No, HIPAA Compliance Doesn't Require 90 Days of Video Surveillance Footage

Recently, a competitor started claiming that "HIPAA compliance requires 90 days of Security Camera Footage." We can't find any evidence of this storage requirement. Honestly, the law does not mention security cameras at all (Most facilities still might need them to be compliant).

surveillance industry shortchange

What's the claim?

There's a security camera company that has been claiming that HIPAA compliance requires having 90 days of security camera footage.

At no point does the original HIPAA legislation, the updated "Security Rule" of 2003, nor any other rule changes that we could locate ever mention "CCTV," "cameras," "surveillance," or "footage" at all. There are no framerate, resolution, or retention requirements as there are in other regulated industries.

In most cases, it is best practice to have security cameras in order to be compliant with the "security incident" reporting requirements of HIPAA, but they are not specifically required.

Who is Making the Claim

This claim is part of a section of a specific company’s sales pitch which, depending on the salesman, implies or directly states that only their equipment is compliant. This is absolutely not the case. Additionally, this company has made several claims that are part of this series and directly markets towards enterprise, corporate, and government-focused clients.

There's an Implied Case that some Entities Need Cameras

HIPAA guidelines are for the entire industry, so they are written in very general language. In particular, HIPAA regulations say that in the event of a security breach, you must, within ninety days, inform your patients, the government, and the public (through a notice on your website that you keep up for ninety days), of what data was breached. This is the only mention of a ninety-day requirement for anything in HIPAA regarding security.

It could easily be argued that informing all these parties of security incidents requires one to monitor for security breaches. In the absence of cameras, how would it be known if someone entered a sensitive area where medical files were stored without permission?

Although there's no explicit camera requirement, cameras are a good way to comply with this reporting requirement. It's hard to ascertain a physical security breach without any video evidence.

Not Everyone Needs Security Cameras

In earlier versions of HIPPA, cameras were not mentioned but it was stated that companies needed an "access control verification process." This language was later removed and replaced with language about monitoring for and reporting "security incident(s)." Part of this change was explained in the 2006 HIPAA security guidelines memo, in which several scenarios are mentioned where physical security has no effective meaning:

 A home health nurse collecting and accessing patient data using a PDA or laptop during a home health visit;

 A physician accessing an e-prescribing application on a PDA, while out of the office, to respond to patient requests for refills;

 A health plan employee transporting backup enrollee data on a media storage device, to an offsite facility.

There are many more examples of physical security not having a lot of meaning in more modern times, including telemedicine, cloud-based medical records, etc. It would probably be a good idea if the cloud storage provider has video surveillance, but the makers and users of iOS or Android medical apps don't exactly need cameras following them 24/7 to remain compliant with the law. They do however still have to comply with the monitoring of and reporting "security incidents" which for an App maker, would have a lot more to do with hacking than traditional breaking and entering. This was why the law was changed to use more universal and less specific language.

Misinformation Harms the Industry by Creating Mistrust

Telling a customer half-truth isn't the way to earn customer trust and using misinformation to create fear of non-compliance is a bad sales practice.

Here's the Truth

If you store HIPAA qualified medical records in a physical location, you should get an access control system and IP security cameras. This is probably the best and most cost-effective way to secure locally stored or accessible medical info. However, a 24/7 security guard checking IDs at every door seems like an equally compliant, although not as cost-effective, solution..

What is important to understand is that there's absolutely no regulation about how long video surveillance footage storage is required for HIPPA compliance.

Other HIPAA Compliance Best Practices

Privacy and Confidentiality

The majority of HIPAA compliance deals with patient confidentiality. It is important that you continue to adhere to these rules when installing your security camera system.

Unlike many other installations, you should not install a customer-facing CCTV monitor in a hospital or doctor's office. HIPA requires all patients’ identities and diagnoses must remain private and out of public view. Make sure that your security office is private and secure. If a monitor with access to the cameras is in a public place, use a privacy screen.

Your facility should have policies in place that restrict access to video surveillance on a need-to-know basis.

Not sure what you need?

Lean on the experts

We'd be happy to work up a custom quote or take your floorplan and create a security coverage map.

Get a Custom Quote

View as Grid List

2 Items

per page
Set Descending Direction