Get a Quote Renew Now
Print Friendly and PDF Print or Download

Role of video surveillance in pharmacies

Video surveillance in pharmacies can be a powerful tool for security, regulatory compliance (for example, meeting Drug Enforcement Administration requirements for theft prevention controls), and detecting drug diversion, but it also raises ethical, legal, and operational concerns. By understanding these concerns and taking steps to address them, pharmacists and business owners can ensure smooth operations within the pharmacy and avoid legal and ethical issues. 
 

Potential surveillance issues

A major issue related to surveillance is compliance with the Health Insurance Portability and Accountability Act (HIPAA). Compliance requires that surveillance data be secured. This includes limiting access, regular audits of what is being recorded, and secure transmission protocols. Data security is particularly important given that cameras may inadvertently capture protected health information (PHI) such as prescription details.

Not retaining video for more than 30 to 45 days or poor image quality can hamper an investigation should an incident occur. For example, many diversion schemes are discovered through monthly statistical reports; however, in practice, these reports are not reviewed immediately.

Recording sound in addition to video can be problematic because patients have a reasonable expectation of privacy when they are having conversations with pharmacists. Most states have wiretapping laws that prohibit the recording of audio by video surveillance systems unless the person being recorded have given their informed consent.
 

Action steps

Pharmacists and business owners can take several steps to avoid potential problems with video surveillance.

Involve staff.
Pharmacists play an important role in fostering a positive culture that includes accountability. Staff may first be reluctant to have cameras in the pharmacy area, so pharmacists can serve as role models and ensure that staff receive education on privacy policies and understand the role of surveillance in maintaining security and compliance. Education should include ethical boundaries and legal responsibilities related to patient confidentiality and data protection. Understanding this information can help reduce the risk of liability that would occur if a staff member inadvertently violated a patient’s rights.

Staff also can be involved when video reveals operational areas that could be improved by changes in work processes.

Collaborate.
Pharmacists and business owners should work closely with IT, legal, and security teams to implement surveillance systems that are both effective and compliant with regulations. For example, Steve Alder, editor-in-chief of The HIPAA Journal, notes that if data is communicated via the cloud or a third-party provider, it is necessary to ensure secure transmission and to have a HIPAA Business Associate Agreement. Collaboration also can help in determining where to place cameras. Entrances, exits, dispensing areas, drive-throughs, and narcotic storage areas may be considered.

Collaboration should extend to patients. Being clear about surveillance practices helps build trust and reinforces the pharmacy’s commitment to ethical care. For example, posting signs that recording is in progress is not only an important legal protection; it conveys transparency to patients. 

Protect privacy.
Position cameras in a way that does not compromise patient confidentiality by recording sensitive patient information. Take particular care in consulting areas and registers, where sensitive interactions often occur, and do not record sound. It is also important to be aware of state laws and regulations related to video surveillance and data storage. For instance, Alder noted that Virginia requires surveillance cameras to have an auxiliary power source.

Access to video should be limited to those who legitimately need it, such as members of a drug diversion team. 

Check function.
Check  the function of a surveillance system at least quarterly, citing the example of a case of suspected injectable tampering in which no one knew the camera had stopped working, so no footage was available.  

Report security breaches.
If a breach occurs, such as recording of PHI, report it online. The timing for reporting breaches varies based on the number of individuals affected. If more than 500 people are impacted, the breach must be reported “without reasonable delay” and no later than 60 calendar days from the date of discovery. If fewer than 500 people are affected, notification must occur “within 60 days of the end of the calendar year in which the breach was discovered.” Failure to report breaches may result in fines for both the pharmacist and the business owner, as well as disciplinary action or even loss of license for the pharmacist.

In addition, if surveillance reveals theft, diversion of controlled substances, or unethical behavior, and the pharmacist fails to take action, they may be liable for negligence or complicity. This includes both internal staff misconduct and external criminal activity.
 

Use with caution

Video surveillance can be valuable for security and compliance purposes, but only if used appropriately. Pharmacists and business owners must involve their staff, collaborate, protect patient privacy, ensure proper functioning, and report security breaches to help avoid ethical and legal issues.  
 

Cynthia Saver, MS, RN, of CLS Development, is a medical writer in Columbia, Md.

 

Sidebar #1

HIPAA checklist

A checklist can help ensure a pharmacy complies with HIPAA requirements; adhering to the requirements helps avoid problems related to video surveillance. Here are some items typically found on a checklist.

  • Completion of annual audits, such as security risk assessment and privacy assessment
  • Identification and documentation of gaps uncovered in audits
  • Creation of written plans to address deficiencies; plans updated annually, and re-annually documented plan retained for six years
  • Annual HIPAA training of staff and documentation of training
  • Policies and procedures related to annual HIPAA privacy, security, and breach notification rules are in place
  • Staff are updated on these policies annually, and the update is documented
  • Business Associate Agreements in place as needed and reviewed annually
  • Confidentiality agreements with non-Business Associate vendors
  • Process for handling data breaches, including required reporting and the ability of staff to report anonymously.

Download a free sample checklist

Source: Alder S. HIPAA and video surveillance. HIPAA J. 2025.

 

 

References

Alder S. HIPAA and video surveillance. HIPAA J. 2025. https://www.hipaajournal.com/hipaa-and-video-surveillance

New K. Camera surveillance. Association of Healthcare Internal Auditors. 2019. https://ahia.org/wp-content/uploads/2022/08/Camera-Surveillance-by-Kim-New.pdf

The HIPAA Journal. HIPAA checklist. 2025.

U.S. Department of Health and Human Service. Submitting notice of a breach to the secretary. 2023. https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

U.S. Department of Health and Human Services. Summary of the HIPAA Privacy Rule. n.d. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html#intro


Get in the know with HPSO

 

Stay up to date on industry insights, trends, and tips when you sign up to receive risk management materials from HPSO - all conveniently delivered to your inbox.
 

Fill out my online form.
*Required field. By submitting this form, I agree to receive marketing communications from Healthcare Providers Service Organization (HPSO) at the email address provided.
This publication is intended to inform Affinity Insurance Services, Inc., customers of potential liability in their practice. This information is provided for general informational purposes only and is not intended to provide individualized guidance. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy. Any references to non-Aon, AIS, NSO, HPSO websites are provided solely for convenience, and Aon, AIS, NSO and HPSO disclaims any responsibility with respect to such websites. This information is not intended to offer legal advice or to establish appropriate or acceptable standards of professional conduct. Readers should consult with a lawyer if they have specific concerns. Neither Affinity Insurance Services, Inc., HPSO, nor CNA assumes any liability for how this information is applied in practice or for the accuracy of this information.

Healthcare Providers Service Organization is a registered trade name of Affinity Insurance Services, Inc., a licensed producer in all states (TX 13695); (AR 100106022); in CA, MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services, Inc.; in CA, Aon Affinity Insurance Services, Inc., (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency and in NY, AIS Affinity Insurance Agency.