DEA-Compliant Security Cameras and Pharmacy Surveillance Systems for Oklahoma and North Texas Independent Pharmacies
Every independent retail, hospital, and compounding pharmacy operates under one of the most layered compliance burdens in any healthcare adjacent industry. The federal
Drug Enforcement Administration regulates controlled substance handling under
21 CFR Part 1301, with specific physical security standards in
§1301.71 through
§1301.76 — secure storage construction, alarm system requirements, restricted access controls, biennial inventories, perpetual Schedule II inventory tracking, and theft and loss reporting on
DEA Form 106 with initial written notification to the DEA Field Division within
one business day of discovery.
State boards of pharmacy add another layer on top. The
Oklahoma State Board of Pharmacy, under Title 535 of the Oklahoma Administrative Code, updated its physical security rules effective September 2023 —
OAC 535:15-3-4(8) now
explicitly requires an electronic alarm and video recording system to provide protection against theft and diversion. The
Texas State Board of Pharmacy regulates Class A community pharmacies, Class B nuclear pharmacies, Class C institutional pharmacies, and Class E non-resident pharmacies under 22 TAC Chapter 291, with operational standards in
§291.33 requiring at minimum a basic alarm system with off-site monitoring, perimeter and motion sensors, and explicit provision for additional surveillance camera systems. Texas pharmacies must also produce records to the Board within 72 hours of an authorized request — and
“we’d have to call the cloud company” is not a 72-hour answer.
HIPAA and the
Texas Medical Records Privacy Act under Chapter 181 of the Texas Health and Safety Code apply on top of all of it.
PCI DSS 4.0 applies to every pharmacy running card payments.
The compliance stack is genuinely four agencies deep, and the penalty for getting it wrong is the license — and in serious cases, criminal exposure under the Controlled Substances Act.
The DEA reported nearly 900 pharmacy burglaries involving controlled substance theft in 2023 alone. In May 2024, Palm Care Pharmacy in San Diego paid $350,000 to resolve allegations of controlled substance mishandling traced to inventory and recordkeeping failures from 2018 through 2022 —
a four-year compliance gap that surfaced in a single DEA investigation. Robberies and after-hours break-ins are not abstract risks for independent pharmacies. They are the operational reality, and the surveillance posture either documents the event or fails to.
Most independent pharmacies we walk through are running consumer-grade DVR systems with thirty days of retention and no integration between cameras, alarms, and the access control on the controlled substance vault.
That is a single-stack defense against a four-agency compliance burden, and it does not survive the first DEA Diversion Investigator who asks for footage from sixty days ago.
Red River Integration deploys the
Ubiquiti UniFi ecosystem — enterprise infrastructure used in hospitals, universities, and critical-care facilities worldwide — engineered specifically for the pharmacy operation. The dispensing counter. The Schedule II vault. The compounding hood. The drive-through. The back door where wholesalers deliver. Every system we install is designed around DEA requirements, state board expectations, HIPAA technical safeguards, and the audit posture that protects the license when an investigator walks in unannounced.
What DEA and State Boards Actually Require. What We Build.
Continuous Surveillance of Vault, Dispensing, and Compounding Areas
DEA security factors under
21 CFR §1301.71(b) explicitly evaluate the adequacy of detection systems, supervision over employees with controlled substance access, and procedures for handling visitors and service personnel. Oklahoma’s
OAC 535:15-3-4(8) makes video recording an
explicit requirement. Texas
§291.33 strongly encourages it as additional security on top of mandated alarms.
UniFi Protect delivers commercial-grade camera coverage across every operationally relevant zone — controlled substance vault interior and exterior, dispensing counter, compounding areas, will-call shelves, drive-through windows, back-door receiving, and customer-facing retail.
AI-based detection identifies people and vehicles. License plate recognition logs every wholesaler delivery and every after-hours visitor. Recording is continuous to local NVR hardware
regardless of internet status — the cameras keep recording whether the internet is up or down.
All footage records to storage hardware you own, inside the pharmacy, accessible only by personnel you authorize.
Retention That Survives the Investigation Timeline
DEA Diversion Investigators routinely reference incidents that occurred sixty, ninety, or more days before the inspection. Robbery footage matters in the days, weeks, and sometimes months of follow-up investigation. Internal diversion cases often surface in cycle counts that flag discrepancies traceable back to a specific shift weeks earlier. UniFi Protect is configured with retention windows sized for actual investigation timelines —
typically 90 to 180 days, longer where the operation’s risk profile or carrier requirements warrant it.
Footage is organized and searchable by date, time, camera, and event. When DEA, the Oklahoma or Texas State Board of Pharmacy, or law enforcement requests recordings of a specific date or shift, you produce them from your own storage in minutes — and you produce them
within the 72-hour window Texas explicitly requires.
Restricted Access to the Vault and Prescription Department
21 CFR §1301.75 requires controlled substances to be stored in securely locked, substantially constructed cabinets, and the §1301.71(b) security factors require accountability measures around employee access. Texas
§291.33 requires pharmacist-in-charge documentation of every individual authorized to enter the prescription department, with written records of any non-employee who accessed the area while a pharmacist was off-site. Oklahoma applies analogous restrictions through OAC Title 535.
UniFi Access enforces and documents every one of those requirements at the physical layer. Every door to the vault, the prescription department, the compounding area, and the after-hours staff entry is logged with timestamp, credential, and a camera-linked video record. Time-based permissions automatically restrict access outside authorized hours. Credentials revoke from the management console in seconds when an employee separates —
no rekeying, no lock changes, no exposure window between termination and access removal.
When DEA asks who accessed the Schedule II vault on a specific date and time, you produce a timestamped, video-confirmed answer in seconds. When an internal diversion investigation begins, you have the credential trail and the footage from the same platform.
Alarm System Integration and Central Station Monitoring
The DEA’s
§1301.71(b) security factors evaluate the adequacy of alarm and detection systems. Oklahoma’s updated
OAC 535:15-3-4(8) reinforces this with explicit electronic alarm requirements. Texas
§291.33 requires at minimum a basic alarm system with off-site monitoring.
UniFi Protect integrates intrusion detection, glass break sensing, and motion-triggered alerting into the same platform that runs cameras and access control. After-hours triggers transmit alerts
with embedded video to your central station monitoring service or directly to the pharmacist-in-charge.
Police arrive with footage already captured. Robbery and burglary insurance claims are filed with documented evidence in hand, not reconstructed from memory.
The Cloud Camera Problem in a HIPAA-Covered Environment
Most cloud-based camera and access control vendors
do not sign a Business Associate Agreement. A camera at the dispensing counter that captures a patient’s name on a prescription bottle, a label visible during fill, or an identifying conversation between the pharmacist and the patient is capturing PHI-adjacent imagery. If that footage is stored on a third-party cloud server without a BAA — which is the default for nearly every consumer-grade and prosumer-grade surveillance product — the pharmacy is, technically, transmitting PHI to a third party with no compliant agreement in place.
For Texas pharmacies,
Chapter 181 of the Texas Health and Safety Code defines covered entity more broadly than HIPAA — extending to virtually any organization that
assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI of a Texas resident. Your cloud camera vendor is almost certainly a covered entity under Texas law whether they know it or not. The pharmacy is responsible for the relationship.
Every system Red River Integration deploys records and stores locally. Footage lives on Network Video Recorder hardware
you own, inside the pharmacy, on a network segment isolated from your dispensing system and your business network. No third-party cloud. No vendor servers.
No BAA gap because there is no third party in the loop.
Network Infrastructure for Dispensing Systems and PCI DSS
UniFi enterprise networking provides the foundation — managed switches, enterprise routers, professionally configured wireless coverage — with proper VLAN segmentation that isolates dispensing systems, point-of-sale, surveillance and access control, e-prescribing infrastructure, guest Wi-Fi, and back-office systems from each other.
PCI DSS 4.0 now requires segmentation between the cardholder data environment and the rest of the pharmacy network, and UniFi makes that segmentation straightforward to implement and document.
Network segmentation is also
the technical safeguard most overlooked in independent pharmacy IT. A flat network — where every device sees every other device — means a compromised guest device or a compromised IoT thermostat
can reach your dispensing system. Proper segmentation eliminates that path entirely.
Cellular Failover for Uninterrupted Access and Alerts
UniFi Protect records continuously to local NVR hardware on your network
regardless of internet status — that footage is captured and retained on infrastructure inside the pharmacy, not dependent on a cloud connection. What an internet outage
does compromise is everything that depends on a working connection: alarm signal transmission to central station monitoring, e-prescribing and PMP submission, point-of-sale and insurance claim adjudication, real-time alert delivery to the pharmacist-in-charge, and the management plane for surveillance and access control.
UniFi 5G Max provides automatic dual-SIM cellular failover — the moment your primary connection drops, the system fails over without manual intervention and your alarm signaling, e-prescribing, point-of-sale, and management capabilities
stay online without interruption. For pharmacies in rural service areas across Southwest Oklahoma and North Texas where wired internet reliability is inconsistent, 5G Max can also serve as the primary connection —
the difference between a continuous compliance posture and an alarm signal that didn’t transmit.
Why Local, Private Infrastructure Matters Specifically for Pharmacies
Cloud-based surveillance vendors create a uniquely poor fit for pharmacies. Your operational data — every dispensing event, every customer interaction, every employee shift in proximity to controlled substances, every after-hours alarm — is stored on servers owned and operated by a third party, in jurisdictions you do not control, accessible to parties beyond the pharmacy under terms accepted without legal review. When a vendor is breached, your footage and your access logs are exposed. When a vendor changes pricing or sunsets a product line, your access to your own footage is at their discretion. When a subpoena lands on the vendor instead of you, you may never know it was served.
For a DEA-registered facility operating under HIPAA — and, in Texas, under Chapter 181 — that architecture is
exactly the wrong choice.
Every system Red River Integration deploys records and stores locally.
Footage stays on hardware you own, inside the pharmacy, accessible only by personnel you authorize. Access logs stay on systems you control. When DEA, a state board investigator, an insurance carrier, or law enforcement requests footage with a proper legal basis, you produce it from your own storage on your own systems — and only in response to that legal basis.
Built for Your Pharmacy Type
- Independent Community Pharmacies (Class A in Texas) — Independent retail pharmacies are the largest pharmacy category and the most common DEA inspection target. We design surveillance, access control, and alarm infrastructure that satisfies DEA Diversion Investigator expectations, state board inspection standards, and insurance carrier requirements from a single integrated platform.
- Compounding Pharmacies (Sterile and Non-Sterile) — Compounding operations layer USP 795 (non-sterile) and USP 797 (sterile) compliance on top of standard pharmacy regulation, with specific cleanroom access documentation and chain-of-custody requirements for compounded preparations. We design infrastructure that documents every entry to the cleanroom and every step of the compounding workflow.
- Hospital and Institutional Pharmacies (Class C in Texas) — Hospital pharmacy operations carry 24/7 dispensing requirements, automated dispensing cabinet integration, and the additional layer of accreditation body expectations on top of DEA and state board oversight. We engineer infrastructure for the operational profile of a hospital pharmacy without imposing enterprise IT overhead.
- Long-Term Care and Closed-Door Pharmacies — Pharmacies serving long-term care facilities, nursing homes, and correctional institutions face unique transport documentation, chain-of-custody, and bulk controlled substance handling requirements. We design systems engineered for the volume and the documentation burden.
- Specialty and Infusion Pharmacies — Specialty pharmacies handling oncology, hemophilia, transplant, and infusion therapies manage high-value inventory under strict cold-chain and chain-of-custody requirements. The combination of DEA, state board, manufacturer, and payer audit expectations is genuinely demanding. We deliver infrastructure engineered for that combined posture.
Every Installation Is Engineered for That Pharmacy. Not Adapted From a Template.
We don’t sell a standard pharmacy package. We assess your pharmacy class, your DEA schedules, your state board posture, your facility layout, your insurance carrier requirements, and the gaps in your current infrastructure — and we engineer a system that satisfies every regulator, every carrier, and every audit from a single integrated platform.
Built on the
Ubiquiti UniFi ecosystem — enterprise infrastructure deployed in hospitals, universities, and critical-care facilities worldwide — installed and configured by a team that understands the difference between equipment a vendor calls “DEA-compliant” and a system that
actually satisfies 21 CFR Part 1301,
OAC 535:15-3-4,
22 TAC §291.33, and the additional protections in HIPAA and
Chapter 181 of the Texas Health and Safety Code.
Serving Southwest Oklahoma and North Texas
Red River Integration serves independent pharmacies, compounding operations, and institutional pharmacy departments across Southwest Oklahoma — including Lawton, Duncan, Altus, Chickasha, Anadarko, Ardmore, and the surrounding counties — and across North Texas, including Wichita Falls and the surrounding communities.
Ready to Talk About Your Pharmacy?
Your DEA registration, your state board license, and your patients’ trust are too valuable to trust to consumer-grade equipment and a cloud you don’t control.
Call us at
(580) 289-8181 or fill out the form on our
contact page. Consultations are confidential and there’s no obligation.
