HIPAA Physical Safeguards Checklist: A Complete, Printable List by Facility Area


Kevin Henry

HIPAA

January 29, 2024


Use this HIPAA physical safeguards checklist to quickly assess ePHI physical security across each facility area. Work through every section, verify controls, and document evidence as you go.

The items below focus on practical access control mechanisms, physical layouts, and day-to-day behaviors that reduce risk. Apply them consistently, then retain proof for audits and internal reviews.

Facility Access Controls

Protect areas where ePHI is created, stored, or processed by restricting entry and monitoring use. Align doors, badges, keys, and escorts to your risk analysis and workforce roles.

Checklist

  • Document a written facility access policy covering normal hours, after-hours, and emergency access.
  • Grant role-based entry to ePHI locations using layered access control mechanisms (badges, PINs, keys).
  • Implement biometric authentication where your risk analysis justifies it (e.g., server rooms).
  • Maintain a visitor process: identity verification, temporary badges, escorts, and sign-in/sign-out logs.
  • Prevent tailgating with door closers, anti-passback rules, and clear “no piggybacking” signage.
  • Secure delivery and loading areas; inspect packages before they enter controlled spaces.
  • Record and review door access logs; reconcile them with current workforce rosters at least quarterly.
  • Install video surveillance on critical entrances; retain footage per policy and risk tolerance.
  • Lock rooms, cabinets, and cages containing devices or media that store ePHI.
  • Control and audit keys; rekey or revoke credentials immediately when lost or when roles change.
  • Coordinate the facility maintenance procedures HIPAA requires: pre-approved work orders, escorted access, and sign-offs.
  • Test emergency access procedures and document results after each drill or real event.
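The door-log review and roster reconciliation called for in the checklist above, as an added example (not code from the article or from Accountable). The CSV layouts, badge IDs, names, zones and the 07:00-19:00 business-hours window are constructed assumptions; adapt them to your door controller's export and HR roster.

```python
"""Reconcile badge/door access logs against the current workforce roster.

Added example, not from the original article. Log format, roster fields,
badge IDs, names and the business-hours window are all constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample roster export (HR system). status: active|terminated
ROSTER_CSV = """badge_id,name,role,status,zones
B1001,Ana Ruiz,nurse,active,ward;pharmacy
B1002,Li Chen,sysadmin,active,ward;server_room
B1003,Sam Ortiz,registrar,terminated,front_desk
"""

# Constructed sample door-controller export
ACCESS_LOG = """timestamp,badge_id,zone,result
2024-01-10T08:02:11,B1001,ward,granted
2024-01-10T22:15:40,B1003,front_desk,granted
2024-01-11T03:12:05,B1002,server_room,granted
2024-01-11T09:30:00,B9999,pharmacy,granted
2024-01-11T10:05:22,B1001,server_room,denied
"""

BUSINESS_HOURS = (7, 19)  # 07:00-19:00 local; constructed policy value


def load_roster(text):
    """Index the roster by badge ID; zones become a set of permitted areas."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["badge_id"]: {**r, "zones": set(r["zones"].split(";"))} for r in rows}


def reconcile(log_text, roster):
    """Return (finding, log_row) pairs that need follow-up by the facility owner."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "granted":
            continue  # denied attempts are reviewed under a separate procedure
        person = roster.get(row["badge_id"])
        if person is None:
            findings.append(("unknown_badge", row))  # badge not on any roster
            continue
        if person["status"] != "active":
            findings.append(("terminated_badge_active", row))  # credential not revoked
        elif row["zone"] not in person["zones"]:
            findings.append(("zone_not_in_role", row))  # entry outside role-based access
        hour = datetime.fromisoformat(row["timestamp"]).hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", row))  # review against after-hours policy
    return findings
```

Run it quarterly against the full export and keep the findings list with the reviewer's sign-off as audit evidence.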

Records to Keep

  • Policies, access rosters, badge/door logs, visitor logs, camera retention settings, and floor plans with restricted zones.

Secure Workstations

Workstations often sit closest to patients and the public. Position and protect them to prevent casual viewing, tampering, or theft while supporting clinical workflows.

Checklist

  • Place screens away from public view; add privacy filters in semi-public areas.
  • Anchor desktops and docking stations with locks; secure cables to deter unplugging.
  • Use automatic screen-lock timers and lockable offices or cubicles for high-risk roles.
  • Keep a clean-desk environment; store paper with PHI in locked drawers when unattended.
  • Control peripherals; use port blockers for unused USB ports and secure shared printers.
  • Post simple reminders to lock screens before leaving and to clear printers immediately.
  • Sanitize whiteboards and patient status boards promptly after use.

Records to Keep

  • Workstation location map, privacy filter inventory, lock/anchor inventory, and spot-check logs with photos where appropriate.

Server Rooms and Data Centers

These areas require heightened control and monitoring. Apply the environmental controls that HIPAA-covered data centers typically maintain, alongside strict entry governance.

Checklist

  • Use dedicated, locked rooms with minimal entry points and clearly marked restricted areas.
  • Require multi-factor entry (e.g., badge + PIN or biometric) with continuous access logging.
  • Install 24/7 CCTV covering doors, aisles, and critical assets; verify recording and retention.
  • Lock racks and cabinets; apply tamper-evident seals to critical panels or media drawers.
  • Implement environmental monitoring: temperature/humidity sensors, leak detection, and clean-agent fire suppression.
  • Harden for continuity: UPS, generator, fuel contracts, and scheduled load tests with results recorded.
  • Secure cabling with managed pathways; protect demarcation points and cross-connects.
  • Maintain an asset ledger with serials, locations, and responsible owners; reconcile quarterly.
  • Apply HIPAA-aligned facility maintenance procedures: escorted vendors, tool control, and post-work inspections.

Records to Keep

  • Access logs, surveillance checks, environmental trend reports, power test results, and asset inventories.

Mobile Device Protection

Laptops, tablets, and smartphones extend care delivery but heighten exposure. Combine physical handling rules with encryption for mobile devices to reduce breach impact.

Checklist

  • Maintain an up-to-date inventory of all mobile devices that can access or store ePHI.
  • Store devices in locked carts or cabinets when not in use; secure carts when transporting.
  • Never leave devices unattended in vehicles or public areas; use hotel safes during travel.
  • Apply privacy filters to mobile screens used in patient-facing or public spaces.
  • Use tethers or locking mounts for tablets at nursing stations and registration areas.
  • Implement check-in/check-out logs for shared devices with condition and user attestation.
  • Pair physical safeguards with encryption for mobile devices and rapid remote lock/wipe capability.

Records to Keep

  • Asset lists, check-out logs, storage assignments, travel attestations, and incident reports for lost or recovered devices.

Media Disposal Procedures

Prevent data recovery by rendering media unreadable at end of life or before reuse. Follow HIPAA-compliant secure media disposal practices tailored to each media type.


Checklist

  • Publish a media sanitization and destruction policy covering paper, drives, tapes, and embedded storage.
  • Use locked, labeled bins for pending disposal; restrict and log access to staging areas.
  • Apply appropriate destruction: cross-cut shredding for paper; shredding/disintegration/pulverization or degaussing for magnetic and solid-state media.
  • Sanitize devices before repair, return, or reassignment; verify with spot tests.
  • Maintain chain-of-custody from collection to destruction; reconcile items against inventory.
  • Use vetted vendors; obtain certificates of destruction and verify processes periodically.
  • Document exceptions and remediation when destruction deviates from policy.

Records to Keep

  • Sanitization logs, chain-of-custody forms, destruction certificates, vendor due diligence, and inventory reconciliations.

Backup Storage Security

Backups preserve care continuity. Physically safeguard on-site and off-site copies so recovery never introduces new risks.

Checklist

  • Store on-site backups in locked, fire-rated cabinets or safes away from plumbing and exterior walls.
  • Use secure off-site facilities with controls comparable to primary data centers, including environmental monitoring.
  • Transport media in tamper-evident containers; log custody transfers end-to-end.
  • Separate backup storage geographically so that a single event cannot affect both primary and secondary copies.
  • Barcode and inventory all backup media; perform periodic counts and reconciliation.
  • Restrict retrieval with a two-person rule for high-risk media.
  • Test restorations routinely; record dates, results, and corrective actions.

Records to Keep

  • Storage maps, custody logs, inventory lists, reconciliation reports, restoration test results, and off-site contracts.

Network Equipment Safeguards

Routers, switches, and firewalls often reside in overlooked closets. Treat these spaces as sensitive to uphold ePHI physical security.

Checklist

  • Lock network closets and control keys/badges; maintain visitor and access logs.
  • Protect patch panels with locked covers; apply port blockers to unused jacks.
  • Mount network gear securely; use security screws and locked rack doors.
  • Provide adequate ventilation and temperature monitoring; add leak detection where needed.
  • Use UPS for graceful shutdown and to protect against power fluctuation.
  • Secure and inventory spare transceivers, SFPs, and cables; lock storage drawers.
  • Label cables clearly and manage pathways to reduce accidental disconnects.

Records to Keep

  • Closet access logs, key control records, equipment inventories, environmental checks, and UPS maintenance logs.

Workstation Use Policies

Define how staff physically interact with workstations to keep PHI out of sight and out of reach of unauthorized individuals.

Checklist

  • Adopt clear-screen and clear-desk rules for any area where PHI is present.
  • Prohibit photographing screens or documents in clinical or registration areas.
  • Collect prints promptly; use secure release printing near patient care areas.
  • Forbid passwords on sticky notes; secure any written reference material in locked storage.
  • Position monitors thoughtfully and apply privacy filters where needed.
  • Keep food and drinks away from devices to avoid damage and downtime.

Records to Keep

  • Policy acknowledgments, awareness materials, spot-audit results, and remediation tracking.

Device and Media Controls

Track devices and media from acquisition through disposal. Strong custody reduces loss, theft, and unauthorized reuse.

Checklist

  • Maintain a comprehensive asset inventory with unique IDs, locations, and responsible custodians.
  • Control receipt and shipping with tamper-evident packaging and documented chain-of-custody.
  • Sanitize devices before transfer or reassignment; mark items as “sanitized” with date and method.
  • Integrate HIPAA-compliant secure media disposal steps when retiring assets that store ePHI.
  • Escort and log vendor repairs; sanitize or remove storage components prior to service.
  • Define a lost/stolen response: immediate reporting, location review, and mitigation steps.
  • Audit inventory regularly; reconcile serial numbers and investigate discrepancies.

Records to Keep

  • Asset ledgers, custody logs, transfer forms, sanitization attestations, repair tickets, and audit reports.

Consistently applying these checklists strengthens physical safeguards, supports compliance evidence, and reduces real-world risk to patients and operations.

FAQs

What are physical safeguards under HIPAA?

Physical safeguards are policies, procedures, and tangible protections that secure facilities, equipment, and media housing ePHI. They include facility access controls, workstation security measures, device and media controls, and data center protections against environmental and unauthorized access risks.

How do you secure workstations according to HIPAA?

Position screens to prevent viewing, add privacy filters, lock devices and docking stations, enforce automatic screen locks, control peripherals with port blockers, and keep a clean-desk environment. Combine these steps with access logging and routine spot checks to verify compliance.

What procedures must be followed for media disposal under HIPAA?

Follow HIPAA-compliant secure media disposal practices: lock and log staged items, sanitize per media type, maintain chain-of-custody, use vetted destruction vendors, and obtain certificates of destruction. Reconcile disposals with your asset inventory and document exceptions with corrective actions.

How is access to server rooms controlled under HIPAA physical safeguards?

Restrict entry by role, use layered access control mechanisms such as badges, PINs, and biometrics, log every access, and monitor with CCTV. Protect racks, apply environmental controls, and review access lists and logs regularly to ensure only authorized personnel can enter.
