Understanding

HIPAA Compliance for PHI and eHI in Access Control and Security Camera Systems

Video surveillance and access controls also are your best way of checking HIPAA compliance

HIPAA Compliance

We're here for you:

Below is some pretty technical content on exactly what HIPAA rules are and how to comply with them. We're happy to work it out with you, with one of our consultants. Don't worry, we're up to the challenge.

HIPAA protects eHI and PHI

Both Electronic Health Information (eHI) data and Protected Health Information (PHI) is protected by HIPAA

Electronic Health Information is a digital version of the type of information in a patient’s paper chart, such as patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results.

Protected Health Information (PHI) is a physical or digital version of anything that can identify a person, including names, phone numbers, dates, addresses, license plate numbers, biometric information, and even photographs of faces, that connect that person with a diagnosis

Some Examples of eHI / PHI

  • A patient's bill
  • A patient's prescription
  • A camera that records a computer screen that displays a prescription
  • A photo of a person that enters a chemo or cancer treatment center that does not accept visitors

Are camera and physical access control systems required by HIPAA?

Technically, no, but functionally, yes.

HIPAA was written to be inclusive of every medical record including those in the cloud or those created by remote work telehealth providers over something like Zoom, so the laws do not mention requiring any specific technologies. When they do mention "access control" they mean it holistically in every scenario, they do not just mean magnetic locks and bluetooth readers, but they also mean things like password and user accounts on workstations in those restricted areas. Many HIPAA compliant pharmacies only have a counter between the pharmacists' workstations and the shopping for the general public, and this counter is considered adequate "access control." For most providers, however, a counter is simply not enough physical security for their non-HIPAA related security needs and so they opt for automatic locking systems with an audit logs.

Likewise, cameras are not required at all, but audits are. It is unclear how you would audit wether employee A's workstation login was used by someone else if you don't have visuals on who was logging in at that time. Not part of HIPAA itself, although certainly regulated by HIPAA, there are also many state and local medication management and storage laws, that require you to check for theft or falsification of records regarding regulated medicines, like Opioids.

Physical Safeguards - § 164.310

One sentence summary: don't let unauthorized people in to where your information systems, workstations or other devices, medications, are stored.

Rules About Limiting Access

Access Control, [45 C.F.R. § 164.30(a)]

Compliance:

Access Control systems should be deployed to prevent unauthorized access to PHI or eHI information systems, workstations, and devices by situating them outside of doors.

Camera(s) will typically need to be deployed to provide visual confirmation that the user of the access control system has not be coerced into letting another person in, that the credentials used match the identity of the person, that no additional people have "tailgated" into the area, and that nothing improper is taking place (such as copying of PHI records).

These camera recordings will not need to be treated as PHI / eHI, as they only observe what employees are going into areas where HIPAA data is stored. They are intentionally positioned as to not record patient data.

HIPAA and Medication Storage Laws

There are many state and local medication management and storage laws that also require limiting access and confirming proper distribution and control of regulated medicines.

Compliance:

Access Control systems should be deployed to only allow appropriate access by authorized personnel.

Camera(s) will need to be deployed to provide visual confirmation that the user of the access control system has not be coerced into letting another person in, that the credentials used match the identity of the person, that no additional people have "tailgated" into the area, and that nothing improper is taking place (such as theft of medications or falsification of records).

These camera recordings may or may not need to be treated as PHI / eHI, depending on your operating process, use of privacy masks, and angle of view.

If these cameras are recording PHI / eHI, we recommend using an airgapped (no ability to connect to these camera recordings remotely or over the network) NVR with local storage.

Reminder: video surveillance software is also regulated. Because the legal system needs to know that footage presented to a court isn't being manipulated, we aren't allowed to let users delete individual clips. This means that if PHI has been recorded and a request received for it to be deleted, the only option is to format the whole device. This is why we suggest using privacy masks to prevent accidental PHI collection and isolated systems if you implementing a solution that is going to be recording PHI.

Three Different Uses, with Different Rules

Next we are going to talk about the administrative control requirements in HIPAA and the types of uses of surveillance cameras and, to a lesser extent, access control systems.

Administrative Safeguards - § 164.308

One sentence summary: restrict info on a need to know basis.

Rules About Accounts

Security Management Process, [45 C.F.R. § 164.306(e)]

Security Personnel, [45 C.F.R. § 164.308(a)(2)]

Information Access Management, [45 C.F.R. § 164.308(a)(4)(i)]

Compliance:

SCW Cameras and NVRs, Openpath Access Control, and the Survail Platform all have role-based account creation processes.

Openpath Access Control enables access to unlock electronic locks on a door-by-door basis.

Camera level viewing restrictions are coming soon in survail. SCW already has camera-level restrictions.

In addition to role based accounts for employees, Survail also two types of temporary external user accounts:

Survail has a active emergency user account that is token-based and allows provincial access accounts in the case of an emergency. This is meant to enable first responders to quickly see what event initiated the security presence. This accounts expire within 24 hours and do not allow users to save footage.

Survail also has a more long term third party access to specific recorded events and incident logs called "Vault." Vault is intended for use by legal teams, court systems, HR record keeping, insurance adjustors, and investigators. Vault provides long term storage, footage integrity checks, and proof of chain of custody. Vault users cannot use the rest of the Survail system and can be granted access on a record-by-record basis.

If you wanted to share footage with first responders, investigators, or legal teams from a SCW NVR system, you would use a USB thumb drive to download that footage and give it to them.

Rules About Device Data Integrity

Workstation and Device Security, [45 C.F.R. § 164.308(a)(2)]

Compliance:

Although you can factory reset all devices, you cannot selectively delete footage or events or change logs in any of our system.

Rules About Accessing Devices

Information Access Management, [45 C.F.R. § 164.308(a)(4)(i)]

Facility Access and Control, [45 C.F.R. § 164.310(a)]

Compliance:

With an SCW NVR, which has a video monitor output, you need to make sure that monitors can only be seen by those with a "need to know'' basis. Survail does not have a video monitor output. (You put survail in a server closet and lock the door).

Many hospitals have hallway safety monitoring protocols that require visitors to be let in to each wing of the hospital. These stations use cameras in the hallway and intercom access control reader pairs can help prevent hostile, lost, or unauthorized visitors. Often these stations are at the receptionist desk and can sometimes be visible to patients or visitors. In these cases, only the hallway security cameras should be allowed on these devices to prevent them from capturing eHI. Ideally, they should be positioned where visitors cannot see them.

Security Users

The first is the actual security of the building and its occupants. This type of video may be seen by third party monitoring companies, first responders, and on-site security guards.

These cameras might be able to be seen on monitors that hospital visitors or patients that may pass by, such as a guard station that checks visitors before they can move from one wing of the hospital from going to another wing.

Ideally, none of these people should be viewing eHI data, so the cameras that these users can view should be limited to places like parking lots, hallways, and waiting rooms.

Healthcare and Life-Safety Users

In many medical environments, nurses are expected to observe several patients at once. This may be to prevent self-harm, visual confirm health status to double check instrument data, discover escalating medical needs, or prevent behaviors that could compromise care.

These monitoring stations for these cameras should not be visible to visitors.

Ideally, you can use privacy masks or position of the camera so that it cannot viewing eHI data, like a patient chart.

Some providers choose not to record cameras designed to improve patient care, opting to only allow the live feed of these cameras, reducing regulatory compliance, but this can make retraining and managerial/HR more difficult. Recording, but not to allow non-managerial or HR personnel to view the recordings could be a good compromise.

Compliance Officers

HIPAA compliance requires auditing that eHI / PHI is not being accessed by unauthorized individuals. Ideally, you want to be able to do this without creating more eHI or PHI that also needs its own compliance check. With proper system design, this can be done.

For example, a camera could be setup that watches the doorway to a PHI storage room, allowing the user to compare the access control badges to the images of the person outside the door.

As another example, a camera could be setup that records the images of the person using a eHI workstation to the user activity logs of that workstation, while using a privacy mask to not capture what eHI they were viewing.

Although not recording footage that will classify your cameras as eHI is certainly easier, it isn't the only way to do things and sometimes there is a compelling reason to record PHI. Sometimes recording PHI is unavoidable and accidental. An example of this is protecting medics and ER doctors. Nearly half of all ER doctors and nearly all medics reported being assaulted last year, so there's a employee retention and legal liability to protect them, but an ER environment is often hard to predict and control. Likewise, sometimes recording PHI is the entire purpose of small camera deployment, such as visually checking to confirm that regulated or lethal medicines are not being mis-dosed, over administered, or pocketed.

Technical Safeguards - § 164.312

One sentence summary: If you are recording eHI data, then you will need to make sure that you have network and cyber security protocols put in place to make sure that hackers or malicious users cannot delete, steal, or alter it.

Rules About Data Integrity

Integrity Controls, [45 C.F.R. § 164.312(c)]

Compliance:

Users cannot selectively alter footage or logs.

Although you can factory reset all devices, you cannot selectively delete footage, logs, or events in any of our platform.

Rules About Cyber / Network Security

Transmission Security, [45 C.F.R. § 164.312(E)]

Compliance:

Encryption is a recommendation and not a requirement. There are good reasons both to and against encrypting video surveillance feeds.

Encryption increases latency in live video, which can lower response times for security teams. Encrypting a feed and then decrypting it at the viewing stations adds about a second of latency, which can make guard stations that require visitors to push a button to request access and then the guard visually confirm that they want to let this person in before allowing access nearly inoperable.

SCW cameras and NVRs do not have encryption enabled out of the box but you can supply your own certificate - although self-signed certificates are not ideal for internet broadcasts, they are fine for internal use. SCW cameras and NVRs do not send customer data to the cloud - however, they will check the cloud for firmware updates. SCW cameras and NVRs are on-premises networking devices and are not SCW services. We cannot see your footage or access your device, so there's no need for a BAA. Like all security cameras and NVRs, they inherit the cyber security provisions of your internal network. In a HIPAA environment, you should not allow unfettered internet based access and instead limit access to local viewing or use a VPN connection to reach your internal network, if remote viewing is required. VLANs are highly recommended to segregate camera traffic from general network traffic. VLANs segregate network traffic making it so devices and users on the physical security network cannot see or interact with devices on the computing network and vise-versa.

Survail adds additional security measures such as SAML 2.0 identity support, integrated VPN, and and a cloud-authenticated, secure endpoint for login security. Survail can deliver a BAA, as it is a service.

Survail adds banking-level encrypted video feeds from ICVR to cloud but not from camera to local viewing station(s). This is ideal as it only increases latency for remote viewers. Survail includes and an integrated physical hardware segregation and a VLAN for the unencrypted video streams and viewing stations.