VSaaS and HIPAA?

Does cloud based video storage violate any HIPAA compliance laws?


John, good question.

I have not heard of a VSaaS provider making that claim (of course there may be some out there). I checked online specifically for Axis AVHS (since they are one of the oldest) but found no matches for HIPAA.

Question to all: How does one certify one's surveillance system as HIPAA conformant / compliant?

That is a good question. I have contemplated switching to cloud services myself. This link might offer some help.

Daniel, thanks for sharing. That link is informative. I just want to emphasize that list is about storage in general, not about VSaaS applications that might run on top of those storage services. You would definitely need verification / assurances from the VSaaS provider directly on HIPAA conformance.

"Does cloud based video storage violate any HIPAA compliance laws?"

I don't know nearly as much about HIPAA as PCI or NIST, et al., but from what I understand HIPAA would be looking for information assurance for any data related to patient privacy no matter where it's stored. That is, if you stored video of patients on a DVR in your hospital you'd need to be able to show the video data was secure (as per HIPAA guidelines). Likewise if you shoved that data to cloud storage or engaged a VSaaS provider you'd need to provide assurance the data was secure in transit and at rest with them as well.

Since cloud based storage is a service, you'd need to work with the service provider to achieve HIPAA conformance.

Ironically, a lot of the data security standards say things about the use of video to keep data secure (i.e., you need to have video of your data storage servers and secure areas), but say little if anything about the secure storage of that video itself. In and around HIPAA I think you'd have to consider images of patients as being private, and would want to limit how much video of patients you actually generate in order to lessen your liability there.

This is a complex answer, but in short I would say "yes".

It's been a few years since I worked much with HIPAA, and it was more in an IT security sense. But take for example a medical facility that specializes in cancer treatments. Simply identifying a patient of this facility can violate some facets of HIPAA, since you could reasonably assume they are not there to receive a flu vaccine; they are there for a specific medical condition. So in some sense, any video of patients that could be correlated to a specific facility, or specific treatment area in a larger hospital, could be considered PII in some cases.

Personally, I wouldn't try to promote current VSaaS products in hospital settings.

Hospitals of any size tend to have high camera counts, probably making them poor applications for VSaaS anyway. VSaaS could potentially be used at smaller medical offices and clinics, but most of these have so many other HIPAA non-compliance issues that the vulnerability of video surveillance data would be far from the top of the list. (Remember those medical records stored on open shelves that you saw the last time that you visited your doctor?)

Not saying that precautions shouldn't be taken, but in reality, this is probably a non-issue.