Privacy & Compliance

HIPAA-Compliant Video Processing

Healthcare video — telehealth recordings, surgical footage, patient monitoring — contains Protected Health Information (PHI) and requires HIPAA compliance. This guide covers the technical, administrative, and physical safeguards needed for HIPAA-compliant video processing.

When Video Is PHI

Video is considered Protected Health Information (PHI) when it:

  • Shows identifiable patients (faces, unique tattoos, etc.)
  • Contains audio with patient information
  • Displays medical records, charts, or screens
  • Captures diagnostic imagery (X-rays, scans)
  • Records clinical procedures

Importantly, video can be PHI even without explicit medical content. A video showing a recognizable patient in a hospital gown, in a clinical setting, is PHI.

The Incidental PHI Problem

Video captures incidental PHI:

  • Other patients in the background
  • Medical records visible on screen
  • Staff conversations
  • Room numbers and locations

This means video processing requires treating the entire frame as potentially PHI.

Technical Safeguards (§164.312)

HIPAA requires specific technical controls:

Access Controls (§164.312(a)(1))

  • Unique user identification for all access
  • Emergency access procedures
  • Automatic logoff
  • Encryption and decryption

BetterVideo implementation: Per-customer API keys, automatic session expiry, AES-256 encryption.

Audit Controls (§164.312(b))

  • Record and examine activity in systems containing PHI

BetterVideo implementation: Complete audit logs of every API call, processing job, and data access. Logs retained 90 days, exportable for compliance.

Integrity Controls (§164.312(c)(1))

  • Protect PHI from improper alteration or destruction

BetterVideo implementation: SHA-256 hashes of input and output, processing logs showing exactly what operations were applied.

Transmission Security (§164.312(e)(1))

  • Protect PHI transmitted over electronic networks

BetterVideo implementation: TLS 1.3 required, certificate pinning in SDKs, no unencrypted transmission paths.

Business Associate Agreements

If a vendor handles PHI on your behalf, you need a Business Associate Agreement (BAA).

What a BAA Covers

  • Permitted uses and disclosures of PHI
  • Safeguards the BA will implement
  • Reporting obligations for breaches
  • Subcontractor requirements
  • Termination and return/destruction of PHI

BetterVideo BAA

BetterVideo signs BAAs on all paid tiers. Our BAA:

  • Covers all processing through our API
  • Specifies zero-retention architecture
  • Includes breach notification procedures
  • Addresses subprocessors (cloud infrastructure)

Contact sales@bettervideo.io for BAA execution.

Implementation Checklist

Before Processing

  • ☐ BAA signed with video processing vendor
  • ☐ Risk assessment completed
  • ☐ Minimum necessary determination documented
  • ☐ Patient authorization obtained (if required)

During Processing

  • ☐ Encryption in transit verified
  • ☐ Access logged
  • ☐ Minimum necessary scope enforced

After Processing

  • ☐ Deletion verified (or justified retention)
  • ☐ Audit logs retained
  • ☐ Any disclosures documented

Frequently Asked Questions

Yes — if you're processing PHI, you need a BAA. BetterVideo provides BAAs on all paid tiers.

If it shows an identifiable patient in a clinical context, yes. Even without medical discussion, a recognizable patient in a video call with a provider is PHI.

Properly de-identified video (per 45 CFR 164.514) is not PHI. But video de-identification is complex — face blurring alone may not be sufficient.

HIPAA doesn't mandate specific retention periods, but requires retention only as long as necessary. State laws may impose minimums (often 7 years for medical records).

Ready to get started?

Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.