45 CFR §164.312 requires automatic logoff for sessions that access ePHI, and §164.310 requires physical safeguards for the workstations themselves, but a standard inactivity timeout satisfies only part of those requirements. PHI visual protection means detecting a threat to the screen while the session is still active, not only after the screen has been left unattended.
Three provisions together define what HIPAA compliant screen security looks like. Each has distinct enforcement risk.
§164.312(a)(2)(iii), Automatic logoff: "Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity." This is the core screen lock requirement. Today it is an "addressable" implementation specification; the proposed Security Rule update (expected to be finalized for 2026) would remove the addressable category, so the opt-out disappears and the control becomes required.
§164.310(b) and (c), Workstation use and security: policies must specify the physical attributes of the surroundings of each workstation (or class of workstation) that accesses ePHI, and physical safeguards must restrict those workstations to authorized users. OCR expects you to control who can see the screen, not just who can log in.
§164.312(b), Audit controls: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI." Screen lock, logoff and unlock events must be recorded with the account and timestamp, and be reviewable, to survive an OCR investigation.
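The two of these provisions a workstation can enforce on its own, the inactivity limit and the lock/unlock audit trail, are the baseline an OCR investigator will ask for evidence of regardless of any additional detection layer. The script below is an added example of collecting that evidence on a Windows endpoint; it is not ScreenStop code and not part of the original page. It reads the "Interactive logon: Machine inactivity limit" policy value (the `InactivityTimeoutSecs` registry value), checks that the "Other Logon/Logoff Events" audit subcategory is enabled so that workstation lock (4800) and unlock (4801) events are written to the Security log, and pulls the last week of those events. The 900-second threshold is an assumed organizational policy value; run it in an elevated session, since `auditpol` and the Security log require administrator rights.

```powershell
# Added example (not ScreenStop or Microsoft-supplied code): evidence check for
# the automatic-logoff and audit-control provisions on a Windows workstation.
# $MaxIdleSeconds is an assumed policy value; adjust to your documented standard.
$MaxIdleSeconds = 900

# 1. Inactivity limit ("Interactive logon: Machine inactivity limit").
#    A value of 0 or an absent value means no machine-wide lock is enforced.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $idle -or $idle -eq 0) {
    Write-Output "FAIL: no machine inactivity limit configured (InactivityTimeoutSecs unset or 0)"
} elseif ($idle -gt $MaxIdleSeconds) {
    Write-Output "FAIL: inactivity limit of $idle s exceeds the $MaxIdleSeconds s policy"
} else {
    Write-Output "PASS: inactivity limit is $idle s"
}

# 2. Audit policy: lock/unlock events 4800/4801 are only logged when the
#    "Other Logon/Logoff Events" subcategory audits Success.
$auditLine = auditpol /get /subcategory:"Other Logon/Logoff Events" |
             Select-String 'Other Logon/Logoff Events'
if ($auditLine -and ($auditLine.ToString() -match 'Success')) {
    Write-Output "PASS: lock/unlock auditing enabled ($($auditLine.ToString().Trim()))"
} else {
    Write-Output "FAIL: lock/unlock events are not audited; fix with:"
    Write-Output '      auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable'
}

# 3. The audit trail itself: lock (4800) and unlock (4801) events, last 7 days.
#    Properties[1] is the TargetUserName field on these two event IDs.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Event';   e = { if ($_.Id -eq 4800) { 'Locked' } else { 'Unlocked' } } },
                  @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Note what this check cannot show: it proves the screen locks after idle time and that the lock is recorded, which is the part of the requirement a timeout covers. It says nothing about who was in front of the screen during the active session, which is the gap the rest of this page is about.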
A screen timeout only responds after inactivity. HIPAA requires you to prevent unauthorized viewing — which can happen in seconds, with the authorized user still present.
PHI visual protection means covering all four vectors — not just the unattended screen case.
Authorized user leaves — ScreenStop detects absence and locks within seconds, logging departure time and session context.
Unauthorized face detected near screen — session terminates immediately. Works while the authorized user is still seated.
Phone aimed at screen triggers instant display blackout and USB disable — before any image can be captured or transmitted.
Continuous presence verification confirms that the same authorized person remains at the workstation throughout the session, catching credential sharing and one user handing an unlocked session to another.
What OCR expects to see documented in your next audit.
ScreenStop runs on-device, requires no cloud connection, works with existing webcams, and generates the audit log OCR expects to find. Deployment takes hours, not months.
References 45 CFR §164.312 and §164.310. Consult qualified HIPAA counsel for organization-specific guidance.