HIPAA privacy compliance

We need a camera system throughout our mental health clinic, but it cannot violate HIPAA privacy laws. This is why I am wary of ANY cloud-stored system. Does anyone out there use Wyze cams in a HIPAA regulated facility? How do you get past the concern of the account being hacked and having your patients’ privacy rights violated? Thank you!

1 Like

All I can say about hippa/banking, etc., is nothing more than garbage. Hippa is no more safe than a public conversation. Contractors working from third party services and other countries, are not controlled by the hiring company. As an agency can hire whomever and assign to projects/on going IT maintenance without our knowledge or approval. So, I take all this security with a grain of salt. All I need to say security breeches happen everyday.

1 Like

It is doubtful that these cameras will pass a HIPAA Compliance check by a third-party auditor. Especially since they are marketed as hobbyist level devices. Even with SD cards, as those are easily removable. Maybe if they implement storage to NAS and you can successfully block them from internet access.

Even then, you will most likely need something that can be used on a closed ethernet circuit.


We can only be expected to go to reasonable lengths to support HIPAA. We can’t monitor our employees and their conversations offsite, for example. But we can try to find camera systems that are not likely to be hacked. If using a closed circuit recorder is the only option, so be it, but I would like to find something with a little more functionality if possible.

Agreed, but everyone’s definition of “reasonable” is similar to the definition of “soon”.

“Agreed, but everyone’s definition of “reasonable” is similar to the definition of “soon”.”

Good point! HAHA.

You can flash the official WYZE RTSP firmware on your cameras, then take them off the WYZE cloud servers. You will need a third-party software to view all the cameras. There are free viewing software, but they only show one feed at a time. Then then don’t forward their LAN ports . That way, they’re only accessible inside your own LAN.

Not sure if that’s enough to satisfy HIPAA privacy requirements.

1 Like

Possibly. Really comes down to how the data is stored and who has access to it. Using SD cards, makes the data mobile and accessible to everyone with physical access to a camera.

In this case, you don’t use SD cards at all. They are a security risk. Most commercial security software can write to a network-attached drive. And most will accept RTSP feeds.

Of course, you can opt for a real security system like Axis, but they are at a different (higher) price point.

HIPAA is a sticky subject because very few specifics are laid out in the actual regulations. In general HIPAA requires “reasonable and appropriate” physical and/or technical safeguards to be in place for any storage or transmission of PHI or ePHI. That includes knowledge of which patients were treated at your facility and when, so recording them coming or going is technically PHI and must be protected.

In the case of video surveillance you would be asking for trouble by placing cameras in exam rooms, but other common areas should be fine as long as there are appropriate technical safeguards in place to prevent unauthorized access. All hospitals and many medical provider offices have CCTV security.
This is where the sticky part comes in, since with cloud services a single password is the only thing protecting access to the cameras from anywhere in the world. As previously mentioned, keeping your video local is much safer from a HIPAA regulation standpoint since you can say you physically limited access to the local facility and had technical safeguards in place to limit which users could access live and recorded video.

If the Wyze (or any other cloud service) account were compromised due to a poor password, etc, you would have to prove that no videos were exfiltrated, otherwise you’d be looking at a fine for every video that contained patients, and possibly for every patient that visited the facility during the time period that the account was compromised.

1 Like

This is all really valuable feedback, you guys. Thank you! I think that Wyze might be perfectly acceptable for exterior security coverage, but I’ll probably have to go with a wired solution indoors. That sucks cuz we never pay contractors to do such work… it’s all me, and I’m already way behind on my to-do list. Lol

So do any of you have a recommendation on a DVR (or similar recording device) that has a very simple user interface and is easy to set up?