Camera-zoning rules for HIPAA-aware sites
The hardest part of a healthcare camera install is not the cameras — it's the zone exclusions. Here is what gets recorded and what does not.
Lobby / waiting area
Cameras OK. Public space. Standard motion alerts after hours.
Front desk / check-in
Cameras OK with caveat: never include the screen of the staff workstation in the field of view (PHI on monitors).
Parking lot & building entry
Cameras OK. Helpful for after-hours alerts, slip-and-fall liability, vandalism documentation.
Server & med-storage rooms
Cameras OK. Often required by insurer/regulator. Add temperature contact + door-open contact too.
Exam rooms / operatories
NEVER. Patient-undressed area. Recording here is an immediate HIPAA violation.
Bathrooms / changing rooms
NEVER. Patient privacy regardless of HIPAA.
Hallways with PHI sightlines
If a camera in a hallway can see a record-room shelf or an open chart on a counter, the zone needs masking or repositioning.
Workstation screens
If the camera FOV picks up an unobscured monitor (even at distance), patient data is being recorded. Reposition or mask.
Audit pack: Every healthcare install gets a written zone-exclusion document signed by the operator and the practice principal. Hand it to your HIPAA compliance reviewer or insurer.
IT hygiene checklist (beyond cameras)
Most HIPAA risk is digital, not physical. Here is the dental-/medical-office IT hygiene pass that comes with the camera install.
- Workstation-locked-on-leave check. Verify Group Policy or local equivalent enforces auto-lock after 5 minutes idle. The single biggest dental-office HIPAA finding is unlocked workstations.
- Stale local-admin inventory. Scan every workstation for old local-admin accounts (former staff, prior IT contractor, vendor "service" accounts) and disable.
- Endpoint encryption. BitLocker enabled on every laptop. Lost-laptop incident playbook documented (what to tell patients, what to tell HHS).
- Bloatware + obsolete-software audit. Adobe Flash players, EOL Java runtimes, ancient TightVNC instances — all common in dental practices, all liability.
- Quarterly restore-tested backups. Most practices have backups. Few have ever restored from one. We restore once per quarter to a temp folder and verify.
- Network segmentation. Guest Wi-Fi on its own VLAN so a patient's phone can't browse to the practice's NAS or imaging server.
- Imaging-system isolation. Dental panoramic / x-ray PACS systems often run on Windows 7 or older — we put them on an isolated VLAN with no internet egress so the EOL OS is not internet-reachable.
- EHR / PMS access audit. Inventory who has admin in Eaglesoft / Open Dental / Dentrix / etc. Revoke former staff. Document who-has-what for the next HIPAA audit.
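The auto-lock, local-admin and BitLocker items above can be checked on each workstation with a short read-only PowerShell script. This is an added example, not tooling from the original page or the provider; the 90-day review cutoff and the reliance on the "Machine inactivity limit" policy (rather than a screen-saver lock) are assumptions.

```powershell
# Added example: read-only audit of one Windows workstation (run elevated).
# Assumptions: auto-lock is enforced via the "Interactive logon: Machine
# inactivity limit" policy; BitLocker cmdlets are present (Pro/Enterprise).
$MaxIdleSecs = 300   # 5 minutes idle, per the checklist
$StaleDays   = 90    # assumed cutoff for a "stale" admin; set to local policy

# 1. Auto-lock: the policy is stored as InactivityTimeoutSecs.
#    Missing or 0 means the machine never locks on idle through this policy.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle   = (Get-ItemProperty -Path $polKey -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$lockOk = ($null -ne $idle) -and ($idle -gt 0) -and ($idle -le $MaxIdleSecs)

# 2. Local accounts in the built-in Administrators group (well-known SID,
#    so the check also works on non-English Windows).
$cutoff = (Get-Date).AddDays(-$StaleDays)
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object {
        $u = Get-LocalUser -SID $_.SID
        [pscustomobject]@{
            Account   = $u.Name
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogon
            # Enabled but never used, or unused past the cutoff: review it.
            Review    = $u.Enabled -and (-not $u.LastLogon -or $u.LastLogon -lt $cutoff)
        }
    })

# 3. Encryption: any volume whose BitLocker protection is not On.
$unprotected = @(Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -ne 'On' } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus)

# One summary object per machine, suitable for Export-Csv into the audit pack.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    IdleLockSecs      = $idle
    AutoLockOk        = $lockOk
    AdminsToReview    = ($admins | Where-Object Review).Account -join ', '
    UnprotectedDrives = $unprotected.MountPoint -join ', '
}
```

The script only reports; disabling an account or enabling BitLocker stays a manual, documented decision.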
What a typical healthcare engagement looks like
- 1-2 hour walk-through with the practice principal. Camera zones, server room, workstation count, HIPAA checklist review.
- Written scope + audit pack draft before any cabling. Includes the zone-exclusion document the principal signs.
- Cabling outside business hours so patient flow is not disrupted.
- Camera commissioning + IT hygiene pass over 1-2 days during a slow weekday or Saturday.
- 30-day check-in + follow-up workstation-lock and backup-restore verification.
- Annual re-audit option — many practices add this as an ongoing engagement so the audit pack stays current for renewals.
Common questions from healthcare practices
Can the AI vision system see exam rooms?
No. AI vision processes only the cameras you point it at, and per the zone rules above, exam-room cameras don't exist. The AI can't see what isn't recorded.
Do I need a Business Associate Agreement (BAA)?
Yes — with TCG Solutions / Gary Amick. The BAA template is in the engagement packet; we sign it before any system credentials are handed over.
What about teledentistry / telehealth video?
Out of scope for the camera install. HIPAA-compliant video sessions are a separate workflow; happy to advise, but it is not the focus of this engagement.
Can I keep my existing IT contractor for day-to-day?
Absolutely. The camera + audit-pack engagement is independent of who manages your IT day-to-day. Many practices keep their existing IT and just bring me in for the camera install + annual re-audit.