities are pinpointed in the assessment, devise policies and procedures, safeguards, and other remediation plans to address them, and ensure all staff members are informed and educated about them.
- Specify policies and procedures for the surveillance cameras and their products regarding their access, use, management, control, and disposal. Inform and educate staff members about these policies and procedures, and ensure they have sufficient HIPAA training to be involved in the installation, monitoring, use, and storage of the equipment and recordings.
- Install security cameras in visible (not concealed) common areas, such as the waiting room. You may also choose to put video surveillance in areas where important equipment is placed or where prescription medications are stored. Cameras should not be placed in exam rooms, bathrooms, employee lunch or break rooms, or other areas where patients and employees have a reasonable expectation of privacy.
- Ensure that the system is secured both physically (e.g., locked in a cabinet) and digitally (e.g., password protected). Use a protected or encrypted account in the cloud or save footage on a CD kept under lock and key for as long as required for analysis.
- Position cameras so they avoid any view of patients' PHI, including information on charts or a computer screen.
- Inform all employees, in writing, that surveillance cameras are being used in the office. Your employees also should sign an acknowledgment form about the cameras, which should be filed in their human resources file.
- Post signage indicating that security cameras are in use. Ensure signage is in languages appropriate for your patient population.
- Consider having your patients sign consent forms that indicate video security is in place. Include on this form how long you intend to store video data that could include recordings of patients.
- Ensure that the system uses end-to-end encryption and other strong security safeguards. Put audit controls in place to ensure no unauthorized user can access your video surveillance.
- Blur or degrade the images if possible.
- Conduct a regular audit on the system to check for potential issues. [2]
For information related to patients wishing to record audio or video in healthcare practices, see MedPro's Risk Q&A: Audio/Video Recording in Healthcare Practices. For video surveillance laws by state, see World Population Review: Video Surveillance Laws by State 2024.
Endnotes
[1] Justia. (2018). Recording phone calls and conversations. Retrieved from www.justia.com/50-state-surveys/recording-phone-calls-and-conversations/
[2] California Dental Association. (2019, October 31). Before recording, protect private patient information. Retrieved from www.cda.org/Home/News-and-Events/Newsroom/Article-Details/before-recording-protect-private-patient-information; HIPAA Guard. (2018, September 5). Risk of HIPAA violation on security surveillance cameras. Retrieved from https://hipaa-guard.com/risk-of-hipaa-violation-on-security-surveillance-cameras/; Compliancy Group. (n.d.). HIPAA and use of surveillance video. Retrieved from https://compliancy-group.com/hipaa-and-use-of-surveillance-video/; Trujillo, N. (2023, January 25). HIPAA compliant video surveillance for healthcare facilities. Security 101. Retrieved from www.security101.com/blog/hipaa-compliant-video-surveillance-for-healthcare-facilities