Risk of HIPAA Violation on Security Surveillance Cameras
September 15, 2018

Healthcare providers are experiencing significant challenges in protecting patient data. These challenges are more apparent and magnified in small rural or community hospitals, which are sometimes also troubled by a lack of staff and expertise. One of these challenges relates to the use of security surveillance cameras inside and outside the community hospital's facility. Besides being an inexpensive means of addressing the ever-increasing security concerns in a hospital, this video equipment offers several benefits: the video images can be used for research, education, and quality management purposes for every patient-physician interaction. Nevertheless, health care providers have the critical role of ensuring that this video equipment is used without compromising the privacy of their patients' protected health information.

The Health Insurance Portability and Accountability Act of 1996 protects the privacy and security of patient protected health information (PHI) transmitted and maintained in any form or medium. Under the HIPAA Privacy Rule, patient authorization for use and disclosure of PHI is required except during a serious threat to the health and safety of the patient. PHI encompasses not only a patient's Social Security number or individual names but also biometric identifiers, including finger and voice prints, full-face photographic images and any comparable images, and more (read complete list here). Moreover, business associates (BAs) that might have access to such PHI must also take the necessary precautions under the HITECH extensions of HIPAA.

How do these video cameras pose a risk of HIPAA violation and breach of patient privacy?

  1. Installing the video cameras in the wrong places

In one case, a community hospital equipped its operating rooms with video cameras to check staff location and activities, check the status of ongoing procedures, and assist with the development of educational materials. These cameras were monitored at the nurses' station located just inside the operating room. The monitors were visible to anyone who entered the OR, and any passerby could peek and see confidential procedures or activities inside the OR. This constitutes a breach of privacy should any passerby see the ongoing procedure and identify the patient inside.

  2. Not performing any risk assessment of the security measures covering the installation, use, and management of these surveillance video cameras and the use, storage, and management of the video, images, or audio they record
  3. Inability to set up and implement controls, policies, and procedures to remove or at least mitigate the identified and potential risks to patient privacy from using this equipment
  4. Failure to review information security and privacy policies on a regular basis, especially if there are major organizational changes
  5. Failure to provide adequate and appropriate training to the facility's workforce, especially those who have access to the PHI involved in or that might be taken from these video cameras
  6. Failure to provide adequate and appropriate HIPAA training and awareness to staff involved in the installation, monitoring, use, and storage of not only the video equipment but also its recordings

Such risks to patient privacy and breaches of protected health information security can be prevented or managed if the following best practices are put in place:

  1. Perform a risk analysis for video and audio recording to identify the potential patient privacy risks of installing, using, managing, and disposing of security surveillance cameras and their products
  2. Ensure policies and procedures are in place for these video cameras and their products (video, images, audio, etc.) with regard to access, use, management, control, and disposal
  3. Degrade the images (blur facial images and other patient identifiers) and avoid the use of sound where there is a possibility of public viewing; display and monitor these videos, audio, and images only in restricted areas of the facility
  4. Remove patient identifiers from charts or other documents associated with the products of the surveillance video cameras, and limit access to these records
  5. Store the products of these video cameras in a protected or encrypted account in the cloud, or on a CD kept under lock and key, for as long as required for analysis or the other uses mentioned earlier, then destroy them by degaussing or other HIPAA-compliant methods of disposing of materials with PHI
  6. Provide appropriate and adequate training related to the access, use, monitoring, management, and disposal of these surveillance cameras and their products
  7. Provide appropriate and adequate HIPAA training and awareness to staff involved in the installation, monitoring, use, and storage of not only the video equipment but also its recordings, with the goal of ensuring patient privacy is protected and secured

Always remember that the security and privacy of protected health information (PHI) are not and will never be optional. Security breaches can also harm patients and may lead to hefty HIPAA violation penalties. Community hospitals must figure out how to scale up their security efforts and initiatives without spending a lot more money on healthcare IT.
