What Are HIPAA Physical Safeguards? Examples and How to Stay Compliant

Kevin Henry

HIPAA

February 16, 2024


Facility Access Controls

What this means

Facility access controls limit who can physically enter the spaces where electronic protected health information (ePHI) is stored or accessed: buildings, server rooms, wiring closets, and any area housing systems that handle ePHI. This is the first physical safeguard standard in the HIPAA Security Rule (45 CFR §164.310(a)(1)); its implementation specifications cover contingency operations, a facility security plan, access control and validation procedures, and maintenance records. Strong Physical Security Policies define how you prevent unauthorized entry, verify identities, and respond to incidents.

Practical examples

  • Badged entry with role-based permissions for clinical areas, records rooms, and data closets.
  • Two-door vestibules or locked suites with reception desks to prevent tailgating.
  • Visitor sign-in, government ID checks, badges labeled “Visitor,” and escorted access.
  • Locked doors for after-hours access with automated re-lock and door-ajar alerts.
  • Separate contractor entrances with preauthorized access windows.

How to stay compliant

  • Perform Facility Access Validation (the rule's access control and validation procedures): confirm each person's need-to-enter before issuing badges or keys, and review privileges at defined intervals rather than only at hire.
  • Document access procedures, including emergency overrides, in Physical Security Policies and train staff on enforcement.
  • Maintain a current floor plan identifying ePHI locations and required security levels.
  • Revoke credentials immediately during offboarding; audit key and badge inventories regularly.

Workstation Security

What this means

Workstation security protects any endpoint used to view or handle ePHI: desktops, laptops, tablets, thin clients, and nursing stations. The Security Rule splits this into two standards: workstation use (§164.310(b)), which specifies the proper functions, manner of use, and physical surroundings for each class of workstation, and workstation security (§164.310(c)), which restricts physical access to authorized users. Controls address placement, use, configuration, and supervision to ensure only authorized users view ePHI.

Practical examples

  • Auto-lock screens after brief inactivity and require strong authentication for re-entry.
  • Position monitors away from public view; add privacy screens in semi-public areas.
  • Secure devices with cable locks or docking stations; prohibit unattended logins.
  • Restrict local data storage; route access to ePHI through managed, encrypted sessions.
  • Disable unused ports (for example, USB) to prevent unauthorized copying.

How to stay compliant

  • Publish workstation use standards as part of your Physical Security Policies and enforce them with technical controls (screen-lock timers, disabled ports) and walkthrough (rounding) checks.
  • Maintain an approved software and patch baseline; monitor for configuration drift.
  • Provide role-based training and spot checks to ensure staff follow lock, logoff, and clean-desk expectations.

Device and Media Controls

What this means

Device and media controls (§164.310(d)(1)) govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and their movement within it, from acquisition through transfer, reuse, and disposal. The goal is to prevent data exposure when devices move, change hands, or reach end-of-life.

Practical examples

  • Asset inventories with serial numbers and assigned custodians for laptops, scanners, copiers, and backup media.
  • Chain-of-custody forms when shipping or relocating devices containing ePHI.
  • Sanitization before reuse using approved wipe methods and validation reports.
  • Secure media storage in locked containers with access logs.

How to stay compliant

  • Define and document Electronic Media Disposal Procedures: specify approved sanitization methods, verification steps, and when to physically destroy drives. Disposal and media re-use are required implementation specifications under §164.310(d)(2); accountability (tracking media movement) and data backup before equipment is moved are addressable.
  • Encrypt data at rest on portable devices; prohibit unencrypted removable media.
  • Vet disposal vendors; obtain certificates of destruction and keep records for audits.
  • Train staff to report lost or misplaced media immediately and initiate incident response.
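The "verification steps" and "validation reports" above are where a disposal procedure most often falls short in practice: the wipe is run, but nobody reads the media back. The following script, added here as an example and not code from the article or any vendor, does a full read-back of a zero-filled drive or image and emits the record a device-and-media log would keep. The report fields, the chunk size and the `make_image` stand-in for real media are assumptions; the sample images and serial numbers are constructed.

```python
"""Read-back verification of a zero-filled drive or image, producing the
record that an Electronic Media Disposal Procedure asks for.

Added example, not the article's or any vendor's code. Report fields and
the chunk size are assumptions; the images are constructed stand-ins for
real media (point verify_zero_fill at /dev/sdX or an image to use it).
"""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # assumed read size


def verify_zero_fill(path, chunk=CHUNK):
    """Full read-back. Returns (passed, bytes_scanned, first_nonzero_offset)."""
    zero = bytes(chunk)
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            if buf != zero[:len(buf)]:
                # Stop at the first residual byte and report where it sits.
                first_bad = offset + next(i for i, b in enumerate(buf) if b)
                return False, offset + len(buf), first_bad
            offset += len(buf)
    return True, offset, None


def sanitization_record(asset_serial, method, path, verifier):
    """One entry for the device-and-media log: method, result, disposition."""
    passed, scanned, first_bad = verify_zero_fill(path)
    return {
        "asset_serial": asset_serial,
        "method": method,
        "verifier": verifier,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_verified": scanned,
        "result": "PASS" if passed else "FAIL",
        "first_nonzero_offset": first_bad,
        "disposition": "release for reuse" if passed else "re-sanitize or physically destroy",
    }


def make_image(size, residual_at=None):
    """Constructed stand-in for a drive: zero-filled, optionally with leftover bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)                     # sparse file, reads back as zeros
        if residual_at is not None:
            f.seek(residual_at)
            f.write(b"MRN 000123 (constructed residue)")
    return path


def demo():
    """Verify one clean image and one with residual data; return both records."""
    clean = make_image(4 * CHUNK)
    dirty = make_image(4 * CHUNK, residual_at=3 * CHUNK + 512)
    try:
        return [
            sanitization_record("SN-CONSTRUCTED-1", "zero-fill", clean, "auditor"),
            sanitization_record("SN-CONSTRUCTED-2", "zero-fill", dirty, "auditor"),
        ]
    finally:
        os.remove(clean)
        os.remove(dirty)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The check reads every byte rather than sampling, so a single leftover sector fails the media and the record says where it was found. Two caveats a reviewer will raise: a zero read-back only proves the logical block view, so on SSDs (where remapped and over-provisioned blocks are unreachable from the host) prefer the drive's built-in sanitize or secure-erase command, or physical destruction; and the record is only evidence if it is attached to the asset's disposal entry along with the custodian and the certificate of destruction where one applies.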

Security Cameras and Alarms

What this means

Surveillance Systems and alarm controls deter, detect, and help investigate unauthorized physical access. They supplement—not replace—locks, guards, and visitor procedures.

Practical examples

  • Camera coverage of entrances, loading docks, reception, data closets, and server rooms.
  • Door contacts, glass-break sensors, and motion detectors with centralized monitoring.
  • Retention of footage for a defined period; restricted, logged access to recordings.
  • Privacy-by-design: avoid cameras in treatment rooms or other sensitive areas.

How to stay compliant

  • Document camera placement, retention, and access rules in Physical Security Policies.
  • Test alarms and failover power routinely; repair blind spots promptly.
  • Correlate camera events with badge access logs to speed investigations.

Equipment Security

What this means

Equipment security protects the physical IT assets that process or store ePHI—servers, switches, backup systems, and medical devices with computing components. Controls focus on locking, hardening, and environmental safety.

Practical examples

  • Locked server rooms and network racks; keyed or badged access limited to authorized staff.
  • Tamper-evident seals on critical devices and secure mounting or anchoring of equipment.
  • Environmental safeguards: temperature and humidity monitoring, leak detection, UPS and generator power.
  • Spare parts and on-call vendor arrangements to minimize downtime.

How to stay compliant

  • Maintain equipment inventories with locations, owners, and maintenance schedules.
  • Control and log vendor access; escort service personnel in sensitive spaces.
  • Include physical equipment risks in your risk analysis and mitigation plan.

Access Logs and Audits

What this means

Access logging creates a record of who entered protected areas and when. Audits verify that controls are working and that entries align with job duties. Together they enable effective Audit Trail Maintenance for physical access.

Practical examples

  • Badge system reports showing door, time, and user; visitor logs with entry and exit times.
  • Video review to validate suspicious entries or after-hours activity.
  • Exception workflows for lost badges, door-forced-open events, or tailgating alerts.

How to stay compliant

  • Schedule routine reviews of access logs; investigate anomalies and document outcomes.
  • Reconcile logs with HR changes to remove access quickly when roles change.
  • Define retention periods for physical and video logs consistent with policy and law.
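The routine review above, the reconciliation against HR changes, and the badge-to-camera correlation from the Security Cameras and Alarms section are all the same job: read the badge export, apply a few rules, and produce findings someone has to close out. The script below is an added example, not code from the article or any badge vendor, showing that review over a constructed export. The CSV columns, event names (`granted`, `denied`, `forced_open`, `door_held_open`), the HR roster shape, the 07:00 to 19:00 weekday business window and the passback threshold are all assumptions; every record is constructed.

```python
"""Review a badge-reader export for the anomalies this section describes:
door alarms, after-hours entry to sensitive rooms, badges still working
after HR termination, repeated grants that suggest badge passback, and
camera motion in a secured room with no matching badge entry.

Added example, not the article's or any vendor's code. Every record below
is constructed; columns, event names and roster layout are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime, time, timedelta

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed policy: weekdays 07:00-19:00
SENSITIVE_DOORS = {"SERVER-ROOM-1", "DATA-CLOSET-2", "RECORDS-ROOM"}
PASSBACK_WINDOW = timedelta(seconds=60)      # same badge, same door, repeated grants
PASSBACK_THRESHOLD = 3
CAMERA_MATCH_WINDOW = timedelta(minutes=2)   # motion should follow a grant within this

# Constructed badge export (not real data).
BADGE_EVENTS_CSV = """\
timestamp,door,badge_id,event
2024-02-12T08:02:11,SERVER-ROOM-1,B1001,granted
2024-02-12T08:02:14,SERVER-ROOM-1,,door_held_open
2024-02-12T12:30:05,RECORDS-ROOM,B1002,granted
2024-02-12T22:47:52,SERVER-ROOM-1,B1003,granted
2024-02-13T03:15:20,DATA-CLOSET-2,,forced_open
2024-02-13T09:00:01,RECORDS-ROOM,B1002,granted
2024-02-13T09:00:03,RECORDS-ROOM,B1002,granted
2024-02-13T09:00:04,RECORDS-ROOM,B1002,granted
2024-02-13T10:12:40,SERVER-ROOM-1,B1004,granted
2024-02-13T10:13:00,SERVER-ROOM-1,B1005,denied
2024-02-13T11:05:30,DATA-CLOSET-2,B1099,granted
"""

# Constructed HR roster: badge_id -> (name, status, termination date).
HR_ROSTER = {
    "B1001": ("A. Nurse", "active", None),
    "B1002": ("R. Clerk", "active", None),
    "B1003": ("M. Admin", "active", None),
    "B1004": ("T. Contractor", "terminated", date(2024, 2, 9)),
    "B1005": ("L. Intern", "active", None),
}

# Constructed camera motion events: (timestamp, door the camera covers).
CAMERA_EVENTS = [
    (datetime(2024, 2, 12, 8, 3, 0), "SERVER-ROOM-1"),    # follows B1001's grant
    (datetime(2024, 2, 13, 3, 15, 40), "DATA-CLOSET-2"),  # follows the forced-open alarm
]


def parse_events(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(row["timestamp"]), "door": row["door"],
                     "badge": row["badge_id"] or None, "event": row["event"]})
    return sorted(rows, key=lambda r: r["ts"])


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def audit(events, roster, camera_events):
    """Return (kind, timestamp, door, detail) findings, oldest first."""
    findings = []
    grants_by_door = defaultdict(list)

    for e in events:
        if e["event"] in ("forced_open", "door_held_open"):
            findings.append(("door_alarm", e["ts"], e["door"], e["event"]))
            continue
        if e["event"] != "granted":          # single denials are noise; alert on volume separately
            continue
        grants_by_door[e["door"]].append(e)
        if e["door"] in SENSITIVE_DOORS and is_after_hours(e["ts"]):
            findings.append(("after_hours", e["ts"], e["door"], e["badge"]))
        _, status, term_date = roster.get(e["badge"], (None, "unknown", None))
        if status == "unknown":
            findings.append(("unknown_badge", e["ts"], e["door"], e["badge"]))
        elif status == "terminated" and (term_date is None or e["ts"].date() >= term_date):
            findings.append(("terminated_badge_used", e["ts"], e["door"], e["badge"]))

    # Passback: the same badge granted at the same door several times inside one window.
    for door, grants in grants_by_door.items():
        by_badge = defaultdict(list)
        for g in grants:
            by_badge[g["badge"]].append(g["ts"])
        for badge, times in by_badge.items():
            for i in range(len(times)):
                j = i
                while j + 1 < len(times) and times[j + 1] - times[i] <= PASSBACK_WINDOW:
                    j += 1
                if j - i + 1 >= PASSBACK_THRESHOLD:
                    findings.append(("possible_passback", times[i], door, badge))
                    break

    # Camera correlation: motion in a secured room should follow a badge grant.
    for cam_ts, door in camera_events:
        grants = grants_by_door.get(door, [])
        if not any(timedelta(0) <= cam_ts - g["ts"] <= CAMERA_MATCH_WINDOW for g in grants):
            findings.append(("motion_without_badge", cam_ts, door, None))

    return sorted(findings, key=lambda f: f[1])


def run_audit():
    return audit(parse_events(BADGE_EVENTS_CSV), HR_ROSTER, CAMERA_EVENTS)


if __name__ == "__main__":
    for kind, ts, door, detail in run_audit():
        print(f"{ts.isoformat()}  {kind:<22} {door:<14} {detail or ''}")
```

On the constructed data this produces seven findings: two door alarms, one after-hours server-room entry, motion in the data closet with no badge grant behind it (the forced-open case), three grants for one badge at the records room inside four seconds, a badge still granting access four days after its holder's termination date, and a badge the roster does not know at all. The terminated-badge and unknown-badge findings are exactly what "reconcile logs with HR changes" catches, and they should feed straight back into badge revocation rather than sit in a report. Tune the business window, the door list and the passback threshold to your own policy; the point is that each rule is written down and repeatable, which is what an auditor asks to see.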

Emergency Access Procedures

What this means

Emergency Access Protocols ensure you can reach ePHI during crises (power loss, fire, flood, cyber incident, or building closures) without sacrificing security. In the Security Rule, the physical side of this is the contingency operations implementation specification under facility access controls (§164.310(a)(2)(i)), which provides facility access in support of the disaster recovery and emergency mode operation plans; the separate "emergency access procedure" for systems sits under the technical safeguards (§164.312(a)(2)(ii)). Plans define who can invoke emergency measures and how access is controlled, tracked, and rolled back.

Practical examples

  • “Break-glass” keys or codes for server rooms, stored in sealed, logged locations.
  • Downtime procedures with secured paper forms and locked storage for later reconciliation.
  • Alternative work areas or mobile carts with encrypted devices and hotspot failover.
  • Grab-and-go kits: contact lists, badge reissuance process, and instructions for manual check-in.

How to stay compliant

  • Run drills and tabletop exercises; document lessons learned and update procedures.
  • Limit emergency overrides to specific roles; review and revoke temporary access promptly.
  • Back up critical configurations for access control and surveillance to speed recovery.

Conclusion

HIPAA physical safeguards protect people, places, and equipment so ePHI stays secure and available. By enforcing Facility Access Validation, hardening workstations, managing devices and media, deploying well-governed Surveillance Systems, logging activity, and practicing Emergency Access Protocols, you create a defensible, audit-ready posture.

FAQs

What are physical safeguards under HIPAA?

Under the HIPAA Security Rule (45 CFR §164.310), physical safeguards are the measures that protect facilities, workstations, devices, and media that handle ePHI. The rule defines four standards: facility access controls, workstation use, workstation security, and device and media controls. Surveillance and alarms, equipment protections, logging, auditing, and emergency procedures are the implementation specifications and operational practices that support those standards and keep ePHI secure yet available when needed.

How do you implement facility access controls?

Start with a risk assessment that maps ePHI locations, then set role-based access, visitor procedures, and after-hours rules. Use badges and locks, verify identity through Facility Access Validation, monitor with cameras and alarms, and review privileges and logs on a regular schedule.

What procedures ensure secure disposal of electronic media?

Create written Electronic Media Disposal Procedures that specify approved sanitization or destruction methods, verification steps, custody tracking, and recordkeeping. Encrypt portable devices, sanitize before reuse, physically destroy media when required, and obtain certificates of destruction from trusted vendors.

How can staff be trained on HIPAA physical safeguards?

Provide role-specific training that covers Physical Security Policies, workstation use, visitor handling, device and media rules, and Emergency Access Protocols. Reinforce learning with quick-reference guides, drills, signage at entry points, and periodic refreshers tied to audits and incident lessons learned.
