Can Medical Practices Use a Security Camera in the Waiting Room?

Medical practices hoping to increase security often consider installing a security camera in the waiting room for video surveillance, but they usually are not sure what is permitted by HIPAA or state law. Understanding how audio and video footage captured by a security camera might be treated under HIPAA and state law can help practices decide whether a security camera makes sense for their office. This article discusses the main considerations under HIPAA and state law for practices contemplating the use of a security camera, plus recommendations for what to include in a security camera policy.

What are the Main HIPAA Considerations for Medical Practices Using a Security Camera?

Under the HIPAA Privacy Rule, the very fact that an individual received medical care is considered protected health information (PHI). Since any footage is likely to show that an individual received care at their office, practices should treat all footage captured by the security camera as PHI.

This means that before using or disclosing a video to a third party such as law enforcement, practices generally must comply with HIPAA authorization requirements. MICA recommends that practices address the use of a security camera in their HIPAA policies and procedures for safeguarding patients’ PHI.

Practices should also determine whether footage will be transmitted to or stored by a cloud company or other third-party service provider. If yes, then HIPAA likely requires a business associate agreement with the cloud company or third-party service provider.

How Does Arizona Law Impact the Use of Security Cameras in a Medical Practice?

Arizona has several laws that might apply depending on whether the system captures audio in addition to video data.

Video-Only Recordings

Arizona law makes it illegal to knowingly photograph, videotape, film, digitally record, or in any way secretly view another person in a location where the person has a reasonable expectation of privacy.¹ Courts usually examine the facts of a specific case and determine on a case-by-case basis whether someone has a reasonable expectation of privacy. But, courts usually do not find a reasonable expectation of privacy in common areas, such as a waiting room. To make sure the video cameras do not view anyone in a location where someone might have a reasonable expectation of privacy, like a restroom or exam room, practices should develop a comprehensive policy governing the use of security cameras.

Audio Recordings

Arizona has separate laws that apply if the camera captures audio in addition to video footage. In general, Arizona law permits recording a conversation with the consent of one person involved in the conversation.²

Practices might assume that a patient’s signed acknowledgement regarding the use of audio recording means the patient consents under Arizona law. However, it is unclear whether courts will consider this sufficient consent, so it is difficult to predict what a court would say if someone challenged the legality of an audio recording in the medical practice setting. Given the legal uncertainty, MICA strongly discourages audio recordings.

What Should Practices Include in Their Policy Regarding the Use of Security Cameras?

Before using a security camera, practices should develop a written policy that protects patients’ PHI and aligns with state laws. The security camera policy should include the following:

• • Cameras should be visible and not concealed. Make sure cameras cannot view locations where patients and staff might have a reasonable expectation of privacy, including in employee lunch or break rooms. Point cameras away from exam rooms, restrooms, computer screens, and patient records.
    
    
  • Ask patients to sign an acknowledgement about the use of cameras. Let patients know how long you will keep the footage before it is destroyed. The acknowledgement might state that the patient, parent, or guardian understands that security cameras are in place in certain public areas of the practice.
    
    
  • Post signs stating there is a security camera in use. Consider placing signs in the waiting room and on the front door so people can avoid entering if they do not want to be recorded. Consider the languages spoken by your patient population and whether to include signage in more than one language.
    
    
  • Consult the practice's business or health care attorney for advice on obtaining employees' consent regarding the use of security cameras and for maintaining documentation of employees' consent.
    
    
  • Decide how long to keep archived footage. Decide who will manage the system, who can access the footage, and under what circumstances they can access the footage. Decide how to audit who has accessed the footage.
    
    
  • Secure the system physically and digitally. The system should be locked in a room or cabinet, and it should be password protected.
    
    
  • Decide how to conceal the identities of bystanders in the footage if you need to disclose the footage to anyone. This includes disclosing video footage to law enforcement and responding to patient requests for the footage.

Overall, practices considering the use of a security camera should evaluate the pros and cons. Cameras might create a sense of security, but they also require careful adherence to HIPAA policies and procedures to protect patients’ PHI.

^{[1] See A.R.S. § 13-3019.}

^{[2] See A.R.S. § 13-3005 and A.R.S. § 13-3012.}