HIPAA Security Rule Physical Safeguards Requirements: What You Need to Know (Compliance Checklist)

The HIPAA Security Rule’s Physical Safeguards set expectations for how you protect the places, equipment, and media that store or process electronic protected health information (ePHI). These controls reduce the risk of theft, loss, damage, and unauthorized viewing by establishing physical access limitations, secure workstation practices, and device/media handling procedures.

Use the following sections as a practical compliance checklist. For each area, implement controls proportionate to your environment, document decisions, and validate that safeguards work as designed.

Facility Access Controls

Facility Access Controls limit who can enter buildings, data closets, and server rooms where ePHI resides. You should define authorized roles, enforce identity validation at entry points, and establish procedures for emergencies without opening the door to unnecessary risk. Documenting a facility security plan ensures consistency during staff turnover or incidents.

Support these controls with auditable logs—badges, biometrics, or keys tied to named individuals—plus video retention aligned to policy. Include processes for maintenance and repairs so contractors never gain unescorted access to sensitive areas.

Compliance checklist:

• Document a facility security plan that maps sensitive areas and physical access limitations.
• Use role-based authorization with badges, keys, or biometrics and keep issuance/return logs.
• Maintain visitor sign-in, escort requirements, and video coverage for critical zones.
• Record door events and review logs; investigate anomalies such as tailgating.
• Control and audit facility maintenance, repairs, and after-hours access.
• Define emergency access procedures that preserve security while enabling safe entry.

Workstation Use Policies

Workstation use policies describe acceptable use and placement of desktops, laptops, and kiosks that may display ePHI. Specify locations to prevent shoulder-surfing, require privacy screens where needed, and prohibit storing ePHI locally unless justified and encrypted.

Define session behavior, including inactivity timeouts, screen locking, and restrictions on personal software or external media. Train staff on clean desk and clear screen habits to reduce incidental exposure.

Compliance checklist:

• Publish written rules for workstation placement, acceptable use, and data handling.
• Require automatic screen lock and short inactivity timeouts.
• Mandate privacy screens or positioning to block public viewing of ePHI.
• Prohibit local storage of ePHI unless approved; require encryption if permitted.
• Limit peripheral use (USBs, printers) and define workstation access control expectations.

Workstation Security

Workstation Security focuses on physical safeguards for devices themselves. Secure endpoints with cable locks or locked offices, and separate kiosks from public traffic to prevent tampering. For telehealth or remote work, provide guidance on securing home offices and transporting laptops.

Pair physical restraint with logical protections like boot protection and restricted BIOS access so an attacker cannot bypass controls by removing drives or changing startup settings.

Compliance checklist:

• Physically secure workstations (locks, anchors, secured rooms) based on risk.
• Restrict BIOS/UEFI, disable boot-from-external-media, and require full-disk encryption.
• Harden kiosks: block ports, disable local admin, and enable tamper-evident seals.
• Provide secure transport procedures for laptops and field devices.
• Inspect high-risk workstations regularly and document results.

Device and Media Controls

Device and Media Controls govern the lifecycle of hardware and storage that may contain ePHI—acquisition, movement, reuse, and disposal. Before relocating or repurposing equipment, back up necessary data, then sanitize media to an approved standard.

Establish media disposal procedures for drives, tapes, USB devices, and printers/MFPs with onboard storage. Sanitize using validated wiping, cryptographic erase, degaussing, or physical destruction, and keep certificates of destruction or chain-of-custody records.

Compliance checklist:

• Require data backup and verification before moving or reusing devices.
• Track custody when devices leave secure areas; log transfers and recipients.
• Standardize media disposal procedures with approved sanitization methods.
• Document sanitization/destruction outcomes; retain receipts and attestations.
• Remove or sanitize embedded storage in copiers, scanners, and medical equipment.

Mobile Device Policies

Mobile Device Policies cover smartphones, tablets, and laptops used to access ePHI. Adopt mobile device management (MDM) to enforce encryption, passcodes, remote lock/wipe, and containerization that separates organizational data from personal data on BYOD devices.

Set rules for offline caching, tethering, hotspot use, and app installation. Require immediate reporting of loss or theft so you can trigger remote wipe and document the incident.

Compliance checklist:

• Enroll devices in MDM with enforced encryption and strong authentication.
• Enable remote wipe, jailbreak/root detection, and policy compliance checks.
• Use secure containers for ePHI and disable unapproved cloud backups.
• Prohibit local ePHI downloads unless justified; define offline access limits.
• Require prompt incident reporting for lost or stolen devices.

Hardware Inventory

A reliable hardware inventory underpins accountability for any system that may process or store ePHI. Use hardware asset tracking to identify ownership, location, purpose, data classification, and support contacts for each asset.

Maintain lifecycle records from procurement to disposal, linking serial numbers and asset tags to assigned users and systems. Accurate inventory enables fast incident response and efficient recalls, patches, or retirement.

Compliance checklist:

• Maintain a centralized inventory for all ePHI-capable devices and media.
• Assign unique asset IDs, owners, locations, and system relationships.
• Record lifecycle events: assignment, movement, repair, and disposal.
• Reconcile inventory with physical audits; investigate discrepancies.
• Integrate inventory with ticketing and change management for traceability.

Environmental Controls

Environmental controls protect facilities and equipment from fire, water, extreme temperature, and power issues. Deploy environmental risk safeguards such as smoke detection, clean-agent suppression where appropriate, water-leak sensors, temperature and humidity monitoring, and protective cable routing.

Uninterruptible power supplies and generators keep critical systems online; surge protection, grounding, and orderly shutdown plans prevent data corruption. Monitor conditions and alert staff when thresholds are exceeded.

Compliance checklist:

• Install temperature, humidity, smoke, and water-leak monitoring in critical areas.
• Use appropriate fire suppression (e.g., clean agent) for server rooms.
• Provide UPS, surge protection, and generator coverage for essential systems.
• Document preventive maintenance for HVAC, power, and detection systems.
• Test alerts and response procedures; log and resolve environmental incidents.

Visitor Control

Visitor control prevents unauthorized individuals from viewing or accessing ePHI and sensitive equipment. Require sign-in, government-issued identification where appropriate, visible visitor badges, and escorts within secure zones.

Use cameras, access logs, and periodic reviews to confirm monitoring compliance. Limit photography and recording in clinical and data areas, and revoke access immediately if behavior violates policy.

Compliance checklist:

• Implement a sign-in process capturing identity, purpose, host, and time stamps.
• Issue distinctive badges and require escorts in restricted areas.
• Prohibit recording devices in sensitive zones unless explicitly approved.
• Retain visitor logs and video for a policy-defined period; review regularly.
• Train staff to challenge unbadged persons and report anomalies.

Access Control Mechanisms

Access control mechanisms translate policy into enforceable barriers. Combine badges, PINs, and biometrics where appropriate, and segment facilities into zones that reflect job duties. Rotate keys, revoke badges promptly, and maintain audit trails for investigations.

Align physical controls with workstation access control and identity governance so that physical and logical access change together when roles or employment status change.

Compliance checklist:

• Deploy multi-factor access for high-risk rooms and racks.
• Define zoned access based on least privilege; review access lists regularly.
• Manage keys/cards lifecycle: issuance, renewal, rotation, and revocation.
• Correlate door logs with identity systems and security events.
• Test fail-safe and fail-secure modes for doors during outages or emergencies.

Contingency Operations Plan

A contingency operations plan describes how you will access facilities and systems that store ePHI during emergencies while preserving security. Define alternate sites, prioritized entry to critical areas, and procedures for restoring power, networking, and environmental services.

Exercise the plan, coordinate with emergency responders and facilities teams, and document lessons learned. Keep kits on hand—spare keys, access cards, contact lists, and procedures—to support rapid, secure recovery.

Compliance checklist:

• Document emergency-mode operations and roles for physical access during incidents.
• Designate alternate processing locations and secure transport of essential media.
• Test contingency access to server rooms, cages, and telecom spaces.
• Stage recovery supplies (badges, keys, PPE) and maintain up-to-date contacts.
• Review and update plans after drills, incidents, and organizational changes.

Bringing these safeguards together—facility controls, workstation governance, device/media handling, and resilient environmental measures—creates layered protection for ePHI. Regular testing, documentation, and staff awareness keep controls effective as your operations evolve.

FAQs

What are the key physical safeguards in the HIPAA Security Rule?

The core areas are facility access controls, workstation use and security, device and media controls, and supporting mechanisms like visitor control, environmental risk safeguards, and access control mechanisms. Together they create layered, auditable protection around ePHI.

How should organizations control access to workstations containing ePHI?

Place workstations to prevent casual viewing, require privacy screens, enforce short timeouts and automatic locks, and restrict ports and peripherals. Pair physical placement with workstation access control, full-disk encryption, and strong authentication to reduce exposure.

What procedures are required for disposing of ePHI on media devices?

Back up needed data, remove from service, then sanitize with approved methods such as cryptographic erase, validated overwriting, degaussing, or physical destruction. Record chain of custody and outcomes to prove compliance with media disposal procedures.

How can facilities ensure visitor control and monitoring compliance?

Require sign-in and identity verification, issue visible visitor badges, escort visitors in restricted areas, and retain logs and video for review. Train staff to challenge unbadged individuals and prohibit recording in zones where electronic protected health information is present.