What Is a Physical Safeguard for PHI? Requirements and Examples
A physical safeguard for PHI is any tangible control, together with the policies and procedures that govern it, that protects electronic protected health information (ePHI) and the systems, buildings, and equipment holding it from unauthorized physical access, tampering, loss, theft, and natural or environmental hazards. Under the HIPAA Security Rule (45 CFR 164.310), physical safeguards complement administrative and technical safeguards to create layered ePHI protection across facilities, workstations, and hardware media.
HIPAA organizes physical safeguards into four standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard carries implementation specifications that are either required or addressable; an addressable specification still has to be implemented, or a documented equivalent adopted, unless the risk analysis shows it is not reasonable and appropriate for the environment. Below, you’ll find what each standard requires in practice, how to implement it effectively, how to verify compliance, and concrete examples you can adopt.
Facility Access Controls
Purpose
Facility access controls prevent, detect, and document physical entry to locations where ePHI is stored or accessed. You apply these controls proportionally to risk across data centers, clinics, server rooms, wiring closets, and any space hosting systems that handle ePHI.
Key controls to implement
- Layered physical access controls: perimeter fencing, locked exterior doors, reception checkpoints, and secured server rooms.
- Identity verification: badges, PINs, biometrics, visitor sign-in with government ID, and temporary badges for vendors.
- Escort and zoning rules: restrict non-public areas; require escorts for visitors beyond reception; use mantraps for high-risk zones.
- Surveillance and detection: CCTV in ingress/egress paths, tamper-evident seals, door-forced-open and door-held-open alarms.
- Continuity and contingencies: documented procedures for emergency access, power loss, evacuation, and disaster recovery site access.
Policies and documentation (the facility security plan, access control and validation procedures, and maintenance records the standard calls for)
- Facility security protocols describing who may enter, when, how access is approved, and how exceptions are handled.
- Maintenance and change records for locks, readers, badge systems, and camera placements.
- Audit trail requirements: retain visitor logs, badge access logs, and video footage for a defined period with tamper protection.
Workstation Use Policies
Scope and intent
Workstation use policies govern how users operate desktops, laptops, thin clients, and kiosks that access ePHI. They translate the risk analysis into practical rules for behavior, location, and acceptable use. (Physical protection of the hardware itself falls under the separate workstation security standard, covered in the next section.)
Rules to set and enforce
- Approved locations: position workstations to prevent shoulder surfing; avoid public-facing screens unless privacy screens are installed.
- Session management: automatic screen locks, short inactivity timeouts, and re-authentication to unlock; the lock must be enforced by system configuration (the automatic logoff technical safeguard), not left to users to apply.
- Data handling: prohibit local ePHI storage unless justified; require encrypted storage if local use is necessary.
- Peripheral control: define use of printers, USB ports, and camera/microphone hardware; disable unused ports where feasible.
- Clean desk and screen: secure documents, remove sticky notes with credentials, and clear whiteboards after use.
Training and accountability
- User training on spotting tailgating, preventing visual exposure, and securing devices when stepping away.
- Documented sanctions for policy violations and a simple process to report lost or unattended devices.
Workstation Security Measures
Physical protections
- Asset locking: cable locks, locking drawers, anchored docking stations, and lockable laptop carts in clinical areas.
- Screen privacy: privacy filters on mobile carts, triage desks, registration areas, and any kiosk exposed to the public.
- Secure placement: keep systems away from public corridors; use wall mounts and ceiling mounts to limit tampering.
- Port and drive security: port blockers, locked cases, and tamper seals on removable media bays.
Environmental controls
- Power and climate: surge protection, UPS for critical workstations, and adequate cooling to prevent failure.
- Labeling and inventory: unique asset IDs tied to location, custodian, and support owner for rapid incident response.
Device and Media Controls
Hardware media management
These controls govern the receipt, movement, reuse, storage, and disposal of hardware and media that may contain ePHI (drives, tapes, USBs, mobile devices, copiers, and multifunction printers). The goal is to keep physical custody known and secure at all times.
Implementation specifications
- Disposal (required): sanitize or destroy media before disposal. Shred or pulverize drives, degauss magnetic media (degaussing does nothing for SSDs and flash), or crypto-erase devices that were encrypted from first use by destroying the key; select methods per NIST SP 800-88 and use certified vendors with documented certificates of destruction.
- Media re-use (required): sanitize prior to redeployment; verify the wipe (read back sampled sectors, or confirm the device reports its sanitize command completed); document the method, the verifier, and the result.
- Accountability (addressable): chain-of-custody forms for media movement; check-in/out logs for loaner laptops and removable media.
- Data backup and storage (addressable): create a retrievable, exact copy of ePHI before moving equipment; store backup media in locked, environmentally controlled locations; separate primary and backup sites.
Transport and storage
- Secure containers and tamper-evident bags for any media in transit; never leave devices unattended in vehicles.
- Encryption as a safety net: full-disk encryption on laptops and portable drives, with pre-boot authentication and keys escrowed centrally, so a lost device yields only ciphertext; ePHI encrypted in line with HHS guidance is not "unsecured PHI," so loss of such a device is generally not a reportable breach. A device lost while powered on or asleep with the volume unlocked does not get this benefit, which is why encryption must be paired with short lock timeouts.
Implementation Best Practices
Plan with risk—and layers
- Start with a documented risk analysis focused on how and where ePHI is handled physically.
- Use defense-in-depth: combine badges, cameras, escorts, and logging rather than relying on a single control.
Make protocols usable
- Write concise facility security protocols and workstation procedures that staff can follow under pressure.
- Design for clinic reality: privacy screens on mobile carts, hands-free badge readers near scrub areas, and simple lost-device reporting.
Operate and improve
- Train, drill, and refresh: short scenario-based training and periodic physical security walk-throughs.
- Change control: review security impact before moving walls, rekeying doors, or relocating devices.
- Vendor management: require contractors to follow onsite physical access controls and sign confidentiality and access agreements.
Compliance Verification
What auditors expect to see
- Documented policies and procedures mapped to the HIPAA Security Rule physical safeguards.
- Evidence of implementation: access logs, visitor logs, camera retention schedules, maintenance records, and training completion.
- Audit trail requirements satisfied: trace who accessed which areas, when, and why—plus how exceptions were approved.
How to test your program
- Conduct periodic badge and key audits; reconcile active badges with HR rosters; promptly revoke terminated staff access.
- Perform physical walkthroughs: verify door closures, camera coverage, workstation placement, and presence of privacy screens.
- Run tabletop exercises for emergency access and lost-device incidents; document lessons learned and remediation.
- Sample chain-of-custody records for devices and media; validate destruction certificates against asset inventories.
Metrics to track
- Tailgating reports, door-held-open alarms, and unresolved camera outages.
- Time to revoke access after role changes; percentage of workstations with privacy screens in required areas.
- On-time training completion, audits, and remediation actions.
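The badge audit described above (reconciling active badges against the HR roster, catching badge use after termination, and measuring time to revoke) can be scripted rather than done by hand. The following is an added example, not code from the original article or from any vendor product. The HR roster, badge export, and door-controller log are constructed inline, and their field names and layout are assumptions; real systems export their own schemas and the loaders would need adjusting.

```python
"""Badge-to-HR reconciliation for a physical access audit.

Added example for this article. All records below are constructed;
field names are assumptions, not a real badge-system or HR schema.
"""
from datetime import date, datetime

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 1)),
    "E102": ("terminated", date(2024, 3, 10)),
    "E103": ("active", None),
}

# Constructed badge-system export: one record per badge, with the date the
# badge was deactivated (None if it is still active).
BADGES = [
    {"badge": "B1", "emp": "E100", "active": True,  "deactivated": None},
    {"badge": "B2", "emp": "E101", "active": True,  "deactivated": None},                # terminated, still active
    {"badge": "B3", "emp": "E102", "active": False, "deactivated": date(2024, 3, 17)},  # revoked 7 days late
    {"badge": "B4", "emp": "E999", "active": True,  "deactivated": None},                # no HR record (orphan)
    {"badge": "B5", "emp": "E103", "active": True,  "deactivated": None},
]

# Constructed door-controller log: timestamp, badge, door, result.
ACCESS_LOG = """\
2024-03-02T08:15:00 B2 SERVER_ROOM GRANTED
2024-03-02T08:16:30 B1 SERVER_ROOM GRANTED
2024-03-11T19:02:10 B3 RECORDS_ROOM GRANTED
2024-03-12T07:45:00 B4 MAIN_ENTRANCE GRANTED
"""


def active_badges_for_terminated_staff(badges, roster):
    """Badges still active although HR lists the holder as terminated."""
    return sorted(
        b["badge"] for b in badges
        if b["active"] and roster.get(b["emp"], ("unknown", None))[0] == "terminated"
    )


def orphan_badges(badges, roster):
    """Active badges whose employee id has no HR record at all."""
    return sorted(b["badge"] for b in badges if b["active"] and b["emp"] not in roster)


def access_after_termination(log_text, badges, roster):
    """Door events where a badge was used after its holder's termination date."""
    badge_to_emp = {b["badge"]: b["emp"] for b in badges}
    findings = []
    for line in log_text.splitlines():
        ts, badge, door, _result = line.split()
        emp = badge_to_emp.get(badge)
        status, term_date = roster.get(emp, ("unknown", None))
        if status == "terminated" and term_date and datetime.fromisoformat(ts).date() > term_date:
            findings.append((badge, emp, door, ts))
    return findings


def days_to_revoke(badges, roster):
    """Metric: days between termination and badge deactivation, per revoked badge."""
    result = {}
    for b in badges:
        status, term_date = roster.get(b["emp"], ("unknown", None))
        if status == "terminated" and term_date and b["deactivated"]:
            result[b["badge"]] = (b["deactivated"] - term_date).days
    return result


if __name__ == "__main__":
    print("terminated but still active:", active_badges_for_terminated_staff(BADGES, HR_ROSTER))
    print("orphan badges:", orphan_badges(BADGES, HR_ROSTER))
    for finding in access_after_termination(ACCESS_LOG, BADGES, HR_ROSTER):
        print("post-termination access:", finding)
    print("days to revoke:", days_to_revoke(BADGES, HR_ROSTER))
```

On the constructed data the script flags B2 (terminated holder, badge never revoked), B4 (no HR record), two door events after termination (B2 and B3), and a 7-day revocation lag for B3. The post-termination access check is the one worth keeping even when badge deactivation looks clean, because it catches the window between an HR status change and the badge system catching up.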
Examples of Physical Safeguards
- Reception checkpoints with visitor management and temporary badges.
- Badge-operated doors with role-based zoning to server rooms and records areas.
- Mantraps for high-risk spaces such as data centers or pharmacy vaults.
- CCTV covering entrances, exits, and critical corridors with defined retention.
- Door-held-open alarms and anti-tamper sensors on network closets.
- Locked server racks and cable management that prevents unplugging or re-routing.
- Privacy screens on registration desks, triage carts, and nurse stations.
- Laptop locking cables; anchored docking stations for shared work areas.
- Port blockers for USB and unused network ports in public or semi-public areas.
- Secure printer locations with release printing and locked paper/output bins.
- Locked media safes for backups; offsite storage with documented chain of custody.
- Certified media destruction (shredding, degaussing, or crypto-erase) with receipts tied to asset IDs.
- Tamper-evident bags for transporting removable drives between sites.
- Emergency access kits: physical keys, contact lists, and procedures sealed and logged for urgent use.
Conclusion
Physical safeguards convert policy into real-world protection for ePHI. By combining strong physical access controls, clear workstation policies, practical workstation security, and disciplined device and media controls—and by verifying them with evidence and audits—you create a resilient, HIPAA-aligned program that reduces breach risk and supports safe, continuous care.
FAQs
What constitutes physical access controls for PHI?
Physical access controls include layered measures that restrict and record entry to spaces where ePHI resides: locked doors, badge or biometric readers, staffed reception, visitor sign-in, escorts, CCTV, and alarms. They also include procedures for approving access, handling emergencies, and maintaining logs and maintenance records.
How do workstation policies protect ePHI?
Workstation policies set clear rules for where and how devices are used: screen placement, automatic locks, short idle timeouts, restrictions on local storage and peripherals, and clean desk/screen practices. These rules reduce visual exposure, prevent unauthorized use, and ensure sessions and data are controlled in line with the HIPAA Security Rule.
What are device and media control requirements?
Organizations must manage the entire lifecycle of hardware and media: track custody, secure storage, control transport, sanitize before reuse, and destroy media securely at end-of-life. Chain-of-custody logs, validated sanitization (e.g., crypto-erase or shredding), and certificates of destruction are core to hardware media management.
How can organizations verify physical safeguard compliance?
Verify by mapping policies to HIPAA standards, reviewing audit trails (badge logs, visitor logs, camera retention), and performing periodic walkthroughs and tabletop exercises. Reconcile badges with HR records, sample chain-of-custody documents, and measure remediation timeliness to demonstrate consistent, effective control operation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.