Transcript and Recording: HIPAA + Security Cameras Webinar


Below is a transcript of our webinar with Nick Weil of Weil Consulting on the HIPAA implications of security cameras. You can access the full recording at this link.

For additional information, contact us or Nick at weilconsulting.com.

Transcript

Nelson 

All right, everyone. Thanks for joining. My name is Nelson. I'm the owner of Settler Security. We provide security cameras, alarms, and access control to the Dallas Fort Worth commercial market. Nick Weil here with us is a data security consultant, health privacy attorney in practice for over a decade, managing member of Weil Consulting and a lawyer with Meade, Roach, and Annullis.  

Disclaimer for this webinar, Nick is not your lawyer. This webinar is not attorney-client privileged and should not be construed or interpreted as legal advice to you. We're going to have a recorded main session with some prepared topics that Nick and I have put together, and then we'll have an off-the-record Q&A session after recording is stopped for all the participants afterward. Nick, anything you'd like to add to start us off? 

Nick 

Yeah, thanks for having me, Nelson, and I appreciate everybody joining. As Nelson said, I've been doing sort of HIPAA compliance and law work for over 10 years now. Now I sort of do consulting and law for small to mid-size and large sort of healthcare providers. In a prior life, I was actually sort of a privacy and security officer for hospitals in the HIPAA compliance space. So for hospitals, for physician offices. And so I like to think in those 10 years, I've seen most, if not all, of these sorts of things. But as we'll probably get into, there's a lot of questions and a lot of scenarios that I can't even dream up. So looking forward to the discussion and any questions that folks might have.

Nelson 

All right. So to start off with, Nick, what are some big misconceptions people have about HIPAA? 

Nick 

Yeah, I think the funniest one is, so I just actually had a client yesterday put in a meeting on my calendar, said, you know, HIPAA assessment discussion, but he did the classic spelled HIPAA with two P's. 

Nelson 

Don't tell everyone how many times you had to correct my spelling while we were planning this. 

Nick 

Yeah, I didn't want to call you out too much, Nelson, but this is actually a very common mistake. HIPAA has one P. And I actually think this is sort of a learning exercise here because people really expect there to be more privacy in HIPAA than there really is. Keep in mind, right, that there actually is only one P in HIPAA, not two. I got you on it. The P that is in HIPAA doesn't stand for privacy at all. People don't realize this, but it actually stands for portability. So HIPAA is the Health Information Portability and Accountability Act. And believe it or not, it was passed in the 90s to actually make data more accessible, not less accessible. So the portability piece of it was the federal government needed to sort of basically standardize how electronic claims moved between healthcare providers, healthcare payers. And so, the idea was to make protected health information more accessible, more movable from entity to entity, from government to private sector. And really the privacy and security that we have come to sort of think is synonymous with HIPAA was really more of an afterthought in the statute, in the HIPAA rule. There's literally one line about privacy and security. And all it says is the Department of Health and Human Services will make rules related to the privacy and security of protected health information. And that's all that HIPAA itself says about privacy and security. Now, after that congressional statute, there have been hundreds of pages of regulations issued by HHS in response to that, but actual HIPAA is really more about how can we move data more easily. And I think that's a helpful transition into the topic of the webinar here because it turns out healthcare organizations themselves have a lot more leeway with what they can do with health data than I think most patients and even many providers know.

Nelson 

So what are some of those, what are some of those options that people might not be considering, particularly in a security and site surveillance context? 

Nick 

Yeah, I think the biggest is: HIPAA as a privacy rule basically has one rule with a ton of exceptions to it. So the one rule is you can't use protected health information without a patient's authorization, right? So a patient has to sign an authorization saying you can use their protected health information. Except... and the exceptions that follow are about 50 pages long. So there are tons of exceptions where a healthcare organization can use, I'll just give you a couple of examples. I think the biggest one relevant here is what's called healthcare operations. So in order for a healthcare organization to run its business, to administer its services, to pay its employees, to do any number of things that it needs to run its business, it can use PHI, it can disclose PHI, and it doesn't actually need to get authorization from the patient to do this.  

There are other exceptions related to law enforcement. So if a crime is committed on your premises, right, you can disclose PHI to police if somebody robs your store, right? If somebody graffitis your building, you can share that, even if it was a patient that did that, right, or it's potentially a patient that did that. Law enforcement, there are big exceptions related to law enforcement and the use that a healthcare organization can make of PHI.

Obviously, if somebody in law enforcement has a subpoena or a court order, right? You can respond in that sort of way. So there are dozens, I think, that could sort of apply to why you might want a security camera and what you might do with that data later on that I think we can get into as we get into the webinar. 

Nelson 

Yeah, that's it. So we do have clients and we have prospects who, you know, look at, you know, in medical fields, they're operating offices or practices and we're talking with them about their security systems and they're worried about their security systems violating HIPAA. Some believe they can't have security cameras at all, but it sounds like, from what you're saying, that's not true.

Nick 

That's right. Yeah. So you absolutely can have security cameras. I worked for a number of hospitals that not only had dozens or hundreds of security cameras, they had security officers. Healthcare can unfortunately be a dangerous place, depending on the clientele you serve. And covered entities - that's the technical definition, an entity that is covered by HIPAA is a “covered entity” - covered entities have employees that they have to keep safe. They have assets they need to protect. And there are very legitimate reasons to need to record people within reason. And I'm sure we'll get into what exactly that means in a second. But yeah, the short answer is, you know, HIPAA does not prohibit the use of security cameras, and hospitals or healthcare providers or physician offices or chiropractors' offices or dentists' offices can absolutely have a security camera, and as many as they deem necessary.

Nelson 

But there are still, there are still things that should be considered in how that video is being managed and how it's being shared, including with law enforcement or security partners, correct? 

Nick 

That's right. So I think that the way to think, so once we get over the hump of can you have a security camera at all, right? There's one other sort of standard under HIPAA that I always like to bring up in most contexts, and that's what's called the “minimum necessary rule.” 

So built into the HIPAA standard is, yes, there are dozens of pages of exceptions where you as a legitimate healthcare provider can collect, use, or disclose PHI, in this case in a security context, perfectly permissible. However, the important addendum to that is you need to only do it to the minimum necessary to actually accomplish the legitimate purpose. So what that means in practice is, you really should be thinking in terms of, okay, what is reasonable for what I want to do? Okay, I'm putting up a security camera because I want to secure my store from break-ins. Okay, well then that should probably inform where you're actually putting your cameras, right? By the front door, makes sense. By the back door as well. Perimeter, makes sense. So if that's your purpose, if that's the legitimate purpose that you want to accomplish with the security camera, then just making sure that the uses, the collections, the disclosures that you're making of that PHI are only what's necessary to accomplish that purpose.

Nelson 

Does that include who has access to that system? 

Nick 

Yes, it does. It's a great question. So HIPAA also has what's called a “role-based access requirement.” This is, as the name suggests, that who has access to PHI should depend on their job functions at the organization, right? So if you have a physician, they're naturally going to need access to your medical record, and they're probably going to need access to the whole medical record because you don't know which patient they're going to see on a particular day. And so they need sort of full unmitigated access. At the same time, the owner of the store may not need, if they're not also the physician, right, may not need access to the medical record, or they may need sort of like limited access to the medical record in order to accomplish their job.

The store manager or what have you might not need the same level of access that a physician would have. So we can apply that standard to something like a security camera where the administrator of the building, right, probably is going to need access to the security cameras. But the physicians who work in the building, unless they're also an administrator, probably don't need access to the recordings that are occurring - at least not every recording. Maybe there was an incident and the physician, because the physician was involved, needs to review it. We could kind of come to a minimum necessary standard there.  

But generally speaking, there's a limiting factor around who should have access to data based off of what is the actual function they need to perform for the organization.

Nelson 

Makes sense. So while we're on records themselves, one of the big concerns that comes up when we talk with clients, particularly in a HIPAA or in a healthcare context, is records retention. So, we've had clients who have been really worried that their video is going to be protected health information and they're going to have to retain it for seven years, which is really expensive for video. What video recordings, if any, are considered medical records under HIPAA and how do we think about how long clients should keep that? 

Nick 

Yeah, it's a great question. And my answer is going to be counterintuitive. I'm actually going to say you should keep those recordings for as little time as is practical from your standpoint.  

Because in fact, what's happening is: the longer you hold that data, the riskier it is. We'll talk maybe a little bit later in the webinar about risks around breach of data and these sorts of things. But basically, the longer you hold data, the more data you have that you don't need, you're just a bigger target for a bad guy, right, or for a misstep.  

There's actually not a requirement under HIPAA to keep medical records for any amount of time. There is a record retention requirement in HIPAA. But it's particularly for what we would call compliance documentation. There's a six-year requirement that you keep compliance documentation related to HIPAA. So, this would be like your privacy notice, the thing that you hand to patients saying, “hey, these are your rights related to HIPAA.” That you need to keep for six years, right?  

You might need to keep, if you have or if you've done a HIPAA security risk assessment - which I recommend all healthcare providers do - that documentation should be kept for six years because if you're ever investigated, if HHS ever asks to see that, they're going to expect to be able to go back six years. That doesn't include medical records generally, and it certainly wouldn't include recordings of patients.

I suspect that recordings of patients would be PHI in most contexts. When we talk about PHI, we typically think in terms of two sort of criteria. One would be, is it identifiable, right? So is there something within the data set that actually identifies an individual? In this case, since it's getting their face, it's probably going to be identifiable. Maybe not if it's only getting the back of their head, but you should probably presume that people on your video cameras are going to be identifiable. Then it also has to be health information.

Critically, health information can even just be the fact that they're coming to you for their healthcare. It's not the same level of risk in terms of PHI, like if you had an HIV diagnosis or mental health records; it wouldn't be that level in terms of the risk of the PHI. It wouldn't be as risky as those, but it would probably qualify as PHI. But again, PHI is not required to be kept for six years, that's specifically compliance documentation. And again, going back to my earlier point, I would really recommend you and healthcare providers only keep data, you know, probably a month max in terms of the actual raw recordings.

Now, if you have an incident and you need to keep a particular day or a particular week or a particular hour for longer than that, that makes a lot of sense. You can justify that under the minimum necessary rule, but in terms of just security, we talk about reducing the attack surface of your organization in a lot of different ways. And one of the ways you can reduce the attack surface of your organization is to shrink the surface. And by shrinking the amount of data that you actually retain, you're making yourself a smaller target. 

Nelson 

Great. That matches very well what we discuss with most of our other clients. A 30-day retention period is pretty typical in most other industries that we work in because that's long enough to identify that an incident has happened and archive the video if you need it, save it somewhere, share it to police or attorneys, but not so long that you're stuck with this big attack surface or really outrageous retention costs.

So if you've got a security camera somewhere and it's somewhere that could be recording a patient - whether that's coming into the office or whether that's a treatment area - maybe that's PHI, but maybe you don't need to retain it.  

How should medical providers think about where cameras can be placed in their practice, in their operations? 

Nick 

Yeah, this is where it gets a little tricky, right? You'd think with dozens of pages of regulation, HHS can describe every situation possible, but it just turns out that - this is, I guess, job security for people like me - there are any number of scenarios that you can think of that are sort of on the edge of that minimum necessary requirement, right?  

I'll give you an example: I was advising a client who wanted to set up a camera in their office right behind their registration desk because there was a safe there. I can't remember if it was for money or valuables, but in any case, there was a safe underneath the office desk and they wanted to have a camera on it in case somebody tried to steal it, in case there were allegations of things missing, these sorts of things. They wanted to be able to quite reasonably record access to that safe.

And so we walked through with them, “okay, well, let's look into examples of the footage. Can you see patients' faces from that? Probably not. It looks like it's too grainy. How long are you going to keep that data? What is the position of the camera? Is it such that we can avoid getting too much patient information?”  

So, I think once you get into those sort of grayer areas around within this clinic itself, I think it's still possible to be permitted under some sort of legitimate use or minimum necessary rule, but you'd want to think a little bit more clearly about “how can I most reduce the risk?” Not only to yourself, but also to your patients. You don’t want to be recording them in a situation where they don't really need to be recorded. 

Nelson 

Yeah, that makes sense. We have - for any industry that we work with - areas where people have an expectation of privacy. We're never going to be involved with putting a camera in a bathroom or a changing room. But there may be some gray areas here with things like treatment areas. I talked to a prospect once who was a chiropractor who wanted to use cameras in the treatment room to mitigate risk from false sexual assault claims. Would that be something that he would be allowed to do? 

Nick 

Yeah, I would think so. I mean, you can hear from my voice, I'm proceeding a little bit cautiously. You mentioned changing rooms and these sorts of things. Unfortunately, treatment areas can sometimes... function like changing rooms. I'm thinking about like, my own family doc. Sometimes they ask you to pull down your pants and cough and that sort of thing. So you would want to be conscientious of those sorts of things because you're right.  

Apart from HIPAA, there's also what's called this “expectation of privacy.” This has more to do with somebody who might complain or they might try to sue you because you're violating their expectation of privacy. The law in that area is much more vague, much more sort of vibes-based, you might say. And there's not a good standard of like, where do people expect to have privacy? Obviously, bathrooms are a great example. People expect to have privacy there. You should never put a camera in a bathroom. You said that. I say that.

But allegations of assault, unfortunately, can happen to people. So if there's a credible concern related to that - maybe because there was a history of that or because somebody has threatened that - then the organization needs to take steps to protect not only its employees, but also its patients. I think if it presents that way, what can be done to mitigate the amount of data that's being collected?

This is also the sensitive nature of data with camera positioning, retention of data. And then to the extent appropriate, posting something in the room saying, “hey, you may be recorded for safety purposes” or something like that, so that people don't have that expectation of privacy, right? Then you're kind of mitigating, you're kind of reducing the expectation that they have because you've told them that, for one reason or another, they may be recorded. This is why when you jump on the phone call with a customer service agent, the first thing you hear is typically “this call may be recorded for whatever purposes.” They are reducing your expectation of privacy with those sorts of notices. So if it became necessary to do something like that, that's probably how I would advise a client to reduce the exposure to A) just somebody complaining and B) any potential HIPAA violations.

Nelson 

That's good to know. It's interesting you mentioned telephones. You could use a microphone instead of a camera potentially, but many modern cameras can also record sound. Is there a difference in how audio and video recordings are treated in this context? 

Nick 

Yeah, I think so, because this will naturally depend on what is actually captured in the recording, right? For the most part, voice isn't as identifiable as face right now, but if on the recording I say, “hey, this is Nick Weil and I'm here to get my colonoscopy,” okay, well, there's probably then an identifier and you've got health information.

It would seem to me that the type of data is going to impact how risky that is to be collecting it. So, I would think about audio in the same way that I would think about visual. I would think about minimum necessary retention and like, are you in a sensitive area? And if you are, if you're collecting data like health information by accident, just because you're recording voices, then you need to do what you can to mitigate that and really be sure that the purpose is necessary for your business.

Nelson 

Okay. And do these guidelines change by practice type? So you've worked with some big institutions. We've worked with a couple of medium-sized hospitals as well as some really small independent practices. Do those have different levels [of compliance] that they need to hit? 

Nick 

Yeah, 100% they do. HIPAA is intentionally designed to be sort of scalable, especially the security rule. There are some hard and fast rules, right? Whether you're a small mom-and-pop physician or a dozen hospitals across the country, you can't sell PHI. It's a pretty hard and fast rule. It doesn't matter how big you are for that.  

But in terms of security practices, in terms of what you need to be doing to protect patient data from unauthorized access, that does scale. Going back to that attack surface area: You're naturally, as a smaller organization, you're going to have a smaller attack surface. And so the expectations around what you would have in place to protect data [will be smaller.] There's still going to be sort of some floor. Like, you should always be encrypting data. You should have backups where appropriate. But in terms of what technology you need to have in place or how you're monitoring or what sort of threat landscape you're reviewing, yeah, there are large hospital systems that have dozens of employees just in their IT security office. And I wouldn't expect a small physician’s practice to have something like that.

So the short answer there is it does scale and you can expect the sort of obligations around particularly security to scale with your organization. 

Nelson 

Gotcha. One of the things we discussed as we were planning this was as those standards change in scale, how does that impact how you store your video and your audio records? What are the bare minimum things that even that independent office needs to say, “hey, these are what we need in a camera system or an alarm system or whatever it is?” 

Nick 

There'd be two things to keep in mind, maybe three, when storing any PHI, but in this case, because we're talking about security footage, PHI related to that. You want [your data to be] what's called “encrypted at rest” and “encrypted in transit.” Encrypted at rest is just when the data, wherever the data is sitting - if it's sitting within the camera itself, if it's being stored in a server, if it's being stored in a cloud, as a backup - that data needs to be encrypted in such a way that if somebody just walks up behind the camera one day and yanks out the hard drive or walks into your medical office (after being recorded doing it) and yanks out the hard drive from your server where the data is stored, they have access to the raw data. But if it's encrypted, it's stored in such a way that without the password, it's basically gibberish to them, right? It's unavailable to them because of one of the various encryption standards that you can apply to data, basically using cryptography and these sorts of things. So I would say at a minimum in the storage of that data, you should make sure that it's encrypted at rest.

The corollary to that is also encryption in transit. So while the data is sitting on your server at your practice and then going to the cloud, the transmission of that data should also be encrypted. There are various ways that you can accomplish that. It’s probably for your IT team to work out, but it’s essentially just making sure those data flows are just as secure. So that in case there's a man-in-the-middle attack or somebody watching your network for a nefarious reason, and they intercept that traffic, just like the thief who walks in and steals the hard drive, it's going to mean nothing to them because it's encrypted.

The last thing I would say would be use backups. HIPAA also requires you to maintain backups of your data. That is really most often used for critical medical record purposes. Now, you should probably have backups of your security footage, but the amount of redundancy you can expect to need is going to be different than you would expect for backups for your medical record, right?  

Obviously, if your medical records go down, you're going to be in a lot of trouble, and so are your patients, and so you're going to have more backups related to that data. Whereas if your security camera footage goes down, it's probably not make or break for the business. What the rule suggests is a risk assessment approach, where you basically look at your data, you look at the kind of PHI you have, and you figure out, “okay, what, if it goes really wrong, what am I really going to need?” And you design your backup system to correspond to that.

I think that those would be sort of the three things off the top of my head that I would think would apply to the actual security of the data in the security camera itself. 

Nelson 

Yeah, good thoughts. It's not common, but we do have bad guys steal NVRs. I have encountered that a couple of times. And it's worth noting as well, if you're particularly a small or medium-sized practice, you don't necessarily need a big IT department. You can get this from your security system. We carry and represent several solutions that are encrypted, that do backups. And we can help you scope that “minimum necessary,” help you assess what kind of resolution those cameras are going to capture, and identify what you might need to keep track of.

Nick 

Yeah, and I guess I'll provide a little case study from my own experience to make clear why you need to encrypt this data.  

I had a client some years ago, it was a hospital client, they were moving hospitals, they were moving from one building to another, and - in the process of doing that - they were moving computer systems, they were moving servers, and this was a months-long process. And when they got into the new building, they realized that they were missing a server. Nobody knew if somebody had stolen it, if it had ended up in the garbage by accident, or what happened to it. But, this server, unfortunately, had PHI on it, it was unencrypted, and was missing.

And under HIPAA, you need to presume that anything like that has gotten into the wrong hands, that would be what we call the “B word.” It would be a breach. And because it's a breach, there are all these requirements about who you have to notify and when you have to notify them. We've probably all gotten these letters in the mail from Blue Cross Blue Shield or our local hospital system and they're vague about what happened but they say something about maybe calling your credit agency, those sorts of things. You're getting those because there's a requirement under HIPAA that if there's anything like a breach - even in the situation I just described, even where you don't really know that there was a breach, you just know that the server walked off and you don't know where it is - you have to presume there's a breach.

So, this would be the same situation if you had a security camera incident, right? If the server, security logs, the camera logs, were stolen or lost or that sort of thing. If you were my client, we might try to come up with some reasons why that wasn't PHI or why there was a low probability of a breach. But, you might just have to consider that a breach. Because if it's unencrypted, anybody could just yank out the hard drive and see all of your patients right there.

And in that case, there were millions of patients on that server. And so they had to notify all those people by letter. They had to notify HHS, the federal government. There's a threshold in the rule that says if your breach is more than 500 people, you have to notify the media. So you can imagine what happened next, right? Not only did this get into the media, the local media, they also - and this almost always happens in these breach situations - they also ended up a couple months later with a demand letter from a plaintiff law firm saying they were suing the hospital on the behalf of the class of people who had been impacted by this breach, and therefore you need to pay them off. And so, I'm kind of listing off the parade of terribles that in many cases may not end up happening if you just accidentally lose a server, but could happen.

And this has happened in my own experience, and it happens, frankly, every day somewhere in the healthcare industry that some breach happens either because something is stolen or - more often - because there's a ransomware attack or there's some cyber pirate doing something he shouldn't do. And so not only does the victim have to try to recover from this disruption in their business and this impact to their patients, they also have to contend with a potential lawsuit. And then the government's going to come in and probably investigate, “Did you have all of this HIPAA compliance?” because that's basically just an invitation for them to come in and say, “okay, well, were you doing what you should have been doing, or was this negligent?” Again, a parade of terribles, but it can happen, and I've seen it happen for any number of healthcare organizations who are not encrypting their data and kind of taking the sort of reasonable approaches that you were describing in securing your patients' information.

Nelson 

It could stack up quick. 

Nick 

Right. 

Nelson 

So how does that change if, say, somebody on the call contacts me and says, “hey, we've got this old security camera system. It's probably capturing PHI. Pretty sure it's not encrypted. We need to get rid of it and put something new in.” How does that change when those devices are taken out intentionally instead of being hacked or stolen?

Nick 

There's a standard under HIPAA about how to destroy PHI that is unencrypted. How do you make sure that any device that had PHI on it, encrypted or unencrypted, has since been wiped? And there are a number of vendors who will certify that they've done this. You probably at least want your IT guys to be very certain that any server or any device or any computer that previously had PHI on it is wiped and completely factory reset and that there's nothing left over on these devices. Again, you can typically get vendors who will even certify that to you so that you can rely on their representation that this has actually been done. But, I would make sure that if you're reusing devices, if you're ditching devices, if you're transitioning devices, that you make sure you do everything possible when it comes to the actual destruction of that data.

Nelson 

This has all been great. Hopefully, all of our listeners have come away with some more confidence on how to approach these things. And it sounds like there are not as many areas to be scared of as people might assume. But what are the areas that a health care provider should contact somebody like you before going ahead with a security project? Are there red flags somewhere that say, this is risky, we're going to need to dig into this a little deeper? 

Nick 

So, hopefully, the thrust of this whole conversation was, you should be able to get a security camera from Settler Security - or from anybody else - without a heart attack. I don’t want to convince you not to get one. The actual intent of this was the opposite: that you can get a security camera, but you do need to think about what’s PHI and make sure it has the appropriate controls around it.

If you're trying to record sensitive areas or it might be something with what people might consider a sensitive area, you should get a second opinion or you should talk through what might be alternatives, what other mitigation efforts can you make in this area.  

The one area also that I neglected to mention was that whenever you work with a vendor who is holding PHI for you, right, if they're doing what's called “processing” PHI, if they're using it, if they're disclosing it, if they're doing it on your behalf, you need to get what's called a business associate agreement with that vendor, that service provider. This is basically just an agreement that says, “hey, you, the vendor, you, service provider, will comply with HIPAA in the same way that I, as the covered entity, have to comply with HIPAA.” And so, if you're storing, for example, PHI in the Google Cloud, Google will sign a BAA - a business associate agreement - with you to do that. They'll probably charge you a premium to do it, but they will. That's a step you need to take if Google is processing your PHI on your behalf - if they're storing it, if they're using it, if they're disclosing it. It's the same sort of thing with backups, with those vendors, if they actually are going to have access to your PHI as part of their services to you. So that would be the other thing for which I would think about getting either an attorney or a consultant specialized in this area: if you find yourself having to get into business associate agreements with your vendors related to processing of PHI.

Nelson 

Thanks. This has been super useful. I'm going to end the recording, and then we will open this up for questions from our attendees. 
