Does HIPAA apply when video recording patients?

HIPAA applies when a HIPAA Covered Entity or Business Associate video records patients and the recording contains protected health information, which includes images or audio that identify the patient or can reasonably be used to identify the patient in connection with healthcare. Video recordings used for diagnosis, treatment, documentation, education, quality activities, security, or operations can be protected health information when they are created or maintained by the covered entity or business associate and relate to the individual’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for healthcare. A recording can be protected health information even without a name if the face, voice, room board, monitor display, or other contextual details identify the patient.

Recording for treatment and healthcare operations can be permissible under the HIPAA Privacy Rule without a separate written authorization, but the recording must be limited to the intended purpose and safeguarded under the HIPAA Minimum Necessary Rule when the purpose is not treatment. Recording for marketing, public relations, fundraising, media, social media, or general promotional content generally requires the patient’s valid HIPAA authorization and must not be conditioned in a way that restricts access to treatment when authorization is declined. When recordings involve third-party production crews, photographers, or platform vendors that handle protected health information for the covered entity, a business associate agreement is required unless an exception applies. State consent, wiretapping, and patient rights laws may impose separate consent requirements for audio recording and may be more restrictive than HIPAA.

Security safeguards apply when video is stored or transmitted electronically. Under the HIPAA Security Rule, access controls should restrict who can view, copy, edit, download, or share recordings, and audit controls should support review of access and administrative activity. Transmission protection and storage protection should address encryption and secure transfer methods, and retention and disposal controls should prevent indefinite storage, unauthorized reuse, or improper disposal of media containing protected health information. Devices used for recording, including mobile phones, tablets, body-worn cameras, and fixed cameras, should be managed through configuration controls, account controls, and inventory and deprovisioning processes.

A compliant recording process includes documented decision criteria for when recording is permitted, where recording can occur, and how patients are informed. Consent and authorization documentation should match the intended use, including any external disclosures, educational reuse, or publication. Workforce HIPAA training should address recording boundaries, prohibition on personal device use when not authorized by policy, and restrictions on sharing recordings through texting, consumer cloud storage, or social platforms. Incident response procedures should address loss, misdirection, unauthorized access, and unauthorized posting of recordings, including assessment and documentation under the HIPAA Breach Notification Rule when an impermissible use or disclosure occurs.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA