When Does Video Footage Count as PHI Under HIPAA?
A patient walks through your waiting room. Your CCTV captures their face, the time of their visit, and the clinic name on the wall behind them. Is that footage Protected Health Information (PHI) under HIPAA?
If that individual is a patient seeking care, yes. Footage that links an identifiable person to the receipt of healthcare at a covered entity meets the HIPAA definition of PHI. That is why automated video redaction is becoming a standard operational workflow for healthcare compliance teams.
What is PHI?
Under HIPAA, Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate.
Healthcare organisations now work with video across a wide range of settings. Waiting room cameras, body-worn cameras on security staff, telehealth recordings, and clinical training footage all raise the same underlying challenge: when does a recording trigger HIPAA safeguards, and what obligations follow?
What Makes Video Footage PHI?
Video footage constitutes PHI when two conditions are simultaneously met:
Identifiability: The footage contains information that could identify a specific individual - whether through their face, voice, gait, clothing, or unique environment.
Medical Nexus: That identifying information is linked to their health status, the provision of healthcare, or payment for healthcare.
Does waiting room CCTV count as PHI?
This is the scenario where organisations most often mistakenly assume footage is exempt.
The test is not whether the footage was intended to capture clinical health information; the test is whether it captures an individual's status as a patient. If your waiting room camera records an individual entering a specialist clinic, that footage inherently links a recognisable face to the fact that they are receiving a specific type of care.
HHS guidance treats a visual record of a patient inside a treatment facility as PHI in its own right: it does not need to be merged with an electronic health record (EHR) or appointment database to trigger HIPAA protections. (Non-patients captured on camera, such as couriers or job applicants, are not covered by HIPAA, but because they appear in the same video files, the entire feed must in practice be secured as PHI.)
Telehealth Recordings
Telehealth recordings are the most clear-cut case. A recorded video consultation between a clinician and a patient contains the patient's face, voice, and explicit clinical discussions in a single electronic file.
Under the HIPAA Security Rule, distinct obligations apply depending on the state of this data:
Data in Transit: While the session is live or being transmitted, it must be secured via transmission encryption under 45 CFR §164.312(e).
Data at Rest: Once that telehealth recording is saved and stored on a local server or cloud drive, it must be protected by robust access controls and storage encryption under 45 CFR §164.312(a)(2)(iv).
If your telehealth platform automatically archives sessions, those files require strict access controls, immutable audit trails, and formal data-destruction procedures. HIPAA itself sets no retention period for medical records (the six-year requirement in 45 CFR §164.316(b)(2) covers compliance documentation such as policies and risk analyses), so retention periods follow your organisation's retention policy and applicable state medical record laws, many of which are more stringent than the federal floor. The "minimum necessary" standard governs how much of a recording is used or disclosed, not how long it is kept.
Training and Quality Assurance Footage
Clinical training videos that feature identifiable patients are PHI. Using footage from an actual patient encounter for educational or quality assurance purposes requires a valid, signed HIPAA authorisation from the patient.
Alternatively, the footage must be fully de-identified. Under the Safe Harbor method in 45 CFR §164.514(b)(2), this requires removing all 18 listed identifiers and having no actual knowledge that the remaining information could still identify the individual.
Facial blurring handles the most obvious visual identifier, but Safe Harbor also covers names, full dates (such as dates of birth or admission), geographic data smaller than a state, and voiceprints. Audio redaction is strictly required if the patient's voice or verbal identifiers appear in the recording.
Pimloc’s Secure Redact platform can automatically detect and redact faces, voices, and on-screen text from video. However, determining which contextual identifiers must be removed remains a definitive compliance decision for your internal privacy team.
Redaction Requirements Before Footage Can Be Shared
Before disclosing video footage that contains PHI to external third parties, a covered entity must establish a lawful basis under HIPAA. Your primary paths are:
A signed patient authorisation.
A recognised disclosure exception (such as treatment, payment, or healthcare operations).
Complete de-identification of the footage.
De-identification under the Safe Harbor method requires the definitive removal of all 18 categories of identifiers. While the alternative "Expert Determination" method (45 CFR §164.514(b)(1)) allows a qualified statistician to certify that the risk of re-identification is minimal, that route requires extensive documentation and is rarely practical for routine video disclosures.
For litigation discovery, subpoenas, or public records requests (which apply to public and state-funded health systems), utilizing de-identified footage is the standard defensive protocol. Redaction software automates the removal of faces and voices at scale - a critical asset when a legal request demands hours of multi-camera footage.
What redaction does and does not solve
Redaction permanently modifies pixel and audio data to bring footage within the Safe Harbor standard, removing the need for individual patient authorisations before a video is shared externally.
However, redaction does not absolve an organisation of its internal data management duties. While the video remains in your custody prior to redaction, it is active ePHI. You must maintain strict access controls, encryption at rest, and comprehensive audit logs. Redacting a copy of a video for a legal team does not mean the original, unredacted file can sit unprotected on an unencrypted network.
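The "immutable audit trails" required for stored telehealth recordings and the "comprehensive audit logs" required while unredacted footage is in your custody both come down to one property: nobody, including an administrator, can quietly edit or delete a record of who accessed a file. A hash-chained log is the usual way to get that property without special hardware. The following is an added example written for this page; it is not Secure Redact code and makes no claim about how that platform stores its logs. The file names, user IDs, actions and timestamps are constructed placeholders.

```python
"""Tamper-evident audit log for a video redaction workflow (added example).

Each entry records who touched which recording and on what lawful basis, and
carries a SHA-256 over the previous entry's hash plus its own fields. Editing
or removing an entry in the middle of the log breaks the chain; removing the
newest entries does not, which is why the latest hash must also be published
somewhere the log's administrator cannot change.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the log, starting at 0
    timestamp: str      # ISO-8601; passed in so the example is deterministic
    actor: str          # user or service account that acted
    action: str         # e.g. STORE, VIEW, EXPORT_REDACTED, DELETE
    object_id: str      # identifier of the recording touched (placeholder)
    purpose: str        # lawful basis recorded at the time of access
    prev_hash: str      # entry_hash of the previous entry, or GENESIS
    entry_hash: str     # SHA-256 over every field above


def _entry_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    raw = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, timestamp: str, actor: str, action: str,
               object_id: str, purpose: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fields = {
            "seq": len(self.entries), "timestamp": timestamp, "actor": actor,
            "action": action, "object_id": object_id, "purpose": purpose,
            "prev_hash": prev,
        }
        entry = AuditEntry(**fields, entry_hash=_entry_hash(fields))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Hash of the newest entry; publish it externally to detect truncation.
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify_chain(entries: List[AuditEntry],
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    If expected_head is supplied, a log whose newest entries were deleted is
    reported as index len(entries); hash chaining alone cannot see a cut tail.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i
        fields = asdict(e)
        fields.pop("entry_hash")
        if _entry_hash(fields) != e.entry_hash:
            return i
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def build_sample_log() -> AuditLog:
    # Constructed sample events; names, IDs and times are placeholders.
    log = AuditLog()
    log.append("2024-03-01T09:00:00Z", "svc-ingest", "STORE",
               "telehealth-0042.mp4", "treatment")
    log.append("2024-03-02T14:10:00Z", "privacy.officer", "EXPORT_REDACTED",
               "telehealth-0042.mp4", "litigation discovery, de-identified copy")
    log.append("2024-03-03T08:30:00Z", "svc-retention", "DELETE",
               "telehealth-0042.mp4", "retention schedule expired")
    return log


def edited_copy(log: AuditLog) -> List[AuditEntry]:
    # Someone rewrites who performed the export; the stored hash no longer matches.
    entries = list(log.entries)
    entries[1] = replace(entries[1], actor="someone.else")
    return entries


def spliced_copy(log: AuditLog) -> List[AuditEntry]:
    # The export record is removed from the middle of the log.
    return [log.entries[0], log.entries[2]]


def truncated_copy(log: AuditLog) -> List[AuditEntry]:
    # The newest entry is dropped; only the published head hash reveals this.
    return log.entries[:-1]
```

The point a practitioner should take from this is the last case: a hash chain proves nothing about deletions at the tail, so the current head hash has to be copied at intervals to somewhere outside the log's own administrative domain (a separate account, a write-once bucket, or a printed report signed off by the privacy officer) and compared during verification. Access decisions and redaction exports should be logged at the moment they happen, not reconstructed afterwards from file system timestamps.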
AI detection accuracy also depends on the footage itself. Platforms like Secure Redact use machine learning to detect faces and audio identifiers, but success rates depend on lighting, camera resolution, and frame rate. A single missed frame is enough to re-identify a person, so on legacy analogue systems or low-resolution footage (below 720p) a manual quality-assurance pass is a mandatory step before formal legal disclosure.
A Practical Strategy for Healthcare Privacy Teams
Conduct a Video Inventory: Map every video-generating system across your infrastructure, including telehealth architectures, body-worn camera initiatives, waiting room CCTV, and clinical training vaults.
Review Vendor Compliance: For any system processing or storing this video data, ensure your Business Associate Agreements (BAAs) are legally executed and up to date under 45 CFR §164.308(b). Any software vendor touching this footage - including cloud redaction platforms- must operate under a BAA.
Automate the Workflow: As telehealth use and security footage volumes grow, manual frame-by-frame editing becomes a compliance bottleneck. Patient access requests under 45 CFR §164.524 must generally be answered within 30 days, and discovery deadlines are set by the court; delays caused by manual editing expose the organisation to regulatory and legal risk.
Pimloc’s Secure Redact processes video and audio at scale, generating the verifiable audit trails and strict access logs required for enterprise healthcare compliance. To learn more about managing healthcare video pipelines responsibly, visit the Secure Redact website.
Automated video, audio and text redaction for healthcare teams
Try Secure Redact for free.
Frequently Asked Questions
Is all CCTV footage recorded in a healthcare facility PHI?
No. CCTV footage only qualifies as Protected Health Information (PHI) when it meets two criteria: it must identify an individual (or provide enough context to make them identifiable) and it must connect them to their health status, the receipt of healthcare, or the payment for healthcare. A security camera recording an employee-only corridor or a general parking lot is unlikely to meet this threshold. However, a camera capturing patients inside a clinic waiting room or at a treatment intake desk automatically does.
Do I need a Business Associate Agreement (BAA) with my video redaction vendor?
Yes. If your redaction provider processes or hosts video footage that qualifies as PHI, they are legally considered a "Business Associate" under HIPAA. According to 45 CFR §164.308(b), any vendor handling, storing, or processing ePHI on your behalf must execute a formal BAA. This mandate applies to cloud-based automated redaction platforms just as strictly as it does to electronic health record (EHR) vendors.
Can identifiable patient footage be used for staff training?
No. You cannot use identifiable patient footage for educational or training purposes unless you obtain a valid, signed HIPAA authorization from the patient. If obtaining authorization is impossible, the footage must be fully de-identified before use. Simply blurring a face is usually insufficient on its own if the patient’s voice, name, unique tattoos, or specific medical conditions are still recognizable or mentioned in the audio track.
How is video footage de-identified under HIPAA?
To fully de-identify video data, organizations most commonly use the Safe Harbor method under 45 CFR §164.514(b)(2), which requires the definitive removal of all 18 specified identifier categories (including faces, voices, names, biometric identifiers, and explicit dates). The alternative route, Expert Determination, allows a statistical expert to verify that the risk of re-identification is minuscule, but this requires unique documented methodology and is rarely practical for everyday video disclosures.
Is encrypting stored telehealth recordings enough for HIPAA compliance?
Encryption is a critical piece of the puzzle, but it does not achieve compliance on its own. While encryption protects data "at rest" under the HIPAA Security Rule, stored telehealth recordings also require strict user access controls, immutable user audit trails, secure data-disposal protocols, and legally binding BAAs with whatever cloud platform hosts or processes the files. Furthermore, your data retention schedules must comply with applicable state medical record laws.
