Televisit Vital Signs: A Security Checklist for CIOs
A CIO security checklist for televisit vital signs security, covering HIPAA telehealth vitals, biometric data privacy, encryption, and camera-based vitals safeguards.

Health system CIOs are inheriting a new category of protected health information they did not have to govern five years ago: vital signs captured directly from a patient's camera during a video visit. As camera-based measurement of heart rate, respiratory rate, and blood pressure trends moves from pilot programs into enterprise virtual care, televisit vital signs security has become a board-level question rather than a technical footnote. The video stream that once carried only a conversation now carries physiological data and, in many architectures, facial biometric signal. That changes the threat model, the regulatory exposure, and the diligence burden on every leader who signs off on a deployment.
In 2024 the HHS Office for Civil Rights recorded 663 large breaches affecting 500 or more individuals, exposing the protected health information of roughly 242 million people, with hacking and IT incidents responsible for 81 percent of those events. Source: HIPAA Journal analysis of OCR breach data, 2024.
That backdrop matters because remote photoplethysmography (rPPG), the optical technique behind most camera-based vitals, does not just produce a number. It processes video of a patient's face to detect subtle color changes tied to blood flow. The raw input is biometric, the output is clinical, and both deserve protection from capture through storage to disposal.
Why televisit vital signs security is a distinct problem
Traditional telehealth security models were built around two assets: the video session and the clinical note written afterward. Camera-based vitals introduce a third asset class that sits between them. Depending on architecture, a platform may transmit raw facial video to a cloud inference engine, run analysis on the device, or pass derived signal data through a vendor pipeline before it lands in the EHR. Each path carries a different exposure profile, and a CIO cannot evaluate televisit vital signs security without first knowing which one a vendor uses.
The regulatory environment has tightened around exactly this question. The HHS Notice of Proposed Rulemaking issued December 27, 2024 and published in the Federal Register January 6, 2025 would remove the long-standing distinction between "required" and "addressable" safeguards in the HIPAA Security Rule. Under the proposal, encryption of electronic protected health information at rest and in transit, plus multi-factor authentication for systems holding that data, would become mandatory rather than discretionary. At the same time, state biometric privacy statutes in Illinois, Texas, Washington, and Colorado impose consent and retention obligations on facial data that operate independently of HIPAA. A camera-based vitals deployment can be HIPAA-aligned and still create state-law liability if facial signal handling is not governed.
The three architectural patterns differ sharply on risk. The table below frames the trade-offs a CIO should weigh during vendor diligence.
| Architecture | Where facial video is processed | Data at rest | Primary security exposure | CIO diligence focus |
| --- | --- | --- | --- | --- |
| Cloud raw-video inference | Vendor cloud | Raw video may persist | Largest attack surface; biometric data leaves the network | BAA scope, retention limits, encryption keys, breach history |
| On-device or edge processing | Patient device or local edge | Only derived vitals stored | Smaller; raw video never transmitted | Device integrity, signal transport, EHR write path |
| Hybrid signal extraction | Local extraction, cloud refinement | Derived signal, not raw face | Moderate; depends on what leaves the device | Definition of "derived," de-identification proof |
Reading the table as a buyer
The pattern that minimizes exposure keeps raw facial video off the wire entirely and transmits only the extracted physiological signal. Cloud raw-video inference can still be compliant, but it widens the surface and raises the stakes on every downstream control. The questions a CIO asks should map directly to the architecture in front of them rather than to a generic security questionnaire.
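To make "derived signal" concrete for the on-device pattern, here is an added Python example; it is not code from this page, from Circadify, or from any vendor. It constructs a tiny synthetic face region whose green channel pulses at a known heart rate (the green-channel mean is the simplest classic rPPG feature), reduces each frame to one scalar the moment it arrives, and builds the only payload that would leave the device: the scalar time series and a heart-rate estimate, with no pixels. The frame size, frame rate, noise level, and heart rate are illustrative assumptions; a production rPPG pipeline adds face tracking, motion compensation, and stronger signal separation, none of which is shown here.

```python
"""On-device rPPG extraction that keeps one scalar per frame and no pixels.

Added example (not Circadify's or any vendor's code). All frames are
constructed synthetically so the script runs offline.
"""
import math
import random

FPS = 30               # assumed camera frame rate
WIDTH, HEIGHT = 8, 8   # tiny constructed face ROI so the example runs fast


def make_frame(t, bpm, rng):
    """Construct one RGB frame of the face ROI at time t seconds (synthetic).

    The green channel carries a small blood-volume pulse at `bpm`; every
    channel gets Gaussian sensor noise. Values are floats, not real pixels.
    """
    pulse = 2.0 * math.sin(2 * math.pi * (bpm / 60.0) * t)
    frame = []
    for _ in range(HEIGHT):
        row = []
        for _ in range(WIDTH):
            r = 150 + rng.gauss(0, 3)
            g = 110 + pulse + rng.gauss(0, 3)
            b = 90 + rng.gauss(0, 3)
            row.append((r, g, b))
        frame.append(row)
    return frame


class OnDeviceExtractor:
    """Reduces each frame to the mean green intensity of the ROI.

    Only `signal` (one float per frame) is kept. The caller creates each frame
    inline and holds no other reference, so the frame is garbage once push()
    returns; nothing here buffers or writes raw frames.
    """

    def __init__(self):
        self.signal = []

    def push(self, frame):
        total, n = 0.0, 0
        for row in frame:
            for (_, g, _) in row:
                total += g
                n += 1
        self.signal.append(total / n)
        del frame  # drop this function's reference; no frame is retained


def estimate_bpm(signal, fps=FPS, lo_bpm=40, hi_bpm=200):
    """Return the strongest frequency of the detrended signal in the HR band.

    A direct DFT is evaluated only at candidate heart rates (1 bpm steps), so
    no numeric library is needed.
    """
    n = len(signal)
    mean = sum(signal) / n
    x = [v - mean for v in signal]          # remove DC (skin tone, lighting)
    best_bpm, best_power = None, -1.0
    for bpm in range(lo_bpm, hi_bpm + 1):
        f = bpm / 60.0
        re = sum(x[k] * math.cos(2 * math.pi * f * k / fps) for k in range(n))
        im = sum(x[k] * math.sin(2 * math.pi * f * k / fps) for k in range(n))
        power = re * re + im * im
        if power > best_power:
            best_bpm, best_power = bpm, power
    return best_bpm


def build_payload(signal, fps=FPS):
    """The only thing that leaves the device: derived signal plus estimate."""
    return {
        "kind": "derived_rppg_signal",   # assumed field names for illustration
        "fps": fps,
        "samples": [round(v, 3) for v in signal],
        "bpm_estimate": estimate_bpm(signal, fps),
    }


def run_session(bpm=72, seconds=10, seed=1):
    """Simulate a visit: frames are generated, reduced, and discarded."""
    rng = random.Random(seed)
    ext = OnDeviceExtractor()
    for i in range(seconds * FPS):
        ext.push(make_frame(i / FPS, bpm, rng))   # frame dropped after push()
    return ext, build_payload(ext.signal)


if __name__ == "__main__":
    extractor, payload = run_session()
    print(len(payload["samples"]), "samples; estimate", payload["bpm_estimate"], "bpm")
```

The point for diligence is the shape of `build_payload`: a few hundred floats and one integer per ten-second window, with nothing from which a face could be reconstructed. When a vendor describes a "hybrid" design, ask for the equivalent of this payload definition and confirm the raw frames are consumed and dropped on the device the way `push()` does.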
A working checklist for virtual visit data protection
Virtual visit data protection for camera-based vitals breaks into governance, technical, and contractual controls. The following items map to the safeguards OCR enforcement actions most frequently cite, and to the mandatory controls anticipated under the 2025 rulemaking.
- Confirm a signed Business Associate Agreement that explicitly names facial video and derived vital signs as covered data, not just "session metadata."
- Verify encryption in transit (TLS 1.2 or higher, with certificate validation enforced on every hop, including the device-to-vendor leg) and at rest (AES-256), and ask who holds and rotates the keys.
- Require multi-factor authentication for every administrative and clinical access point to the vitals pipeline.
- Establish a documented data retention and deletion schedule for raw video; the strongest posture is to never retain raw facial frames.
- Demand a current technology asset inventory and network map from the vendor, a control the 2025 NPRM would make mandatory.
- Obtain the vendor's most recent independent security assessment (SOC 2 Type II or HITRUST) and breach disclosure history.
- Validate patient consent flows against applicable state biometric laws, including explicit notice that the camera is measuring physiology.
- Confirm the EHR write path uses authenticated, audited interfaces so vitals enter the record without an unsecured intermediary.
Patient vitals privacy also depends on what patients are told. Consent language drafted for a generic video visit rarely discloses that the camera is performing physiological measurement. Updating notice and consent is low-cost insurance against both regulatory action and erosion of patient trust.
Industry applications and where the risk concentrates
Primary care and chronic disease programs
High-volume hypertension and chronic care programs generate the largest standing pool of camera-derived vitals. The risk here is cumulative: thousands of patients measured repeatedly create a longitudinal dataset that is valuable to attackers and heavily regulated. CIOs running these programs should prioritize retention minimization and segmentation so a single breach cannot expose an entire panel.
Behavioral health and specialty visits
Behavioral health televisits increasingly capture stress and heart rate variability signals derived from the same facial video. Because records from federally assisted substance use disorder programs carry additional confidentiality protections under 42 CFR Part 2, the sensitivity of the derived data climbs in those encounters even when the technical pipeline is identical to primary care. HIPAA telehealth vitals governance in these settings should account for the heightened classification of the underlying encounter.
Rural and access-focused deployments
Programs that extend care into low-connectivity regions sometimes lean on cloud processing to offload computation from older patient devices. That convenience sends raw video off the device and out of the organization's network to a vendor cloud, which is precisely the pattern that demands the strictest contractual and encryption controls. Secure camera vitals in these settings is an architecture decision before it is a procurement decision.
Current research and evidence
The research base now spans both clinical performance and privacy engineering. A 2023 systematic review of camera-based vital sign monitoring indexed in PMC documented heart rate, respiratory rate, and oxygen saturation estimation from standard cameras across dozens of studies, establishing that the clinical signal is real and the data therefore worth protecting. On the privacy side, work indexed in PubMed under the heading of facial privacy protection for remote photoplethysmography demonstrates anonymization methods that strip identifiable facial features while preserving the physiological signal, an approach that directly addresses the biometric exposure CIOs worry about.
Legal analysis from firms including Morgan Lewis and Foley & Lardner, published in early 2025, agrees that the proposed HIPAA Security Rule changes would convert encryption and multi-factor authentication from addressable to mandatory, eliminating the discretion many organizations previously exercised. Industry reporting through 2024 and 2025 also tracks the expansion of state biometric statutes, with several states adding informed-consent and retention requirements that reach facial video regardless of HIPAA coverage. The consistent message across clinical and legal sources is that camera-derived vitals are simultaneously useful enough to deploy widely and sensitive enough to demand controls beyond a standard telehealth security baseline.
The future of televisit vital signs security
Three shifts will shape the next procurement cycle. First, mandatory encryption and authentication will become table stakes rather than differentiators once the HIPAA rulemaking finalizes, expected in late 2025 with enforcement phasing into 2026. Vendors that treat these as optional today will not survive enterprise diligence tomorrow. Second, privacy-preserving processing, where raw facial frames never leave the device and only de-identified signal moves downstream, will move from research papers into product requirements. Third, biometric-specific consent will become a standard line item in virtual care intake, driven by state law rather than federal action.
For CIOs, the strategic posture is to treat camera-based vitals as a governed data product with a defined lifecycle, not as a feature bolted onto a video platform. The organizations that document architecture, minimize retention, and contract precisely will deploy faster because their security reviews will already be answered. The organizations that defer these questions will find them surfacing during an audit or a breach investigation, which is the most expensive possible time to address them.
Frequently asked questions
Is camera-based vital sign data considered PHI under HIPAA? Yes. When a covered entity or its business associate captures vital signs that are tied to an identifiable patient during a clinical encounter, the data is electronic protected health information. The facial video used to derive those vitals is also biometric data and may carry additional obligations under state law even where HIPAA already applies.
What is the single most important control for secure camera vitals? Minimizing retention of raw facial video is the highest-value control. If raw frames are processed and discarded rather than stored, the most sensitive asset never sits at rest, which shrinks both the attack surface and the breach-notification exposure. Encryption and multi-factor authentication are essential complements, and both are slated to become mandatory under the 2025 HIPAA Security Rule proposal.
Do state biometric privacy laws apply if we are already HIPAA compliant? They can. Statutes in states such as Illinois, Texas, Washington, and Colorado impose consent and retention duties on biometric data that operate independently of HIPAA. A deployment can satisfy HIPAA and still need updated consent language and retention policies to meet state biometric requirements, so legal review should cover both regimes.
What should we ask a vendor first during diligence? Ask where facial video is processed and whether raw frames ever leave the patient's device. That single answer determines the architecture pattern, the attack surface, and the rest of your diligence checklist, including BAA scope, encryption key custody, and independent security attestations.
Circadify is building camera-based vital signs capture for health systems with these governance questions designed in rather than retrofitted, including EHR-integrated workflows and a security posture aligned to evolving HIPAA requirements. CIOs and clinical informatics leaders can request a health system demo and a walkthrough of clinical and compliance workflows for camera-based vitals at circadify.com/solutions/telehealth.
