HIPAA and Use of Surveillance Video
Many organizations use surveillance video to maintain the security of their business. However, if you are a healthcare organization, you must consider the HIPAA implications of doing so. This article discusses HIPAA and the use of surveillance video to provide guidance.
HIPAA Compliant Surveillance Video: Security Implications
Before determining whether or not your organization should use surveillance video, you must consider the security implications of doing so. Since HIPAA requires the confidentiality of protected health information (PHI), installing video cameras can cause a HIPAA violation if they are not placed in the correct location and used in the proper manner.
HIPAA-compliant use of surveillance video requires the following:
Risk Analysis. Before installing surveillance video cameras, it is important to conduct a risk analysis to determine the risks their use poses to patient privacy. Any vulnerabilities identified through the risk analysis must be addressed with remediation plans, safeguards, policies and procedures, and employee training.
Encryption. To ensure that video surveillance is protected from access by individuals with malicious intent, such as a hacker, video footage should be encrypted. Encryption secures data by preventing access by individuals who don’t possess a decryption key.
Access Controls. To prevent unauthorized users from viewing video surveillance, it is essential to password protect your surveillance software. Each employee who requires access should be granted unique login credentials to access video surveillance.
Audit Controls. To ensure that unauthorized users are not accessing your video surveillance, and that authorized users are not abusing their privileges, audit controls must be established. Audit controls are enabled through the use of unique login credentials, allowing administrators to track employee access to data. By keeping an audit log, administrators can establish regular data access patterns for each employee, allowing them to easily identify when data is being accessed outside the norm. When data access is outside the norm, this usually means that either the employee is abusing their privileges and therefore violating HIPAA, or an unauthorized user, such as a hacker, has gained access to the employee’s login credentials.
Location of Surveillance Monitors. To prevent accidental breaches of PHI, surveillance monitors should be housed in a restricted area so that only employees who require access to the videos, such as security guards or management staff, have access. Video surveillance should always be viewed in a private, secure location, and audio from videos should not be audible to passersby.
Automatic Logoff. After a period of inactivity, it is important for computer monitors to automatically log off. This way, should an unauthorized user have access to an unattended device, they will not be able to access any sensitive information.
Image Quality. To protect the anonymity of patients, when possible, video images should be degraded. This protects the identity of patients by blurring their faces and preventing them from being identified.
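The baseline comparison described under Audit Controls, as an added example that is not from the original article: it builds each login's normal hours, actions and cameras from past audit log entries and flags later entries that fall outside that pattern. The log format, login names and camera names are constructed assumptions, not a real product's output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines; the format and login names are assumptions.
BASELINE_LOG = """\
2024-03-04T09:12:00 user=guard01 action=view camera=lobby
2024-03-05T16:30:00 user=guard01 action=export camera=parking
2024-03-04T08:15:00 user=mgr02 action=view camera=lobby
2024-03-05T10:45:00 user=mgr02 action=view camera=lobby
"""
REVIEW_LOG = """\
2024-03-06T11:00:00 user=guard01 action=view camera=lobby
2024-03-06T02:47:00 user=mgr02 action=view camera=lobby
2024-03-06T09:10:00 user=mgr02 action=export camera=pharmacy
2024-03-06T13:00:00 user=temp03 action=view camera=lobby
"""
LINE = re.compile(r"(\S+) user=(\S+) action=(\S+) camera=(\S+)$")

def parse(log):
    """Yield (timestamp, user, action, camera); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def build_baseline(log):
    """Per login: the hours of day, actions and cameras seen in normal use."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, user, action, camera in parse(log):
        for key, value in (("hours", ts.hour), ("actions", action), ("cameras", camera)):
            seen[user][key].add(value)
    return seen

def review(log, baseline, slack=1):
    """Return (user, timestamp, reasons) for each access outside the norm."""
    findings = []
    for ts, user, action, camera in parse(log):
        p = baseline.get(user)
        if p is None:  # a login with no history is always sent for review
            findings.append((user, ts.isoformat(), ["no baseline"]))
            continue
        lo, hi = min(p["hours"]) - slack, max(p["hours"]) + slack
        reasons = [r for r, bad in (
            ("unusual hour", not lo <= ts.hour <= hi),
            ("new action: " + action, action not in p["actions"]),
            ("new camera: " + camera, camera not in p["cameras"])) if bad]
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings
```

The hour window here is a simple minimum-to-maximum range, so a login whose normal shift spans midnight would need a wrap-around check instead.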
HIPAA and Use of Surveillance Video: Administrative Considerations
To ensure the proper use of surveillance video, there are certain administrative considerations.
Policies and Procedures. To ensure HIPAA compliant surveillance video usage, it is important to develop policies and procedures surrounding its use, access, control, management, and disposal.
Employee Training. The best way for you to ensure the proper use and disclosure of video surveillance is through employee training. Employee training should include your organization’s policies and procedures for the proper use and disclosure of video surveillance, and the procedures for employees to report suspected violations.