Tech Support : support@biometrica.com

Contact
Healthcare

How Safience Works in Your Hospital

One sensor. One image. One question answered in 60 seconds: is the person entering this facility a known threat or a known victim? Here is exactly how the architecture works, from edge capture to informed action — without ever creating Protected Health Information.

Schedule a Technical Architecture Review Back to Healthcare
<100KB
Per Event

Single encrypted JPEG face crop per entry event — no video, no audio, no continuous monitoring inside clinical spaces

60 sec
Response Time

From edge capture to human-verified, actionable alert delivered to hospital security and, when appropriate, local law enforcement

5
Architecture Layers

Sensor, Platform, RAC, Data, and QAPLA layers — each independent with separate access controls

Zero
Data for Non-Matches

99.99%+ of patients, visitors, and staff generate zero data — image deleted instantly upon no-match determination

Five Layers. Each Independent. All Privacy-by-Architecture.

Layer 1: Sensor Layer (RTIS/RVIS Edge Devices)

Dedicated edge sensors deployed at emergency department entrances, pediatric wings, behavioral health units, pharmacy areas, and main facility entry points. Purpose-built hardware, not repurposed CCTV cameras. Single <100KB JPEG face crop per entry event. No video recording. No audio capture. No on-device watchlist storage. No on-device data retention. Images are encrypted, transmitted, and deleted from the device immediately. Power over Ethernet — single cable for power and data. A compromised sensor reveals nothing because it stores nothing. Architecturally incapable of capturing exam rooms, patient beds, or clinical procedures.

Layer 2: Platform Layer (Matching Engine)

Cloud-hosted matching infrastructure where all identity comparison occurs. SOC 2-compliant. Encrypted in transit and at rest. Simultaneous RTIS threat and RVIS victim matching on every image. Non-match images deleted immediately upon no-match determination. No persistent storage of non-match data at any point in the pipeline. No clinical context attached. No patient identifier attached. The platform compares faces against law-enforcement-sourced identities — it never knows or cares whether the person walked into the ED, the lobby, or a parking garage.

Layer 3: RAC Layer (Human Verification)

The Rapid Action Center — a 24/7 staffed operations center where trained analysts verify every candidate match before any alert is generated. Analysts confirm visual match against the source law enforcement record. Verified matches generate documented alerts with analyst identification and timestamp. Rejected matches result in image deletion and zero notification. RAC analysts cannot access hospital systems, EHR records, or any clinical data. This step is mandatory, not optional — no autonomous decisions reach hospital security.

Layer 4: Data Layer (UMbRA, X-LST, eMotive)

Three distinct data stores with separate access controls, separate purposes, and separate data handling rules. UMbRA provides 56M+ law-enforcement-sourced identities updated hourly. X-LST enables facility-controlled compartmented watchlists — banned patients, individuals subject to trespass orders, former employees with restraining orders — that Safience cannot see. eMotive delivers FCRA-compliant continuous criminal monitoring with patented dual face+name matching for clinical staff, contractors, volunteers, and vendors.

Layer 5: QAPLA Layer (Investigative Tool)

A standalone, browser-based 1:1 facial image comparison tool for authorized investigators. Strictly 1:1 comparison — one reference photo vs. one trigger image. No database search, no one-to-many matching. Does not connect to UMbRA, X-LST, RTIS, or RVIS. Human-initiated, human-interpreted. Used by hospital security investigators and partnered law enforcement when they need to confirm whether a specific individual in one image is the same person in another image — an active baby-abduction case, an infant-swap inquiry, an identity dispute on a discharge record.

  • Instant non-match deletion — 99.99%+ of patients, visitors, and staff generate zero data. Image captured at the entry point, compared, no match found, deleted instantly. No record, no log, no metadata.
  • No video, no audio, no continuous monitoring — a single still image per entry event. No monitoring inside exam rooms, patient rooms, behavioral health units, treatment areas, or staff break rooms.
  • No biometric templates stored — no faceprint database, no biometric identifier archive. Nothing to breach, subpoena, or regulate under BIPA, CCPA, or any state biometric privacy statute.
  • No Protected Health Information created — no patient identifier is attached to a face crop, no clinical context is captured, and no record is ever associated with a diagnosis, treatment, or visit. The platform is architecturally incapable of creating PHI.
  • Exceeds NIST OSAC Technical Guidance Document 0008 — non-match deletion is a hard architectural constraint, no video exists at any system tier, and third-party algorithm providers receive zero identity data.
  • Law enforcement data only — UMbRA contains only law-enforcement-sourced, verified identities. No social media scraping, no commercial data aggregation, no DMV photos, no patient ID photos, no EHR data.

Network Impact and Deployment for Your CISO

Your CISO will ask three questions: how much bandwidth does this consume, how does it sit on our network, and how does it interact with clinical systems and the EHR. Here are the answers.

  1. Bandwidth and Network Load

    Single <100KB JPEG per event (typical ~30KB). Encrypted transmission over HTTPS. No video or audio streaming. VLAN-segmented — sensors operate on a dedicated network segment isolated from clinical networks, EHR traffic, and medical device VLANs. A sensor generating 100 events per hour transmits approximately 3MB per hour total. Sensor traffic never touches PHI-bearing systems.

  2. Peak Load Capacity

    A large academic medical center with multiple ED entrances, ambulatory clinics, pediatric wings, and tower lobbies: each entry sensor processes events independently. Total bandwidth across the entire campus remains in the single-digit megabytes per hour range. No bottleneck. No queuing. Sensor performance is unaffected by clinical network load during code events, mass casualty incidents, or shift change.

  3. IoT Device Management

    Purpose-built edge sensor, not a repurposed IP camera. Power over Ethernet (PoE). No on-device storage or watchlist data. Firmware updates managed remotely by Safience with no in-house IT labor required. Tamper-resistant housing with indoor models suited for clinical environments and outdoor models for ambulance bays and parking entrances. Sensors do not appear on the same network as infusion pumps, monitors, or other connected medical devices.

  4. Zero On-Premises Infrastructure

    No on-premises server infrastructure. No local database. No video management system. The entire Safience platform is cloud-hosted and SOC 2-compliant. No integration with the EHR. No integration with ADT feeds. No integration with patient registration. Your facility provides network connectivity and physical mounting points. Safience provides everything else.

HIPAA Data Flow Summary

Data Flow Stage Data Created Data Stored HIPAA Classification
Edge Capture Single <100KB face crop JPEG None — image deleted from sensor immediately after encrypted transmission Not Protected Health Information — no patient identifier attached, no clinical context, no association with treatment or visit
Platform Matching (Non-Match) Comparison result: no match None — image deleted immediately Not Protected Health Information — data does not exist after deletion
Platform Matching (Candidate Match) Comparison result: candidate match to LE record or facility watchlist Temporarily held pending human verification Not Protected Health Information — data relates to criminal history or facility restriction, never to a clinical encounter
Human Verification (Rejected) Verification decision: match rejected None — candidate image deleted Not Protected Health Information — no data retained
Human Verification (Confirmed) Verification decision: match confirmed Alert documentation with LE source data, timestamp, and analyst ID Not Protected Health Information — documentation relates to criminal identity intelligence, not a patient record
Alert Delivery Alert notification to authorized hospital security personnel Alert record in audit trail Not Protected Health Information — notification concerns criminal history or safety restriction and is never written back to the EHR by Safience

60 Seconds from Hospital Entry to Informed Action

Every Safience deployment — whether at an emergency department entrance, a pediatric wing, a behavioral health unit, or a main lobby — follows the same architecture and the same timeline. The scenario changes. The process does not.

  1. Edge Capture

    0:00

    An RTIS sensor at the facility entrance captures a single face-crop image as an individual enters. Approximately 30KB, never exceeding 100KB. No video. No audio. No continuous monitoring. The sensor captures one image per entry event, encrypts and transmits it, and deletes it from the device immediately. The patient, visitor, or staff member is never inconvenienced and never stopped.

  2. Platform Matching

    0:05

    Two matching operations run simultaneously on every image. RTIS compares against UMbRA’s 56M+ law-enforcement-sourced identities and X-LST watchlists. RVIS simultaneously searches NCMEC, NamUs, and LE-designated missing persons. If no match: image deleted instantly. Zero data. Zero record.

  3. Human Verification at the RAC

    0:15

    A trained analyst at the Safience Rapid Action Center reviews and confirms the candidate match. No autonomous decisions. No automated alerts. This step is mandatory on every candidate match — RTIS, RVIS, and X-LST alike. False-positive liability is eliminated here, before any notification reaches hospital security or clinical leadership.

  4. Documentation

    0:30

    A verified match is documented with the matched identity record, verification decision and analyst identifier, timestamp of detection, and supporting evidence sufficient for a defensible security or law enforcement response. This audit trail supports Joint Commission Workplace Violence Prevention standards, OSHA documentation requirements, and litigation defense.

  5. Informed Action

    0:60

    A verified, documented alert is delivered to the appropriate facility personnel. Warrant matches route to hospital security and, when policy dictates, local law enforcement. Sex offender matches route to security with awareness of pediatric and behavioral health proximity. X-LST matches — banned patients, trespass orders, former employees with restraining orders — route only to authorized personnel for that watchlist category. RVIS matches route to security and law enforcement with case details. Alert routing is compartmented — no cross-contamination, no clinician interruption.

See the Dual Mission in Action

Dual Mission: Threat Detection + Victim Recovery

See How RTIS Protects the Emergency Department

Emergency Department

Back to the Healthcare Hub

Healthcare

See the Architecture. Ask the Hard Questions.

Schedule a Technical Architecture Review with your CISO, General Counsel, Chief Compliance Officer, and Director of Security in the room. Walk through the data flows, the privacy architecture, the network specifications, and the HIPAA alignment documentation. We built this platform for the people who ask the hardest questions. Bring yours.

Schedule a Technical Architecture Review Contact Us