Does it violate HIPAA to have security cameras in the dental office?

By Olivia Wann

We’ve addressed this support question regularly over the years when dental offices inquire whether their surveillance system violates HIPAA compliance and patient privacy.

Let’s explore the topic balancing HIPAA compliance and job safety. 

Surveillance cameras are beneficial for the security of the dental office.  This may be part of the employer’s job safety plan. According to the International Association for Healthcare Security and Safety (IAHSS) Foundation, the types of crimes reported in hospital settings include violent acts by criminals who entered the facility to commit robbery or another crime. Several years ago, IAHSS reported ten types of crimes in hospital settings:

• Murder
• Rape
• Robbery
• Aggravated Assault
• Simple Asssault
• Burglary
• Theft
• Motor Vehicle Theft
• Vandalism
• Disorderly Conduct[1]

Granted, hospitals and dental offices are different types of healthcare settings; however, take a look at recent violent crimes that occurred in dental offices. In February of this year, a young dentist was stabbed multiple times by a patient. In March of this year, we learned of a California dentist gunned down by a disgruntled patient. These incidents do not take into account other crimes occurring in dental practices such as theft and vandalism. Recently I worked in a dental office that had a full-time security officer on duty.

Surveillance cameras can promote greater security of the dental office grounds. On the other hand, are the cameras a risk for patient privacy and a potential violation of HIPAA? First, let’s consider the three main safeguards under the Security Rule.  The basic compliance with the HIPAA Security Rule includes:

1) Administrative safeguards,

2) Technical safeguards, and

3) Physical safeguards.[2]

As far as physical safeguards are concerned, having physical safeguards in place could be part of your HIPAA compliance.  Physical safeguards involve limiting access to the facility to ensure that only authorized access. For example, unauthorized persons should not be able to access the file server closet. The video surveillance is proof of who accessed these restricted areas. 

However, there is a stark contrast to videoing public areas such as the parking lot, parking garage, entrance and exit doorways, reception area and hallways where there is no reasonable expectation of privacy versus a treatment room where people expect  privacy. Therefore, if you incorporate surveillance cameras, placement of the cameras is critical to avoid violating HIPAA. 

Caution must be exercised to ensure that protected health information (PHI) is not recorded near or around the reception area without built in security protections. For example, if the camera footage captures the front desk area, the computer monitors should not be visible and audio being recorded, if any, should not capture PHI. 

Any PHI that is captured triggers HIPAA compliance and this includes whether the patient consented to the camera footage, who can access the footage, and how the video data is stored.

Ensure end-to-end encryption and incorporate evaluation of the surveillance systems as part of your HIPAA Security Risk Assessment to detect any system vulnerabilities.

In summary, if you are going to incorporate surveillance cameras, placement is critical to avoid violating a patient’s PHI. Work with a reputable HIPAA-compliant security professional who understands the parameters of compliance.