November 30, 2015

employee surveillance and big brother is watching concept shown as a security camera monitoring the public with a large eye spying, a symbol for privacy rights issues, isolated on a white background

Secret Agent Doctor, Secret A…gent Man! Office Spy Cams and Employee Surveillance

What would you do if you witnessed upsetting team behavior on your office’s security cameras? I recently got a question similar to the following. (Details changed to protect the innocent and confuse the guilty.)

“I’ve just reviewed some recorded audio and video and learned something upsetting, and I think I might have to fire someone.

What would you do if you were me? Let them know I watched and listened to the footage? Or not? Would knowing that I check the footage change their behavior?”

This is not a simple question to answer. I have a couple of observations to share, and some notes of caution.

First, I’m concerned because you said you “watched and listened to the footage”—and it is not legal, under almost all circumstances, to record audio on security cameras. There are exceptions to the rule which can be addressed on a case-by-case basis. If you do record audio, many states require that the storage device for the audio be kept under lock and key and that the recordings be purged on a regular basis. As in, monthly.

Remember that when you record the audio of the employees at the front desk, you are also recording patient conversations (this means that your disclaimers and obligations to inform and gain consent will likely need to extend to your patients). How will you handle this? As soon as a patient states why they are there, and you have a name, face, and the issue on audio—what then?

Are you creating a HIPAA violation?

As with all activities in your office, you must be ever vigilant about HIPAA compliance. Aside from the data wiping and notification issues just mentioned, remember that if you capture Protected Health Information on your cameras or audio, the devices and system must also be HIPAA compliant. Failing to notice that you have captured HIPAA-protected information is not an excuse.

As HIPAA experts ourselves, via CEDR’s sister company, we have trained more than 5000 employees and 1000s of HIPAA compliance officers. We also work with another company to have them scan your IT system for vulnerabilities—it’s part of the new HIPAA requirements. We find that the off-the-shelf port systems on self-installed cameras are EXTREMELY vulnerable to back-end access.

This means that hackers could easily gain access through the camera and then get into your systems. We also find that a fair amount of the professionally installed versions have the same back port vulnerability. If you don’t know for sure that your device and recording practices are OK and not creating HIPAA compliance issues, you need to find out.

Cameras as theft deterrent and detection: Verdict, “meh”

While there are exceptions to the rule, it has generally been well documented that cameras do not prevent embezzlement, nor do they do much to detect it. Embezzlers embezzle, thieves steal. Cameras make them creative about it.

Employee privacy is also an issue

Catching the negative aspects of employee privacy (i.e., unauthorized activities going on in your office) on tape isn’t all you have to worry about. Keep in mind that recording your employees’ conversations may also result in you learning things that you are not supposed to know and cannot act upon.

For instance, you might overhear an employee’s after-hours call to her friend to discuss her own cancer treatment. (And that list goes on and includes all sorts of topics.) Too much information can cause legal problems for YOU, if you make employment decisions based on that knowledge.

Also, note that security cameras should not be placed in private areas. If you capture an employee changing clothes and revealing herself because she thinks she is off the clock and has a reasonable expectation of privacy—you have a problem. There are federal and state laws that also apply when you record a conversation without consent or the subject’s knowledge.

Let me sum this up for HR nerds, managers, and doctors/owners

State and federal laws often have something to say about whether you can record the audio of your employees or not—and they often include provisions that include securing servers and purging recordings.

State and federal laws also address wiretapping and eavesdropping, so while listening to live audio may be OK if proper notices are posted about the camera and audio, actually recording the audio is a separate matter.

HIPAA requires that you keep all of your patient information secure. Allowing your cameras to record audio and video and also store it means that you must also protect and encrypt the device you record it to. Loss of this data could cost you up to $50,000 per patient.

Are you excited about being able to check your cameras from your phone? Cameras are often linked via a network. Make sure that your camera’s internet ports are properly set up and that they do not expose you to back door hacking.

So…to spy, or not to spy?

I’m all for video cameras without sound or recording, so long as they are conspicuous and your state allows it. They can be a valuable tool when it comes to monitoring all sorts of things in your office.

BUT—there is a big “but,” and I cannot lie! Just slapping a set of cameras up one weekend is probably not your best approach to solving the management problems you think you might be experiencing.

I leave you with this bubble-popper. In the two biggest embezzlement cases I have ever seen—I’m talking more than a million dollars each time—there were cameras in the office. In both instances, the cameras were of no use, as the embezzler did what embezzlers do: they find a way to embezzle outside of the obvious controls.

Please be careful about putting cameras in, and know the limitations.

Friendly Disclaimer: This information is general in nature, and is not intended to replace good counsel about a specific issue with either your attorney or your favorite HR expert.

Friendly Disclaimer: This information is general in nature and is not intended to provide legal advice or replace individual guidance about a specific issue with an attorney or HR expert. The information on this page is general human resources guidance that is believed to be current as of the date of publication. Note that CEDR is not a law firm, and as the law is always changing, you should consult with a qualified attorney or HR expert who is familiar with all of the facts of your situation before making a decision about any human resources or employment law matter.

Leave a Reply

Please note: CEDR Solutions specializes in providing expert HR support to owners and operators of independently owned medical and dental practices.