How Many Physical Safeguards Are Required by HIPAA? The 4 Standards Explained


How Many Physical Safeguards Are Required by HIPAA? The 4 Standards Explained

Kevin Henry

HIPAA

February 13, 2024

7 minutes read

If you are asking, “How many physical safeguards are required by HIPAA?” the answer is four. Under the HIPAA Security Rule, these physical safeguards protect electronic protected health information (ePHI) by controlling buildings, rooms, workstations, and the movement of devices and media. Each standard focuses on reducing physical access risks and proving that only authorized people can reach systems holding ePHI.

The four standards are Facility Access Controls, Workstation Use Policies, Workstation Security Measures, and Device and Media Controls. All four are required, and each has implementation specifications—some required, some addressable—that you must evaluate and document.

Facility Access Controls

What this standard covers

Facility Access Controls require you to limit physical access to locations housing systems that create, receive, maintain, or transmit ePHI, while ensuring authorized access is available. This includes data centers, network closets, imaging rooms, and any space where servers, workstations, or storage that hold ePHI reside.

Practical controls you can implement

  • Physical access limitations: badged entry, locks, visitor escorts, and monitored entrances for server rooms and wiring closets.
  • Contingency operations: procedures for accessing facilities during emergencies to support patient care without compromising security.
  • Access control and validation: role-based badges, photo ID checks, and visitor logs with start/stop times.
  • Facility security plan: diagrams of sensitive areas, camera coverage, alarm points, and approved ingress/egress paths.
  • Maintenance records: documentation of door hardware service, lock changes, and security system tests.

Documentation essentials

Keep a facility security plan, access rosters, visitor logs, and maintenance records. Review them at least annually and after any renovation, relocation, or incident affecting physical security.

Workstation Use Policies

Scope and intent

Workstation Use Policies define the appropriate functions, operating posture, and physical surroundings for any workstation that can access ePHI. A “workstation” includes desktops, laptops, tablets, thin clients, and clinical kiosks in nursing stations, exam rooms, registration, and remote sites.

Policy elements to include

  • Permitted uses and locations: where devices may be placed, who may use them, and conditions for shared stations.
  • Environmental controls: screen orientation away from public view, privacy screens, and limits on printing where passersby could see ePHI.
  • Handling practices: clean desk rules, secure storage when unattended, and prohibition of sticky notes or labels revealing credentials.
  • Conversation and display etiquette: no discussing or displaying ePHI in public areas or within earshot of unauthorized individuals.
  • Remote and home use: requirements for private work areas, locked storage, and restrictions on use in public spaces.

Training and accountability

Train your workforce on the policy, capture acknowledgments, and audit compliance during rounding. Align exceptions to a risk-based process and document the rationale.

Workstation Security Measures

Physical protections

  • Secure placement: position workstations in controlled rooms or behind supervised desks; use anchored mounts or cable locks.
  • Room controls: locked doors, badge readers, and surveillance in areas with persistent ePHI access.
  • Secure peripherals: locked printer bins, covered fax trays, and shredders located near print areas to prevent stray ePHI exposure.

Access restrictions and monitoring

  • Role-based physical access: limit areas with ePHI-capable workstations to authorized roles; use signage to deter tailgating.
  • Monitoring: cameras in high-risk areas and routine walk-throughs to verify clear screens and secured devices.

Remote and mobile considerations

  • Home offices: dedicate a private room, prevent household access, and store devices in locked cabinets when not in use.
  • Travel: never leave devices unattended in vehicles; use hotel safes or maintain constant possession.

Verification and upkeep

Use checklists during unit rounding to confirm privacy screens, workstation placement, and physical locks. Record corrective actions and retest to show continuous improvement.

Device and Media Controls

Scope of device and media handling

This standard governs the lifecycle of hardware and electronic media that store or transport ePHI: servers, laptops, drives, copiers, scanners, removable media, and smart devices. Controls cover acquisition, movement, reuse, storage, and final disposal.

Disposal (Required)

Implement procedures to render ePHI unrecoverable when devices or media reach end of life. Use methods such as certified physical destruction, cryptographic erasure for encrypted drives, or NIST-guided sanitization. Keep certificates of destruction and chain-of-custody records.

Media Re-use (Required)

Before redeploying or returning equipment, remove ePHI using validated wiping tools or reimage with a trusted baseline. Affix tags indicating sanitization date, method, and technician.

Accountability (Addressable)

Track the movement of hardware and media with asset IDs, custody logs, and transfer approvals. If another control achieves the same protection, document the alternative and your risk assessment.

Data Backup and Storage (Addressable)

Create a retrievable, exact copy of ePHI before moving equipment so data is not lost in transit or during service. Store backups securely and verify restorability with routine test restores.

Implementation Specifications for Physical Safeguards

How the standards break down

  • Facility Access Controls (Addressable specifications):
    • Contingency operations
    • Facility security plan
    • Access control and validation procedures
    • Maintenance records
  • Workstation Use Policies: standard with no separate implementation specifications; you must define and enforce appropriate use and surroundings.
  • Workstation Security Measures: standard with no separate implementation specifications; you must restrict physical access to authorized users.
  • Device and Media Controls:
    • Disposal (Required)
    • Media re-use (Required)
    • Accountability (Addressable)
    • Data backup and storage (Addressable)

“Required” vs. “Addressable” in practice

“Required” specifications must be implemented as written. “Addressable” items must be implemented if reasonable and appropriate; if not, you must adopt an equivalent alternative or document why the specification is not reasonable in your environment, including your risk analysis and compensating controls.

Compliance Strategies for HIPAA Physical Safeguards

A practical roadmap

  • Map ePHI locations: identify rooms, closets, and devices where ePHI exists; maintain diagrams with sensitivity labels.
  • Perform a physical risk analysis: evaluate threats like theft, tailgating, shoulder surfing, fire, flood, and equipment loss.
  • Select controls: align physical access limitations, visitor management, workstation security, and device/media processes with identified risks.
  • Write concise procedures: make steps actionable—who does what, when, and how evidence is captured.
  • Train and test: deliver role-based training, conduct drills for contingency operations, and perform periodic rounds.
  • Audit and log evidence: retain visitor logs, access reports, sanitization certificates, backup tests, and maintenance records.
  • Manage vendors: require documented device sanitization, secure transport, and proof of destruction from service providers.

Metrics that demonstrate control effectiveness

  • Visitor discrepancies per quarter and time-to-remediation.
  • Percentage of workstations with privacy screens in high-traffic areas.
  • Asset tracking accuracy and on-time removal of decommissioned devices.
  • Backup restore success rates before equipment moves.

Common pitfalls to avoid

  • Unlogged vendor access to data closets or imaging rooms.
  • Shared workstations facing public walkways without privacy screens.
  • Returning leased copiers or drives without documented ePHI sanitization.
  • Failing to update facility security plans after renovations or relocations.

Conclusion

HIPAA’s four physical safeguards work together to protect ePHI: control who gets into facilities, define how workstations are used, secure those workstations, and govern device and media handling. By tying your controls to the implementation specifications and documenting decisions, you can meet the HIPAA Security Rule while making access both secure and practical.

FAQs

What are the four physical safeguards required by HIPAA?

The four physical safeguards are Facility Access Controls, Workstation Use Policies, Workstation Security Measures, and Device and Media Controls. Together they limit physical access to systems handling ePHI and define how devices and work areas are used and protected.

How do facility access controls protect ePHI?

They establish physical access limitations so only authorized individuals can enter areas housing ePHI systems. Typical measures include badge-controlled doors, visitor logs, escorts, surveillance, a facility security plan, and documented maintenance of locks and alarms, all while enabling authorized access during normal and emergency operations.

What policies govern workstation use under HIPAA?

Workstation Use Policies specify allowed functions, approved locations, and environmental safeguards such as privacy screens, screen positioning, clean desk practices, and restrictions on printing or displaying ePHI in public view. They also address remote use, storage when unattended, and etiquette to prevent unauthorized observation.

How should device and media controls be implemented?

Apply lifecycle controls: inventory and track assets, create backups before moving equipment, sanitize media before reuse, and ensure secure disposal with certificates of destruction. Use chain-of-custody for transfers, document exceptions for addressable items, and routinely test that backups are restorable.
