Does HIPAA apply when video recording patients?

Video recording has become increasingly prevalent in various healthcare settings, from surveillance cameras in clinics to recordings of patient-provider consultations. However, the use of video recordings in the medical field raises important questions about patient privacy and the applicability of HIPAA regulations. 

Understanding HIPAA's stance on video recordings

The HIPAA regulations are clear in their mandate to protect a patient's protected health information (PHI), which includes any data that can be used to identify an individual's medical condition or treatment. When it comes to video recordings, HIPAA's guidelines are multifaceted, addressing both indoor and outdoor surveillance, as well as footage that may contain sensitive PHI.

Indoor surveillance

HIPAA allows healthcare facilities to install surveillance cameras in public areas, such as entrances, exits, waiting rooms, and hallways, to monitor foot traffic and detect potential threats. However, the placement of cameras is strictly prohibited in areas where patients have a reasonable expectation of privacy, such as bathrooms and changing rooms.

Outdoor surveillance

For outdoor areas like parking lots and garages, HIPAA permits the use of visible surveillance cameras to monitor staff, patients, and vehicles entering and leaving the facility. This helps healthcare organizations maintain security and detect any criminal activity.

Footage with access to PHI

In areas where PHI is accessible, such as laboratories or operating rooms with computer screens displaying sensitive information, HIPAA requires additional security measures. This may include restricting access to the footage or implementing privacy masks to obscure the sensitive data.

Read also: HIPAA compliance for photos, audio, and video recordings 

When does HIPAA apply to video recording?

HIPAA's regulations on video recording apply when the footage is used for purposes other than a patient's diagnosis, treatment, or identification. In such cases, healthcare providers must obtain consent from the patient or an authorized family member before using the recordings, ensuring that the patient is aware of how the videos or images will be utilized.

If the recordings are primarily for educational purposes, HIPAA requires the removal of any patient identifiers. Additionally, the Institutional Review Board (IRB) must approve the use of video surveillance for research purposes. However, consent may not be necessary in cases where the footage is needed to protect patient security, such as in instances of neglect or abuse.

Read more: Patient consent: What you need to know 

Ethical and legal implications 

Recording interactions between patients and healthcare staff can pose risks, including the loss of control over the use of the footage and potential breaches of patient confidentiality.

Privacy concerns

Patients may feel their sensitive information is compromised due to data breaches or unauthorized access to the recordings. Hackers could potentially use the information from the videos for fraudulent activities, and private conversations may be captured without the patient's knowledge, leading to a breach of confidentiality.

Loss of control over the recording

Despite HIPAA's efforts to protect patient privacy, healthcare facilities maintain control over the recorded footage. This raises concerns about the potential for the recordings to be edited, tampered with, or shared on social media platforms without the patient's consent, which could be a form of coercion or intimidation.

HIPAA compliant best practices

Healthcare organizations must implement security measures and adhere to best practices when handling video recordings of patients to ensure compliance with HIPAA regulations.

Conduct a risk analysis

Before installing video surveillance cameras, healthcare providers should perform a risk assessment to identify any vulnerabilities associated with patient privacy. This will help them develop remediation plans and revise their security policies and procedures accordingly.

Secure video storage and access

Surveillance monitors should be placed in restricted areas accessible only by authorized personnel. Measures such as automatic log-off when the monitors are not in use and the blurring of patient faces can further protect patient identity.

Encrypt video footage

Employing encryption algorithms to secure video recordings can help safeguard private information against malicious actors. This additional layer of protection ensures that only authorized individuals with the decryption key can access the video content.

Implement strong access controls

Healthcare organizations should enable multi-factor authentication and password protection to secure their video surveillance software. Access should be limited to security personnel and management staff, with unique login credentials for each authorized individual.

Establish audit controls

Administrators should maintain detailed audit logs of all employees accessing the video recordings. This allows for the tracking of suspicious activities and the implementation of timely response measures to mitigate risks and potential damages.

Train staff on HIPAA compliance

Training for healthcare staff on the importance of HIPAA compliance and the proper handling of video recordings is necessary. This training should cover privacy practices, the legal and ethical implications of HIPAA violations, and the organization's policies and procedures for video recording.

Penalties for non-compliance

Failure to adhere to HIPAA's regulations regarding video recording can result in severe penalties. Accidental disclosure of PHI on video recordings can lead to fines ranging from $127 per violation to $63,973, depending on the severity of the infraction.

In cases of data breaches resulting in the leakage of videos and images, violators may face up to five years in jail and up to $63,973 in monetary fines. If there is clear willful neglect, such as ignoring the proper placement of cameras within the hospital, covered entities may suffer up to 10 years in jail with a fine of $63,973.

In the news

A notable example of a HIPAA violation involving video recording occurred at Sharp Grossmont Hospital in California. Between 2012 and 2013, the hospital secretly recorded 1,800 patients without their consent using motion-activated cameras in operating rooms. These recordings captured patients during sensitive procedures, including childbirth and surgery. The hospital claimed the intent was to catch drug thefts by staff, but the recordings inadvertently included extensive footage of patients' private moments.

This incident led to a class-action lawsuit against the hospital, which settled in 2019 for $1 million. The case shed light on a serious breach of patient privacy and indicated the necessity of obtaining explicit consent before recording in medical settings, adhering strictly to HIPAA regulations to protect patient information. 

FAQs

Does HIPAA apply to video recordings of patients?

Yes, HIPAA applies to video recordings if they capture protected health information (PHI) that could be used to identify a patient and relate to their medical condition, treatment, or care.

Are there any exceptions where video recordings can be made without patient consent?

Exceptions are limited and typically pertain to situations required by law, such as certain public health activities or law enforcement purposes. Even in these cases, the recordings must comply with HIPAA's minimum necessary standard.

How should video recordings be handled in telehealth under HIPAA?

In telehealth, video recordings should be made using secure, HIPAA compliant platforms that ensure the confidentiality and integrity of PHI. Patients should be informed and provided consent for any recordings made during telehealth sessions.

Can video recordings of patients be used for training or educational purposes?

Yes, but only if the patient has provided explicit consent and appropriate measures are taken to de-identify the patient’s information or additional protections are put in place to ensure compliance with HIPAA.

Are video recordings made by patients or family members subject to HIPAA?

Video recordings made by patients or their family members for personal use are not subject to HIPAA. However, if these recordings capture PHI in a healthcare setting, healthcare providers should ensure these recordings do not inadvertently violate the privacy of other patients.

Learn more: HIPAA Compliant Email: The Definitive Guide