HIPAA Security Rule Physical Safeguards: Complete List (with Examples)


Kevin Henry

HIPAA

March 31, 2024


The HIPAA Security Rule Physical Safeguards protect Electronic Protected Health Information (ePHI) by limiting who can touch systems and media and under what conditions. Below is the complete list of standards and implementation specifications, explained in plain language with practical examples you can apply.

Use these controls to formalize Facility Access Procedures, set Workstation Security Standards, and define Media Disposal Protocols. Where a safeguard is “Addressable,” it is not optional: you must still implement it or a reasonable equivalent, or document why an alternative control meets your risk environment.

Facility Access Controls

This standard establishes Physical Access Limitations for buildings, server rooms, network closets, and other spaces housing systems that create, receive, maintain, or transmit ePHI. The goal is to prevent unauthorized entry while enabling authorized operations, including emergencies.

Implementation specifications (all Addressable)

  • Contingency operations (A): Define how authorized personnel gain physical access to facilities during disasters to restore ePHI services. Example: emergency badges and a call-down list enabling IT and facilities to enter the data center during a power failure.
  • Facility security plan (A): Document how you protect physical areas and equipment from tampering or theft. Examples: layered badge zones, mantraps for server rooms, door alarms, CCTV coverage, and escort-required policies for visitors.
  • Access control and validation procedures (A): Verify identity and role before granting entry. Examples: role-based badges for clinical, billing, and vendor staff; two-factor entry for high-risk rooms; visitor sign-in with government ID and visible badges.
  • Maintenance records (A): Keep logs of repairs and changes to doors, locks, cameras, walls, and cabling. Examples: documenting a lock rekey, replacing ceiling tiles after cabling work, and recording a camera lens replacement.

What to document

  • Written Facility Access Procedures, zone maps, and critical-room inventories.
  • Visitor logs, access reviews, and badge issuance/termination records.
  • Maintenance and change records for physical security components.

Workstation Use Policies

This Required standard defines how workstations are used and where they are placed to protect ePHI. It covers desktops, laptops, thin clients, tablets, and shared kiosks accessible to workforce members.

Example policy clauses

  • Permitted functions: only job-related use; no personal storage of ePHI.
  • Physical surroundings: position screens away from public view; use privacy filters in semi-public areas.
  • Session management: short auto-lock timers; log off when unattended; prohibit sharing accounts.
  • Peripheral controls: restrict local printing, external drives, and camera use near ePHI.
  • Location rules: avoid placing workstations in patient waiting areas; secure mobile carts when not attended.
  • Remote and telehealth use: approved locations, encrypted connections, and secure storage during travel.
  • Training and enforcement: annual acknowledgment of Workstation Security Standards and spot audits.

Workstation Security Measures

This Required standard focuses on physical protections that restrict workstation access to authorized users. Combine location choices, hardware protections, and quick lockout to reduce shoulder-surfing and walk-up risks.


Controls and examples

  • Secure placement: orient screens away from foot traffic; add privacy filters at nurses’ stations.
  • Physical locking: cable locks or lockable docks for laptops; locked carts for mobile clinical workstations.
  • Secure rooms and enclosures: badge-controlled offices or cabinets for devices storing cached ePHI.
  • Port and device protections: USB port blockers, lockable drawers for scanners, and secure cradles for tablets.
  • Rapid lockout: short inactivity timeouts and proximity-card screen locks to prevent casual viewing.
  • Clean desk practices: remove paper with ePHI from around workstations; secure shredding consoles nearby.

Device and Media Controls

This Required standard governs the receipt, movement, reuse, and disposal of hardware and electronic media containing ePHI. It ensures nothing leaves or re-enters the environment without proper tracking, sanitization, and backups.

Implementation specifications

  • Disposal (Required): Define Media Disposal Protocols for drives, tapes, and devices. Examples: physical destruction (shred/pulverize), crypto-erase for SSDs, verified wipe for laptops, and certificates of destruction from vetted vendors.
  • Media re-use (Required): Establish Electronic Media Reuse Controls before redeploying or returning leased equipment. Examples: full sanitization and reimage, verification logs, and manager sign-off prior to reassignment.
  • Accountability (Addressable): Track movements of hardware/media and identify responsible persons. Examples: chain-of-custody forms, sign-out logs for loaner laptops, and barcode asset tracking tied to users and locations.
  • Data backup and storage (Addressable): Create a retrievable, exact backup of ePHI before moving or servicing equipment. Tip: pair backups with accountability records—“Data Backup Accountability”—to prove who created the backup, where it resides, and when test restores were performed.
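The Disposal and Media re-use specifications both call for a verified wipe and a verification log before anything is destroyed or redeployed. The following Python is an added example (not Accountable's code) of what that verification and log entry can look like for an overwrite-based wipe: it reads the media back to confirm it is all zeros, reports the offset of the first residual byte if the wipe did not complete, writes a hashed sanitization record with operator and manager sign-off, and gates reuse on both. The asset tags, names and the two 64 KiB sample images are constructed for the demo; crypto-erase on SSDs needs a different check (confirming the key was destroyed), which this does not cover.

```python
"""Added example: verify a zero-fill wipe and produce a signed-off sanitization
record for the asset log. Not the project's code; asset tags, names and the
sample images are constructed for the demo."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large devices stream without loading fully


def verify_zero_fill(stream, chunk_size=CHUNK):
    """Read every byte of `stream` and confirm the media reads back as zeros.

    Returns (clean, bytes_checked, first_dirty_offset). On a dirty result the
    offset of the first non-zero byte is reported so the log shows *where*
    the wipe failed, not just that it failed.
    """
    checked = 0
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            return True, checked, None
        if buf.count(0) != len(buf):
            first = next(i for i, b in enumerate(buf) if b)
            return False, checked + first, checked + first
        checked += len(buf)


def verify_zero_fill_path(path):
    """Convenience wrapper for a file or block device path (e.g. /dev/sdX after the wipe)."""
    with open(path, "rb") as f:
        return verify_zero_fill(f)


def sanitization_record(asset_tag, method, clean, bytes_checked, dirty_offset,
                        operator, signoff=None):
    """Build the verification-log entry the Disposal / Media re-use specs call for.

    The record carries who wiped, who signed off, what was checked and the
    result. A SHA-256 over the canonical JSON lets the log detect later edits.
    """
    body = {
        "asset_tag": asset_tag,
        "method": method,
        "verified_clean": clean,
        "bytes_checked": bytes_checked,
        "first_dirty_offset": dirty_offset,
        "operator": operator,
        "manager_signoff": signoff,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def reuse_approved(entry):
    """Gate for redeploying media: wipe verified clean AND a manager signed off."""
    rec = entry["record"]
    return bool(rec["verified_clean"] and rec["manager_signoff"])


def demo():
    """Run the check against two constructed 64 KiB images: one fully zeroed,
    one with residual data at byte 5000 (a wipe that did not complete)."""
    size = 64 * 1024
    clean_img = io.BytesIO(bytes(size))
    dirty = bytearray(size)
    dirty[5000] = 0x41
    dirty_img = io.BytesIO(bytes(dirty))

    clean = verify_zero_fill(clean_img, chunk_size=4096)
    dirty_res = verify_zero_fill(dirty_img, chunk_size=4096)

    ok_entry = sanitization_record("LAPTOP-0001", "zero-fill + verify", *clean,
                                   operator="jdoe", signoff="mgr-asmith")
    bad_entry = sanitization_record("LAPTOP-0002", "zero-fill + verify", *dirty_res,
                                    operator="jdoe", signoff=None)
    return {
        "clean": clean,
        "dirty": dirty_res,
        "reuse_ok": reuse_approved(ok_entry),
        "reuse_bad": reuse_approved(bad_entry),
        "hash_len": len(ok_entry["sha256"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of reading the whole device back rather than sampling is that a wipe interrupted part-way leaves the tail of the disk intact; a sampled check that happens to land in the zeroed region would pass it. The reuse gate keeps the manager sign-off the page asks for as a hard precondition rather than a field someone remembers to fill in.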

Operational examples

  • Loaner device workflow: issue from a locked cabinet, record to the asset system, sanitize upon return, and verify reimage.
  • End-of-life workflow: inventory device, back up ePHI, sanitize or destroy media, capture certificate, and update asset status.
  • Vendor service workflow: remove or encrypt storage before service, escort vendor, and log custody changes.

Physical Security Management

Strong outcomes come from managing safeguards as a program, not isolated tasks. Align controls with risk, measure performance, and maintain evidence that your environment limits physical access to ePHI appropriately.

Program checklist

  • Risk assessment: map facilities, classify rooms by sensitivity, and identify Physical Access Limitations.
  • Policies and procedures: publish Facility Access Procedures, Workstation Security Standards, and Media Disposal Protocols.
  • Asset and location inventory: tie devices to rooms, owners, and protection levels; review quarterly.
  • Access lifecycle: approve, provision, review, and revoke badges/keys; investigate anomalies.
  • Vendor and visitor management: pre-approve, escort, and log activities; maintain NDAs where applicable.
  • Monitoring and testing: camera/door audit trails, surprise walkthroughs, and periodic restore tests of backups.
  • Incident response: define steps for lost devices, tailgating, or unlogged work; document and retrain.
  • Facilities coordination: integrate maintenance records, environmental controls, and change management.
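Two items in the checklist, the access lifecycle review and the door audit trail, are where most physical-access findings come from in practice. The Python below is an added example (not Accountable's code) of the reconciliation and anomaly pass behind them: it compares the badge system's active badges against the HR roster to find badges that should have been revoked, then reads door-controller events and flags granted entries by those badges, entries to rooms the holder's role is not cleared for, and entries outside business hours. The roster, badge table, room-role map and log lines are all constructed sample data; the CSV layout of the door log is an assumption, since controllers export in many formats.

```python
"""Added example: reconcile badge records against the HR roster and flag door
events that need investigation. Not the project's code; the roster, badge
table and door log are constructed sample data."""
from datetime import datetime

# Constructed HR roster: badge holder -> role and termination date (None if current)
ROSTER = {
    "jdoe":    {"role": "it", "terminated": None},
    "asmith":  {"role": "billing", "terminated": None},
    "bwong":   {"role": "clinical", "terminated": "2024-02-15"},
    "vendor7": {"role": "vendor", "terminated": None},
}

# Constructed badge system export: badge -> holder and active flag
BADGES = {
    "B-101": {"holder": "jdoe", "active": True},
    "B-102": {"holder": "asmith", "active": True},
    "B-103": {"holder": "bwong", "active": True},   # should have been revoked at termination
    "B-104": {"holder": "vendor7", "active": True},
    "B-105": {"holder": "ghost", "active": True},   # no HR record at all
}

# Rooms and the roles allowed to enter them unescorted
ROOM_ROLES = {"server-room": {"it"}, "billing-office": {"billing", "it"}}

# Constructed door controller log: "timestamp,badge,room,result" (assumed layout)
DOOR_LOG = """\
2024-03-01T08:02:11,B-101,server-room,granted
2024-03-01T08:05:40,B-102,billing-office,granted
2024-03-02T22:14:03,B-103,billing-office,granted
2024-03-03T03:31:55,B-104,server-room,granted
2024-03-03T09:00:12,B-105,billing-office,granted
2024-03-03T09:01:30,B-102,server-room,denied
"""


def access_review(roster, badges):
    """Periodic review: active badges whose holder is terminated or unknown to HR."""
    findings = []
    for badge, info in badges.items():
        if not info["active"]:
            continue
        person = roster.get(info["holder"])
        if person is None:
            findings.append((badge, "no HR record for holder"))
        elif person["terminated"]:
            findings.append((badge, f"holder terminated {person['terminated']}"))
    return findings


def door_anomalies(log_text, roster, badges, room_roles, business_hours=(7, 19)):
    """Flag granted entries by badges that fail the review, entries to a room the
    holder's role is not cleared for, and any entry outside business hours."""
    flagged_badges = {b for b, _ in access_review(roster, badges)}
    anomalies = []
    for line in log_text.splitlines():
        ts, badge, room, result = line.split(",")
        if result != "granted":
            continue  # denied attempts are reviewed separately
        hour = datetime.fromisoformat(ts).hour
        holder = badges.get(badge, {}).get("holder")
        role = roster.get(holder, {}).get("role")
        reasons = []
        if badge in flagged_badges:
            reasons.append("badge failed access review")
        if room in room_roles and role not in room_roles[room]:
            reasons.append(f"role '{role}' not cleared for {room}")
        if not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            anomalies.append({"time": ts, "badge": badge, "room": room, "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for badge, why in access_review(ROSTER, BADGES):
        print(f"REVOKE {badge}: {why}")
    for a in door_anomalies(DOOR_LOG, ROSTER, BADGES, ROOM_ROLES):
        print(f"INVESTIGATE {a['time']} {a['badge']} {a['room']}: {'; '.join(a['reasons'])}")
```

Running it on the sample data flags the terminated employee's badge and the badge with no HR record for revocation, and lists three door events to investigate: the terminated employee's after-hours entry, an unescorted vendor entry to the server room at 03:31, and the orphan badge's entry. The review output and the anomaly list are the evidence the “access reviews” and “investigate anomalies” items ask you to keep.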

Conclusion

Implementing Facility Access Controls, Workstation Use Policies, Workstation Security Measures, and Device and Media Controls—supported by disciplined physical security management—creates layered protection for ePHI. Document what you do, test it, and keep evidence current to meet HIPAA’s requirements confidently.

FAQs

What are the key physical safeguards under the HIPAA Security Rule?

The core safeguards are Facility Access Controls, Workstation Use Policies, Workstation Security Measures, and Device and Media Controls. Together they limit physical access, guide proper workstation behavior, protect devices, and manage the movement, reuse, and disposal of media containing Electronic Protected Health Information.

How do facility access controls protect ePHI?

They implement Physical Access Limitations through a facility security plan, identity validation at doors, emergency access steps, and maintenance documentation. These Facility Access Procedures prevent unauthorized entry to rooms and equipment that store or process ePHI while ensuring authorized operations can continue.

What policies govern workstation use in HIPAA compliance?

Workstation Use Policies specify permitted functions, physical placement, screen privacy, session lock behavior, and restrictions on peripherals and printing. These Workstation Security Standards ensure only authorized users can view or handle ePHI at a workstation and that risky configurations are avoided.

How should electronic media containing ePHI be disposed of safely?

Follow Media Disposal Protocols that render data irretrievable, such as shredding or pulverizing drives, verified wiping, or crypto-erase for solid-state media. Track custody and document destruction, and before moving or servicing devices, ensure backups exist and are tied to clear accountability records—Data Backup Accountability.
