HIPAA-Compliant Surveillance Buying Checklist
HIPAA compliance is more about how footage is handled than what cameras are installed. This checklist walks through the 24 questions we work through on every healthcare surveillance proposal.
Bottom Line
A healthcare surveillance proposal is ready when you can answer yes to every question below. Placement boundaries (no exam rooms), role-based VMS access, a BAA with the cloud vendor, and DEA-grade pharmacy coverage are the priorities most often missed.
Our team runs this checklist on every healthcare proposal.
Best For
- Medical office managers
- Clinic administrators
- Healthcare compliance officers
- Dental practice managers
Not For
- Inpatient hospital systems
- Retail pharmacy
- Residential
Healthcare-Specific Priorities
HIPAA-aware placement (no exam rooms), DEA-grade pharmacy coverage, role-based VMS access for minimum-necessary compliance, BAA-signing vendor if cloud is involved, audit-trail logging, 90+ day retention for DEA-subject areas, and ambulance-bay coverage for emergency operations.
The 24-Question HIPAA-Compliant Surveillance Checklist
Walk through these before approving any healthcare surveillance proposal.
- Are cameras explicitly excluded from exam and treatment rooms? Near-universal HIPAA expectation.
- Are bathrooms, locker rooms, and medical lounges excluded? Privacy law requirement.
- Is the pharmacy / drug safe covered with a 4K AI camera? DEA-grade detail.
- Is the ambulance bay / emergency entry covered? Patient intake and staff safety.
- Is the reception/waiting area covered at an appropriate angle? Patient-privacy aware.
- Is role-based VMS access configured? HIPAA minimum-necessary principle.
- Are individual named VMS accounts used? Shared accounts fail HIPAA audit.
- Is the audit trail logged for every access, playback, and export? HIPAA audit response.
- Is a BAA signed with the cloud VMS or storage vendor (if used)? PHI in the cloud requires a BAA.
- Is retention 90+ days for DEA-subject areas? DEA audit response.
- Is retention 30-60 days for general common-area coverage? Standard healthcare practice.
- Is access control integrated for restricted-area cameras? Camera + badge audit trail.
- Is there a written surveillance policy for the practice? HIPAA compliance documentation.
- Is staff trained on HIPAA surveillance handling? Employee awareness.
- Is posted signage at public entries specified? Disclosure requirement.
- Is audio recording disabled? Patient conversations are PHI; audio creates liability.
- Is storage RAID-configured? Redundancy requirement.
- Is UPS coverage specified? Power loss creates gaps.
- Is cable-plant labor included? Typically 30-40% of hardware cost.
- Is commissioning labor included? Per-camera HIPAA-compliance tuning.
- Is a cybersecurity baseline configured? Non-default passwords, certificates, firmware updates.
- Is the warranty explicit? 1-5 year commercial warranty.
- Is a spare-camera plan in place? Avoids compliance gaps during failures.
- Is the post-install support contact clear? HIPAA-aware support partner.
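As an added example that is not part of the original checklist, the following Python script turns the placement, retention, audio, and account questions above into an automated check over a proposal export, so the same rules can be re-run every time a camera list or VMS user list changes. The zone names, record fields, and the set of generic logins are assumptions for this example, and the inventory it checks is constructed.

```python
# Added example, not the checklist's own code. Zone/field names and
# SHARED_LOGINS are assumptions; the inventory below is constructed.
EXCLUDED_ZONES = {"exam_room", "treatment_room", "bathroom", "locker_room", "lounge"}
DEA_ZONES = {"pharmacy", "drug_safe"}  # 90+ day retention, 4K detail
SHARED_LOGINS = {"admin", "frontdesk", "nurse", "security", "operator"}

def audit_cameras(cameras):
    """Return one finding per camera-level checklist violation."""
    findings = []
    for cam in cameras:
        name, zone, days = cam["name"], cam["zone"], cam["retention_days"]
        if zone in EXCLUDED_ZONES:
            findings.append(f"{name}: camera in excluded zone '{zone}'")
        if cam.get("audio"):
            findings.append(f"{name}: audio enabled (conversations are PHI)")
        if zone in DEA_ZONES:
            if days < 90:
                findings.append(f"{name}: DEA-subject retention {days}d < 90d")
            if cam.get("resolution") != "4K":
                findings.append(f"{name}: DEA-subject area not covered at 4K")
        elif days < 30:
            findings.append(f"{name}: common-area retention {days}d < 30d")
    return findings

def audit_accounts(accounts):
    """Flag VMS logins that are not individual, named, role-scoped accounts."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user.lower() in SHARED_LOGINS or not acct.get("person"):
            findings.append(f"{user}: shared or unnamed VMS account")
        if not acct.get("role"):
            findings.append(f"{user}: no role assigned")
    return findings

def audit_proposal(cameras, accounts):
    """All findings for a proposal; an empty list means the checks pass."""
    return audit_cameras(cameras) + audit_accounts(accounts)

CAMERAS = [  # constructed sample inventory with deliberate gaps
    {"name": "cam-01", "zone": "waiting_room", "retention_days": 14},
    {"name": "cam-02", "zone": "exam_room", "retention_days": 45, "audio": True},
    {"name": "cam-03", "zone": "pharmacy", "retention_days": 60, "resolution": "1080p"},
    {"name": "cam-04", "zone": "ambulance_bay", "retention_days": 90},
]
ACCOUNTS = [
    {"user": "jsmith", "person": "J. Smith", "role": "viewer"},
    {"user": "frontdesk", "person": "", "role": "viewer"},
]
if __name__ == "__main__": print(*audit_proposal(CAMERAS, ACCOUNTS), sep="\n")
```

The common-area check only enforces the 30-day floor, since the FAQ notes that many operators standardize on 90 days everywhere.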
Frequently Asked Questions
What makes surveillance HIPAA-compliant?
Role-based VMS access with individual accounts, audit-trail logging, BAA-signing cloud vendors (if cloud is used), posted signage, appropriate placement boundaries (no exam rooms), and staff training on PHI handling.
Can we use a general commercial VMS for healthcare?
Yes, if it supports individual user accounts, role-based access, and audit logging. Milestone XProtect, Genetec Security Center, and Hanwha Wisenet WAVE all meet these requirements.
Do we need a BAA with our camera vendor?
Only if the vendor handles PHI — typically only cloud storage or cloud VMS vendors. On-premise-only deployments do not require a BAA with the camera manufacturer.
What retention period for healthcare?
30 days baseline for general common areas; 90+ days for DEA-subject areas (pharmacy, controlled substances). Many operators standardize on 90 days everywhere for simplicity.
Can we use Axis and Hanwha for HIPAA-aware healthcare?
Yes. Both are NDAA-compliant and have enterprise VMS integration with HIPAA-appropriate features.