HIPAA Physical Safeguards for PHI: A Practical Compliance Checklist



Kevin Henry

HIPAA

September 06, 2024


Use this practical checklist to implement HIPAA Physical Safeguards for PHI across facilities, workstations, devices, and people. The goal is to prevent unauthorized physical access, tampering, loss, or theft while enabling reliable operations during routine work and emergencies.

As you work through each section, document decisions, assign owners, and schedule reviews. Integrate facility access policies, workstation privacy controls, and mobile device encryption into daily workflows so protections are consistent, auditable, and easy to maintain.

Facility Access Controls

Checklist

  • Create and maintain facility access policies that define authorized roles, access levels, business hours, and after‑hours procedures.
  • Implement badge or key control with unique credentials; disable access immediately upon role change or termination.
  • Segment sensitive areas (server rooms, wiring closets, records storage) and enforce least‑privilege entry validation.
  • Maintain entry, exit, and maintenance records; review access logs at defined intervals.
  • Harden physical perimeters: monitored doors, door‑prop alarms, tamper‑evident seals, and CCTV where appropriate.
  • Define contingency operations for safe building entry during outages and disasters, including disaster recovery access procedures.

Implementation tips

  • Map access levels to job functions; use time‑based access for contractors and vendors.
  • Conduct quarterly access recertifications and reconcile badges/keys to your HR roster.
  • Document a facility security plan showing zones, controls, and equipment locations.
  • Store spare keys and master codes in sealed, logged containers with dual custody.
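Two of the items above, the periodic access log review and the badge-to-HR-roster reconciliation, are easy to automate. The following Python is an added example, not code from the article or from Accountable; the roster, badge table, zone names, business hours and door-controller log lines are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample data (not from the article): an HR roster, badge
# assignments and a few door-controller log lines, all hypothetical.
HR_ROSTER = {
    "E100": {"name": "A. Patel", "status": "active"},
    "E101": {"name": "B. Ortiz", "status": "terminated"},
    "E102": {"name": "C. Nwosu", "status": "active"},
}
BADGES = {
    "B-1": {"employee": "E100", "zones": {"lobby", "server-room"}},
    "B-2": {"employee": "E101", "zones": {"lobby"}},            # holder terminated
    "B-3": {"employee": "E999", "zones": {"records-storage"}},  # no HR record
    "B-4": {"employee": "E102", "zones": {"lobby"}},
}
ACCESS_LOG = """\
2024-09-03T08:15:00 B-1 server-room granted
2024-09-03T22:40:00 B-1 server-room granted
2024-09-04T09:05:00 B-2 lobby granted
2024-09-04T02:10:00 B-4 records-storage denied
"""
RESTRICTED_ZONES = {"server-room", "records-storage"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed hours for the example

def recertify_badges(badges, roster):
    """Return (badge_id, reason) for badges whose holder is terminated or
    has no HR record; these should be disabled before the recert is signed."""
    findings = []
    for badge_id, rec in badges.items():
        person = roster.get(rec["employee"])
        if person is None:
            findings.append((badge_id, "no HR record"))
        elif person["status"] != "active":
            findings.append((badge_id, "holder terminated"))
    return findings

def after_hours_restricted(log_text, restricted, hours):
    """Return (timestamp, badge, zone, result) for every restricted-zone
    event outside business hours. Denied attempts are kept on purpose:
    a denied after-hours swipe at a server room is still worth a review."""
    start, end = hours
    events = []
    for line in log_text.splitlines():
        ts_str, badge, zone, result = line.split()
        ts = datetime.fromisoformat(ts_str)
        if zone in restricted and not (start <= ts.time() < end):
            events.append((ts_str, badge, zone, result))
    return events
```

Both functions return the items a reviewer has to sign off on, so their output can be attached directly to the access log review and recertification records listed under "Documentation to retain".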

Documentation to retain

  • Facility security plan, access provisioning/deprovisioning records, access log review sign‑offs.
  • Visitor policies, maintenance logs, and corrective actions for door or camera issues.

Workstation Use and Security

Checklist

  • Publish workstation use rules covering acceptable use, session timeouts, and prohibited behaviors.
  • Apply workstation privacy controls: screen positioning away from public view and use of privacy filters.
  • Enforce automatic lock after short inactivity; require strong authentication at unlock.
  • Securely anchor devices in semi‑public areas; restrict local ports where feasible.
  • Disable unattended printing and ensure secure print release in shared spaces.

Implementation tips

  • Risk‑rank areas (lobbies, nurses’ stations, exam rooms) and tailor controls to exposure.
  • Standardize base images with lock policies, USB restrictions, and audit agents.
  • Post concise, location‑specific reminders near screens in high‑traffic zones.

Documentation to retain

  • Signed workstation use policy, asset inventory with locations, and screenshots of enforced settings.
  • Physical inspection checklists and remediation tickets for observed risks.

Device and Media Controls

Checklist

  • Maintain a full inventory of electronic media (laptops, removable drives, tapes, imaging equipment).
  • Protect data at rest; for portable media, require encryption and strict checkout procedures.
  • Define and follow electronic media disposal processes: sanitize, verify, and document.
  • Establish media reuse procedures that include verified wipe before reassignment.
  • Track chain of custody for devices leaving secure areas for repair or vendor service.
  • Back up critical data before service, transfer, or disposal, with recovery verification.

Implementation tips

  • Adopt a standard sanitization method set (e.g., clear, purge, destroy) and train staff to execute it.
  • Use tamper‑evident containers and locked transit for offsite media handling.
  • Schedule recurring audits comparing inventory to physical counts and ticket history.

Documentation to retain

  • Certificates of destruction, wipe logs, and approval records for electronic media disposal.
  • Media checkout logs, chain‑of‑custody forms, and inventory reconciliations.

Environmental Safeguards

Checklist

  • Perform environmental risk mitigation for areas housing PHI systems: UPS, generator coverage, surge protection, and HVAC monitoring.
  • Install fire detection and suppression appropriate for electrical rooms; add water leak sensors where relevant.
  • Secure racks and cabling; use locked cabinets for network and storage equipment.
  • Keep aisles clear, label power circuits, and maintain safe temperature/humidity ranges.
  • Test alarms and monitoring; define on‑call escalation for environmental events.

Implementation tips

  • Document power and cooling dependencies and set recovery priorities for critical systems.
  • Record routine maintenance and results of periodic failover tests.

Documentation to retain

  • Environmental monitoring reports, maintenance schedules, and incident response notes.
  • Change records for moves, additions, and modifications within protected spaces.

Mobile Device Management

Checklist

  • Require MDM enrollment for all smartphones and tablets that access ePHI.
  • Enforce mobile device encryption, strong authentication, and automatic lock/timeout.
  • Enable remote locate, lock, and wipe; block access if a device is out of compliance.
  • Prohibit unmanaged apps from storing PHI; use secure containers for clinical apps.
  • Keep OS and security patches current; detect and block jailbroken or rooted devices.
  • Use signed BYOD agreements that specify support boundaries and privacy expectations.

Implementation tips

  • Create device posture rules (encryption on, PIN complexity, no sideloading) tied to access.
  • Segment mobile traffic with VPN or private access gateways for sensitive services.

Documentation to retain

  • MDM compliance reports, wipe confirmations, and user acknowledgement forms.
  • Exception approvals and remediation timelines for noncompliant devices.

Visitor Control

Checklist

  • Establish a front‑desk process with government ID verification where appropriate.
  • Issue temporary badges that visually distinguish visitors from staff.
  • Maintain visitor access logs capturing name, company, host, purpose, and timestamps.
  • Escort visitors in restricted areas; prohibit photography in sensitive zones.
  • Route deliveries to designated locations; supervise vendor work and record entry/exit.

Implementation tips

  • Train staff to challenge unbadged individuals and report tailgating attempts.
  • Rotate visitor logbooks or use digital kiosks to protect prior entries from view.

Documentation to retain

  • Visitor policies, access logs, badge issuance records, and vendor confidentiality acknowledgements.

Emergency Access Procedures

Checklist

  • Define disaster recovery access steps for facilities and systems, including who authorizes emergency entry and when.
  • Maintain emergency keys, codes, and contact lists in sealed, audited locations with dual control.
  • Pre‑stage alternate work areas and minimum equipment to access ePHI when primary sites are unavailable.
  • Establish procedures to retrieve, protect, and relocate critical hardware and media safely.
  • Create a call tree and escalation matrix for 24/7 incident response and facility coordination.

Drills and testing

  • Run tabletop and live access drills at least annually; document timing, issues, and fixes.
  • Verify that emergency routes, lighting, and signage support safe and controlled access.

Documentation to retain

  • Emergency access playbooks, drill reports, after‑action items, and approvals for temporary access deviations.

Conclusion

Physical safeguards work when policies, spaces, devices, and people align. By enforcing facility access policies, workstation privacy controls, mobile device encryption, and disciplined electronic media disposal—plus clear disaster recovery access—you create consistent, auditable protection for PHI with minimal disruption to care or operations.


FAQs

What are physical safeguards under HIPAA?

Physical safeguards are measures that protect electronic protected health information (ePHI) by securing buildings, rooms, equipment, and media. They include facility access controls, workstation use and security, device and media controls, environmental protections, mobile device management, visitor control, and emergency access processes.

How do physical safeguards protect PHI?

They minimize risks of unauthorized viewing, theft, tampering, or loss by restricting who can enter sensitive areas, how workstations are positioned and locked, how devices and media are tracked and sanitized, and how emergencies are handled. Consistent logging, monitoring, and reviews make the protections verifiable.

What measures ensure secure disposal of electronic media?

Use a documented process that inventories the item, backs up needed data, sanitizes using approved methods (clear, purge, or destroy), verifies the result, and records proof such as wipe logs or certificates of destruction. Maintain chain of custody throughout transit and storage.

How can visitor access be controlled to protect ePHI?

Verify identity at entry, issue distinct visitor badges, log details in visitor access logs, and provide escorts in restricted areas. Train staff to challenge unbadged individuals, prohibit photography where ePHI may be exposed, and supervise vendors with documented entry and exit.
