Under current law, unattended screens showing patient data are an OCR enforcement risk. In 2026, the rules get stricter — and the opt-outs disappear entirely.
Every safeguard becomes fully mandatory — no opt-outs, no alternatives. Final rule expected May 2026, with a 180-day compliance window. Organizations that wait for the final rule are already behind.
OCR expects every covered entity to implement session termination on unattended workstations — or produce written justification.
"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."
"Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation."
Auditors cite unattended screens as a root cause of reportable breaches: a patient seeing another patient's chart, a visitor at an unlocked terminal, an employee accessing records without authorization. Any of these can open an investigation. An investigation can open a fine.
The gap isn't your policy. It's the absence of screen threat detection.
Four automated protection modes — each producing the audit trail §164.312 requires.
No authorized user detected → session locks within seconds
Unauthorized face near screen → session terminates immediately
Confirms the right person stays at the workstation throughout the session
Phone aimed at screen → display and USB ports disabled instantly
This entry demonstrates automated detection + response — exactly what §164.312 compliance requires.
The fine for willful neglect starts at $71,000 per violation and reaches $2.19M. The reputational cost of a photographed patient record has no ceiling.
Early customers receive Founding Customer pricing + complimentary OCR audit simulation.