HIPAA Physical Safeguards List: Requirements, Examples, and Checklist
This HIPAA Physical Safeguards List translates regulatory expectations into practical steps you can implement today. You will find clear requirements, real-world examples, and actionable checklists to protect Electronic Protected Health Information (ePHI) across facilities, workstations, and devices.
Use these access control measures to reduce risk, strengthen accountability, and demonstrate due diligence during audits. Each section integrates related concepts such as Physical Access Controls, Inventory Tracking, Secure Media Disposal, Encryption Standards, and Multifactor Authentication where appropriate.
Facility Access Controls
Control who can enter areas where ePHI is created, received, maintained, or transmitted. Start with a facility security plan that maps sensitive zones (records rooms, server closets, imaging suites) and defines required protections for each zone.
Layered defenses work best: exterior barriers, locked interior doors, restricted rooms, and locked racks or safes. Combine badges, keys, or biometrics with surveillance, alarms, and documented visitor handling to create verifiable Physical Access Controls.
Requirements
- Documented facility security plan, emergency mode operations, and contingency procedures.
- Authorized access based on role; periodic review and removal of access for job changes or terminations.
- Environmental protections for critical rooms (power, HVAC, water/leak detection) and tamper-evident measures.
Examples
- Badge readers with role-based door schedules and anti-tailgating devices at records rooms.
- Video surveillance with time-synced footage and privacy-aware camera placement.
- Key management logs for file cabinets and locked shelving where ePHI is stored.
Checklist
- Define sensitive zones; assign Access Control Measures for each.
- Implement dual verification for high-risk rooms (badge + PIN or biometric).
- Enable alarmed doors and maintain camera retention with regular log reviews.
- Run quarterly access recertifications and immediate offboarding revocations.
- Test emergency access procedures and document results.
Workstation Use and Security
Formalize how staff use workstations that access ePHI. Establish acceptable use, approved applications, data handling, and session standards. Short, specific rules reduce errors and make enforcement straightforward.
Define storage and transmission rules: no ePHI on local desktops unless business-justified and encrypted; use secure network shares or virtual desktops; mandate automatic screen locks and privacy screens in public or semi-public areas.
Requirements
- Written workstation use policy covering login, session timeout, and data storage rules.
- Restriction of software, peripherals, and websites to reduce exposure.
- Training and acknowledgment for all users before system access.
Examples
- A two-minute screen lock, a 15-minute session timeout, and a prohibition on local downloads of ePHI.
- USB mass storage disabled by policy with exceptions tracked and approved.
- Privacy filters in registration and nursing stations to prevent shoulder surfing.
Checklist
- Publish a concise workstation standard; require re-acknowledgment annually.
- Configure automatic lock and inactivity logoff on all endpoints.
- Restrict local save locations; route ePHI to secure, encrypted repositories.
- Deploy privacy screens and position monitors away from public view.
- Audit compliance monthly; remediate deviations promptly.
Device and Media Controls
Control the lifecycle of hardware and media that store ePHI—from acquisition and assignment to transfer, repair, reuse, and disposal. Centralized Inventory Tracking is essential for accountability and incident response.
Apply Encryption Standards to portable devices and ensure chain-of-custody during moves. Require formal authorization for any media leaving secure areas, and verify that data is protected in transit and at rest.
Requirements
- Accurate inventory for endpoints, removable media, and medical devices that handle ePHI.
- Procedures for authorization, transfer logging, and return of devices.
- Backup, restoration testing, and sanitization prior to reuse or disposal.
Examples
- Asset tags linked to users/locations with custody dates and status.
- Full-disk encryption on laptops and tablets aligned to recognized encryption standards.
- Signed media checkout forms for imaging CDs and encrypted USB drives.
Checklist
- Maintain a real-time asset register with ownership, encryption, and patch status.
- Require approvals for device movement; log chain-of-custody events.
- Encrypt portable devices; verify encryption before offsite use.
- Sanitize devices before reassignment; document the methods used.
- Reconcile inventory quarterly and upon staff departures.
Workstation Security
Physically protect workstations to prevent theft, tampering, and unauthorized viewing. Placement, mounting, and port controls reduce the likelihood of data exposure even if policies are followed inconsistently.
Combine physical locks with configuration hardening. For high-risk locations, use locked enclosures, cable locks, and port control to block unauthorized peripherals.
Requirements
- Secure placement that limits public visibility and physical access.
- Hardware protections for devices in public or shared spaces.
- Controls to prevent booting from external media and to protect BIOS/UEFI.
Examples
- Thin clients in wall-mounted, lockable housings in hallways.
- Docking stations with keyed locks and anchored cables in clinics.
- Port blockers for USB, disabled external boot, and BIOS passwords.
Checklist
- Position screens away from foot traffic; add privacy filters as needed.
- Anchor equipment; inventory lock keys and combinations.
- Disable unused ports; enforce secure boot configurations.
- Inspect high-traffic workstations weekly for tamper evidence.
Secure Disposal Procedures
Ensure Secure Media Disposal so ePHI cannot be recovered from retired or failed media. Choose methods appropriate to the medium and data sensitivity, and record each action for auditability.
Define who approves destruction, how vendors are vetted, and what proof is required. Maintain logs and certificates that tie each asset to a verified sanitization or destruction method.
Requirements
- Documented sanitization and destruction procedures for all media types.
- Verification and recordkeeping (date, method, serial/asset ID, witness).
- Vendor management for offsite destruction, including contractual safeguards.
Examples
- Cryptographic erase for self-encrypting drives, then physical shredding.
- Degaussing or pulverizing failed backup tapes with witnessed destruction.
- Secure bins for paper PHI with locked transport to on-site shredders.
Checklist
- Classify media and select approved sanitization methods per type.
- Require two-person verification for destruction events.
- Collect certificates of destruction; reconcile against inventory.
- Audit vendors annually; test sample media for successful sanitization.
Access Monitoring and Logging
Monitor and log entry to sensitive areas and access to systems that control physical security. Correlate door logs, visitor records, and camera footage to reconstruct events and detect anomalies.
Protect the logging systems themselves with strong authentication and role separation. Use Multifactor Authentication for administrators of physical access systems and encrypt logs in transit and at rest consistent with your encryption standards.
Requirements
- Time-synchronized logging for doors, alarms, and surveillance systems.
- Periodic review of logs with documented follow-up on exceptions.
- Retention aligned to risk tolerance and legal requirements.
Examples
- Alerts on after-hours door openings for non-on-call staff.
- Weekly reconciliation of badge logs with HR rosters and offboarding lists.
- Camera footage checks when high-risk doors are accessed.
Checklist
- Enable alerting on risky events; define escalation paths.
- Retain logs for an appropriate period; protect integrity with backups.
- Review exceptions at least monthly and track remediation.
- Restrict admin access using Multifactor Authentication and least privilege.
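The weekly badge-log reconciliation and the after-hours alert described above, as an added Python example that is not the page's own tooling; the door-controller export format, the HR roster, the on-call schedule and the 07:00-19:00 business-hours window are all constructed assumptions:

```python
# Added example (not the page's own tooling): reconcile badge-reader events
# against an HR roster and an on-call schedule, flagging the exceptions the
# checklist calls out. All data is constructed; 07:00-19:00 is assumed to be
# business hours for the after-hours rule.
from datetime import datetime, date, time

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed door-controller export: timestamp,door,badge_id,result
BADGE_LOG = """\
2024-03-04T08:12:00,records-room,B1001,granted
2024-03-04T22:40:00,server-closet,B1002,granted
2024-03-04T23:05:00,server-closet,B1003,granted
2024-03-05T09:30:00,records-room,B1004,granted
2024-03-05T09:31:00,records-room,B9999,denied
"""

# Constructed HR roster: badge_id -> termination date (None = active).
ROSTER = {"B1001": None, "B1002": None, "B1003": None,
          "B1004": date(2024, 3, 1)}

# Constructed on-call schedule: date -> badge ids covering that night.
ON_CALL = {date(2024, 3, 4): {"B1002"}}


def parse_events(text):
    """Parse CSV export lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, door, badge, result = line.split(",")
            events.append({"ts": datetime.fromisoformat(ts), "door": door,
                           "badge": badge, "result": result})
    return events


def find_exceptions(events, roster, on_call):
    """Return (rule, badge_id, door, timestamp) tuples needing follow-up."""
    findings = []
    for e in events:
        day, tod = e["ts"].date(), e["ts"].time()
        if e["badge"] not in roster:
            findings.append(("unknown-badge", e["badge"], e["door"], e["ts"]))
            continue
        term = roster[e["badge"]]
        if term is not None and day >= term:
            # Offboarding gap: a terminated badge is still active or being tried.
            findings.append(("terminated-badge", e["badge"], e["door"], e["ts"]))
        if (e["result"] == "granted"
                and not BUSINESS_START <= tod < BUSINESS_END
                and e["badge"] not in on_call.get(day, set())):
            findings.append(("after-hours-not-on-call", e["badge"], e["door"], e["ts"]))
    return findings
```

Each finding is a line item for the monthly exception review; the terminated-badge rule fires on denied attempts too, since a revoked badge still being presented is itself worth investigating.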
Visitor Management Practices
Control visitor presence anywhere ePHI could be exposed. A consistent process—verify, badge, escort, log, and collect—prevents accidental access and supports investigations.
Extend the same rigor to contractors and vendors. Define what areas require escorts, what devices visitors may bring, and how deliveries are handled to avoid unmonitored access.
Requirements
- Visitor identification, purpose verification, and pre-authorization where applicable.
- Distinct, expiring badges and escorts for restricted areas.
- Visitor logs that capture time in/out and host information.
Examples
- Front-desk identity check with temporary photo badges for contractors.
- Escort-only access to server rooms; no photography or recording allowed.
- Package intake at a controlled dock with inspection and logging.
Checklist
- Implement sign-in/sign-out with government ID verification where appropriate.
- Issue expiring badges; collect at exit and reconcile daily.
- Require escorts in restricted zones; train staff to challenge unbadged individuals.
- Record exceptions and conduct periodic spot checks.
Conclusion
By combining strong Physical Access Controls, disciplined workstation practices, robust Inventory Tracking, and Secure Media Disposal aligned to clear Encryption Standards, you create a defensible, auditable HIPAA physical safeguards program. Use the checklists to operationalize controls and review them regularly as facilities, staff, and technology change.
FAQs
What are the main types of HIPAA physical safeguards?
The main types include Facility Access Controls (planning, access authorization, contingency and emergency operations), Workstation Use and Security (acceptable use and session standards), Workstation Security (physical protections for devices), Device and Media Controls (inventory, transfer, reuse, and disposal), Access Monitoring and Logging, Secure Disposal Procedures, and Visitor Management practices.
How can organizations secure workstations that access ePHI?
Define strict use policies, enforce automatic locks and session timeouts, deploy privacy screens, restrict local storage, disable unauthorized peripherals, and physically secure devices with locks or enclosures. Pair these with encryption on endpoints, regular audits, and user training to ensure controls are consistently followed.
What procedures are required for disposal of media with ePHI?
Maintain a documented process that selects approved sanitization or destruction methods by media type, verifies results, and records details (date, method, serial/asset ID, and witnesses). Use Secure Media Disposal techniques such as cryptographic erase, shredding, degaussing, or pulverizing, and retain certificates or logs for audit evidence.
What physical access controls are recommended by HIPAA?
HIPAA expects risk-based Access Control Measures such as locked doors, role-based badging with dual verification for high-risk areas, tamper-evident protections, surveillance and alarms, emergency access procedures, and periodic recertification of access. Combine these with monitoring and logging to detect and investigate anomalies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.