What Are HIPAA Physical Safeguards? The Complete List Explained
HIPAA physical safeguards are the Security Rule’s requirements for controlling real‑world access to places, workstations, devices, and media that store Electronic Protected Health Information (ePHI). They ensure only authorized people can reach systems and records, and that equipment is protected from theft, tampering, and environmental hazards to maintain Security Rule Compliance.
HIPAA uses a risk‑based approach. Some implementation specifications are “addressable,” meaning you must assess reasonableness, implement the control or a comparably effective alternative, and document your decision. Below, you’ll find the complete list and practical steps you can apply to your environment.
Facility Access Controls
This standard requires policies and procedures that limit physical access to facilities where ePHI systems are housed, while ensuring that authorized access is available when needed. It ties directly to your Access Control Policies and on‑site Physical Security Measures.
Scope and implementation specifications
- Contingency Operations (Addressable): Procedures to enable facility access during disaster recovery and emergency mode operations.
- Facility Security Plan (Addressable): A documented plan describing safeguards to protect the facility and critical areas.
- Access Control and Validation Procedures (Addressable): Role‑based mechanisms to verify a person’s authority before granting entry.
- Maintenance Documentation (Addressable): Records of repairs and modifications to doors, locks, walls, and related security components.
Core Physical Security Measures to consider
- Layered access zones (public, staff‑only, secure, and server rooms) with locked doors and badge readers.
- Visitor management: sign‑in, government ID verification, disposable badges, and escorts in secure zones.
- Video monitoring, door contact sensors, and alarmed emergency exits in high‑risk areas.
- Environmental protections for data rooms (fire suppression, temperature/humidity monitoring, leak detection).
- After‑hours controls: auto‑arming, reduced access lists, and real‑time alerts for off‑schedule entry.
Maintenance Documentation
Keep dated records of construction changes, lock replacements, keying schedules, badge system updates, camera placements, and vendor work that could impact security. This Maintenance Documentation proves due diligence and supports audits and investigations.
Evidence for Security Rule Compliance
- Facility diagrams and zone maps with access points marked.
- Written Access Control Policies and procedures covering normal, after‑hours, and emergency access.
- Access request/approval forms, termination checklists, and periodic access review reports.
- Visitor logs and access control system logs with defined retention periods.
Facility Security Plan
The Facility Security Plan translates your risk analysis into site‑specific controls. It documents how you protect entrances, server rooms, telecom closets, archives, and any location where ePHI systems or backups reside.
What to include
- Site risk assessment: threats, likelihood, and safeguards for each area.
- Zone classification and entry criteria (who may enter, when, and how validation occurs).
- Physical controls: locks, badges, biometrics, cameras, alarms, mantraps, and reception procedures.
- Emergency egress, muster points, and alternate access paths for outages.
- Contractor/vendor rules and escort expectations inside secure areas.
- Change control: how updates to doors, walls, ceilings, cabling, or racks are reviewed and recorded.
Governance and review
- Ownership and roles: who approves changes, who audits logs, and who investigates incidents.
- Testing cadence: walkthroughs, door and alarm tests, and camera coverage reviews at least annually or after major changes.
- Alignment with Contingency Planning Procedures to ensure continuity during disruptions.
Access Control and Validation Procedures
These procedures ensure only authorized individuals can enter defined areas and that access aligns with job duties. They operationalize least privilege in the physical world and prevent tailgating, social engineering, and misuse of shared credentials.
Core elements
- Role‑based access profiles: default deny; grant only the zones a role needs (e.g., clinicians vs. IT vs. facilities).
- Identity validation: photo badges, PINs/biometrics for sensitive rooms, and challenge procedures for unbadged persons.
- Visitor workflow: pre‑authorization, ID verification, badges with expiration, and mandatory escorts in secure zones.
- Contractor controls: limited‑duration access, signed acknowledgments, and post‑work access removal.
Lifecycle and oversight
- Onboarding: documented approvals before issuing keys/cards; proof of training.
- Offboarding: same‑day revocation; key/badge return; incident reporting if items are missing.
- Periodic revalidation: at least quarterly for high‑risk zones; reconcile access lists against HR rosters.
- Logging: retain door access logs long enough to support investigations and legal holds.
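The quarterly revalidation above (reconciling badge access lists against HR rosters and trimming zones a role does not need) can be scripted. The following is an added example, not code from the original article; the CSV layouts, field names, department-to-zone baseline and the sample rows are constructed assumptions for illustration.

```python
"""Reconcile a badge-system access export against an HR roster.

Flags badges with no HR record, badges held by non-active staff, and
badges granting zones beyond the role's least-privilege baseline.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample exports (hypothetical formats, not real data).
HR_ROSTER_CSV = """employee_id,name,department,status
E100,Ada Clinician,Clinical,active
E200,Bo Sysadmin,IT,active
E300,Cy Former,Facilities,terminated
"""

BADGE_ACCESS_CSV = """badge_id,employee_id,zones
B1,E100,lobby;clinic;server_room
B2,E200,lobby;clinic;server_room
B3,E300,lobby;facilities
B4,E999,lobby;server_room
"""

# Zones each department legitimately needs (assumed least-privilege baseline).
ALLOWED_ZONES = {
    "Clinical": {"lobby", "clinic"},
    "IT": {"lobby", "clinic", "server_room"},
    "Facilities": {"lobby", "facilities"},
}


@dataclass
class Finding:
    badge_id: str
    employee_id: str
    reason: str


def reconcile(hr_csv: str, badge_csv: str) -> list:
    """Return the badges that should be revoked or trimmed, in badge order."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(badge_csv)):
        emp = hr.get(row["employee_id"])
        zones = set(row["zones"].split(";"))
        if emp is None:
            findings.append(Finding(row["badge_id"], row["employee_id"], "no HR record"))
        elif emp["status"] != "active":
            findings.append(Finding(row["badge_id"], row["employee_id"], f"HR status {emp['status']}"))
        else:
            excess = zones - ALLOWED_ZONES.get(emp["department"], set())
            if excess:
                findings.append(Finding(row["badge_id"], row["employee_id"],
                                        "excess zones: " + ",".join(sorted(excess))))
    return findings
```

Each finding maps to a revocation or a zone trim that the access owner signs off on, and the list itself becomes the periodic access review report.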
Contingency Operations
Contingency Operations cover how you enable facility access to support disaster recovery and emergency mode operations, so teams can restore ePHI systems safely and quickly. The focus is controlled, accountable entry when normal processes are disrupted.
Before an emergency
- Pre‑authorize an emergency access team; maintain an updated call list and alternate contacts.
- Stage emergency keys/badges in sealed, logged containers; define break‑glass approvals.
- Document routes, safe staging areas, generator connections, and critical vendor contacts.
- Coordinate with building management and first responders on access and reentry conditions.
During and after an event
- Activate emergency access logs and escorts; capture who entered, when, and why.
- Protect assets in transit (e.g., moving servers to an alternate site) with chain‑of‑custody forms.
- Run after‑action reviews; update procedures and your Contingency Planning Procedures accordingly.
Workstation Use
This standard requires policies that specify proper functions, how work is performed, and the physical attributes of the environment for any workstation that accesses ePHI. A “workstation” includes desktops, laptops, thin clients, tablets, and kiosks.
What your policy should define
- Authorized uses and prohibited activities (e.g., personal storage of patient data, unauthorized software).
- Screen positioning, privacy screens, and clean‑desk expectations to prevent shoulder surfing.
- Automatic session locks, short inactivity timeouts, and logoff rules before leaving a device.
- Printing controls: secure pick‑up, locked bins, and immediate shredding of misprints.
Remote, mobile, and shared scenarios
- Home and telehealth settings: dedicated workspace, locked storage, and no access by family or visitors.
- Hot‑desks and kiosks: single‑purpose accounts, no local data storage, and frequent sanitation between users.
- Transport expectations: do not leave devices unattended in vehicles; use locked cases when traveling.
Workstation Security
Workstation Security requires physical safeguards that restrict access to authorized users. It complements technical controls by preventing theft or tampering with unattended devices.
Physical controls to implement
- Locks and anchors: cable locks, locked offices, and bolted docking stations in public‑facing areas.
- Secure placement: keep devices out of public sightlines; avoid exposing screens to waiting rooms.
- Port and peripheral controls: port blockers, locked USB hubs, and secured external drives.
- Inventory discipline: unique asset tags, assigned custodians, and routine spot checks.
Special cases
- Kiosks and registration desks: tamper‑evident seals, auto‑logout, and locked BIOS/boot settings.
- Home use: store devices in locked rooms when unattended; restrict use to authorized staff only.
- Incident response: immediate reporting for lost/stolen devices and prompt execution of containment steps.
Device and Media Controls
This standard governs the movement, reuse, storage, and disposal of hardware and electronic media that contain ePHI. Strong chain‑of‑custody and Media Disposal Protocols reduce the risk of data exposure when devices leave secure areas or are retired.
Disposal (Required)
- Sanitize or destroy media before disposal using methods appropriate to the medium (e.g., cryptographic erase, multi‑pass overwrite, degauss, shred).
- Use vetted disposal vendors with documented serial‑number tracking and certificates of destruction.
- Record what was destroyed, when, by whom, and the method used; retain evidence for audits.
Media Re‑use (Required)
- Sanitize devices and removable media before reassigning them to new users or functions.
- Validate the wipe (spot checks, verification logs) and document approvals prior to redeployment.
- Reimage from trusted sources; restore only authorized configurations.
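Validating a wipe before redeployment, as the list above calls for, means reading the media back and recording the result. This added example (not from the original article) spot-checks random blocks of a sanitized image for the expected fill byte and emits a record for the verification log; the block size, sample count and the constructed in-memory images are assumptions.

```python
"""Spot-check a sanitized media image and produce a verification record."""
import io
import random
from datetime import datetime, timezone
from typing import Optional


def verify_wipe(media, size: int, samples: int = 64, block: int = 4096,
                fill: int = 0x00, seed: Optional[int] = None) -> dict:
    """Read `samples` blocks at pseudo-random offsets of a file-like object
    and confirm every byte equals `fill`. The first and last blocks are
    always included, because stale partition headers and trailing metadata
    are the most common survivors of an incomplete wipe."""
    rng = random.Random(seed)  # seed only for reproducible checks
    offsets = [rng.randrange(0, max(1, size - block)) for _ in range(samples)]
    offsets = [0] + sorted(offsets) + [max(0, size - block)]
    expected = bytes([fill]) * block
    dirty = []
    for off in offsets:
        media.seek(off)
        chunk = media.read(block)
        if chunk != expected[:len(chunk)]:  # short read at end is fine
            dirty.append(off)
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "blocks_sampled": len(offsets),
        "first_dirty_offset": dirty[0] if dirty else None,
        "passed": not dirty,
    }


def check_image(data: bytes, seed: int = 1) -> dict:
    """Convenience wrapper for checking an in-memory image."""
    return verify_wipe(io.BytesIO(data), len(data), seed=seed)


# Constructed samples: a 1 MiB zero-filled image, and one where a GPT header
# signature survives at LBA 1 (offset 512), simulating a wipe that skipped it.
SIZE = 1024 * 1024
CLEAN_IMAGE = bytes(SIZE)
STALE_IMAGE = bytes(512) + b"EFI PART" + bytes(SIZE - 520)
```

A failed record should block redeployment and trigger a full re-wipe; a passed record, stored with the asset tag and approver, is the verification log entry.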
Accountability (Addressable)
- Maintain an asset register with owners, locations, and data classifications.
- Log check‑out/check‑in for laptops, loaners, external drives, and backup media.
- Require chain‑of‑custody forms when shipping or moving equipment between sites.
Data Backup and Storage (Addressable)
- Back up ePHI before moving or servicing devices; verify restore integrity.
- Store backup media in secure, access‑controlled locations with environmental protections.
- Protect encryption keys and ensure they are recoverable during emergencies.
Additional practices
- Standardize packaging and tamper‑evident seals for shipping devices that may contain ePHI.
- Define vendor intake/outtake procedures for repairs, including signed acknowledgments of data handling rules.
- Align records and receipts with your Security Rule Compliance evidence strategy.
Conclusion
To implement HIPAA physical safeguards effectively, define clear Access Control Policies, document a living Facility Security Plan, drill Contingency Operations, govern Workstation Use and Workstation Security, and rigorously manage Device and Media Controls. Keep thorough Maintenance Documentation and chain‑of‑custody records to demonstrate consistent, risk‑based protection of Electronic Protected Health Information.
FAQs
What are the main types of HIPAA physical safeguards?
The four types are Facility Access Controls (including contingency operations, a facility security plan, access control/validation, and maintenance records), Workstation Use, Workstation Security, and Device and Media Controls (disposal, media re‑use, accountability, and data backup/storage). Together, they cover buildings, people, endpoints, and media handling.
How do physical safeguards protect electronic protected health information?
They reduce opportunities for unauthorized viewing, theft, or tampering by regulating who can enter sensitive spaces, how workstations are used and secured, and how devices and media are stored, transported, reused, and destroyed. These Physical Security Measures complement technical controls to keep ePHI confidential, available, and accurate.
What procedures are required for facility access control?
You need written procedures that limit physical access to areas housing ePHI while permitting authorized entry. That includes role‑based Access Control Policies, identity validation, visitor and contractor workflows, after‑hours rules, and Maintenance Documentation for changes affecting doors, locks, or barriers. Addressable elements must be implemented or replaced with an equivalent control and fully documented.
How should devices containing ePHI be disposed of securely?
Follow defined Media Disposal Protocols: inventory the item, back up needed data, sanitize or destroy using an approved method suitable for the medium, capture serial numbers, and retain certificates of destruction. If a vendor performs destruction, verify chain‑of‑custody, witness or audit the process, and reconcile records to ensure nothing is missed.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.