What HIPAA's Security Rule says about cameras
The Security Rule lives at 45 CFR Part 164, Subpart C. Two sections drive camera decisions: 164.308 (Administrative safeguards) and 164.310 (Physical safeguards). 164.310(a)(1) is the load-bearing one. Every covered entity must "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
That sentence doesn't say "install cameras." It says facility access has to be controlled and authorized access has to be provable. OCR (the HHS Office for Civil Rights) and accrediting bodies treat camera coverage of access points, plus matching badge logs, as the realistic way to satisfy the rule for areas storing electronic PHI. A door log without video shows who badged in. Video without a log shows who walked in. Neither alone proves authorized access. HHS's own Security Rule Crosswalk to NIST 800-53 PE-3 and PE-6 maps facility access controls to monitored ingress and egress, which is where the requirement comes from.
Where cameras go in a HIPAA-covered facility
Public entry and exit points get cameras by default: the main lobby, ED ambulance bay, and after-hours staff entrances, with retention long enough to support an incident review. The server room or data closet hosting the EHR gets a camera on the door, ideally with a second inside facing the rack. The pharmacy and any drug-storage area gets coverage of the cabinet and the room, not just the corridor. Loading docks need coverage as a known social-engineering vector. Perimeter cameras cover parking, the ambulance bay, and any unmonitored side door. This list is drawn from OCR settlement language, Joint Commission survey reports, and published health-system facility-security plans.
Where cameras don't go: patient treatment rooms (clinical-purpose exception with documented consent only), exam rooms, restrooms (illegal in every state), locker rooms (illegal in most states), employee break rooms (varies by state, written notice typically required), and chapels or quiet rooms. Behavioral-health units sit in the middle. Cameras in seclusion-room corridors are common; cameras inside the seclusion room are a clinical decision documented in the chart, not a default. Same for ICU patient-monitoring cameras: those are clinical equipment on a separate network with separate consent and access rules.
Camera retention: HIPAA vs state law
HIPAA sets no video-retention window. 45 CFR 164.316(b)(2) requires that policies and procedures be retained for six years, but that covers the written camera policy, not the footage. State law and accreditation standards fill the gap. New York hospitals retain footage for 30 days minimum under DOH 405.10. California sets retention by documented risk analysis, with most acute-care hospitals at 90 days. Texas sets no specific window. Illinois, under HFSRB rules, requires enough to investigate reported incidents, in practice 30 to 90 days. Florida is usually 30 days. Massachusetts hospitals follow DPH guidance, commonly 60 days.
The defensible default across most healthcare systems is 60 to 90 days. Shorter than 30 days makes incident response hard, because patient complaints often arrive weeks after the event. Longer than 180 days creates privacy exposure the facility can't justify under a documented purpose. The retention number lives in your written camera policy and matches the longest specific requirement across your sites.
Joint Commission EC.02.01.01 for accredited hospitals
For Joint Commission accreditation, the Environment of Care standards add operational requirements on top of HIPAA. EC.02.01.01 requires the hospital to "manage safety and security risks," including risk-based access control of security-sensitive areas: the pharmacy, ED, behavioral-health unit, infant-care unit, and morgue. Surveyors want a written security management plan, evidence of camera coverage of those areas, infant or vulnerable-population protection workflows, and test documentation. Hardware alone doesn't pass. A camera offline for six months without anyone noticing is a finding even if the rest of the install is solid.
EC.04.01.01 requires the hospital to monitor environmental conditions, which surveyors read as including camera-system uptime. Camera health monitoring (the integrator's NOC or the VMS flagging cameras that go offline) becomes part of the evidence package. Tec-Tel monitoring agents handle that for healthcare customers as a standard inclusion.
DEA Part 1300 for facilities with Schedule II storage
Hospital pharmacies, methadone clinics, oncology infusion suites, and any DEA controlled-substances handler get a second overlay. 21 CFR 1301.71 sets the requirement; 1301.72 through 1301.76 spell out the implementation. The storage area must be "substantially constructed" with continuous monitoring suitable for the schedule stored. For Schedule II: motion-activated continuous video of the cabinet (not just the room), an alarm signaling a 24-hour monitored station, and a badge-plus-PIN credential tying each access event to a person. Inventory and access logs must be retrievable for two years per 1304.04. DEA inspectors look for the chain connecting access event to person to inventory record. Most legacy installs produce one or two of the three; DEA wants all three on the same audit trail.
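The chain DEA inspectors want (access event to person to inventory record), together with the badge-log-plus-video pairing from the Security Rule section, as an added reconciliation check. This is example code, not the article's or any vendor's; the record layouts, the 120-second match window and every sample event are constructed assumptions.

```python
"""Reconcile badge, camera and inventory records into one audit chain.
Added example, not from the article or any product it mentions. All records
are constructed; field layouts and the 120-second window are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed tolerance between linked events

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample data for one Schedule II cabinet on a single shift.
BADGE = [  # (time, user, credential method presented at the cabinet door)
    (_t("2024-03-01T08:00:10"), "rn_ada", "badge+pin"),
    (_t("2024-03-01T09:30:05"), "rn_bob", "badge"),        # PIN not used
    (_t("2024-03-01T11:00:00"), "ph_cy", "badge+pin"),
]
MOTION = [  # (time, camera) motion events from the VMS, cabinet camera only
    (_t("2024-03-01T08:00:40"), "cab-cam"),
    (_t("2024-03-01T09:30:30"), "cab-cam"),
    (_t("2024-03-01T10:15:00"), "cab-cam"),                 # no badge event
]
INVENTORY = [  # (time, user, drug, quantity change) from the pharmacy system
    (_t("2024-03-01T08:01:20"), "rn_ada", "morphine 10mg", -2),
    (_t("2024-03-01T11:01:00"), "ph_cy", "morphine 10mg", 50),
    (_t("2024-03-01T13:00:00"), "rn_dee", "morphine 10mg", -1),  # no access
]

def _near(ts, events, key=None):
    """True if some event lies within WINDOW of ts (optionally matching key)."""
    return any(abs(ts - e[0]) <= WINDOW and (key is None or e[1] == key)
               for e in events)

def reconcile(badge=BADGE, motion=MOTION, inventory=INVENTORY):
    """Return findings: every gap in the access -> person -> inventory chain."""
    findings = []
    for ts, user, method in badge:
        if method != "badge+pin":          # 1301.72-style two-factor missing
            findings.append(("weak_credential", ts, user))
        if not _near(ts, motion):          # badge-in with no video of cabinet
            findings.append(("access_without_video", ts, user))
    for ts, _cam in motion:
        if not _near(ts, badge):           # someone at cabinet, nobody badged
            findings.append(("video_without_access", ts, None))
    for ts, user, _drug, _qty in inventory:
        if not _near(ts, badge, key=user):  # inventory change by absent user
            findings.append(("inventory_without_access", ts, user))
    return findings
```

Each finding type is one missing link in the audit trail; a clean shift returns an empty list.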
Methadone clinics get an additional layer under 42 CFR Part 8. Oncology infusion suites handling Schedule II hazardous drugs need the same DEA controls as the main pharmacy, even in a separate building. We've installed those controls on hospital-owned infusion centers.
Cloud cameras vs on-prem under HIPAA
Both models are HIPAA-permissible; the compliance work differs. Cloud cameras require a Business Associate Agreement before any footage that could capture identifiable patients lands in the vendor's tenant. Under 45 CFR 164.504(e), the vendor commits to safeguard PHI, report breaches inside 60 days, and sign a similar BAA with any subcontractor that touches the data. The BAA attaches to your facility's HIPAA documentation.
On-prem (NVR or VMS rack) needs no vendor BAA because no third party handles the footage. The compliance work moves to your IT team: encrypted-at-rest storage, network segmentation from clinical systems, role-based VMS access, an audit log of every footage retrieval, and a documented disposal process when drives retire. The wrong move is a cloud deployment without a BAA, the gap OCR finds in settlement reviews.
Most mature healthcare systems run hybrid: on-prem NVR at each acute-care campus where camera density is high and IT already manages a hardened SAN, plus cloud video at branch clinics where local IT is thin. Same VMS pane of glass at the central security team, same retention policy on both. The BAA covers only the cloud-side footage; on-prem footage is governed by the customer's own written information security program.