In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was created to establish modern standards regulating the maintenance of and access to healthcare information. HIPAA, also officially known as the Kennedy-Kassebaum Act, consists of five titles, each of which provides stipulations for a specific area of the healthcare and health insurance industries. The most notable of these is Title II, which serves as the basis for security and privacy protections over personally identifiable patient records. The Department of Health and Human Services stipulates that HIPAA must be followed by “all entities” including:
• Healthcare Providers (including hospitals, medical centers, clinics, physicians, pharmacies and nursing homes)
• Health Plans (including company health insurers, health plans, health maintenance organizations (HMOs) and government programs that pay for healthcare)
• Healthcare Clearinghouses
• Business Associates who sign a specific legal agreement with one of these organizations
In addition, with COVID-19 vaccination documentation being required in most schools and government organizations, HIPAA has taken a proactive approach and brought these public institutions under this wide umbrella where the protection of student and staff health records is concerned.
Title II – The Administrative Simplification Provisions
Title II of HIPAA codifies rules for maintaining the security and privacy of individually identifiable health information. These provisions, known as the Administrative Simplification rules, require the Department of Health and Human Services (HHS) to establish specific standards for the protection and use of healthcare information. Accordingly, the HHS created a number of rules that have become the basis for what most refer to as HIPAA compliance. Since the adoption of HIPAA, the HHS has established a number of regulations for the access and disclosure of Protected Health Information (PHI). These regulations are collectively known as the Standards for Privacy of Individually Identifiable Health Information, or simply “the Privacy Rule.”
Is Surveillance Footage Considered Protected Health Information?
In some cases, yes.
While Protected Health Information usually refers to secure records such as medical history and payment information, the HHS defines it as “individually identifiable health information […] in any form or media, whether electronic, paper, or oral.” So, generally speaking, if footage can be used to directly identify an individual and their treatment, it must be protected under Title II of HIPAA. This could include footage from a patient’s room or from another treatment area such as an operating room. Footage of common areas such as entranceways, waiting rooms, or storage closets is thus not considered protected under HIPAA and can be shared or stored with fewer restrictions. See www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
The basic tenet of the Privacy Rule is defined by the HHS: “A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.” Cases where PHI can be disclosed are listed for reference on the HHS website. In 2009, Title II was amended by the HITECH Act to extend to Business Associates who handle PHI as well. Before this, only Covered Entities themselves were required to adhere to HIPAA regulations.
The Security Rule
To protect and ensure the privacy afforded to patients by the Privacy Rule, the HHS published the Security Standards for the Protection of Electronic Protected Health Information, also referred to as “the Security Rule.” As the title implies, the Security Rule extends the protections of the Privacy Rule to records that are stored and transferred electronically rather than physically. From the HHS website: “The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that [Covered Entities] must put in place to secure individuals’ electronic protected health information (e-PHI).” Specifically, covered entities and their business associates must:
1. Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce
The Security Rule lists a number of safeguards to guide organizations in how they manage and protect data. Global CTI’s video solutions are designed specifically with features that comply with each:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
To learn more about compliance and how you can safely add video surveillance to your organization, contact Global CTI.