There are many laws both local and national governing where you can and cannot place video security cameras. Virtually nothing is said about video security when it comes to patient privacy and with the ubiquity of video security cameras in hospitals, nursing homes, and even doctor’s offices is there cause to be worried?
The answer is both yes and no.
Health Insurance Portability and Accountability Act (HIPAA) does not specifically mention video security in its protections for patient records, however, most hospitals choose to treat video records of patient visits as a patient record.
Information gathering depends on location of cameras and capabilities of the system. So, let’s take a look at what patient information can be gleaned from video security footage.
Who: Obviously, it provides picture of the patient, however, it does not give a full name or other identifying information.
What: Unless the reason for the visit is visible, it provides little else.
When: Video is time-stamped so date and time can be determined.
Where: Video is at a specific location but, unless there are identifying items in the video, someone unfamiliar with the location may only know it is a medical facility of some kind.
The information you can glean from a properly installed system is limited, nevertheless, it should be treated with care. Let’s go through some examples of how this has been done at some facilities.
Most hospitals will air-gap video security systems or use a virtual network (VLAN) to protect DVR systems from outside attack. This virtually eliminates internet-based attacks.
Modern video security systems will overwrite and destroy recorded information automatically after so many days on the system. After so many days stored video will not be a concern.
Archive video – that is, video taken of a specific incident and stored – might be depend on where the archive is. Most places will store it on removable media. Usually the incidents worthy of archiving are of major events. When this is done at a medical facility, it should be as secure as patient records. It should never be stored on any device that will leave the facility.
If you are thinking of installing a video security system at a facility governed by HIPAA, here is what you should do.
- No cameras looking at computer monitors. This can be the source of a dangerous information leak.
- Cameras in common areas only. Cameras are not allowed in patient rooms already, however, keep them out of anywhere that a patient is escorted. This will help ensure patient privacy.
- Air-gap the machines when possible. This is the best defense against hacking attacks.
- If remote access is required, use a secure connection like a VPN. Gigastrand can help with that.
Gigastrand has experience dealing with camera installations at HIPAA compliant facilities. Contact us for a free consultation.