No, HIPAA Compliance Doesn't Require 90 Days of Video Surveillance Footage

Recently, a competitor started claiming that "HIPAA compliance requires 90 days of Security Camera Footage." We can't find any evidence of this storage requirement - honestly, the law does not mention security cameras at all. (Most facilities still might need them to be compliant).

What's the claim?

There's a security camera company that has been claiming that HIPAA compliance requires having 90 days of security camera footage.

At no point does the oringinal HIPAA legislation, the updated "Security Rule" of 2003, nor any other rule changes that we could locate ever mention "cctv," "cameras," "surveillance," or "footage" at all. There's no framerate, resolution or retention requirements like in other regulated industries.

In most cases, it is best practice to have security cameras in order to be compliant with the "security incident" reporting requirements of HIPAA, but they are not specifically required.

Who is Making the Claim

This claim is part of a section of their sales pitch which, depending on the salesman, implies or directly states, that only their equipment is compliant. This is absolutely not the case. Additionally, this company has made several claims that are part of this series and directly markets towards enterprise, corporate, and government focused clients.

There's an Implied Case that some Entities Need Cameras

HIPAA guidelines are for the entire industry, so they are written in very general language. In particular, HIPAA regulations say that if you have a security breach, you must, within 90 days, inform your patients, the government, and the public (through a notice on your website that you keep up for 90 days), of what data was breached. This is the only mention of a 90 day requirement for anything in HIPAA regarding security.

It could easily be argued that informing all these parties of a security incidents requires one to monitor for security breaches. If you don't have cameras, how would you know if someone entered a sensitive area where medical files are stored without permission?

Although there's no explicit camera requirement, cameras are a good way to remaining in compliance with this reporting requirement. It's hard to know if you had a physical security breach if you don't have any video evidence.

Not Everyone Needs Security Cameras

In earlier versions of HIPPA, camera were not mentioned but it was stated that companies needed an "access control verification process." This language was later removed and replaced with language about monitoring for and reporting "security incident(s)." Part of this change was explained in the 2006 HIPAA security guidelines memo, in which several scenarios are mentioned where physical security has no effective meaning:

 A home health nurse collecting and accessing patient data using a PDA or laptop during a home health visit;

 A physician accessing an e-prescribing application on a PDA, while out of the office, to respond to patient requests for refills;

 A health plan employee transporting backup enrollee data on a media storage device, to an offsite facility.

There's many more examples of physical security not having a lot of meaning in more modern times, including telemedicine, cloud-based medical records, etc. It would probably be a good idea if the cloud storage provider has video surveillance, but the makers and users of iOS or Android medical apps don't exactly need cameras following them 24/7 to remain compliant with the law. They do however still have to comply with the monitoring of and reporting "security incidents" which for an App maker, would have a lot more to do with hacking than traditional B&E. This was why the law was changed to use more universal and less specific language.

Misinformation Harms the Industry by Creating Mistrust

Telling a customer half-truths isn't the way to earn customer trust and using misinformation to create fear of non-compliance is a bad sales practice.

Here's the Truth

If you store HIPAA qualified medical records in a physical location, you should get an access control system and security cameras. This is probably the best and most cost effective way to secure locally stored or accessable medical info. However, a 24/7 bouncer checking IDs at every door seems like an equally compliant, although not as cost effective, solution.

There's absolutely no regulation that you face about how long you have to store footage.

Other HIPAA Compliance Best Practices

Privacy and Confidentiality

The majority of HIPAA compliance deals with patient confidentiality. It is important that you continue to adhere to these rules when installing your security camera system.

Unlike many other installations, you should not install a customer facing CCTV monitor in a hospital or doctor's office. HIPA requires all patient's identities and diagnoses must remain private and out of public view. Make sure that your security office is private and secure. If a monitor with access to the cameras is in a public place, use a privacy screen.

Your facility should have policies in place that restrict access to the video surveillance on a need to know basis.


  1. The 4MP Imperial Series (4MP is 2 x 1080P) - 100 Channel HD Customizable Security Camera System




    Cameras


    4MP @ 25 FPS: 2560 x 1440

    80.8° or 101° options
    IP67 Weatherproof
    Infrared night vision up to 100 FT
    -31°F to 140 °F temp rated
    True Wide Dynamic Range (120dB)



    4MP vs 4K.


    Software


    VCA: Motion Detection, Line Crossing, Face Detection, Intrusion Detection, People Counting, Vandalism Detection
    Video Content Analytics (VCA) Search
    VCA Event based Email Alerts
    Remote Footage Download
    1 Click Firmware Update

    Learn when you would use VCA


    Remote Viewing


    Smartphone Apps
    Tablet Apps
    Windows Apps
    Mac Viewing Apps
    Internet Explorer Viewing

    How Patent Wars have changed Browser Support


    Hardware


    Cat5e (RJ45) Ethernet to Network
    Standard 3-Prong Wall Plug
    POE Switches for flexibility in cable runs
    VGA Monitor Out
    4K HDMI Out for TVs/Monitors
    Footage Download via USB

    Learn about automatic backup footage options



  2. The 4MP Motorized Imperial Series - 100 Channel HD Customizable Security Camera System




    Cameras


    4MP @ 25 FPS: 2560 x 1440

    Motorized Varifocal: 2.8 - 12mm
    91° - 27° of coverage
    IP67 Weatherproof
    Infrared night vision up to 100 FT
    -31°F to 140 °F temp rated
    True Wide Dynamic Range (120dB)



    4MP vs 4K.


    Software


    VCA: Motion Detection, Line Crossing, Face Detection, Intrusion Detection, People Counting, Vandalism Detection
    Video Content Analytics (VCA) Search
    VCA Event based Email Alerts
    Remote Footage Download
    1 Click Firmware Update

    Learn when you would use VCA


    Remote Viewing


    Smartphone Apps
    Tablet Apps
    Windows Apps
    Mac Viewing Apps
    Internet Explorer Viewing

    How Patent Wars have changed Browser Support


    Hardware


    Cat5e (RJ45) Ethernet to Network
    Standard 3-Prong Wall Plug
    POE Switches for flexibility in cable runs
    VGA Monitor Out
    4K HDMI Out for TVs/Monitors
    Footage Download via USB

    Learn about automatic backup footage options



  3. The 4K Motorized Imperial Series - 100 Channel HD Customizable Security Camera System




    Cameras


    4K (8MP) UHD @ 30 FPS: 3840 x 2160

    Motorized Varifocal: 2.8 - 12mm
    91° - 27° of coverage
    IP67 Weatherproof
    Infrared night vision up to 325 or 100 FT
    P-Iris Lens or IK10 impact rating
    Extreme Cold Temperature rated from -40°F to 140 °F
    True Wide Dynamic Range (120dB)



    4MP vs 4K.


    Software


    VCA: Motion Detection, Line Crossing, Face Detection, Intrusion Detection, People Counting, Vandalism Detection
    Video Content Analytics (VCA) Search
    VCA Event based Email Alerts
    Remote Footage Download
    1 Click Firmware Update

    Learn when you would use VCA


    Remote Viewing


    Smartphone Apps
    Tablet Apps
    Windows Apps
    Mac Viewing Apps
    Internet Explorer Viewing

    How Patent Wars have changed Browser Support


    Hardware


    Cat5e (RJ45) Ethernet to Network
    Standard 3-Prong Wall Plug
    POE Switches for flexibility in cable runs
    VGA Monitor Out
    4K HDMI Out for TVs/Monitors
    Footage Download via USB

    Learn about automatic backup footage options



  4. The 4K Imperial Series - 100 Channel HD Customizable Security Camera System



    100 Camera 4K Imperial Series

    Starting at: $35,576.99


    Cameras


    4K (8MP) UHD @ 15 FPS: 3840 x 2160

    92° or 118° options
    IP67 Weatherproof
    Infrared night vision up to 100 FT
    -31°F to 140 °F temp rated

    4MP vs 4K.


    Software


    VCA: Motion Detection, Line Crossing, Face Detection, Intrusion Detection, People Counting, Vandalism Detection
    Video Content Analytics (VCA) Search
    VCA Event based Email Alerts
    Remote Footage Download
    1 Click Firmware Update

    Learn when you would use VCA


    Remote Viewing


    Smartphone Apps
    Tablet Apps
    Windows Apps
    Mac Viewing Apps
    Internet Explorer Viewing

    How Patent Wars have changed Browser Support


    Hardware


    Cat5e (RJ45) Ethernet to Network
    Standard 3-Prong Wall Plug
    POE Switches for flexibility in cable runs
    VGA Monitor Out
    4K HDMI Out for TVs/Monitors
    Footage Download via USB

    Learn about automatic backup footage options