What is HIPAA? Cameras, Access Control + Physical Safeguards

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is the US federal law that governs how covered entities (hospitals, clinics, insurers, health plans) handle protected health information (PHI). The HIPAA Security Rule (45 CFR 164.300-318) requires administrative, physical, and technical safeguards. Cameras and access control fall under physical safeguards: facility access controls, workstation security, device and media controls. Vendors handling PHI footage must sign a Business Associate Agreement (BAA). HIPAA breaches over 500 records require Office for Civil Rights (OCR) notification within 60 days.

The short definition

Enacted 1996, expanded by HITECH 2009 and the Omnibus Final Rule 2013, HIPAA covers two domains: portability (continuity of insurance coverage) and accountability (privacy and security of health information). The Privacy Rule defines who can access PHI and under what conditions; the Security Rule mandates safeguards on electronic PHI (ePHI). Enforcement runs through the HHS Office for Civil Rights (OCR), which audits covered entities and pursues settlements after breaches.

For security integrators, HIPAA shows up in three places: camera placement and access control at healthcare facilities, BAA execution with cloud video and access vendors, and breach notification when an incident exposes PHI.

The Security Rule's three categories

Administrative safeguards. Risk analysis, workforce training, access management, contingency planning, audit controls. Camera and access-control system administration falls here.
Physical safeguards. Facility access controls, workstation security, device and media controls. Cameras and badge readers are physical safeguards. Camera placement decisions, retention, and access to footage are governed under this category.
Technical safeguards. Encryption, access controls on data, audit controls, integrity monitoring, transmission security. Cloud video platforms must encrypt footage at rest and in transit; on-prem VMS deployments must enforce role-based access on user logins.

Camera placement at healthcare facilities

Five rules of thumb that keep camera deployments HIPAA-defensible.

Avoid patient-care areas. Exam rooms, ICU bedside, surgical suites, mental-health treatment areas. Common areas (waiting rooms, hallways, parking lots) carry far less PHI exposure.
Mask the screen-capture problem. Cameras pointed at workstations can record EHR screens. Re-aim the camera or mask the screen region in the VMS.
No microphones in PHI zones. Audio of patient conversations is a HIPAA risk multiplier. Disable camera audio wherever PHI conversations occur.
Restrict access to footage. Role-based VMS access. Security operators see camera live; clinical staff have no VMS access. Audit-log every export.
Document the design in the HIPAA risk assessment. Annual or biennial. Justifies each camera's placement and the PHI exposure considered.

See the hospital security AI entry for the analytics-layer angle.

BAA requirements and vendor selection

Any vendor whose service might handle PHI must sign a BAA. For commercial security:

Cloud VMS vendors. Verkada, Eagle Eye Networks, Avigilon Alta, Genetec Stratocast all sign BAAs. Confirm in writing before deployment.
Cloud access-control platforms. Brivo, Avigilon Alta Access, Verkada Access. BAA required if logs include PHI-related access events.
Verified monitoring services. Central station agents may see PHI in dispatch footage. BAA required.
Integrators (Tec-Tel and peers). If we touch the system, we sign a BAA. Standard practice.

Penalties and recent enforcement

HIPAA penalties tier by culpability:

Tier 1: did not know. $137 to $68,928 per violation, capped at $2,067,813 per year per identical provision (2024 adjusted figures).
Tier 2: reasonable cause. $1,379 to $68,928 per violation, same annual cap.
Tier 3: willful neglect, corrected. $13,785 to $68,928 per violation, same cap.
Tier 4: willful neglect, uncorrected. $68,928 per violation, capped at $2,067,813 per year.

OCR settlements have ranged from $25K to over $115M. The willful-neglect tier hits hardest at organizations that ignored repeated audit findings or skipped the HIPAA risk assessment.

When to ask Tec-Tel about HIPAA-compliant security

Healthcare security designs land or fall on the HIPAA risk assessment. We'll walk a facility, scope the camera and access plan with HIPAA in mind, sign the BAA, and document the placement decisions for the audit. Free scoping call.

Frequent buyer questions

Does HIPAA ban cameras in healthcare facilities?

No. HIPAA doesn't prohibit cameras; it requires reasonable safeguards on systems that may capture or store PHI. Common practices: avoid camera placement that captures patient charts, screens, or treatment-area audio; encrypt footage at rest and in transit; restrict footage access to a need-to-know list; sign BAAs with cloud video vendors; document the camera plan in the facility's HIPAA risk assessment.

What's a BAA and when do I need one?

A Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity and any vendor whose service might create, receive, maintain, or transmit PHI. Cloud VMS vendors (Verkada, Eagle Eye Networks, Avigilon Alta, Genetec Stratocast) sign BAAs because their systems hold footage that may capture PHI. Without a signed BAA, the relationship violates HIPAA. Get the BAA before deployment, not after.

What are HIPAA physical safeguards?

Four required standards under 45 CFR 164.310. (1) Facility access controls: limit physical access to facilities holding PHI. (2) Workstation use: policies for proper workstation usage. (3) Workstation security: physical safeguards for workstations accessing PHI. (4) Device and media controls: rules for receipt, removal, reuse, and disposal of devices holding PHI. Cameras at server rooms, access control at records areas, and badge audit at workstation zones all fall under these standards.

How long should healthcare facilities retain camera footage?

HIPAA itself doesn't specify a retention period for video. State medical records retention laws and Joint Commission accreditation drive the answer. Common practice: 30 to 90 days continuous, with longer retention on incident-tagged footage (litigation, OCR investigation). Footage that captures PHI inherits the medical-records retention rules of the state, which range from 6 to 25 years depending on the state and patient age. Most facilities pull and archive incident clips separately to avoid bulk retention compliance complexity.

What happens if a camera system is breached and PHI footage is exposed?

If the breach affects 500 or more individuals, the covered entity must notify HHS Office for Civil Rights (OCR) within 60 days, plus affected individuals and prominent media. Settlement amounts for HIPAA breaches involving cameras have ranged from $200K to $5M (Anthem $115M settlement is the high-water mark, though that was data not video). Insurance underwriters now ask about video-system encryption and BAA coverage in renewal questionnaires. Hikvision and Dahua-equipped systems are increasingly flagged in the underwriting review.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

What is HIPAA?

The short definition

The Security Rule's three categories

Camera placement at healthcare facilities

BAA requirements and vendor selection

Penalties and recent enforcement

When to ask Tec-Tel about HIPAA-compliant security

Frequent buyer questions

Hospital security AI

Biometric authentication

Industries

Full glossary

Start with a free consultation.

How can we help?