
June 23, 2025 11 mins

In this Ask MGMA episode, Senior Editor Daniel Williams and Senior Advisor Cristy Good explore the legal and ethical issues around using security cameras in medical practices. They cover camera placement rules, HIPAA risks, audio recording concerns, compliance best practices, and why legal consultation is critical. Practice leaders also get actionable steps and key resources to stay compliant.

00:50 Introduction to the Ask MGMA Podcast

01:56 Understanding Security Camera Placement in Healthcare

02:46 Audio Recording and Compliance Risks

03:41 Defining PHI and Compliance Steps

04:58 Third-Party Vendors and Compliance

05:35 Signage and State Laws

07:18 Key Steps for Practice Leaders

08:11 Resources and Final Thoughts

Additional Resources:

Email us at dwilliams@mgma.com if you would like to appear on an episode. If you have a question about your practice that you would like us to answer, send an email to advisor@mgma.com. Don't forget to subscribe to our network wherever you get your podcasts.




Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Daniel Williams (00:53):
Well, hi, everyone, and welcome to the Ask
MGMA podcast. I'm senior editor at MGMA, Daniel Williams, along
with senior adviser, Cristy Good, also with MGMA. And we are
here to discuss a really interesting topic. As Cristy
was telling me offline, it's something we haven't really done
a lot with wise, but it came in through the Ask MGMA, it's

(01:15):
dealing with security cameras in medical practices. When are they
allowed?
When do they cross into HIPAA territory? And how can practices
protect themselves while still protecting patient privacy? What
an interesting this is like one of those CSI or some topic like
that. But, Cristy, welcome, and thanks for bringing this topic

(01:36):
to us.

Cristy Good (01:37):
Thanks for having me in. I thought it was a very
interesting topic to discuss because we haven't really looked
at it. And so I did some digging, and I just wanted to
share the information.

Daniel Williams (01:47):
Alright. This is gonna be short and sweet, and
we're gonna develop an article as well, everybody, where you
can just have some calls to action, some tips, some tools.
So let's start with the basics. Where can security cameras be
legally and ethically placed in a health care setting under
HIPAA?

Cristy Good (02:05):
So that's a great question. And we know that as
more and more people have put cameras or have video in their
workplaces, it's important to know where cameras can be placed
is in public, nonprivate areas, such as lobbies, hallways,
entrances, exits, and parking lots. The key is that there's no

(02:26):
reasonable expectation of privacy in those areas, but
cameras should not be installed in places like exam rooms,
treatment areas, restrooms, or anywhere that PHI, which is
Protective Health Information, might be visible or discussed
because then that could likely be a HIPAA violation.

Daniel Williams (02:46):
Okay. For question two, let's look into
the audio part. So if a camera records both video and sound,
does that change things at all?

Cristy Good (02:56):
And that is actually the key when the member
reached out to me is that it was recording some audio. And it
definitely adds the complexity because audio can capture
conversations between staff and patients, which could include
that PHI, and that would elevate your compliance risk. Some
states even say that audio recordings without all parties

(03:20):
consent is illegal, so even if your video is okay under HIPAA,
recording sound may violate state law or require informed
consent from patients and staff. So it's definitely something you
need to pay attention to.

Daniel Williams (03:33):
This is an episode of CSI I wanna watch.
This is really cool. I love this true crime kind of stuff, and
that's where it's going. Next question. So when we look at
this, when does a recording become PHI under HIPAA?

Cristy Good (03:49):
So a recording is considered PHI if it captures
individually identifiable health information. That could be
names, faces, or even overheard conversations about treatment.
So even a check-in conversation with a front desk person could
be considered PHI if it includes identifiable details such as
that. Once that happens, HIPAA's full privacy and security

(04:12):
requirements apply to the footage.

Daniel Williams (04:15):
Okay. So when we look at this, if a practice
is recording video or audio that might include PHI, what steps
does the practice need to take to be compliant?

Cristy Good (04:27):
You'll need to encrypt the footage, and then
you have to also restrict access to authorized personnel only and
implement role-based controls. You have to make sure the
footage is stored on the secure server, access is logged, and
there's a defined retention policy such as like thirty to
ninety days, which is typical. And importantly, monitors

(04:49):
shouldn't be viewable in public areas. So all ties into HIPAA.
It all ties into the HIPAA Security Rule at that point.

Daniel Williams (04:57):
Okay. Now let's look at it from the third party
vendor perspective. If that gets involved, if there is a third
party vendor who is storing or monitoring the video, does that
trigger anything from a compliance perspective?

Cristy Good (05:11):
Yes. If that is what's going on, then you have
to have a BAA or a business associate agreement in place. So
if that vendor stores or accesses any recording that
might require the PHI, they're considered a business associate.
And then under HIPAA, they have to sign a BAA outlining how

(05:32):
they'll safeguard that data.

Daniel Williams (05:34):
Okay. What about signage then? Do you need
to notify patients that cameras are being used?

Cristy Good (05:41):
Yes. It is always best practice to always notify
patients and staff through visible signage. Even if it's
not strictly required by HIPAA in every case, it's about
transparency and trust. I know this member had a sign that said
that recordings were happening in the check-in area or the
waiting area. And it's also important though, to have a

(06:02):
written policy on camera use and make sure your staff are trained
on it annually because you want to make sure that everyone knows
what's appropriate and what's not appropriate and where
cameras should be or they shouldn't be.

Daniel Williams (06:15):
Okay. We have a couple more questions before we
sign off. Earlier, you touched on state laws. So how might
those differ from federal HIPAA rules?

Cristy Good (06:24):
When I was doing my research, I did find out there
are some states like California that have stricter rules about
recording audio. It's called the two party consent. So even if
HIPAA doesn't require it, your state might. Also, some
behavioral health units have additional protection under
federal law, like 42 CFR Part two, that says that you need to

(06:46):
be careful when doing such recording. And that's why it's
really important to consult a legal counsel before installing
your cameras.
And I did bring that up, even though the member was asking me,
I kept telling him that even though I have all this
information for you and here's your HIPAA stuff, you really
still need to make sure that your legal counsel in your area

(07:09):
or for your practice or your organization is on the same page
with you before doing anything with cameras.

Daniel Williams (07:16):
Okay. So last question that I have. If a
practice leader is just getting started with this or they're
reviewing an existing system, what are their key first steps
they want to take?

Cristy Good (07:27):
Sure. First, you wanna conduct a privacy and
security analysis, risk analysis. Review where your
cameras are placed and what they're capturing. We also will
have, like, a little checklist in our email that goes along
with this article that just tells you about places to think
about where your cameras are and what that risk looks like. Is it
a low risk?
Is it a high risk? Then also review your state laws, update

(07:51):
your signage and written policies, and make sure your
staff are well trained. And then if you are using someone other
to record and store your audio and video, you just need to make
sure that you lower your risk wherever you can in these
instances.

Daniel Williams (08:08):
Okay. Those are a lot of great insights,
Cristy. So I did say that was the last question, but I do want
to follow up and just ask you for any recommendations on
resources for practice leaders.

Cristy Good (08:21):
Yes. So we know, and we'll link to some of these,
that the HHS has the HIPAA privacy rule that we'll link to,
that'll be helpful. The AMA code of medical ethics is another
link we can link to. And we do have a HIPAA journal that has
some of the like our security cameras, a HIPAA violation link

(08:44):
that might help give you some more guidance on it. But
anything around HIPAA, you can always go to the HHS website on
HIPAA to get more guidance around it as well.

Daniel Williams (08:56):
Okay. Perfect. Cristy, thank you so much for
sharing this really cool topic. We really did do a CSI sort of
deep dive here. Really neat stuff.
Everybody, we're gonna provide direct links again, resources,
how to get in touch with Cristy, and also how to ask her
a question. If you wanna just share that with us real quick,

(09:17):
what is the best way to reach you to ask a question and if
they're on the website?

Cristy Good (09:22):
Sure. You could either send an email to
advisor@mgma.com or on our website, we did have some
changes. So where the little green button used to be where it
said Ask MGMA and now says I think Ask AI, you would have to
go into practice resources and then you could go and send us a

(09:45):
question through that. So there's a link under those
practice resources that would lead you to Ask MGMA.

Daniel Williams (09:53):
Okay. Perfect. And again, everyone, we'll put
all that in the episode show notes. We'll also create an
article for you. So until then, thank you all for being MGMA
podcast listeners.