HIPAA Physical Security Risk Assessment Guide: Steps, Examples, and Checklist



Kevin Henry

HIPAA

November 03, 2024


This HIPAA Physical Security Risk Assessment Guide walks you through a practical, auditable process to protect PHI in real-world facilities. You will scope what is in play, rate risks with clear examples, close gaps with targeted controls, and finish with a usable checklist and documentation set.

Define the Scope of PHI

Pinpoint where PHI lives and moves

List every place PHI may be present: reception desks, exam rooms, nurse stations, server rooms, network closets, offsite storage, and transport paths. Include paper, workstations, mobile carts, portable media, badge printers, and backup devices to cover PHI protection requirements end to end.

Set boundaries and stakeholders

Map facilities, suites, and co-located areas. Identify owners for each space (facilities, IT, security, clinical, and compliance). Include vendors under business associate agreements that host records storage, shredding, or colocation so their physical controls are assessed alongside yours.

Scope outputs

  • Asset and location inventory tied to PHI flows.
  • Critical areas list (e.g., server room, records room, mailroom, loading dock).
  • Assumptions and exclusions to anchor the security risk analysis report.

Identify and Analyze Risks

Use a consistent method

For each area, evaluate threats (intrusion, theft, tailgating, environmental damage), vulnerabilities (unlocked doors, poor camera angles), existing access control mechanisms, and impact if PHI is exposed. Score likelihood and impact (e.g., 1–5) and compute inherent risk to prioritize action.

Concrete examples

  • Unlocked network closet near a public corridor; shared keypad code. Likelihood: High; Impact: High; Example controls: rekey to unique badges, add door contacts and logs, enforce code rotation.
  • Workstations facing public check-in with visible screens. Likelihood: Medium; Impact: Medium; Controls: privacy filters, screen timeout, reposition desks, enforce workstation security rules.
  • Unescorted visitors in back office during deliveries. Likelihood: Medium; Impact: High; Controls: escort requirement, visitor badges, training, camera coverage at doors.
  • Media disposal bins without locks. Likelihood: Medium; Impact: High; Controls: locked consoles, chain-of-custody receipts, shred-on-site options.
  • Server room cooling failure risk. Likelihood: Low; Impact: High; Controls: environmental sensors, alerts, redundant HVAC, periodic tests.

Correlate activity and logs

Compare physical access logs with EHR security logs to spot anomalies, such as EHR access after-hours without badge entries. This helps validate that controls deter misuse and that monitoring detects suspicious patterns.
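The correlation described above, as an added example that is not part of the original guide: it runs over constructed sample badge and EHR audit lines and flags after-hours EHR access that has no recent badge entry for the same user. The log formats, the 07:00–19:00 business window and the 14-hour badge validity window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Badge system: who badged in, where, when.
BADGE_LOG = """\
2024-10-14T07:55:02 badge_in user=jdoe door=main-entrance
2024-10-14T22:10:45 badge_in user=asmith door=main-entrance
2024-10-14T08:02:11 badge_in user=mlee door=main-entrance
"""
# EHR audit log: who opened which record, when, from which workstation.
EHR_LOG = """\
2024-10-14T08:20:30 ehr_access user=jdoe workstation=WS-EXAM-3 record=PT-0001
2024-10-14T22:15:09 ehr_access user=asmith workstation=WS-NURSE-1 record=PT-0002
2024-10-14T23:40:00 ehr_access user=mlee workstation=WS-NURSE-2 record=PT-0003
2024-10-14T02:05:17 ehr_access user=rkhan workstation=WS-RECORDS record=PT-0004
"""
BUSINESS_HOURS = (7, 19)            # 07:00-19:00 local (assumption)
BADGE_WINDOW = timedelta(hours=14)  # a badge-in "covers" EHR use this long (assumption)

def parse(text):
    """Turn 'timestamp kind key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events

def is_after_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def find_anomalies(badge_text, ehr_text):
    """Return (user, timestamp, workstation, reason) for after-hours EHR access
    with no badge entry, or whose latest badge entry is older than BADGE_WINDOW."""
    badges = parse(badge_text)
    flagged = []
    for ev in parse(ehr_text):
        if not is_after_hours(ev["ts"]):
            continue
        prior = [b for b in badges if b["user"] == ev["user"] and b["ts"] <= ev["ts"]]
        if not prior:
            reason = "no badge entry before EHR access"
        elif ev["ts"] - max(prior, key=lambda b: b["ts"])["ts"] > BADGE_WINDOW:
            reason = "last badge entry older than window"
        else:
            continue  # badge entry and EHR use are consistent
        flagged.append((ev["user"], ev["ts"].isoformat(), ev["workstation"], reason))
    return flagged

if __name__ == "__main__":
    for row in find_anomalies(BADGE_LOG, EHR_LOG):
        print(row)
```

Each flagged row is a lead for review (shared credential, tailgating, or a logging gap), not a finding by itself; the window should be tuned to your shift lengths.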

Perform Gap Analysis

Map controls to requirements

Compare current controls to PHI protection requirements for facility access, workstation security, and device/media controls. Note where policies exist but are not enforced, or where enforcement exists without written procedures.

Evidence and verification

Collect proof: door and camera logs, access reviews, visitor logs, equipment lists, floor plans, and training records. Confirm document retention policies define how long each record type is kept and who owns it.

Prioritize gaps

  • High risk, low cost: fix immediately (e.g., rekey, install privacy screens).
  • High risk, higher cost: plan as projects with interim safeguards.
  • Low risk: monitor and revisit during audits.

Develop and Implement Mitigation Measures

Quick wins

  • Reinforce badge-only entry and disable shared keypad codes.
  • Add door-ajar alerts and camera views for critical rooms.
  • Deploy privacy filters and auto-lock settings on high-traffic workstations.
  • Introduce tamper-evident, locked shred consoles and train staff.

Projects and engineering controls

  • Segment critical spaces with higher-grade locks and multi-factor access.
  • Harden server rooms: environmental monitoring, UPS, fire suppression.
  • Improve visitor management: pre-registration, badges, escort policy, signage.
  • Reconfigure layouts to reduce shoulder surfing and tailgating.

Risk management action plan

Create a plan that ties each gap to a control, owner, budget, start/end dates, and target risk reduction. Note residual risk and approvals when full mitigation is not feasible. Extend requirements to vendors via business associate agreements and verify their implementation.


Document the Assessment Process

Build the security risk analysis report

Document scope, methodology, inventories, floor plans, risk ratings, selected controls, and acceptance decisions. Include how you validated assumptions and how you will measure effectiveness over time.

Include supporting artifacts

  • Access control mechanisms and settings snapshots (doors, cameras, alarms).
  • Visitor logs, incident reports, vendor attestations, and training records.
  • Change records for code rotations, key revocations, and badge audits.

Follow document retention policies

Store the report and supporting evidence according to your document retention policies, typically at least six years. Keep version history, review dates, and sign-offs to demonstrate continuous compliance.

Conduct Regular Audits

Cadence and triggers

Schedule comprehensive reviews annually, with targeted spot checks quarterly. Trigger an interim assessment after incidents, facility changes, vendor changes, or new equipment deployments.

What to test

  • Door integrity, badge revocation timing, and code rotation logs.
  • Camera coverage and retention; alert tuning and response times.
  • Escort compliance and visitor badge returns.
  • Device and media disposal chain-of-custody checks.
  • Correlation between physical access and EHR security logs.

Metrics that matter

  • Unauthorized access attempts and tailgating rates.
  • Mean time to revoke access and to resolve alerts.
  • Audit exceptions closed by due date and residual risk trend.

Use Comprehensive Security Checklists

Facility access controls

  • Entry points secured with unique credentials; no shared codes.
  • Critical rooms have alarms, door contacts, and monitored cameras.
  • Visitor management requires IDs, badges, logs, and escorts.
  • Emergency egress maintained without weakening security.

Workstation security

  • Screens positioned away from public view; privacy filters installed as needed.
  • Auto-lock and inactivity timeouts enforced and tested.
  • Cable locks or secure mounts for kiosks and high-risk locations.

Device and media controls

  • Locked storage for paper charts and portable media; sign-in/out process.
  • Sanitization and destruction verified; shred bins are locked and serviced.
  • Transport procedures for PHI include sealed containers and chain-of-custody.

Monitoring and response

  • Access logs and video retained per policy; alerts reviewed promptly.
  • After-hours access reviewed and compared with EHR security logs.
  • Incident response playbooks include physical breaches and evidence handling.

Documentation and vendor management

  • Policies and procedures align with PHI protection requirements.
  • Security risk analysis report and updates are versioned and approved.
  • Risk management action plan tracked to closure with owners and dates.
  • Business associate agreements define physical safeguards and audit rights.
  • Document retention policies specify records, owners, and timelines.

Summary

By scoping PHI precisely, rating and prioritizing risks, closing gaps with strong physical and administrative controls, and documenting everything, you create a defensible program. The checklist, action plan, and audits keep protections effective as your environment changes.

FAQs

What are the key steps in a HIPAA physical security risk assessment?

Define PHI scope and locations, identify and rate risks, perform a gap analysis against requirements, implement prioritized mitigations via a risk management action plan, document everything in a security risk analysis report, and audit regularly to verify effectiveness.

How do you identify vulnerabilities in physical security for HIPAA compliance?

Walk each area where PHI exists, test access control mechanisms, review visitor handling, and inspect workstation and media protections. Analyze incidents and correlate physical access logs with EHR security logs to uncover behavioral gaps that walkthroughs may miss.

What documentation is required after conducting a HIPAA physical security risk assessment?

Maintain a security risk analysis report, inventories and floor plans, risk register and ratings, the risk management action plan with owners and deadlines, logs and evidence (access, camera, visitor, destruction), vendor attestations tied to business associate agreements, and retention details per your document retention policies.
