Are closed-circuit cameras mandated by the HIPAA Security Rule? True or false?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule lays out national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Quick Answer

False. The use of closed-circuit cameras is not mandated by the HIPAA Security Rule. The Security Rule does not specifically require or prohibit the use of video surveillance or closed-circuit cameras. However, entities covered by HIPAA must implement reasonable safeguards to protect the privacy and security of protected health information, which may include the use of video surveillance in some cases.

Is the Use of Video Surveillance Addressed in the HIPAA Security Rule?

No, the HIPAA Security Rule does not specifically address or require the use of video surveillance or closed-circuit television cameras. The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity or business associate.

It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information. However, it does not prescribe or prohibit specific technologies or systems for meeting these safeguard requirements.

Key Points

  • The HIPAA Security Rule does not mandate or prohibit the use of video surveillance or CCTV cameras.
  • It sets standards for securing electronic protected health information, but does not dictate specific methods.
  • Covered entities must implement reasonable safeguards but have flexibility in how this is achieved.

What Safeguards Does the HIPAA Security Rule Require?

The HIPAA Security Rule requires covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the privacy, integrity and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit.

Required safeguards include:

  • Administrative safeguards like security management processes, workforce training, and policies and procedures to manage selection and execution of security measures.
  • Physical safeguards like facility access controls, workstation and device security, and media controls.
  • Technical safeguards like access controls, audit controls, integrity controls, and transmission security.

The flexibility in the rule allows covered entities and business associates to tailor their information security programs based on their size, complexity and capabilities. There are always reasonable and appropriate safeguards that can be applied in any organization.

Key Takeaway

The HIPAA Security Rule requires a comprehensive information security program with administrative, physical, and technical safeguards. It does not mandate specific technologies like video surveillance, but they may be implemented as appropriate based on an organization’s risk analysis.

When Can Video Surveillance be Used Under HIPAA?

Although not expressly required or prohibited, video surveillance may be implemented as part of a covered entity or business associate’s security program if reasonable and appropriate. Some examples of when CCTV may be allowable under HIPAA include:

  • Monitoring facility access points or restricted areas to prevent unauthorized physical access.
  • Alerting security personnel to any potential security incidents or threats inside the facility.
  • Deterrence and investigation of potential security breaches.
  • Monitoring of work areas to deter insider wrongdoing.

However, the following precautions should be taken:

  • Conduct a risk analysis to determine whether CCTV is reasonable and appropriate for protecting ePHI based on the environment.
  • Install and operate CCTV in a manner that minimizes invasion of privacy of patients and workforce members.
  • Post notice that surveillance is in use where cameras are located.
  • Limit surveillance to public areas and access points rather than patient care areas.
  • Reduce the ability to identify individuals where identification is not necessary.
  • Adhere to video retention limits and access controls.

Key Considerations

Video surveillance may support a HIPAA security program but should be implemented judiciously based on necessity and with controls to minimize privacy risks.

Are There any Situations Where Video Surveillance Would Not be Allowed?

Yes, there are some circumstances where the use of video surveillance would likely not be permissible under HIPAA privacy and security rules.

Examples include:

  • Monitoring or recording areas where patients are receiving treatment or undergoing medical examinations, like clinic exam rooms or operating rooms.
  • Using cameras in areas where health professionals are having confidential conversations with patients.
  • Recording areas where health professionals are reviewing or discussing patient health information.
  • Unnecessarily capturing images in great detail or focusing on individual faces when reasonable safeguards could prevent this.
  • Retaining surveillance footage longer than reasonably needed.
  • Allowing too broad access to live or recorded surveillance footage.

In summary, HIPAA would prohibit surveillance that captures more than the minimum amount of PHI necessary for security purposes. Surveillance should never intrude on expected privacy in treatment settings.

Key Takeaway

Video surveillance should not be used in patient care areas or to excessively capture PHI when reasonable alternatives exist to support security.

What Requirements Apply to Surveillance Footage Under HIPAA?

If video surveillance is implemented, the recorded footage may meet the definition of protected health information, especially if it contains recognizable patient images. As PHI, it is subject to HIPAA requirements:

  • Notice – Post signage alerting people that surveillance is in use.
  • Minimum Necessary – Only collect footage necessary for security purposes.
  • Retention – May only keep footage as long as needed, but at least 6 years under HIPAA.
  • Access Controls – Implement safeguards for accessing footage such as passwords, logs, etc.
  • Integrity – Protect footage against alteration or deletion.
  • Transmission Security – Encrypt surveillance footage if transmitting.

Having clear policies and procedures for the use and handling of recorded surveillance footage is important for HIPAA compliance.

Key Takeaway

Surveillance footage that contains PHI must be safeguarded in accordance with HIPAA security and privacy requirements.

Does HIPAA Permit Camera Surveillance in Hospitals?

HIPAA allows the use of video surveillance cameras in hospitals provided their implementation is reasonable and appropriate for protecting health information security. Typical uses in a hospital may include:

  • Monitoring key entry points and restricted areas like pharmacies, server rooms, medical records, etc.
  • Enhancing physical security in vulnerable areas like emergency departments, psychiatric wards, nurseries.
  • Deterring threats and investigating security incidents.
  • Identifying individuals accessing facilities during non-business hours.

However, HIPAA would restrict surveillance in direct patient care areas like operating rooms, patient wards, private exam rooms, etc. Notice of surveillance should be posted and footage securely stored and accessed.

Key Points on Hospital Surveillance

  • Surveillance reasonable for security purposes is allowable.
  • Cameras should not intrude on patient care and private areas.
  • HIPAA requirements like notice, access controls, etc. must be met.
  • State hospital regulations may impose additional restrictions.

What Entities are Subject to HIPAA Requirements for Surveillance Cameras?

Any healthcare entity that qualifies as a HIPAA covered entity or business associate must comply with applicable HIPAA regulations for the use of surveillance cameras, including:

  • Healthcare providers like doctors, clinics, psychologists, pharmacies, nursing homes, etc.
  • Health plans like health insurance companies, HMOs, company health plans.
  • Healthcare clearinghouses that process nonstandard health information.
  • Business associates that perform services for covered entities involving PHI.

Public health agencies, law enforcement, life insurers and other entities that do not engage with PHI are generally not subject to HIPAA requirements for surveillance cameras.

Key Points

  • Covered entities and business associates must comply with HIPAA for surveillance cameras.
  • Other types of organizations generally do not have to meet HIPAA standards.
  • Always check the organization's status to determine whether it is covered by HIPAA.

Can Patients Decline to be Recorded by Security Cameras Under the HIPAA Privacy Rule?

Under the HIPAA Privacy Rule, patients have certain rights with regard to their protected health information, including the right to request restrictions on uses and disclosures of their PHI. However, this right is limited.

Key considerations on patient requests to decline recording by security cameras include:

  • The right to request restrictions applies only to uses/disclosures of PHI for treatment, payment and healthcare operations (TPO) purposes.
  • Recording by security cameras is typically for facility security, not TPO.
  • Covered entities are not required to agree to restriction requests that impact their operations.
  • Patients cannot request complete restriction of PHI uses/disclosures required by law or regulation.

Therefore, in most cases, covered entities would not be obligated under HIPAA to allow patients to decline security camera recording within a healthcare facility.

Key Points

  • The right to restrict PHI use has limits and usually does not apply to facility security measures.
  • Covered entities are not required to agree to requests that are infeasible or disrupt operations.
  • Security camera recording for HIPAA compliance is likely required by law.

Can Employees Decline to be Recorded by Security Cameras Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects the individually identifiable health information of patients – not employees of covered entities. However, employees may have privacy protections under other federal or state laws that could come into play with security camera recording.

Key considerations on employee requests to decline recording by cameras:

  • Employees do not have rights under the HIPAA Privacy Rule, which protects patient PHI.
  • Labor laws may protect certain reasonable expectations of privacy for employees.
  • Employers may be required to discuss/negotiate surveillance measures with employee representatives.
  • Controversial surveillance locations may need to be justified based on necessity.
  • Employers may need to provide notice and disclosures about surveillance to employees.

Therefore, while HIPAA itself does not restrict employee surveillance, covered entities need to tread carefully based on other labor, employment and privacy laws.

Key Points

  • The HIPAA Privacy Rule does not cover employees – only patient PHI.
  • Labor, employment and privacy laws may impact employee surveillance.
  • Employers should proceed cautiously and seek legal guidance when needed.

Can Business Associates Institute Video Surveillance Under HIPAA?

Yes, business associates of covered entities can implement video surveillance systems under HIPAA, provided the following conditions are met:

  • Surveillance is reasonable and appropriate for safeguarding electronic PHI based on their risk analysis.
  • Implementation is scoped to the minimum extent needed for security purposes.
  • HIPAA requirements like notice posters, access controls, etc. are satisfied.
  • The business associate agreement with their covered entity customer permits video surveillance to support security.
  • Any surveillance footage containing PHI is used and disclosed only as permitted by the business associate contract.

Business associates should especially consider necessity, minimum necessary capture, and the scope of their contract when instituting video surveillance systems related to their HIPAA compliance obligations.

Key Considerations for Business Associates

  • Surveillance should be reasonable and appropriate based on risk analysis.
  • Scope capture of PHI to the minimum necessary for security.
  • Comply with all applicable HIPAA safeguards.
  • Ensure business associate agreement authorizes surveillance activities.

Do HIPAA Regulations Differ from State Laws on Security Cameras?

Yes, HIPAA establishes national standards for protecting health information that preempt any contrary provisions of state law. However, HIPAA does not override state laws that provide additional privacy protections or requirements. Key differences may include:

  • Consent – Some states require patient consent for recording within healthcare facilities.
  • Notice – States may specify requirements for surveillance notice posters.
  • Location – States may prohibit surveillance in types of rooms prohibited under HIPAA (e.g. operating rooms).
  • Retention – States may require shorter retention periods for footage than HIPAA’s 6 year standard.
  • Statutes – Specific state surveillance and privacy statutes may impose stricter regulations.

When state laws are more stringent than HIPAA, the state law prevails. The HIPAA standard is the minimum requirement that must be met.

Key Points

  • HIPAA preempts less stringent state laws, but not more stringent laws.
  • Always check state statutes for additional protections or restrictions on surveillance cameras.
  • Comply with whichever law sets the higher standards for PHI privacy and security.


In summary, the HIPAA Security Rule does not specifically require or prohibit the use of video surveillance or CCTV cameras by covered healthcare entities. Their use may be permissible and appropriate if implemented judiciously to enhance physical security and deter threats, without unnecessarily capturing PHI or intruding on patient privacy. Entities that use surveillance cameras must comply with applicable HIPAA safeguards and state privacy laws. In general, the minimum necessary standard should apply to any surveillance practices to balance privacy and security.