Which of the Following Is a Physical Safeguard Requirement? HIPAA Security Rule Examples and Answers
The HIPAA Security Rule's physical safeguards protect electronic protected health information (ePHI) where it physically lives: the buildings, rooms, workstations, devices, and media that hold it or can reach it, not only the network. Under 45 CFR § 164.310 there are four standards (Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls), and all four are required. Some of their implementation specifications are "required" and must be implemented as written; others are "addressable," meaning you must implement them if reasonable and appropriate, and if not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable never means optional.
Quick answer to "Which of the following is a physical safeguard requirement?": every one of the four standards is required. The required-versus-addressable distinction applies to the implementation specifications beneath them. Disposal and Media Re-use (under Device and Media Controls) are required; the four Facility Access Controls specifications, together with Accountability and Data Backup and Storage, are addressable. For each addressable specification you must still either implement it or document your rationale and the equivalent alternative you put in place.
Facility Access Controls
What HIPAA requires (45 CFR § 164.310(a))
This standard is required. It directs you to limit physical access to your electronic information systems and the facilities in which they are housed, while still ensuring that properly authorized access is allowed. Its four implementation specifications (Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, and Maintenance Records) are addressable: you must establish effective facility access restriction, even if you tailor and document how each element is met.
Practical examples
- Layered access: locked perimeter doors, keycards for interior zones, and restricted server rooms with badge plus PIN or biometrics.
- Visitor controls: government ID check, sign-in, visitor badges, and escort to authorized areas only.
- Emergency access: documented contingency operations that allow emergency entry while preserving accountability through badges and incident notes.
- Maintenance records: logs for door hardware changes, camera testing, lock rekeying, and contractor access to sensitive areas.
Evidence you can show
- A facility security plan mapping who may enter which areas and how those decisions are validated.
- Access authorization logs for doors and server rooms, plus visitor sign-in sheets retained per policy.
- Up-to-date floor plans marking ePHI locations and the controls protecting them.
Workstation Use and Security
What HIPAA requires (45 CFR § 164.310(b)–(c))
Both standards are required, and neither has separate implementation specifications. Workstation Use requires policies and procedures that specify the proper functions to be performed at workstations that can access ePHI, the manner in which those functions are performed, and the physical attributes of the surroundings of a specific workstation or class of workstation. Workstation Security requires physical safeguards for all such workstations that restrict access to authorized users.
Workstation security standards in practice
- Device placement to prevent shoulder surfing; privacy screens in semi-public areas.
- Lockable offices, cable locks, and secured docking stations for laptops and thin clients.
- Prohibitions on leaving ePHI visible when unattended; clean-desk practices for printed materials near workstations.
- Rules for remote and shared work areas that specify where ePHI use is permitted and how to prevent casual observation.
What auditors expect to see
- Written workstation security standards that name approved locations, physical safeguards, and responsibilities.
- Photos or diagrams of workstation layouts showing privacy measures where needed.
- Spot-check logs or inspection reports verifying compliance in high-traffic zones.
Device and Media Controls
What HIPAA requires (45 CFR § 164.310(d)(1))
- Disposal — Required: implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored.
- Media Re-use — Required: remove ePHI from electronic media before the media are re-used.
- Accountability — Addressable: track the movement of hardware and media and maintain a record of who has them.
- Data Backup and Storage — Addressable: create a retrievable, exact copy of ePHI, when needed, before equipment is moved.
How to execute with confidence
- Media sanitization: apply an approved method (secure overwrite, cryptographic erasure, or physical destruction) before re-use or disposal, and choose it per media type. NIST SP 800-88 is the usual reference: overwriting is unreliable on flash media such as SSDs, so prefer a purge-level method or destruction there; cryptographic erasure only counts if the media was encrypted before the ePHI was written and the keys are verifiably destroyed. Record the method used for each device.
- Equipment disposal policy: define roles, approved vendors, chain-of-custody steps, and certificates of destruction for retired assets.
- Asset accountability: maintain an inventory with custody changes, transport logs, and storage locations for portable drives and backups.
- Pre-move backups: create and verify a retrievable copy of ePHI before relocating or servicing systems.
Common audit artifacts
- Sanitization and destruction records mapped to device serial numbers and dates.
- Transfer and access authorization logs for media leaving secure areas.
- Proof of backup completion and restore tests prior to equipment moves.
Physical Security Policies
Clear, written policies unify your controls and make them actionable across sites and shifts. Align each policy clause to 45 CFR § 164.310 so staff see exactly how daily practices satisfy the rule.
What a strong policy set includes
- Scope and definitions covering facilities, workstations, removable media, and storage areas.
- Facility access restriction rules for perimeters, secure rooms, visitors, and emergencies.
- Workstation security standards specifying placement, privacy screens, cable locks, and unattended-device protocols.
- Device and media rules for media sanitization, chain-of-custody, and the equipment disposal policy.
- Records management: what you log, who reviews it, and how long you retain it.
Why policies matter
- They translate risk analysis outcomes into consistent, testable procedures.
- They provide training content and audit criteria in one place.
- They document addressable choices and the reasonable alternatives you selected.
Security Maintenance Procedures
Even the best controls fail without upkeep. HIPAA’s focus on maintenance records and validation encourages a lifecycle approach where you inspect, test, and prove your safeguards actually work.
Core procedures that stand up to scrutiny
- Scheduled inspections of locks, badge readers, cameras, and cabinets; document fixes and re-tests.
- Change control for physical components: track door rekeys, cylinder swaps, and controller firmware updates.
- Environmental checks for server rooms (power, HVAC, water sensors) with escalation steps for excursions.
- Drills for contingency operations that verify emergency access while preserving logging and accountability.
Operational metrics and records
- Open vs. closed maintenance tickets and time-to-remediate control failures.
- Exception logs for after-hours entries, tailgating reports, and camera outages.
- Retention schedules for maintenance records that align to policy and legal hold needs.
Authorized Access Management
Physical access should always reflect a person’s role and current employment status. Strong access control and validation procedures ensure only the right individuals enter areas where ePHI exists—and that you can prove it.
Provisioning and validation
- Role-based badges and keys issued only after management approval and identity verification.
- Tiered access for high-risk zones (for example, server rooms requiring two factors and supervisor authorization).
- Visitor and contractor procedures: pre-registration, ID verification, escorting, and return of badges.
De-provisioning and oversight
- Immediate badge and key revocation upon role change or termination, with reconciliation against HR events.
- Periodic access recertifications where managers attest to each person’s continued need to enter secure areas.
- Routine review of access authorization logs to spot anomalies such as off-hours entries or repeated denials.
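The log review and HR reconciliation in the last two lists can be automated. The script below is an added example, not code from the original page or from Accountable; it assumes a CSV-style badge-reader export ("timestamp,badge_id,door,result"), a business-hours window of 07:00 to 19:00, and a denial threshold of three per badge, door and day. All sample events and the HR roster are constructed for the example. It flags granted entries outside business hours, repeated denials at one door, and any badge still opening doors after its holder's HR termination date.

```python
"""
Review of badge-reader access logs against HR status (added example).

Constructed sample data: a few badge events in "timestamp,badge_id,door,result"
form and a small HR roster. The log format, the business-hours window and the
denial threshold are assumptions for this example, not HIPAA requirements.
"""
from collections import Counter
from datetime import datetime, date

# Constructed badge-reader events: timestamp, badge id, door, result.
BADGE_LOG = """\
2024-05-06T08:55:12,B1001,server-room,granted
2024-05-06T09:02:41,B1002,server-room,denied
2024-05-06T09:03:10,B1002,server-room,denied
2024-05-06T09:03:45,B1002,server-room,denied
2024-05-06T12:15:00,B1003,records-storage,granted
2024-05-07T02:17:33,B1001,server-room,granted
2024-05-07T10:41:09,B1004,records-storage,granted
2024-05-07T23:58:02,B1003,records-storage,granted
"""

# Constructed HR roster: badge id -> (name, role, termination date or None).
HR_ROSTER = {
    "B1001": ("A. Rivera", "sysadmin", None),
    "B1002": ("J. Chen", "billing clerk", None),
    "B1003": ("M. Okafor", "records clerk", date(2024, 5, 6)),  # terminated
    "B1004": ("S. Patel", "contractor", None),
}

BUSINESS_HOURS = (7, 19)   # assumption: 07:00-19:00 local is normal working time
DENIAL_THRESHOLD = 3       # assumption: 3+ denials at one door in a day is an anomaly


def parse_log(text):
    """Parse the CSV-style export into dicts with a real datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def off_hours_entries(events, hours=BUSINESS_HOURS):
    """Granted entries outside the business-hours window; each needs a human follow-up."""
    start, end = hours
    return [e for e in events
            if e["result"] == "granted" and not (start <= e["ts"].hour < end)]


def repeated_denials(events, threshold=DENIAL_THRESHOLD):
    """(badge, door, day) tuples with at least `threshold` denials: a badge that
    was never provisioned correctly, or someone probing a door they are not cleared for."""
    counts = Counter((e["badge"], e["door"], e["ts"].date())
                     for e in events if e["result"] == "denied")
    return [key for key, n in counts.items() if n >= threshold]


def terminated_badge_use(events, roster=HR_ROSTER):
    """Granted entries by a badge after its holder's termination date, plus badges
    absent from HR entirely; both mean revocation was not reconciled with HR events."""
    hits = []
    for e in events:
        record = roster.get(e["badge"])
        if record is None:
            hits.append((e["badge"], e["ts"], "badge not in HR roster"))
            continue
        term = record[2]
        if term and e["ts"].date() > term and e["result"] == "granted":
            hits.append((e["badge"], e["ts"], f"used after termination on {term}"))
    return hits


def review(text=BADGE_LOG):
    """Run all three checks over one log export and return the findings by category."""
    events = parse_log(text)
    return {
        "off_hours": off_hours_entries(events),
        "repeated_denials": repeated_denials(events),
        "terminated_badge_use": terminated_badge_use(events),
    }


if __name__ == "__main__":
    for category, findings in review().items():
        print(category)
        for finding in findings:
            print("   ", finding)
```

On the constructed data this reports two off-hours entries (B1001 at 02:17 and B1003 at 23:58), one repeated-denial cluster (B1002 at the server room on 2024-05-06), and one badge used after termination (B1003 on 2024-05-07). Each finding is a starting point for a ticket, not a conclusion; the reviewer still confirms the reason with the badge holder's manager and records the outcome with the maintenance and exception logs described above.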
Summary
To answer the headline question: all four physical safeguard standards in 45 CFR § 164.310 are required. Among their implementation specifications, only Disposal and Media Re-use (under Device and Media Controls) are required; the four Facility Access Controls specifications, Accountability, and Data Backup and Storage are addressable, which means you implement them or document the equivalent measure you chose instead. When your facility access restriction, workstation security standards, media sanitization, and equipment disposal policy map cleanly to § 164.310, and you maintain accurate logs and records, you meet both the letter and the spirit of the rule.
FAQs
What is a physical safeguard under HIPAA?
Physical safeguards are the policies, procedures, and mechanisms that protect the buildings, equipment, workstations, and storage media used to handle ePHI. Under 45 CFR § 164.310, they include Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. These measures limit who can physically reach ePHI and prove that access was authorized and appropriate.
How do facility access controls protect ePHI?
They restrict and validate entry to areas where ePHI resides through measures like locked perimeters, role-based badges, biometrics for server rooms, visitor escorting, and maintenance records. Together, these controls enforce facility access restriction, preserve accountability via access authorization logs, and ensure emergency access is possible without sacrificing auditability.
What are the requirements for device and media controls?
Two implementation specifications are required outright: Disposal, which covers the final disposition of ePHI and the hardware or media it is stored on, and Media Re-use, which requires that ePHI be removed from electronic media before the media are re-used. Two more are addressable: Accountability (tracking the movement of hardware and media and who is responsible for them) and Data Backup and Storage (creating a retrievable, exact copy of ePHI, when needed, before equipment is moved). In practice, that means documented media sanitization, a clear equipment disposal policy, asset inventories, chain-of-custody logs, and verified backups prior to relocation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.