Physical Safeguards for PHI: HIPAA Compliance Checklist and Facility Security Controls


Kevin Henry

HIPAA

September 05, 2024

6 minute read

Physical safeguards are the measures that protect the facilities, equipment, and media where electronic protected health information (ePHI) is created, received, maintained, or transmitted. The HIPAA Security Rule sets them out in 45 CFR §164.310: facility access controls, workstation use, workstation security, and device and media controls. This checklist translates those requirements into practical facility security controls you can implement, verify, and maintain across sites.

Facility Access Controls

Objectives

Limit physical entry to areas where ePHI is created, received, maintained, or transmitted. Your Access Control Policies should define who may enter, when, and under what conditions, and should cover emergency access and maintenance visits explicitly rather than leaving them to ad hoc decisions.

Checklist

  • Segment spaces into public, controlled, and restricted zones; label doors and enforce a "no tailgating" rule.
  • Use badge readers or biometrics at restricted doors; enable anti-passback, and deactivate lost or stolen badges at the access controller immediately, not only in HR records.
  • Deploy monitored locks for server rooms, records rooms, and telecom closets; log every opening and every alarm.
  • Install cameras covering entrances, badge points, and sensitive corridors; define retention periods and who reviews footage.
  • After-hours controls: alarm arming, automatic door lock schedules, and security patrols.
  • Emergency access: break-glass keys or codes kept in tamper-evident containers, with every use logged, reviewed against a documented approval, and followed by re-keying or code rotation.

Evidence and Maintenance

  • Access logs and badge reports reviewed monthly against Access Control Policies.
  • Preventive maintenance entries for doors, locks, and cameras; these feed the Maintenance Records Compliance log.
  • Quarterly spot checks for door integrity, signage, and camera uptime.

Workstation Use and Security

Workstation Privacy Measures

Protect on-screen ePHI and prevent unauthorized use. Place workstations to reduce shoulder-surfing and apply privacy filters in high-traffic areas.

Checklist

  • Auto-lock after 5–10 minutes idle; require unique logins and prohibit shared accounts.
  • Restrict local data storage; default to encrypted network locations.
  • Disable boot from external media and set a firmware (UEFI/BIOS) password so the boot order cannot be changed; enforce full-disk encryption on laptops and kiosks.
  • Use cable locks or secured mounts for devices in public or semi-public spaces.
  • Adopt clean desk rules; secure documents and removable media when unattended.

Operational Controls

  • Standard workstation builds with hardened settings; documented Workstation Privacy Measures.
  • Screen placement review during moves, adds, and changes; capture results in floor plans.

Device and Media Controls

Asset Lifecycle

Track every device that may store ePHI—from acquisition to disposition. Maintain a current inventory tied to owners, locations, and data classification.

Checklist

  • Provisioning: record serials, encryption status, and assigned custodian at issuance.
  • Media reuse: sanitize with an approved method (NIST SP 800-88 "clear" for media staying under your control, "purge" for media leaving it); verify the result and keep the record.
  • Disposal: shred, pulverize, or degauss magnetic media; degaussing does not sanitize SSDs or other flash media, so use cryptographic erase or physical destruction for those. Retain certificates of destruction and chain-of-custody.
  • Transport: lockboxes for drives; tamper-evident seals for offsite movement.
  • Incident response: immediate quarantine and report for lost/stolen devices.

Evidence and Controls

  • Signed handoffs for repairs and RMA; entries support Maintenance Records Compliance.
  • Random audits comparing inventory to physical counts and system management data.
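The inventory audit above is easiest to run as a script rather than by eye. The following is an added example (not code from the original article or from any product it mentions) that reconciles three sources: an asset register export, an endpoint-management (MDM) export, and the serials actually sighted on a walkthrough. All three data sets are constructed for illustration; the column names, the 30-day "stale" threshold, and the audit date are assumptions, so map them to your own exports.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed asset register export (hypothetical data, not a real inventory).
REGISTER_CSV = """\
asset_id,serial,custodian,location,encrypted,classification
A-001,SN111,jdoe,Clinic-1,yes,ePHI
A-002,SN222,asmith,Clinic-1,yes,ePHI
A-003,SN333,,Storage,no,ePHI
A-004,SN444,bkim,Clinic-2,yes,ePHI
"""

# Constructed endpoint-management (MDM) export: what the fleet actually reports.
MDM_CSV = """\
serial,last_checkin,disk_encrypted
SN111,2024-09-04T10:00:00,true
SN222,2024-07-01T09:00:00,true
SN444,2024-09-04T08:30:00,false
SN555,2024-09-03T15:00:00,true
"""

# Constructed result of a physical walkthrough: serials actually sighted.
PHYSICAL_COUNT = {"SN111", "SN444", "SN555"}

AS_OF = datetime(2024, 9, 5)        # audit date (assumed)
STALE_AFTER = timedelta(days=30)    # no check-in for this long => possibly lost


def load_csv(text):
    """Parse a CSV export held in a string into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(register_rows, mdm_rows, physical, as_of=AS_OF):
    """Compare register, MDM and physical count; return a list of findings."""
    register = {r["serial"]: r for r in register_rows}
    mdm = {r["serial"]: r for r in mdm_rows}
    findings = []

    def flag(serial, issue):
        findings.append({"serial": serial, "issue": issue})

    for serial, r in register.items():
        holds_ephi = r["classification"] == "ePHI"
        if holds_ephi and not r["custodian"]:
            flag(serial, "no_custodian")            # nobody accountable for an ePHI device
        if holds_ephi and r["encrypted"] != "yes":
            flag(serial, "unencrypted_ephi")        # loss of this device is a breach
        m = mdm.get(serial)
        if m is None:
            flag(serial, "not_in_mdm")              # we own it on paper, fleet never saw it
        else:
            if as_of - datetime.fromisoformat(m["last_checkin"]) > STALE_AFTER:
                flag(serial, "stale_checkin")       # silent for too long: lost or offline
            if r["encrypted"] == "yes" and m["disk_encrypted"] != "true":
                flag(serial, "encryption_mismatch") # register is wrong or policy drifted
        if serial not in physical:
            flag(serial, "not_physically_found")
    # Devices the fleet sees but the register does not know about: shadow assets
    # that may already hold ePHI without an owner, classification, or disposal path.
    for serial in sorted(mdm.keys() - register.keys()):
        flag(serial, "unregistered_device")
    return findings


if __name__ == "__main__":
    for f in reconcile(load_csv(REGISTER_CSV), load_csv(MDM_CSV), PHYSICAL_COUNT):
        print(f"{f['serial']}: {f['issue']}")
```

Each finding maps to a concrete follow-up: a stale check-in plus a missing physical sighting is a lost-device investigation, an encryption mismatch is a register correction or a policy enforcement failure, and an unregistered device goes into the inventory before anything else. Keep the script's output with the audit record; it is the evidence that the comparison was actually done.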

Access Control and Validation Procedures

Identity Verification

Validate each person’s need to access locations where ePHI exists. Align physical authorization with job roles and Access Control Policies to prevent privilege creep.


Checklist

  • Onboarding: manager-approved requests; identity proofing before badge issuance.
  • Role-based access: restrict server rooms, imaging suites, and file rooms to authorized roles.
  • Revalidation: quarterly reviews of active badges; immediate deprovisioning on role change.
  • Vendor/contractor access: time-bound badges, background checks, and escort requirements.
  • Emergency override: tightly controlled process with post-event review.

Monitoring and Testing

  • Badge analytics for anomalies (after-hours entries, multiple door denials).
  • Walkthroughs to test guard procedures and challenge responses at controlled doors.
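The badge analytics item above lists the anomalies worth hunting for; here is what that detection looks like in practice. This is an added example, not code from the original article or from any access control product. It runs four checks over a constructed set of badge events (not real data): a revoked badge that still opens doors (the "lost-badge revocation" and "immediate deprovisioning" items earlier on this page), after-hours entry to a restricted zone, a burst of denials from one badge, and an anti-passback violation where a badge enters twice without leaving. The door names, badge IDs, business hours, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge events for illustration (not real data).
# Fields: ISO timestamp, badge id, door id, direction (in/out), reader decision.
SAMPLE_EVENTS = """\
2024-09-03T08:02:11 B1001 SRV-ROOM-A in granted
2024-09-03T08:05:40 B1001 SRV-ROOM-A out granted
2024-09-03T22:14:05 B1002 SRV-ROOM-A in granted
2024-09-03T12:00:01 B1003 RECORDS-RM in denied
2024-09-03T12:00:45 B1003 RECORDS-RM in denied
2024-09-03T12:03:10 B1003 RECORDS-RM in denied
2024-09-03T09:30:00 B1004 TELCO-CLOSET in granted
2024-09-03T09:45:00 B1004 TELCO-CLOSET in granted
2024-09-03T10:10:00 B1005 SRV-ROOM-A in granted
"""

# Assumed site configuration (hypothetical values).
RESTRICTED_DOORS = {"SRV-ROOM-A", "RECORDS-RM", "TELCO-CLOSET"}
REVOKED_BADGES = {"B1005"}             # reported lost; must be dead at the controller
BUSINESS_HOURS = (7, 19)               # 07:00-19:00 local, Monday to Friday
DENIAL_THRESHOLD = 3                   # denials per badge ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_events(text):
    """Parse whitespace-separated badge events and sort them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "direction": direction, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def is_after_hours(ts):
    """Weekend, or outside the configured business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def find_anomalies(events):
    """Return findings in time order, each a dict with kind/badge/door/ts."""
    findings = []
    recent_denials = defaultdict(list)  # badge -> timestamps of recent denials
    inside = set()                      # (badge, door) pairs currently checked in

    def flag(kind, e):
        findings.append({"kind": kind, "badge": e["badge"], "door": e["door"], "ts": e["ts"]})

    for e in events:
        granted = e["result"] == "granted"
        # 1. A badge that should have been deactivated still opens doors.
        if granted and e["badge"] in REVOKED_BADGES:
            flag("revoked_badge_used", e)
        # 2. Entry to a restricted zone outside business hours.
        if granted and e["direction"] == "in" and e["door"] in RESTRICTED_DOORS \
                and is_after_hours(e["ts"]):
            flag("after_hours_entry", e)
        # 3. Burst of denials: someone probing doors, or a badge that no longer
        #    matches the holder's role. Fires when the count reaches the threshold.
        if not granted:
            window = [t for t in recent_denials[e["badge"]] if e["ts"] - t <= DENIAL_WINDOW]
            window.append(e["ts"])
            recent_denials[e["badge"]] = window
            if len(window) == DENIAL_THRESHOLD:
                flag("denial_burst", e)
        # 4. Anti-passback: a second "in" with no "out" means the badge was handed
        #    back through the door, or someone tailgated and later re-badged.
        if granted:
            key = (e["badge"], e["door"])
            if e["direction"] == "in":
                if key in inside:
                    flag("passback_double_entry", e)
                inside.add(key)
            else:
                inside.discard(key)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['kind']:<22} badge={f['badge']} door={f['door']}")
```

The revoked-badge check is the one to run most often: it is the direct test of whether "lost-badge revocation" and "immediate deprovisioning" actually happened at the controller, and a single hit is a finding for the monthly access review. The after-hours rule deliberately only fires on granted entries to restricted doors; denied after-hours attempts are already covered by the denial-burst rule.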

Contingency Operations

Disaster Recovery Plans

Enable safe, rapid restoration of operations after fire, flood, cyber events, or utility outages without exposing ePHI. Integrate physical steps within your Disaster Recovery Plans.

Checklist

  • Backup power: UPS for critical systems; generator testing with logged run results.
  • Alternate site readiness: defined locations, access methods, and minimum equipment lists.
  • Environmental controls: temperature/humidity monitoring with alerts and documented response.
  • Emergency communications: on-call trees, mass notification, and contact lists for responders.
  • Recovery drills: tabletop and live tests covering physical access, equipment staging, and safety.

Evidence

  • Exercise reports with corrective actions; updates folded into Disaster Recovery Plans.
  • Service tickets and maintenance logs for generators, UPS, and sensors.

Facility Security Plan

Plan Structure

Document how your Facility Security Plans translate risk assessments into controls, staffing, and procedures. Include diagrams of zones, critical rooms, ingress/egress paths, and surveillance coverage.

Checklist

  • Governance: owners, review cadence, and approval workflow.
  • Controls mapping: doors, locks, alarms, cameras, and guard posts mapped to risks.
  • Preventive maintenance: schedules for locks, cameras, alarms, and generators.
  • Training: annual refreshers for staff and guards on physical safeguard procedures.
  • Records: centralized repository for policies, floor plans, drills, and inspections.

Maintenance Records Compliance

  • Standardize entries with asset ID, work performed, parts used, technician, and timestamp.
  • Retain logs per policy; sample monthly for completeness and signatures.
  • Cross-reference maintenance events with incidents to spot control weaknesses.

Visitor Access Management

Visitor Access Procedures

Control and record non-workforce presence to prevent unintended exposure of ePHI. Apply consistent rules for clients, vendors, auditors, and regulators.

Checklist

  • Reception controls: ID verification, sign-in/out, purpose of visit, and contact host.
  • Badging: color-coded visitor badges with expiration; no unescorted access to restricted zones.
  • Escorts: trained hosts for tours, repairs, and audits; defined maximum visitor-to-escort ratios.
  • Prohibitions: no photography in restricted areas; secured storage for personal bags if required.
  • Deliveries: screened at designated points; maintain custody until staged in approved areas.
  • Log retention: preserve visitor records per policy for investigations and audits.

Conclusion

By embedding clear Access Control Policies, rigorous Workstation Privacy Measures, disciplined device handling, robust Facility Security Plans, and orderly Visitor Access Procedures, you create layered physical safeguards for PHI. Maintain evidence, test routinely, and update controls as operations change to keep ePHI secure and HIPAA-compliant.

FAQs

What are physical safeguards for PHI?

They are facility and equipment protections—locks, badges, cameras, workstation standards, device/media handling, and documented procedures—that prevent unauthorized physical access to systems and locations where ePHI resides. They work alongside administrative and technical safeguards to create a complete defense-in-depth program.

How do facility access controls protect ePHI?

They restrict entry to sensitive zones, validate identities, and record access events. With role-based badges, monitored locks, and surveillance, only authorized people reach systems holding Electronic Protected Health Information, reducing theft, tampering, and viewing risks.

What is the role of visitor access management in HIPAA compliance?

Visitor controls ensure non-workforce individuals are identified, badged, escorted, and logged. Clear Visitor Access Procedures limit where visitors can go and provide auditable records that demonstrate adherence to HIPAA’s physical safeguard requirements.

How should maintenance records be kept for facility security?

Use a centralized log tied to asset IDs capturing date, technician, work performed, test results, and approvals. Retain records per policy, sample routinely for quality, and link them to incidents; this Maintenance Records Compliance trail proves that door locks, cameras, alarms, and power systems are maintained and functioning as designed.
