The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States fosters health insurance coverage for workers and their families, and requires national standards for electronic health care transactions.


The law’s privacy provisions include protection of information related to any individual’s health status, provision of health care, or payment for health care. There are also additional health privacy laws specific to California. Internationally, there is a patchwork of health privacy laws around the world, from Argentina to Uruguay, including laws throughout Europe, Central Asia and Australia.  

Role of physical security in safeguarding data 

Physical security systems can play a big role in helping to keep patient information safe and private, as required by various laws. For example, AMAG has developed new capabilities within its Symmetry family of products that allow healthcare institutes to demonstrate their compliance with HIPAA. Compliance reporting is a key area and has been a focus for AMAG, says Dave Ella, Vice President of Product Marketing, AMAG Technology. 

Hospitals and healthcare facilities install AMAG’s Symmetry access control system and Symmetry CompleteView Video Management to manage and control access and provide HIPAA compliance throughout their buildings and campuses. Security plan policies and procedures need to protect a healthcare facility, says Ella. Automatically reviewing access permissions for employees, contractors and visitors on a regular basis is a key aspect of the plan, and AMAG’s Symmetry CONNECT product is designed for that purpose. Also, capabilities within the system make documentation of adds and changes to the security system more straightforward. They include the ability to add drawings, documents and notes to any device within the system.  

Demanding regulatory environment

Legislation like HIPAA, which establishes U.S. standards for privacy and security, impacts hospital access control policies and procedures, says Sheila Loy, Director Healthcare Strategies, North America, HID Global. In fact, HIPAA is just one element in a demanding regulatory environment. The need to comply is complicated in hospitals by security threats in an environment with high traffic volumes and complex staffing requirements, Loy adds. For instance, in California, hospitals must report any security breach event, after which the California Department of Public Health (CDPH) checks policies, practices and audit trails, and executes inspections and assesses fines. 

Often, hospital administrators must also follow federal guidelines established by the Centers for Medicare and Medicaid Services (CMS) that, at times, conflict with state rules and result in fines.

Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes; and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery. Today’s access control platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For instance, HIPAA imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.  

HID Global offers comprehensive healthcare security solutions to create a safe, compliant environment for patients and employees. The company’s solutions: provide secure access to healthcare facilities and supplies; enable hospitals to identify and manage hospital visitors; provide electronic audit trails to protect patients and staff; ensure HIPAA compliance for patient records; and enable organisations to leverage existing access control cards for additional services to offer convenience and create operational efficiencies. 

Need for versatile authentication platform 

Health data is at least as valuable as financial data in the online banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied, says Loy. Even though patients don’t access healthcare information as frequently as do online banking customers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organisations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implement the critical five layers of security including user authentication, device authentication, transaction authentication with pattern-based intelligence, browser protection, and application security, says Loy.  

Access control systems can be used to help protect access to patient records and other controlled materials, adds Robert Laughlin, President, Galaxy Control Systems. By using higher-security credentials for access control readers, such as biometrics, medical facilities can increase their confidence levels that they are only providing access to authorised individuals and creating an audit trail for reporting or review. Galaxy access control systems can be integrated with a wide range of readers, including high security biometric readers.  

Ensuring privacy with video surveillance 

Video systems are also impacted by HIPAA in the United States and by similar privacy legislation around the world. When a physical security system is installed in a healthcare environment, patients’ privacy must be protected according to HIPAA’s specific rules, says Jason Ouellette, Product Line Director – Access Control, Tyco Security Products. A patient’s PII – or personally identifiable information – must be protected. PII is any information that can be used to uniquely identify, contact or locate an individual, or that can be used with other sources to uniquely identify a person.  

With video surveillance, cameras must be positioned in such a way that they don’t violate HIPAA laws, says Ouellette. If a camera is pointed to a computer screen or something else that contains a patient’s PII, there must be an option to draw a privacy window within the frame so that a patient’s sensitive information isn’t easily accessed or compromised. 

Challenge of megapixel cameras 

Furthermore, the use of megapixel cameras can increase the challenge. HIPAA and similar requirements can indirectly impact video systems in ways not thought of before the advent of megapixel surveillance cameras, says Jeff Whitney, Arecont Vision’s Vice President of Marketing. On one hand, video surveillance systems are more effective than ever at protecting medical records storage and access to other confidential information.  

On the other hand, it is now equally important to consider the field of view of a high-megapixel camera, says Whitney. A camera placed over a cashier may yield images with discernible credit card numbers of a screen within the field of view, of documents, or of the credit card itself. Medical records may similarly be picked up in detail by a high-megapixel camera. Therefore, it is necessary to ensure that the integrator selected to install a video surveillance system understands the objective of each area of coverage, and what should not be included.

Integrated security systems aid faster compliance 

Faced with a number of local, state and national regulatory guidelines, security directors within healthcare facilities must be able to improve hospital security and insulate the organisation from potential liability claims, says Kyle Cusson, Business Development Manager, Healthcare, Pelco by Schneider Electric. “That means implementing a surveillance system that allows multiagency cooperation and response,” he says. “Keeping all of this in mind, having a video surveillance system that integrates with the necessary emergency and fire alarm systems, access control and other systems can promote an institution’s compliance with regulatory agencies by providing proof that the organisation’s assets are safe and secured.”  

Finally, there is the issue of access to video. In today’s regulation-focused market, healthcare organisations must strictly control who has access to video, says Brandon Reich, Senior Director of Surveillance Solutions, Pivot3. Servers and storage are typically easier to secure because these devices are traditionally deployed in controlled locations, sometimes on closed networks and often under the supervision of IT. Client access is more difficult to control – security personnel, management and even first responders need access to video, and their devices are typically unsecured. This can translate into a potential HIPAA violation, especially if data is accessed by unauthorised people.


Author profile

Larry Anderson, Editor
