HIPAA Physical Safeguards Checklist: Facility Security, Access Controls, Training

Use this HIPAA physical safeguards checklist to harden buildings, work areas, and equipment that create, receive, maintain, or transmit ePHI. The steps below help you demonstrate ePHI physical security in daily operations and during audits.

For each area, you will find clear objectives, a practical checklist, and the evidence auditors typically request. Apply the items proportionally to your risk profile and facility type.

Facility Access Controls

Objectives

Limit physical entry to authorized personnel, prevent unauthorized viewing or tampering, and preserve operations during emergencies. Document how you grant, validate, and revoke access to areas where ePHI resides.

Checklist

• Publish facility access policies that define secure areas (data rooms, records rooms, imaging suites) and who may enter, when, and under what conditions.
• Implement layered controls: locked perimeters, badged doors, PIN/biometric readers for sensitive zones, and door alarms for propped entries.
• Manage visitors: verify identity, issue labeled temporary badges, log purpose/time, and require escorts in restricted areas.
• Deter tailgating with anti-passback, security awareness signage, and regular spot checks by supervisors or security staff.
• Establish emergency access procedures that grant controlled entry during outages while preserving auditability.
• Maintain maintenance records for locks, cameras, and access systems; record vendor access and work performed.
• Protect off-site storage and clinics with equivalent controls; review landlord and building security arrangements annually.

Evidence to Keep

• Facility security plan, floor maps of restricted areas, and access approval matrices.
• Badge and visitor logs, exception approvals, and incident reports.
• Maintenance records and change logs for physical security systems.

Workstation Security

Objectives

Prevent unauthorized viewing or use of ePHI at desktops, laptops, kiosks, and mobile carts. Align workspace layout and hardware with workstation privacy safeguards.

Checklist

• Position screens away from public sight lines; use privacy filters in reception, triage, and high-traffic areas.
• Enforce automatic screen lock and short idle timeouts; require secure sign-out for shared workstations.
• Physically secure devices with cable locks, lockable carts, or docking stations in semi-public areas.
• Restrict local printing and require secure print release near patient care zones; implement clean desk practices for paper containing ePHI.
• Define home/remote workstation rules: no use of personal devices for ePHI, work in a private space, and store devices in locked locations when unattended.
• Harden kiosks with whitelisted apps, blocked USB ports, and limited local storage.

Evidence to Keep

• Workstation configuration standards, photos/layout diagrams for screen placement, and device lock deployment lists.
• Training acknowledgments for staff using shared or mobile workstations.

Device and Media Controls

Objectives

Track, protect, and securely dispose of hardware and media that store ePHI. Ensure safe movement, reuse, and end-of-life handling, including hardware media sanitization.

Checklist

• Maintain an asset inventory with unique IDs, owners, locations, and ePHI capability; include drives, copiers, scanners, and removable media.
• Require chain-of-custody forms for device transfer, repair, or shipping; seal equipment and use locked cases for transport.
• Back up required data before servicing or disposal; verify backups are restorable.
• Sanitize before reuse or disposal using approved methods: secure wipe/overwrite, cryptographic erase for encrypted drives, degauss (where applicable), or physical destruction (shred/pulverize).
• Control removable media: restrict or disable USB storage; if allowed, require encryption and check-in/out tracking.
• Obtain certificates of destruction from vendors and reconcile them against the asset inventory.

Evidence to Keep

• Asset inventory, transfer logs, and chain-of-custody records.
• Sanitization checklists, destruction certificates, and reuse authorization forms.

Access Controls

Objectives

Align physical identity (badges) with logical identity to ensure only authorized users can access ePHI on systems within your facilities. Emphasize least privilege and strong user authentication protocols.

Checklist

• Issue unique user IDs; prohibit shared accounts except narrowly defined kiosk functions with compensating controls.
• Require multi-factor authentication for administrative roles and remote access; bind badge issuance to account provisioning and role approval.
• Apply role-based access and least privilege to applications handling ePHI; review entitlements at least quarterly.
• Set short automatic logoff for clinical kiosks and public-facing terminals to reduce shoulder-surfing risk.
• Implement emergency access procedures with strong oversight and post-event review.
• Follow joiner-mover-leaver processes: same-day termination of badges and accounts; reconcile HR, badge, and directory lists.

Evidence to Keep

• Provisioning/termination tickets, access review attestations, and MFA enrollment records.
• Exception approvals for shared or emergency access with documented compensating controls.

Training and Policies

Objectives

Build consistent behaviors that support physical safeguards and demonstrate security training compliance. Ensure staff know how to prevent, detect, and report issues that could expose ePHI.

Checklist

• Provide onboarding and annual refresher training covering tailgating prevention, visitor handling, device locking, and clean desk practices.
• Run targeted micro-trainings for high-risk roles (registration, imaging, field staff, facilities, third-party technicians).
• Publish concise, accessible policies and quick-reference guides for emergencies, lost/stolen devices, and after-hours access.
• Conduct drills and tabletop exercises for evacuation, power loss, and emergency access; document outcomes and improvements.
• Track completion, measure comprehension, and remediate non-compliance promptly.

Evidence to Keep

• Policy versions with approval dates, training rosters, quiz results, and remediation records.
• Drill schedules, after-action reports, and updated procedures.

Audit Controls

Objectives

Create auditable trails of access to facilities, systems, and devices that handle ePHI. Use logs to detect anomalies and prove that controls operate as intended.

Checklist

• Retain building access logs, visitor logs, and video coverage for sensitive zones; define retention aligned to risk and regulatory needs.
• Log device removal/return, media transport, and service activities; reconcile with inventory.
• Enable system audit logs on workstations and applications in restricted areas; correlate physical entry with logical access where feasible.
• Review logs on a set cadence (e.g., weekly for restricted areas, monthly organization-wide) and document findings and responses.
• Alert on high-risk events: after-hours door openings, repeated denied entries, rapid badge use across locations, or device removal without work orders.

Evidence to Keep

• Log review reports, alert tickets, and incident response records.
• Camera retention schedules, access system configuration exports, and exception approvals.

Third-Party Compliance

Objectives

Ensure vendors, contractors, and hosted service providers protect ePHI to your standards, both on-site and off-site. Contractually obligate controls and verify they operate.

Checklist

• Execute business associate agreements with vendors that create, receive, maintain, or transmit ePHI; specify physical security, breach notification, and subcontractor obligations.
• Perform risk-based due diligence: security questionnaires, documentation reviews, and site visits for high-impact vendors.
• Control vendor access: pre-approve tasks, issue time-limited badges, require escorts in restricted areas, and log all entries.
• Require secure transport and hardware/media sanitization when vendors service or replace components; obtain certificates of destruction when applicable.
• Flow down policies for incident reporting, lost/stolen equipment, and media handling to all contractors working on-site.

Evidence to Keep

• Executed agreements, due diligence reports, and risk decisions.
• Vendor access logs, escort records, and destruction certificates tied to work orders.

Summary and Next Steps

Treat physical safeguards as a living program: set clear facility access policies, harden workstations, control devices and media, align identities and user authentication protocols, train continuously, audit relentlessly, and hold third parties accountable. Schedule periodic reviews, test emergency procedures, and keep evidence organized for swift audit readiness.

FAQs

What are the key components of HIPAA physical safeguards?

The core components are facility access controls, workstation security, and device and media controls. In practice, you also align logical access with physical protections, train staff on secure behaviors, maintain audit controls for logs and surveillance, and ensure vendors meet equivalent standards. Together, these measures reduce unauthorized access to ePHI and prove ongoing compliance.

How often should HIPAA physical safeguards training be conducted?

Provide training at onboarding, then at least annually, and whenever policies, technology, or facilities change. High-risk roles may need more frequent refreshers and drills. Track completion, test comprehension, and promptly remediate gaps to maintain security training compliance.

What procedures ensure secure disposal of electronic media?

Follow a documented process: verify that retention requirements are met and backups exist, approve disposal, sanitize media using an approved method (e.g., overwrite or cryptographic erase for reuse; shred or pulverize for end-of-life), and record results with chain-of-custody and certificates of destruction. Reconcile every item against the asset inventory before closing the ticket.