What Are the Physical Safeguards Required by HIPAA? Examples and Compliance Checklist
HIPAA’s Physical Safeguards (45 CFR §164.310) protect Electronic Protected Health Information (ePHI) by controlling who can access facilities, workstations, and media, and how devices and backups are managed. Below you’ll find clear explanations, practical examples, and compliance checklists you can act on today.
Facility Access Controls
Facility Access Controls limit physical entry to locations where ePHI is created, received, maintained, or transmitted. You implement Physical Access Controls through Facility Security Policies and enforce Access Authorization so only approved personnel and visitors reach sensitive areas.
Key requirements
- Contingency operations: enable authorized access to sites and equipment during emergencies.
- Facility security plan: document how you protect buildings, rooms, and critical areas.
- Access control and validation: verify identity and role before granting entry.
- Maintenance records: track changes to doors, locks, cameras, and badges.
Examples
- Badge readers with role-based Access Authorization for server rooms and records areas.
- Visitor sign-in, government ID verification, and escorted access to ePHI zones.
- Door alarms and surveillance for data closets; locked cages for networking gear.
- Documented emergency access plan to retrieve ePHI during power outages or disasters.
Compliance checklist
- Publish Facility Security Policies describing zones, controls, and responsibilities.
- Define who can access each area holding ePHI and how validation occurs.
- Issue, revoke, and inventory badges/keys; review access lists at least quarterly.
- Maintain logs for visitors, contractors, and after-hours entries.
- Record all physical security maintenance and test alarms and cameras on a schedule.
- Drill emergency access procedures and document outcomes.
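The log-review step in the checklist above (visitor, contractor and after-hours entries, plus the periodic access-list review) can be scripted against an export from the badge system. The following is an added example, not code from the original article or from Accountable; the log format, the zone names, the badge ids, the business-hours window and the access list are all constructed assumptions for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample badge-reader export (not real data):
# timestamp, badge id, door/zone, outcome
SAMPLE_LOG = """\
2024-03-04T08:12:05,B1001,SERVER_ROOM,GRANTED
2024-03-04T09:40:22,B2002,RECORDS_ROOM,GRANTED
2024-03-04T12:03:51,B3003,SERVER_ROOM,DENIED
2024-03-04T12:04:10,B3003,SERVER_ROOM,DENIED
2024-03-04T12:04:41,B3003,SERVER_ROOM,DENIED
2024-03-04T22:17:33,B1001,SERVER_ROOM,GRANTED
2024-03-05T02:45:00,B4004,RECORDS_ROOM,GRANTED
"""

# Assumed access list exported from the badge system: badges approved per zone.
ACCESS_LIST = {
    "SERVER_ROOM": {"B1001"},
    "RECORDS_ROOM": {"B2002"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed facility hours
DENIED_THRESHOLD = 3  # repeated denials by one badge at one door get a review entry


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    outcome: str


def parse_log(text):
    """Parse the comma-separated export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, outcome = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), badge, door, outcome))
    return events


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(events, access_list):
    """Return review findings as (kind, badge, door, timestamp) tuples.

    UNAUTHORIZED_GRANT: the reader admitted a badge that the access list does not
        approve for that zone (a reader configuration that no longer matches policy).
    AFTER_HOURS: a granted entry outside business hours, to be checked against
        approved after-hours work.
    REPEATED_DENIALS: one badge denied DENIED_THRESHOLD times at one door.
    """
    findings = []
    denials = {}
    for e in events:
        if e.outcome == "GRANTED" and e.badge not in access_list.get(e.door, set()):
            findings.append(("UNAUTHORIZED_GRANT", e.badge, e.door, e.ts.isoformat()))
        if e.outcome == "GRANTED" and is_after_hours(e.ts):
            findings.append(("AFTER_HOURS", e.badge, e.door, e.ts.isoformat()))
        if e.outcome == "DENIED":
            key = (e.badge, e.door)
            denials[key] = denials.get(key, 0) + 1
            if denials[key] == DENIED_THRESHOLD:
                findings.append(("REPEATED_DENIALS", e.badge, e.door, e.ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), ACCESS_LIST):
        print(*finding)
```

Each finding is an item for the reviewer, not a conclusion: an after-hours entry by an authorized badge may be approved on-call work, and the point of the review record is to show that someone looked and documented the outcome. The UNAUTHORIZED_GRANT check is the one that catches drift between the written access list and what the readers actually enforce.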
Workstation Use and Security
This safeguard sets rules for how users operate workstations that handle ePHI. Policies govern acceptable use, location, and session behavior so ePHI is not exposed during everyday work.
Examples
- Acceptable use standards that prohibit storing ePHI on local desktops unless required.
- Auto-lock after short inactivity, secure login, and screen timeout requirements.
- Privacy screens in reception areas and exam rooms to prevent shoulder-surfing.
- Prohibiting ePHI display on monitors visible from public corridors.
Compliance checklist
- Publish workstation use policies covering login behavior, data handling, and session locking.
- Set timeouts and automatic screen locks on all ePHI-capable workstations.
- Place workstations to reduce public viewing; require privacy filters where needed.
- Restrict local downloads of ePHI; use secure network locations as the default.
- Train workforce annually on safe workstation use and incident reporting.
Device and Media Controls
These controls manage hardware and electronic media that store ePHI throughout their lifecycle—receipt, movement, reuse, and disposal. They include Media Sanitization, Media Accountability, and required backups during equipment changes.
Core elements
- Disposal: render ePHI unrecoverable when media is discarded.
- Media reuse: sanitize before redeploying drives, copiers, or removable media.
- Accountability: track the location and custodian of devices and media.
- Data backup and storage: create a retrievable, exact copy of ePHI before equipment movement.
Examples
- Cryptographic erase or physical destruction for retired SSDs and hard drives.
- Sanitization certificates for leased copiers and scanners before return.
- Asset tags and chain-of-custody forms when laptops or external drives leave a site.
- Documented backup of ePHI before replacing a file server or imaging a workstation.
Compliance checklist
- Maintain an inventory of all ePHI-capable devices and media with owners and locations.
- Standardize Media Sanitization procedures and keep proof (logs, certificates, photos).
- Require sign-out/sign-in and shipping records when devices move between sites.
- Back up ePHI and verify restores before repurposing or disposing of equipment.
- Prohibit uncontrolled use of USB drives; issue encrypted media only when justified.
Workstation Security
Workstation Security focuses on the physical protection of the workstation itself, preventing tampering and unauthorized viewing or use.
Examples
- Lockable offices or cabinets for workstations in semi-public spaces.
- Cable locks, port blockers, and lockable docking stations for laptops.
- Dedicated, locked medication and charting stations in clinical areas.
- Secure carts with badges and automatic logoff for mobile workstations on wheels (WOWs).
Compliance checklist
- Document physical protections for each workstation type (fixed, laptop, kiosk, WOW cart).
- Position monitors away from public view; apply privacy filters where needed.
- Use port controls to prevent unauthorized peripherals in patient areas.
- Inspect locks and tamper-evident seals periodically and record findings.
Accountability
Accountability ensures you always know who has which device or media containing ePHI, where it is, and when custody changes. It operationalizes Media Accountability and ties to Access Authorization for personnel.
Examples
- Barcode or RFID asset tracking with location history and custodian assignments.
- Check-in/out logs for laptops, backup tapes, and encrypted USB media.
- Quarterly inventory reconciliations that flag missing or unreturned devices.
Compliance checklist
- Assign a responsible owner to each asset and record every custody transfer.
- Reconcile inventory to purchase and decommission records at defined intervals.
- Trigger incident response if an asset is lost, stolen, or unaccounted for.
- Align badge/role changes with device reassignment and access revocation.
Data Backup and Storage
As a physical safeguard, Data Backup and Storage requires you to maintain a retrievable, exact copy of ePHI before moving or changing equipment. You should integrate these Data Backup Procedures with your broader contingency and recovery plans.
Examples
- Pre-move snapshot of an EHR database with a documented restore test.
- Immutable backup copy stored in a secured, access-controlled location.
- Locked, environmentally controlled room or cabinet for on-premises backup media.
Compliance checklist
- Document step-by-step Data Backup Procedures, including verification of restore.
- Ensure backups are stored in access-controlled areas with Physical Access Controls.
- Label and track backup media with chain-of-custody when transported offsite.
- Test restores on a schedule and record results; remediate gaps promptly.
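The "exact copy" and "verify the restore" requirements above are only demonstrable if the backup carries something to verify against. This added example (not code from the original article or from Accountable) writes a SHA-256 manifest alongside the copy and checks a restore against it; the directory layout and the placeholder files are constructed for the demonstration:

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, dst):
    """Copy every file under src into dst and write MANIFEST.json (relative path -> SHA-256)."""
    src, dst = Path(src), Path(dst)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the copy, so the manifest describes the backup
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup_dir, restore_dir):
    """Copy the backed-up files into restore_dir and return the manifest to verify against."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    for rel in manifest:
        target = restore_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, target)
    return manifest


def verify_restore(restore_dir, manifest):
    """Return the relative paths whose restored content is missing or does not match."""
    restore_dir = Path(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        p = restore_dir / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def demo():
    """Constructed run: back up, restore, verify; then damage one restored file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak, rst = tmp / "server", tmp / "backup", tmp / "restored"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.txt").write_text("constructed placeholder record\n")
        (src / "db.sqlite").write_bytes(b"\x00constructed placeholder database\x00")
        manifest = make_backup(src, bak)
        restore(bak, rst)
        clean = verify_restore(rst, manifest)
        (rst / "db.sqlite").write_bytes(b"corrupted on restore")   # simulate a bad restore
        damaged = verify_restore(rst, manifest)
        return len(manifest), clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "we have a copy" into a record an auditor can check: the restore test's result is the list returned by verify_restore, and an empty list on the dated test run is the evidence the checklist asks you to keep. Store the manifest with the backup media and treat a non-empty result as a gap to remediate before the equipment move proceeds.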
Conclusion
Physical safeguards protect your facilities, workstations, and media so ePHI remains confidential and available. By enforcing Facility Access Controls, clear workstation rules, disciplined Device and Media Controls with Media Sanitization and Accountability, and reliable Data Backup Procedures, you build a defensible, auditable compliance posture.
FAQs
What physical safeguards does HIPAA require for facilities?
HIPAA requires Facility Access Controls that restrict entry to areas where ePHI resides. You must maintain Facility Security Policies, validate Access Authorization at doors, log visitors, protect critical rooms with locks and monitoring, document maintenance on security systems, and plan for emergency access.
How should workstations be secured under HIPAA?
Secure workstations with placement that prevents public viewing, privacy screens, automatic session locks, and policies governing acceptable use. Add physical protections—locks, port blockers, and secure storage—and limit local ePHI storage to justified cases with approval and monitoring.
What are the procedures for disposing of electronic media under HIPAA?
Before disposal, back up required ePHI, then perform Media Sanitization so data is unrecoverable (for example, cryptographic erase or certified destruction). Record the method, date, asset ID, custodian, and witness, and maintain a disposal certificate or log for audits.
How is physical access to ePHI monitored for compliance?
Organizations monitor with badge system logs, visitor sign-in records, camera footage where appropriate, and periodic access reviews. They reconcile device and media inventories, verify custody changes, and investigate anomalies to ensure only authorized individuals reach ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.