HIPAA-Compliant Video Processing
Healthcare video — telehealth recordings, surgical footage, patient monitoring — contains Protected Health Information (PHI) and requires HIPAA compliance. This guide covers the technical, administrative, and physical safeguards needed for HIPAA-compliant video processing.
When Video Is PHI
Video is considered Protected Health Information (PHI) when it:
- Shows identifiable patients (faces, unique tattoos, etc.)
- Contains audio with patient information
- Displays medical records, charts, or screens
- Captures diagnostic imagery (X-rays, scans)
- Records clinical procedures
Importantly, video can be PHI even without explicit medical content. A video showing a recognizable patient in a hospital gown, in a clinical setting, is PHI.
The Incidental PHI Problem
Video captures incidental PHI:
- Other patients in the background
- Medical records visible on screen
- Staff conversations
- Room numbers and locations
This means video processing requires treating the entire frame as potentially PHI.
Technical Safeguards (§164.312)
HIPAA requires specific technical controls:
Access Controls (§164.312(a)(1))
- Unique user identification for all access
- Emergency access procedures
- Automatic logoff
- Encryption and decryption
BetterVideo implementation: Per-customer API keys, automatic session expiry, AES-256 encryption.
Audit Controls (§164.312(b))
- Record and examine activity in systems containing PHI
BetterVideo implementation: Complete audit logs of every API call, processing job, and data access. Logs retained 90 days, exportable for compliance.
Integrity Controls (§164.312(c)(1))
- Protect PHI from improper alteration or destruction
BetterVideo implementation: SHA-256 hashes of input and output, processing logs showing exactly what operations were applied.
Transmission Security (§164.312(e)(1))
- Protect PHI transmitted over electronic networks
BetterVideo implementation: TLS 1.3 required, certificate pinning in SDKs, no unencrypted transmission paths.
Business Associate Agreements
If a vendor handles PHI on your behalf, you need a Business Associate Agreement (BAA).
What a BAA Covers
- Permitted uses and disclosures of PHI
- Safeguards the BA will implement
- Reporting obligations for breaches
- Subcontractor requirements
- Termination and return/destruction of PHI
BetterVideo BAA
BetterVideo signs BAAs on all paid tiers. Our BAA:
- Covers all processing through our API
- Specifies zero-retention architecture
- Includes breach notification procedures
- Addresses subprocessors (cloud infrastructure)
Contact sales@bettervideo.io for BAA execution.
Implementation Checklist
Before Processing
- ☐ BAA signed with video processing vendor
- ☐ Risk assessment completed
- ☐ Minimum necessary determination documented
- ☐ Patient authorization obtained (if required)
During Processing
- ☐ Encryption in transit verified
- ☐ Access logged
- ☐ Minimum necessary scope enforced
After Processing
- ☐ Deletion verified (or justified retention)
- ☐ Audit logs retained
- ☐ Any disclosures documented
Frequently Asked Questions
Yes — if you're processing PHI, you need a BAA. BetterVideo provides BAAs on all paid tiers.
If it shows an identifiable patient in a clinical context, yes. Even without medical discussion, a recognizable patient in a video call with a provider is PHI.
Properly de-identified video (per 45 CFR 164.514) is not PHI. But video de-identification is complex — face blurring alone may not be sufficient.
HIPAA doesn't mandate specific retention periods, but requires retention only as long as necessary. State laws may impose minimums (often 7 years for medical records).
Ready to get started?
Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.