45 CFR 164.310 Explained: HIPAA Physical Safeguards Requirements and Examples


Kevin Henry

HIPAA

April 02, 2026

Facility Access Controls

What this standard requires

45 CFR 164.310(a) directs you to limit physical access to facilities and systems that store or process electronic protected health information (ePHI), while ensuring authorized access remains available. Your objective is to prevent unauthorized entry, tampering, and theft without impeding clinical operations or disaster recovery.

Implementation specifications (addressable)

  • Contingency operations: Define how authorized personnel gain facility access during emergencies to support disaster recovery and emergency-mode operations.
  • Facility security plan: Document physical protections—locks, alarms, cameras, guards, barriers—covering all areas where ePHI systems reside.
  • Access control and validation procedures: Verify role-based authorization for employees, contractors, vendors, and visitors; manage badges, keys, and visitor escorts.
  • Maintenance records: Track repairs and modifications to doors, locks, walls, cages, UPS units, and other security-relevant components.

Practical examples of physical access controls

  • Badge readers and unique IDs at data closets; automatic door re-locking and anti-tailgating signage.
  • Visitor management with government ID verification, reason-for-visit logging, time-bound badges, and mandatory escort protocols.
  • Segregated server rooms with CCTV coverage, locked racks, and environmental sensors for temperature, humidity, and water.
  • Key control procedures, spare-key logs, and quarterly audits of who holds physical access to restricted zones.
  • Emergency access kits that include contact trees, alternate entry points, and generator start procedures.

Documentation essentials

  • Written facility security plan aligned to your risk assessment and HIPAA Security Rule compliance objectives.
  • Up-to-date floor plans, asset locations, and access zones mapped to job roles.
  • Change and maintenance records, including vendor work orders and completion attestations.

Workstation Use Policies

Scope and intent

This standard, 45 CFR 164.310(b), requires policies and procedures that specify the functions performed on workstations that can access ePHI, how those functions are to be performed, and the physical attributes of the surroundings of each workstation or class of workstation. You define boundaries so daily work does not expose ePHI to passersby, visitors, or unauthorized staff.

Minimum policy elements

  • Permitted and prohibited uses tied to job duties; no personal use where it could risk ePHI.
  • Physical placement rules to minimize shoulder-surfing; mandate privacy screens in public or semi-public areas.
  • Session management expectations (e.g., lock screen when unattended) as part of workstation security protocols.
  • Data handling rules: no storing ePHI locally when central systems are available; approved encryption if local caching is necessary.
  • Remote and telehealth provisions covering home offices, shared spaces, and mobile carts.
  • Printing, scanning, and faxing procedures with immediate pickup and secure output trays.

Role- and location-based examples

  • Registration desks: privacy screens, counters positioned away from waiting rooms, quick-lock keyboard shortcuts.
  • Clinical pods: monitors angled inward, minimal paper notes near terminals, carts docked to lockable stations.
  • Home use: separate workspace, no smart speakers nearby, family/guest access restrictions, and secure Wi‑Fi configurations.

Awareness and enforcement

Publish concise rules, demonstrate proper behavior during onboarding, and refresh training annually. Reinforce expectations with spot checks and visible reminders near high-risk work areas.

Workstation Security Measures

Physical safeguards you can deploy

  • Secure placement: keep screens out of public view; use privacy filters, monitor hoods, and wall mounts.
  • Hardware protections: cable locks, lockable docking stations, port blockers, and locked drawers for peripherals.
  • Secure carts and tablets: lockable charging cabinets, tether points, and asset tags with tamper seals.
  • Environmental controls: limit workstation density in public areas; restrict after-hours access to rooms with ePHI terminals.

Workstation security protocols

Establish daily behaviors that reduce risk: lock screens when stepping away, store badges securely, and avoid writing passwords near devices. Combine these with periodic inspections to ensure technical and physical measures remain effective.

Verification and upkeep

  • Quarterly walk-throughs to confirm privacy filters, placement, and lock integrity.
  • Inventories that reconcile assigned devices, asset tags, and user roles.
  • Prompt remediation of findings, with evidence retained for audits.

Device and Media Controls

What the standard covers

Under 45 CFR 164.310(d), you must manage the receipt and removal of hardware and electronic media containing ePHI into and out of your facilities, their movement within a facility, and their re-use and final disposition. That covers drives, tapes, workstations, servers, USB media, and backup media.

Required implementation specifications

  • Disposal (Required): Use a sanitization method matched to the media. Cryptographic erasure counts only when every byte was encrypted before it was written and destruction of the key is verified; degaussing works only on magnetic media (it does nothing to flash and leaves the drive unusable); shredding or pulverizing is the fallback for anything that cannot be reliably purged. NIST SP 800-88 is the usual reference for choosing and verifying a method. Capture certificates of destruction for audit evidence.
  • Media re-use (Required): Sanitize devices before re-deployment. Standardize procedures and verification steps for imaging, wiping, and validation.
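The "verification step" that the disposal and re-use specifications call for is easy to skip and hard to fake after the fact. The following is an added example for this article, not Accountable's code or anything the rule prescribes: a read-back check that scans a retired disk (here a disk image) end to end, counts bytes that are not 0x00, and returns a record that can be appended to an evidence log. The image path, log name and record layout are assumptions; the sample data is constructed.

```python
"""Post-wipe read-back verification for a disk image or block device.

Added example for this article (not Accountable's code). It reads the target
end to end, counts bytes that are not 0x00 and returns a record (UTC time,
path, size, non-zero count, SHA-256 of everything read, PASS/FAIL) that can be
appended to an evidence log. After a zero-fill overwrite the count must be 0;
anything else means the overwrite did not finish or did not cover the whole
host-visible range. Paths, log name and record layout are assumptions.
"""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte media


def scan(path):
    """One full pass over path: return (bytes_read, nonzero_bytes, sha256_hex)."""
    digest = hashlib.sha256()
    size = nonzero = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            size += len(buf)
            nonzero += len(buf) - buf.count(0)  # bytes.count(0) counts 0x00 bytes
            digest.update(buf)
    return size, nonzero, digest.hexdigest()


def verify_zeroed(path, evidence_log=None):
    """Check that path reads back as all zeros; optionally append a JSON line of evidence."""
    size, nonzero, sha = scan(path)
    record = {
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "target": path,
        "bytes": size,
        "nonzero_bytes": nonzero,
        "sha256": sha,
        # An empty read is a FAIL: it usually means the wrong path, not a wiped disk.
        "result": "PASS" if size > 0 and nonzero == 0 else "FAIL",
    }
    if evidence_log:
        with open(evidence_log, "a") as log:
            log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def run_demo():
    """Constructed data: a 64 KiB zeroed image, then the same image with 3 bytes left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "retired-disk.img")
        log = os.path.join(tmp, "sanitization-evidence.jsonl")
        with open(img, "wb") as f:
            f.write(b"\x00" * 65536)
        clean = verify_zeroed(img, log)
        with open(img, "r+b") as f:  # simulate an overwrite that missed one sector
            f.seek(4096)
            f.write(b"PHI")
        dirty = verify_zeroed(img, log)
        with open(log) as f:
            lines = f.read().splitlines()
    return clean, dirty, len(lines)


if __name__ == "__main__":
    clean, dirty, n = run_demo()
    print(clean["result"], clean["nonzero_bytes"])  # PASS 0
    print(dirty["result"], dirty["nonzero_bytes"])  # FAIL 3
    print("evidence lines:", n)                     # 2
```

Run it against a real device by calling verify_zeroed("/dev/sdX", "evidence.jsonl") as root after the overwrite. A read-back check only proves the host-visible range: SSD spare blocks, remapped sectors and hidden areas such as HPA/DCO are never read, so for flash media prefer the drive's own sanitize command (ATA Security Erase, NVMe Sanitize) or cryptographic erase as NIST SP 800-88 describes, and keep this read-back as the independent verification step whose record you retain.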

Addressable implementation specifications

  • Accountability (Addressable): Maintain chain-of-custody logs for media movement; track who has custody, when, and for what purpose.
  • Data backup and storage (Addressable): Create a retrievable, exact copy of the ePHI, when needed, before moving equipment that contains it, so a drop, loss, or failed migration does not destroy the only copy.

Device/media handling procedures

  • Label assets with unique IDs; record location changes; reconcile logs monthly.
  • Restrict portable media; if approved, require encryption and check-in/out tracking.
  • Use locked bins for end-of-life devices; segregate to-be-wiped from wiped hardware.
  • Vet disposal vendors, bind them contractually, and sample-verify destruction outcomes.

Implementation Specifications for Safeguards

How implementation specifications relate to standards

Each 45 CFR 164.310 standard sets the objective; safeguard implementation specifications describe one or more ways to meet it. Some specifications are “required,” while others are “addressable,” giving you room to tailor controls to your environment based on risk and feasibility.

Mapping of 164.310 implementation specifications

  • Facility Access Controls: Contingency operations (Addressable); Facility security plan (Addressable); Access control and validation procedures (Addressable); Maintenance records (Addressable).
  • Workstation Use: No implementation specifications; comply through clear policies and training.
  • Workstation Security: No implementation specifications; implement physical safeguards to restrict access to authorized users.
  • Device and Media Controls: Disposal (Required); Media re-use (Required); Accountability (Addressable); Data backup and storage (Addressable).

Documentation that demonstrates compliance

  • Risk analysis that justifies chosen controls and any alternatives for addressable items.
  • Policies and standard operating procedures that describe who does what, when, and how.
  • Evidence repositories: logs, tickets, maintenance records, training rosters, and test results.

Addressable Versus Required Safeguards

What “addressable” really means

Addressable does not mean optional. For each addressable specification you must assess whether it is reasonable and appropriate in your environment and then either implement it as written or, if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Leaving the specification entirely unimplemented is allowed only when the risk analysis shows that neither the specification nor any alternative is reasonable and appropriate, and that reasoning must be documented. Whatever you choose must reduce risk to an acceptable level.

What “required” means

Required specifications must be implemented as stated. If technology changes, you may improve or modernize the method, but you may not omit the underlying control objective without violating the rule.

Examples of sound decisions

  • Small clinic without 24/7 security: choose hardened locks, visitor logs, and motion-activated cameras as an addressable alternative to staffed guards.
  • Mobile care units: implement lockboxes and GPS-tracked carts to satisfy accountability during transit, and take a verified backup of the ePHI before a unit or its equipment moves to satisfy data backup and storage.
  • High-risk data closet: implement both badge and key controls plus CCTV, even though only addressable items are specified, due to elevated risk.

How to record your choice

  • Reference the safeguard implementation specifications by citation and name.
  • Summarize the risk, selected control or alternative, rationale, and residual risk.
  • Note the approval authority and review cadence; update after incidents or major changes.

Physical Security Risk Management

Apply a practical risk management framework

Use a repeatable risk management framework to guide selection and operation of physical safeguards. Start with a current asset inventory, assess threats and vulnerabilities, score likelihood and impact, and then choose controls that drive HIPAA Security Rule compliance while supporting care delivery.

Steps to operationalize

  • Catalog facilities, rooms, devices, and media that handle ePHI; map data flows and custody points.
  • Identify threats (theft, tampering, outage, water leak, tailgating) and vulnerabilities (unlocked rooms, poor sightlines, weak visitor checks).
  • Rate risk and determine control priorities for facility access controls, workstation protections, and device/media handling procedures.
  • Implement controls, train users, and test through drills—lost device tabletop, emergency access test, and disposal spot audits.
  • Monitor with metrics: door access anomalies, unescorted visitor exceptions, missing asset tags, and destruction certificate rates.
  • Continuously improve after incidents, mergers, renovations, and technology changes.

Common pitfalls to avoid

  • Relying solely on badges without role validation, visitor controls, or anti-tailgating measures.
  • Placing ePHI workstations where screens face public areas without privacy filters.
  • Releasing or redeploying devices before verified sanitization and documentation.
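The monitoring metrics listed above (door access anomalies, unescorted visitor exceptions) and the first pitfall (badges without role validation) are only useful if someone actually runs the checks against the badge-reader export. The following is an added example for this article, not Accountable's code or any access-control vendor's feature: it parses constructed badge events and flags a non-visitor badge granted into a zone its role is not cleared for, a visitor granted into a restricted zone with no escort-capable badge at the same door within the preceding 60 seconds, any entry into a restricted zone outside business hours, and three or more denials by one badge at one door within five minutes. The log format, zone names, role map and thresholds are all assumptions made for the demo.

```python
"""Badge-reader log review for the door-access metrics in the article.

Added example (not Accountable's code). Parses constructed badge events and
flags four conditions: role_mismatch (non-visitor granted into a zone its role
is not cleared for), unescorted_visitor (visitor granted into a restricted zone
with no escort-capable grant at that door in the last 60 s), after_hours (any
restricted-zone entry outside business hours) and denied_burst (>= 3 denials
by one badge at one door within 5 minutes). Format, zones, roles and
thresholds are assumptions made for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, door, zone, badge, role, reader decision.
SAMPLE_LOG = """\
2026-04-02T08:55:10 D-12 DATA_CLOSET B1001 SYSADMIN GRANTED
2026-04-02T09:02:41 D-12 DATA_CLOSET B3007 VISITOR GRANTED
2026-04-02T09:10:05 D-04 REGISTRATION B2002 CLERK GRANTED
2026-04-02T09:14:30 D-12 DATA_CLOSET B2002 CLERK GRANTED
2026-04-02T12:30:00 D-12 DATA_CLOSET B1001 SYSADMIN GRANTED
2026-04-02T12:30:20 D-12 DATA_CLOSET B3008 VISITOR GRANTED
2026-04-02T21:47:02 D-12 DATA_CLOSET B1002 SYSADMIN GRANTED
2026-04-02T22:01:11 D-12 DATA_CLOSET B2005 CLERK DENIED
2026-04-02T22:01:40 D-12 DATA_CLOSET B2005 CLERK DENIED
2026-04-02T22:02:15 D-12 DATA_CLOSET B2005 CLERK DENIED
"""

ZONE_ROLES = {  # roles cleared for each zone; visitors are never cleared, only escorted
    "DATA_CLOSET": {"SYSADMIN", "FACILITIES"},
    "REGISTRATION": {"CLERK", "NURSE", "SYSADMIN"},
}
RESTRICTED_ZONES = {"DATA_CLOSET"}
ESCORT_ROLES = {"SYSADMIN", "FACILITIES"}
ESCORT_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = (7, 19)  # 07:00 <= hour < 19:00
DENY_BURST_COUNT, DENY_BURST_WINDOW = 3, timedelta(minutes=5)


def parse(text):
    """Turn the whitespace-separated log into event dicts (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, zone, badge, role, decision = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "door": door, "zone": zone,
                       "badge": badge, "role": role, "decision": decision})
    return events


def review(events):
    """Return findings in time order; each is {'kind', 'badge', 'door', 'ts'}."""
    findings = []
    last_escort = {}             # door -> time an escort-capable badge was last granted there
    denials = defaultdict(list)  # (door, badge) -> denial times inside the burst window

    def flag(kind, e):
        findings.append({"kind": kind, "badge": e["badge"], "door": e["door"], "ts": e["ts"]})

    for e in sorted(events, key=lambda x: x["ts"]):
        if e["decision"] != "GRANTED":
            recent = denials[(e["door"], e["badge"])]
            recent.append(e["ts"])
            recent[:] = [t for t in recent if e["ts"] - t <= DENY_BURST_WINDOW]
            if len(recent) >= DENY_BURST_COUNT:
                flag("denied_burst", e)
            continue
        if e["role"] == "VISITOR":
            if e["zone"] in RESTRICTED_ZONES:
                escort_at = last_escort.get(e["door"])
                if escort_at is None or e["ts"] - escort_at > ESCORT_WINDOW:
                    flag("unescorted_visitor", e)
        elif e["role"] not in ZONE_ROLES.get(e["zone"], set()):
            flag("role_mismatch", e)  # the reader let the badge in; the role map says it should not
        if e["role"] in ESCORT_ROLES:
            last_escort[e["door"]] = e["ts"]
        if e["zone"] in RESTRICTED_ZONES and not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            flag("after_hours", e)
    return findings


def metrics(findings):
    """Counts per finding kind: the numbers a periodic physical-security review would track."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    found = review(parse(SAMPLE_LOG))
    for f in found:
        print(f["ts"].isoformat(), f["kind"], f["badge"], f["door"])
    print(dict(metrics(found)))
```

On the sample data the review yields one finding of each kind: the 09:02 visitor entered the data closet seven minutes after the last escort, the clerk badge B2002 was granted into a zone its role is not cleared for (a reader configuration error that badge logs alone never reveal), the 21:47 sysadmin entry is legitimate but after hours and goes on the review list, and B2005's three denials in 64 seconds look like someone testing a door. The role map is the piece most organizations lack; it is the same role-to-zone mapping the facility security plan should already document, so the script doubles as a check that the access-control system matches the plan.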

Conclusion

45 CFR 164.310 focuses on the physical layer of protecting ePHI: who can get near systems, how workstations are used and secured, and how devices and media are controlled throughout their lifecycle. By pairing clear policies with risk-based, well-documented safeguards, you can meet the rule’s intent and sustain compliance in dynamic clinical environments.

FAQs

What are the key physical safeguards under 45 CFR 164.310?

The four standards are Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. Together, they govern how you restrict physical access, define appropriate workstation behavior, secure terminals and their surroundings, and manage hardware and media containing ePHI from acquisition through final disposal.

How are addressable specifications different from required ones?

Required specifications must be implemented as written. Addressable specifications must still be addressed: implement them as stated if that is reasonable and appropriate; otherwise document, based on your risk analysis, why it is not, and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable never means “ignore it.”

What policies are necessary for workstation use?

Define permitted tasks, physical placement, privacy measures, session management, data storage rules, printing/scanning practices, and remote-use expectations. Train staff on these rules and reinforce them with periodic checks to keep workstation use aligned with HIPAA Security Rule compliance.

How should devices and media containing ePHI be controlled?

Track custody and location, restrict portable media, require encryption where feasible, sanitize before re-use, and ensure secure destruction with documented proof. Create retrievable backups before equipment moves, and use chain-of-custody logs to maintain accountability throughout the device or media lifecycle.
