PHI in Video Recordings: What Counts and How to Stay HIPAA Compliant
Video is now part of everyday care—telehealth consults, procedure capture, patient monitoring, even cameras in hallways. When those recordings can identify a person and relate to their care, they may contain PHI. This guide explains what counts as PHI in video recordings and how to stay compliant with the HIPAA Privacy Rule and Security Rule Safeguards.
Definition of PHI in Video Recordings
Under HIPAA, PHI is Individually Identifiable Health Information created or received by a covered entity or business associate that relates to a person’s health, care, or payment. In video, PHI can appear in the image, audio, overlays, or metadata.
- Visual identifiers: faces, distinctive tattoos, room assignment boards, wristbands, license plates, or name badges tied to care.
- Clinical context: EHR screens, monitor readouts, lab forms, medication labels, or whiteboards visible in frame.
- Audio identifiers: a patient or family member stating a name, date of birth, diagnosis, or insurance details.
- Metadata: filenames, user IDs, timestamps, geolocation, and device identifiers when linked to a specific patient encounter.
Security cameras may record areas not used for care, but footage becomes PHI if it identifies a patient and relates to treatment, operations, or payment. De-identifying video is challenging because faces, voices, and backgrounds often reveal identity; use expert determination or rigorous redaction when needed.
HIPAA Privacy Rule and Video Recordings
The HIPAA Privacy Rule governs how covered entities and business associates use and disclose PHI in video. Uses and disclosures for treatment, payment, and health care operations (TPO) are generally permitted without written authorization, subject to the minimum necessary standard for operations.
Common permitted uses include clinical consultation review, internal quality improvement, coding and claims support, and workforce training inside the organization. Apply reasonable safeguards—limit who can record, restrict locations, and prevent unnecessary capture of bystanders—to reduce incidental disclosures.
Disclosures beyond TPO—such as external training, media filming, or marketing—typically require HIPAA Authorization. For research, you need either patient authorization or an IRB/Privacy Board waiver consistent with the Privacy Rule.
Patient Authorization Requirements
A valid HIPAA Authorization is required when video will be used or disclosed for purposes not otherwise permitted by the Privacy Rule. Typical scenarios include publishing patient stories, public-facing education outside your workforce, media productions, or vendor use beyond contracted services.
- Core elements: a description of the video PHI, who may disclose and receive it, the purpose, an expiration date or event, the individual’s signature, and the right to revoke.
- Key statements: notice of potential redisclosure, that treatment will not be conditioned on signing (except in limited cases), and how to exercise revocation.
- Special cases: for minors, a parent or legal representative generally signs; some services grant minors additional privacy rights under applicable law.
Do not confuse general consent for treatment with HIPAA Authorization. If a use is not TPO or otherwise permitted by the HIPAA Privacy Rule, obtain a written authorization before recording or sharing.
Security of Video Recordings under HIPAA
The Security Rule Safeguards apply to electronic video containing PHI. Start with a risk analysis covering capture, transfer, storage, viewing, editing, and deletion, then implement risk management and workforce training aligned to those risks.
- Administrative safeguards: policies that govern who may record, approved devices and apps, retention schedules, incident response, and vendor oversight.
- Physical safeguards: controlled recording areas, secured servers, protected workstations, and procedures for lost or stolen devices.
- Technical safeguards: unique user IDs, role-based access, multi-factor authentication, integrity controls, transmission security, and Audit Trails for access, playback, export, and deletion.
Establish secure backup and recovery for recordings that are part of the designated record set. When media is reused or retired, apply secure deletion and documented chain-of-custody to prevent unauthorized recovery.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Patient Rights Over Recorded Video
Patients have Privacy Rule rights over PHI that appears in video when the recording is part of the designated record set (for example, when it is used to make decisions about the individual). Pure facility security footage may fall outside the designated record set unless used for care-related decisions.
- Access and copies: provide the video in the requested format if readily producible; if not, agree on a readable alternative. Fees must be reasonable and cost-based.
- Amendment: you generally do not alter the original file; instead, append an explanatory statement or link the amendment to the recording.
- Accounting of disclosures: maintain logs for disclosures not related to TPO; your Audit Trails should support these reports.
- Requests for restrictions and confidential communications: honor feasible limits and accommodate reasonable requests for alternative contact methods.
Business Associate Agreements for Video Recordings
Any vendor that creates, receives, maintains, or transmits video PHI—cloud storage, telehealth platforms, transcription, analytics, media redaction tools—requires a Business Associate Agreement (BAA) before access is granted.
- Define permitted and required uses/disclosures, minimum necessary, and prohibition on unauthorized use.
- Require appropriate safeguards, Electronic PHI Encryption, and prompt breach reporting with cooperation on investigation and mitigation.
- Flow-down obligations to subcontractors, right to audit or obtain security assurances, and limits on offshore storage if applicable.
- Specify data return or destruction at termination and ongoing support for access requests and legal holds.
Evaluate vendors against your risk analysis findings—security architecture, key management, access controls, resilience, and Audit Trails—then document selection and monitoring.
Encryption and Access Controls
Apply Electronic PHI Encryption in transit and at rest. Use modern protocols (for example, TLS 1.2+ for transport and strong ciphers such as AES-GCM for storage) with keys protected by sound management practices—separation of duties, rotation, revocation, and secure backup.
- Access control: least privilege and role-based access; multi-factor authentication for administrators and remote access; time-bound, reviewable entitlements.
- Playback security: signed URLs or tokens, session timeouts, watermarking, and download restrictions to limit uncontrolled distribution.
- Monitoring: centralized Audit Trails that log user, time, patient, action (view, export, delete), source IP, and outcome, with alerts for anomalous activity.
- Integrity and availability: hashing to detect tampering, redundant storage, and tested restoration procedures to meet continuity needs.
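As an added illustration of the playback-security, monitoring and integrity controls listed above (example code written for this page, not Accountable's product or any particular video platform), the following Python uses only the standard library. It issues and verifies time-bound, user-bound signed playback tokens with HMAC-SHA256; writes hash-chained Audit Trail entries carrying the fields named above (user, time, patient, action, source IP, outcome) so that tampering with a log entry is detectable; and runs one sample alert rule over constructed log entries. The signing key, base URL, user names, patient IDs and the bulk-export threshold are all assumptions; encryption of the media at rest is not shown here.

```python
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a per-service signing key. In production it comes from a key
# management system with rotation and revocation, never from source code.
SIGNING_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64  # prev_hash value for the first Audit Trail entry


def sign_playback_url(base_url, recording_id, user_id, ttl_seconds, key=SIGNING_KEY, now=None):
    """Issue a playback URL bound to one recording, one user and an expiry time."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    msg = f"{recording_id}|{user_id}|{exp}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    params = {"rec": recording_id, "uid": user_id, "exp": exp, "sig": sig}
    return f"{base_url}?{urlencode(params)}"


def verify_playback_url(url, key=SIGNING_KEY, now=None):
    """Return (True, recording_id) for a valid, unexpired URL, else (False, reason)."""
    q = parse_qs(urlparse(url).query)
    try:
        rec, uid, exp, sig = q["rec"][0], q["uid"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, f"{rec}|{uid}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if (time.time() if now is None else now) > exp:
        return False, "expired"
    return True, rec


def append_audit(trail, user, ts, patient, action, src_ip, outcome):
    """Append one Audit Trail entry chained to the previous entry's hash."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    entry = {"user": user, "ts": ts, "patient": patient, "action": action,
             "src_ip": src_ip, "outcome": outcome, "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return -1 if the chain is intact, else the index of the first altered entry."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev_hash") != prev or digest != e.get("entry_hash"):
            return i
        prev = e["entry_hash"]
    return -1


def flag_bulk_exports(trail, window_seconds=600, threshold=3):
    """Assumed alert rule: flag users who successfully export recordings of more
    than `threshold` distinct patients within any `window_seconds` window."""
    by_user = defaultdict(list)
    for e in trail:
        if e["action"] == "export" and e["outcome"] == "success":
            by_user[e["user"]].append((e["ts"], e["patient"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for t0, _ in events:
            patients = {p for t, p in events if t0 <= t <= t0 + window_seconds}
            if len(patients) > threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def build_sample_trail():
    """Constructed sample events (not real data): routine clinician views, one user
    exporting four different patients' recordings in three minutes, one denied export."""
    t = 1_700_000_000
    events = [
        ("dr.lee",   t,       "P-1001", "view",   "10.0.5.21", "success"),
        ("dr.lee",   t + 60,  "P-1001", "view",   "10.0.5.21", "success"),
        ("tech.ray", t + 120, "P-2001", "export", "10.0.9.7",  "success"),
        ("tech.ray", t + 180, "P-2002", "export", "10.0.9.7",  "success"),
        ("tech.ray", t + 240, "P-2003", "export", "10.0.9.7",  "success"),
        ("tech.ray", t + 300, "P-2004", "export", "10.0.9.7",  "success"),
        ("dr.lee",   t + 360, "P-1002", "export", "10.0.5.21", "denied"),
    ]
    trail = []
    for ev in events:
        append_audit(trail, *ev)
    return trail


if __name__ == "__main__":
    url = sign_playback_url("https://video.example.test/play", "rec-001", "dr.lee", 300)
    print(verify_playback_url(url))
    trail = build_sample_trail()
    print("chain intact:", verify_trail(trail) == -1)
    print("flagged users:", flag_bulk_exports(trail))
```

The token binds the recording, the user and the expiry together, so a link copied to another person or edited to point at a different recording fails verification rather than silently granting access. The chained hashes do not stop a privileged administrator from rewriting the whole log, so the trail should also be forwarded to write-once or centralized storage; the export rule is one example of the anomaly alerting described above, and the same log fields support the accounting-of-disclosures reports mentioned in the patient-rights section.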
By treating video like any other sensitive system—clear policies, strong encryption, disciplined access control, and reliable Audit Trails—you reduce risk and demonstrate consistent HIPAA compliance across capture, storage, use, and disclosure.
FAQs
What constitutes PHI in video recordings?
Any recording that includes Individually Identifiable Health Information—such as a recognizable face, voice, name, room board, EHR screen, or metadata tied to a patient encounter—counts as PHI when it relates to the person’s health, care, or payment.
When is patient authorization required for video use?
Obtain HIPAA Authorization when using or disclosing video beyond permitted TPO purposes—examples include media projects, public-facing education outside your workforce, marketing, or research without an approved waiver. Authorization must include required elements and may be revoked.
How must video recordings containing PHI be secured?
Implement Security Rule Safeguards: risk analysis, workforce policies, physical protections, and technical controls such as Electronic PHI Encryption, role-based access, multi-factor authentication, and comprehensive Audit Trails. Use secure backups, retention rules, and verified deletion.
What rights do patients have over their recorded video data?
When a recording is part of the designated record set, patients may access and obtain a copy, request an amendment (usually via an addendum), receive an accounting of certain disclosures, and request restrictions or confidential communications under the HIPAA Privacy Rule.