Ask MGMA: Are Security Cameras HIPAA-Compliant in Medical Practices?
Download MP3Well, hi, everyone, and welcome to the ask MGMA podcast. I'm senior editor at MGMA, Daniel Williams, along with senior adviser, Christie Good, also with MGMA. And we are here to discuss a really interesting topic. As Christie was telling me offline, it's something we haven't really done a lot with wise, but it came in through the ask MGMA, it's dealing with security cameras in medical practices. When are they allowed?
Daniel Williams:When do they cross into HIPAA territory? And how can practices protect themselves while still protecting patient privacy? What an interesting this is like one of those CSI or some topic like that. But, Christy, welcome, and thanks for bringing this topic to us.
Cristy Good:Thanks for having me in. I thought it was a very interesting topic to discuss because we haven't really looked at it. And so I did some digging, and I just wanted to share the information.
Daniel Williams:Alright. This is gonna be short and sweet, and we're gonna develop an article as well, everybody, where you can just have some calls to action, some tips, some tools. So let's start with the basics. Where can security cameras be legally and ethically placed in a health care setting under HIPAA?
Cristy Good:So that's a great question. And we know that as more and more people have put cameras or have video in their workplaces, it's important to know where cameras can be placed is in public, nonprivate areas, such as lobbies, hallways, entrances, exits, and parking lots. The key is that there's no reasonable expectation of privacy in those areas, but cameras should not be installed in places like exam rooms, treatment areas, restrooms, or anywhere that PHI, which is Protective Health Information, might be visible or discussed because then that could likely be a HIPAA violation.
Daniel Williams:Okay. For question two, let's look into the audio part. So if a camera records both video and sound, does that change things at all?
Cristy Good:And that is actually the key when the member reached out to me is that it was recording some audio. And it definitely adds the complexity because audio can capture conversations between staff and patients, which could include that PHI, and that would elevate your compliance risk. Some states even say that audio recordings without all parties consent is illegal, so even if your video is okay under HIPAA, recording sound may violate state law or require informed consent from patients and staff. So it's definitely something you need to pay attention to.
Daniel Williams:This is an episode of CSI I wanna watch. This is really cool. I love this true crime kind of stuff, and that's where it's going. Next question. So when we look at this, when does a recording become PHI under HIPAA?
Cristy Good:So a recording is considered PHI if it captures individually identifiable health information. That could be names, faces, or even overheard conversations about treatment. So even a check-in conversation with a front desk person could be considered PHI if it includes identifiable details such as that. Once that happens, HIPAA's full privacy and security requirements apply to the footage.
Daniel Williams:Okay. So when we look at this, if a practice is recording video or audio that might include PHI, what steps does the practice need to take to be compliant?
Cristy Good:You'll need to encrypt the footage, and then you have to also restrict access to authorized personnel only and implement role based controls. You have to make sure the footage is stored on the secure server, access is logged, and there's a defined retention policy such as like thirty to ninety days, which is typical. And importantly, monitors shouldn't be viewable in public areas. So all ties into HIPAA. It all ties into the HIPAA security role at that point.
Daniel Williams:Okay. Now let's look at it from the third party vendor perspective. If that gets involved, if there is a third party vendor who is storing or monitoring the video, does that trigger anything from a compliance perspective?
Cristy Good:Yes. If that is what's going on, then you have to have a BAA or a business associate agreement in place. So if that vendor stores or accesses any recording that might require the PHI, they're considered a business associate. And then under HIPAA, they have to sign a BAA outlining how they'll safeguard that data.
Daniel Williams:Okay. What about signage then? Do you need to notify patients that cameras are being used?
Cristy Good:Yes. It is always best practice to always notify patients and staff through visible signage. Even if it's not strictly required by HIPAA in every case, it's about transparency and trust. I know this member had a sign that said that recordings were happening in the check-in area or the waiting area. And it's also important though, to have a written policy on camera use and make sure your staff are trained on it annually because you want to make sure that everyone knows what's appropriate and what's not appropriate and where cameras should be or they shouldn't be.
Daniel Williams:Okay. We have a couple more questions before we sign off. Earlier, you touched on state laws. So how might those differ from federal HIPAA rules?
Cristy Good:When I was doing my research, I did find out there are some states like California that have stricter rules about recording audio. It's called the two party consent. So even if HIPAA doesn't require it, your state might. Also, some behavioral health units have additional protection under federal law, like 42 CFR Part two, that says that you need to be careful when doing such recording. And that's why it's really important to consult a legal counsel before installing your cameras.
Cristy Good:And I did bring that up, even though the member was asking me, I kept telling him that even though I have all this information for you and here's your HIPAA stuff, you really still need to make sure that your legal counsel in your area or for your practice or your organization is on the same page with you before doing anything with cameras.
Daniel Williams:Okay. So last question that I have. If a practice leader is just getting started with this or they're reviewing an existing system, what are their key first steps they want to take?
Cristy Good:Sure. First, you wanna conduct a privacy and security analysis, risk analysis. Review where your cameras are placed and what they're capturing. We also will have, like, a little checklist in our email that goes along with this article that just tells you about places to think about where your cameras are and what that risk looks like. Is it a low risk?
Cristy Good:Is it a high risk? Then also review your state laws, update your signage and written policies, and make sure your staff are well trained. And then if you are using someone other to record and store your audio and video, you just need to make sure that you lower your risk wherever you can in these instances.
Daniel Williams:Okay. Those are a lot of great insights, Christie. So I did say that was the last question, but I do want to follow-up and just ask you for any recommendations on resources for practice leaders.
Cristy Good:Yes. So we know, and we'll link to some of these, that the HHS has the HIPAA privacy rule that we'll link to, that'll be helpful. The AMA code of medical ethics is another link we can link to. And we do have a HIPAA journal that has some of the like our security cameras, a HIPAA violation link that might help give you some more guidance on it. But anything around HIPAA, you can always go to the HHS website on HIPAA to get more guidance around it as well.
Daniel Williams:Okay. Perfect. Christie, thank you so much for sharing this really cool topic. We really did do a CSI sort of deep dive here. Really neat stuff.
Daniel Williams:Everybody, we're gonna provide direct links again, resources, how to get in touch with Christy, and also how to ask her a question. If you wanna just share that with us real quick, what is the best way to reach you to ask a question and if they're on the website?
Cristy Good:Sure. You could either send an email to adviser@mgma.com or on our website, we did have some changes. So where the little green button used to be where it said ask MGMA and now says I think ask AI, you would have to go into practice resources and then you could go and send us a question through that. So there's a link under those practice resources that would lead you to ask MGMA.
Daniel Williams:Okay. Perfect. And again, everyone, we'll put all that in the episode show notes. We'll also create an article for you. So until then, thank you all for being MGMA podcast listeners.
