HIPAA Physical Safeguard Requirements: Complete Guide and Checklist

HIPAA Physical Safeguard Requirements set the standards for protecting Electronic Protected Health Information (ePHI) against unauthorized physical access, tampering, and theft. This guide explains each safeguard in plain language and provides actionable checklists you can use to operationalize compliance.

Use these steps to translate policy into day‑to‑day practices. The goal is simple: ensure only authorized people can reach systems and media that handle ePHI, and prove you consistently apply Physical Security Protocols across your environment.

Facility Access Controls

Control who can enter buildings, suites, and rooms where ePHI is created, received, maintained, or transmitted. Implement Access Control Mechanisms that match risk—keycards, PIN pads, or biometrics—and define emergency access so care continues safely during outages or disasters.

Document how you validate identity, grant/modify/revoke rights, and monitor entry points. Pair door hardware with Surveillance Systems and alerting so you can investigate anomalies and demonstrate oversight during audits.

Checklist

• Define secure areas that house ePHI (data rooms, nurses’ stations, telehealth booths) and label them as restricted.
• Deploy Access Control Mechanisms (badges, PINs, biometrics) with role-based rules and automatic deprovisioning on termination.
• Maintain visitor procedures: sign-in, government ID verification, issued badges, escort requirements, and exit checks.
• Enable Surveillance Systems covering entrances, server closets, and media storage; retain footage per policy and protect it from tampering.
• Establish contingency access for emergencies, including documented break-glass steps and post-event review.
• Keep maintenance logs for locks, readers, cameras, and alarms; investigate and remediate failures promptly.
• Perform periodic access reviews comparing authorized lists to actual badge activity and door logs.

Workstation Use and Security

Create clear workstation use rules that specify permitted functions, acceptable locations, and the required physical surroundings. Place screens to prevent shoulder surfing, enforce Privacy Screen Usage where the public could view data, and set automatic screen locks to reduce unattended exposure.

Train your workforce to handle printed materials, conversations, and portable devices near workstations. Align daily behavior with Physical Security Protocols so ePHI stays protected even in busy clinical spaces.

Checklist

• Publish a workstation use policy covering authorized tasks, session lock timeouts, and prohibited activities near ePHI.
• Position monitors away from public sightlines; add privacy filters in registration, triage, and waiting areas.
• Prohibit shared generic logins; require user authentication before resuming a session.
• Restrict local printing of ePHI and require immediate pickup; secure shred bins at the point of use.
• Ban unattended carts or laptops in hallways; store devices in locked locations when not in use.
• Conduct spot checks for compliance and remediate with coaching and updated procedures.

Device and Media Controls

Manage the full lifecycle of hardware and media that store ePHI—acquisition, movement, reuse, and disposal. Apply Data Sanitization Procedures before reuse or retirement, and formalize Media Disposal Policies so destruction is consistent, verifiable, and documented.

Track custody from issuance to return. When transferring devices between sites or service providers, encrypt contents and use tamper-evident packaging with receipt confirmation.

Checklist

• Maintain an asset inventory for servers, laptops, drives, tapes, and removable media that may contain ePHI.
• Require manager approval and chain-of-custody logs for any device or media leaving a secure area.
• Implement standardized Data Sanitization Procedures (clear, purge, destroy) matched to media type and risk.
• Define Media Disposal Policies: approved methods (shredding, degaussing, certified destruction) and retention timelines.
• Obtain certificates of destruction from vendors and reconcile them with asset records.
• Validate sanitization effectiveness with sample testing and documented sign-off.
• Back up critical data prior to disposal or service, storing backups in controlled, access-restricted locations.

Workstation Security

Physically secure each workstation so only authorized users can access it. Combine location-based controls with hardware protections like cable locks, lockable docks, and port blockers, especially for devices used in semi-public areas.

Reinforce security with Privacy Screen Usage, tamper-evident seals on chassis, and secure storage after hours. Regularly verify that safeguards remain in place and functional.

Checklist

• Place workstations in controlled zones; avoid positioning near patient waiting spaces or public corridors when possible.
• Use cable locks or locking mounts for desktops, thin clients, and kiosks; secure power and network cabling.
• Install privacy filters on displays and set short inactivity locks; disable unused ports or apply port locks.
• Store mobile workstations in locked rooms or cabinets; inventory them at the start and end of each shift.
• Apply tamper seals to cases and record serial numbers; investigate any seal breakage immediately.
• Review physical controls during rounding and include findings in corrective action tracking.

Facility Security Plan

Build a written plan that maps risks to controls across your campus. Define secure zones, Access Control Mechanisms, Surveillance Systems, environmental safeguards, incident response, and testing routines, with owners and review cycles for each element.

Integrate the plan with business continuity so emergency mode operations keep ePHI protected. Use metrics—door exceptions, visitor trends, and camera uptime—to drive improvements and demonstrate ongoing compliance.

Checklist

• Create a site diagram showing restricted areas, camera coverage, alarm points, and device/media storage locations.
• Assign responsibilities for access provisioning, visitor management, monitoring, and incident handling.
• Set preventive maintenance schedules for locks, readers, cameras, alarms, UPS, and environmental controls.
• Define incident workflows: detection, containment, evidence preservation, notifications, and after-action reviews.
• Run drills for evacuation, power loss, and emergency access; document outcomes and corrective actions.
• Review the plan at least annually and after major changes, audits, or security events.

In summary, align policies with practical safeguards at the door, desk, and device level. When you consistently apply access controls, workstation protections, and disciplined media handling—then prove it with records—you meet HIPAA Physical Safeguard Requirements and measurably reduce risk to ePHI.

FAQs

What are the key HIPAA physical safeguard requirements?

The core requirements cover facility access controls, workstation use, workstation security, and device and media controls. You must restrict physical access to areas and assets handling ePHI, guide how workstations are used and positioned, secure each workstation against unauthorized hands-on access, and govern the lifecycle of devices and media with documented sanitization and disposal.

How can facilities control access to ePHI areas?

Define restricted zones and apply role-based Access Control Mechanisms like badges, PINs, or biometrics. Pair them with visitor sign-in, escort rules, Surveillance Systems, and periodic access reviews. Include contingency access for emergencies and maintain maintenance and activity logs to prove controls work as intended.

What procedures are required for media disposal under HIPAA?

You need formal Media Disposal Policies and Data Sanitization Procedures that match media type and sensitivity. Common practices include shredding or pulverizing drives and paper, degaussing magnetic media, validated wiping for reuse, chain-of-custody documentation, and certificates of destruction from approved vendors.

How should workstations accessing ePHI be physically secured?

Place them in controlled locations, add privacy filters, enforce automatic screen locks, and use cable locks or lockable docks. Disable unused ports or add port blockers, store mobile units in locked rooms after hours, and inspect tamper seals and mounts regularly to verify protections remain intact.