Screenshot PHI Handling

Background

The NVS VA management application has an upcoming feature that takes screenshots of VA sessions. Because VA sessions interact with the NHC Django API and may display patient data, screenshots may contain PHI.

HIPAA Scope Note

Even though screenshots are stored in the NVS account (internal tooling), the S3 bucket holding them is in HIPAA scope because it may contain PHI. NHC-equivalent encryption and access controls apply.

Data Flow

VA Session (browser/app)
    │
    ▼ Screenshot taken
NVS Screenshot Service (EC2)
    │
    ▼ PUT (server-side, never client-direct)
S3 Bucket: nvs-screenshots-phi (SSE-KMS encrypted)
    │
    ▼ Access
Authorized IAM roles only (no public access)

Technical Controls Required

| Control | Implementation | Status |
|---|---|---|
| Encryption at rest | SSE-KMS with NVS KMS CMK | ❌ Pending |
| Block all public access | S3 Block Public Access = true | ❌ Pending |
| IAM-only access | Bucket policy denies non-IAM access | ❌ Pending |
| Access logging | S3 server access logs → separate log bucket | ❌ Pending |
| Versioning | Enabled (supports retention policy) | ❌ Pending |
| CloudWatch anomaly alert | Alert on unusual GetObject volume | ❌ Pending |
| Lifecycle policy | Align with data retention policy | ❌ Pending |
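
The bucket-level rows of the controls table can be checked mechanically once they are implemented. The following is an added example, not NVS code: it takes dicts shaped like the boto3 S3 responses named in its first comment and reports which controls fail. The sample configurations, key ARN, log bucket name and day counts are constructed placeholders.

```python
# Added example, not NVS code. Inputs mirror boto3 S3 responses: get_bucket_encryption, get_public_access_block,
# get_bucket_logging, get_bucket_versioning, get_bucket_lifecycle_configuration.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(bucket, enc, pab, logging_cfg, versioning, lifecycle):
    """Return {control name: bool} for the five bucket-level controls."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    block = pab.get("PublicAccessBlockConfiguration", {})
    target = logging_cfg.get("LoggingEnabled", {}).get("TargetBucket")
    enabled = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    return {
        # A missing key ID means the AWS-managed aws/s3 key, not a customer-managed CMK.
        "Encryption at rest": bool(defaults) and all(
            d.get("SSEAlgorithm") == "aws:kms" and d.get("KMSMasterKeyID") for d in defaults),
        "Block all public access": all(block.get(f) is True for f in PAB_FLAGS),
        # Logs must go to a separate bucket, never back into the PHI bucket.
        "Access logging": bool(target) and target != bucket,
        "Versioning": versioning.get("Status") == "Enabled",
        # With versioning on, Expiration only adds a delete marker; old versions stay
        # until NoncurrentVersionExpiration removes them.
        "Lifecycle policy": any("Days" in r.get("Expiration", {}) for r in enabled)
            and any("NoncurrentVersionExpiration" in r for r in enabled),
    }

def failing(results):
    return sorted(name for name, ok in results.items() if not ok)

# Constructed sample configurations (key ARN, log bucket name and day counts are placeholders).
GOOD = dict(
    enc={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE"}}]}},
    pab={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    logging_cfg={"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"}},
    versioning={"Status": "Enabled"},
    lifecycle={"Rules": [{"ID": "retention", "Status": "Enabled", "Expiration": {"Days": 30},
                          "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]},
)
WEAK = dict(
    enc={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    pab={"PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_FLAGS, True), "BlockPublicPolicy": False}},
    logging_cfg={"LoggingEnabled": {"TargetBucket": "nvs-screenshots-phi", "TargetPrefix": "logs/"}},
    versioning={"Status": "Suspended"},
    lifecycle={"Rules": [{"ID": "retention", "Status": "Enabled", "Expiration": {"Days": 30}}]},
)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, failing(audit_bucket("nvs-screenshots-phi", **cfg)))
```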

Access Control

Only the following principals may access the screenshot bucket:

| Principal | Access Level | Justification |
|---|---|---|
| NVS Screenshot Service IAM role | PutObject | Write screenshots |
| NVS App IAM role (specific users) | GetObject | View screenshots in app |
| DevOps admin role | Full (break-glass only) | Incident investigation |
| No other principals | Denied | Enforce least privilege |

Policy Requirements

  • Screenshots must not be downloaded to personal devices
  • Screenshots must be deleted per the Data Retention Policy
  • Any screenshot containing PHI must be treated as PHI — same handling rules apply
  • Access to screenshots must be logged and auditable

Incident Trigger

If the CloudWatch anomaly alarm fires on the screenshot bucket, treat it as a potential PHI breach and follow the Incident Response Plan.