Physical Safeguards: HIPAA Security Rule Requirements

Practical guidance for healthcare teams and business associates

Physical Security Requirements

Physical safeguards are one of the three safeguard categories the HIPAA Security Rule requires. The other two are administrative and technical safeguards. Physical security failures still cause major breaches every year.

Lost laptops, forced facility entry, and unsecured workstations all lead to fines. You must control who can physically reach the systems and devices that hold ePHI.

The Security Rule (45 CFR 164.310) sets four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications that are either required or addressable. Required specifications must be implemented as written. Addressable specifications must be implemented unless you document a valid reason for an equivalent alternative. This guide covers each standard with practical steps for healthcare practices of all sizes.

Facility Access Controls

Contingency Operations

Your practice must have steps that allow facility entry during a disaster. When systems go down, staff must be able to get in and restore operations.

  • Document steps for physical entry during emergencies and disaster recovery.
  • List the staff approved for emergency facility access.
  • Set up backup entry methods if primary access fails (key overrides, emergency codes).
  • Test emergency access steps as part of regular disaster recovery drills.
  • Keep a current contact list for staff with emergency entry authority.

Facility Security Plan

Create and follow policies to protect your facility and its equipment from theft, tampering, and unwanted entry.

Core facility security measures:

  • Perimeter security: Locked exterior doors, cameras, good lighting, and posted signs.
  • Access control systems: Badge readers, key cards, or biometric controls at entry points to areas with ePHI.
  • Intrusion detection: Alarm systems that watch for unwanted entry after hours.
  • Secure areas: Restricted zones for server rooms, records storage, and workstations with ePHI access.
  • Security staff: On-site security staff or a contracted service, sized for your facility and risk level.

Access Control and Validation

Put steps in place to control and check who enters your facility. Base access on each person's role. This includes managing visitors and controlling access to software used for testing.

Validation steps:

  • Keep an access list that shows who is approved for each restricted area.
  • Update access when staff change roles or leave your practice.
  • Use badge or credential systems that block entry to areas a person is not approved for.
  • Log and audit physical access events, especially for high-security areas like server rooms.
  • Review access logs on a set schedule to spot anything unusual.
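The scheduled log review above is easier to keep up when the checks are scripted. The following is an added example, not code from the original guide: it audits constructed badge-reader events against an approved-access list and flags entry by deactivated badges, entry to areas a badge is not approved for, after-hours server room entry, and repeated denied swipes. The log format, area names, badge IDs and business hours are all assumptions.

```python
# Added example (not the guide's own code): audit badge-reader events against an
# approved-access list so a scheduled log review surfaces what matters most.
from collections import Counter
from datetime import datetime, time
# Constructed access list: badge IDs approved for each restricted area.
ACCESS_LIST = {"server_room": {"B1001", "B1002"}, "records_storage": {"B1002", "B1003"}}
DEACTIVATED = {"B1003"}  # constructed: badges of staff who left and should be revoked
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # entry outside this window is after-hours
DENIAL_THRESHOLD = 3  # repeated denials at one reader suggest probing or a stale badge

def parse_log(lines):
    """Parse 'ISO-timestamp,badge,area,result' lines into tuples; skip blanks and '#'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, area, result = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, area, result))
    return events

def audit(events, access_list=ACCESS_LIST, deactivated=DEACTIVATED, hours=BUSINESS_HOURS):
    """Return (timestamp, badge, area, reason) findings for the periodic review."""
    findings, denials = [], Counter()
    for ts, badge, area, result in events:
        if result != "granted":
            denials[(badge, area)] += 1  # denied swipes are tallied, not flagged singly
            continue
        if badge in deactivated:
            findings.append((ts, badge, area, "deactivated badge granted entry"))
        elif badge not in access_list.get(area, set()):
            findings.append((ts, badge, area, "badge not on access list for area"))
        if area == "server_room" and not (hours[0] <= ts.time() < hours[1]):
            findings.append((ts, badge, area, "after-hours server room entry"))
    for (badge, area), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append((None, badge, area, f"repeated denied attempts ({n})"))
    return findings

# Constructed sample export; real readers differ, so adapt parse_log to your format.
SAMPLE_LOG = """
2024-03-04T08:15:00,B1001,server_room,granted
2024-03-04T09:02:00,B1003,records_storage,granted
2024-03-04T22:40:00,B1002,server_room,granted
2024-03-04T12:10:00,B1004,server_room,granted
2024-03-04T13:00:00,B1005,server_room,denied
2024-03-04T13:01:00,B1005,server_room,denied
2024-03-04T13:02:00,B1005,server_room,denied
""".strip().splitlines()
```

Running `audit(parse_log(SAMPLE_LOG))` returns four findings on this sample; the deactivated-badge finding is the one to act on first, because it means the access list and the badge system were not updated together when that person left.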

Maintenance Records

Record all repairs and changes to physical parts of your facility that relate to security. This includes hardware, walls, doors, locks, and any structure that protects ePHI.

Maintenance records should include:

  • Date of repair or change.
  • Description of the work done.
  • Name of the person or company that did the work.
  • Whether the work affected security controls.
  • Confirmation that security stayed intact during and after the work.

Workstation Use

Policies for Workstation Use

The Security Rule requires policies that spell out what tasks may be done on each workstation that accesses ePHI. Policies must also cover the physical setup around those workstations.

Workstation use policies should address:

  • Approved actions: Define what ePHI tasks are allowed on each type of workstation.
  • Screen positioning: Place monitors so screens showing ePHI are not visible to patients or passersby.
  • Privacy screens: Require screen filters on workstations in open areas where someone could look over a shoulder.
  • Auto screen lock: Set workstations to lock after a set period of no action (often 2–5 minutes in clinical areas).
  • Personal use rules: Limit or ban personal use of workstations that access ePHI.
  • Remote workstation use: Set clear rules for home offices and remote locations, including physical setup standards.

Workstation Classification

Not all workstations need the same level of protection. Group workstations by their ePHI access and physical location.

  • High-security: Server room terminals, system admin workstations. Security level: restricted area, badge access, surveillance.
  • Clinical: EHR workstations in exam rooms, nurse stations. Security level: privacy screens, auto-lock, clean desk.
  • Administrative: Billing, scheduling, registration workstations. Security level: privacy screens, auto-lock, supervised area.
  • Public-adjacent: Check-in kiosks, waiting area terminals. Security level: no ePHI access, hardened setup.
  • Remote: Home office, mobile workstations. Security level: encrypted, VPN required, physical setting standards.

Workstation Security

Physical Protection of Workstations

Put physical protections on all workstations that access ePHI. Only approved users should be able to reach them.

Workstation security measures:

  • Cable locks: Secure desktops and laptops to desks or docking stations to stop theft.
  • Locked rooms: Keep workstations in rooms that lock when no one is there.
  • Surveillance: Put cameras in areas with high-security workstations.
  • Hardware tracking: Keep a list of all workstations with serial numbers, assigned users, and locations.
  • Tamper detection: Use asset tags and tamper-evident seals to spot unapproved hardware changes.
  • Clean desk rule: Require all removable media and printouts with PHI to be locked away when the workstation is not in use.

Device and Media Controls

Disposal

You need policies for how to safely dispose of ePHI and the hardware or media that holds it.

Disposal rules:

  • Hard drives: Degauss, physically destroy, or use NIST-approved wiping methods before disposal or reuse.
  • Solid-state drives: Use the maker's secure erase commands or physically destroy them.
  • Removable media: Physically destroy CDs, DVDs, USB drives, and tapes that held ePHI.
  • Copiers and printers: Clear internal hard drives on multifunction devices before disposal, return, or lease end.
  • Mobile devices: Run a certified remote wipe or factory reset before reuse or disposal.
  • Paper records: Cross-cut shred paper with PHI. Use a HIPAA-compliant shredding service for large volumes.
  • Documentation: Keep destruction records for all media that held ePHI, including date, method, and responsible party.

Media Re-Use

Before reusing any digital media, remove all ePHI from it.

  • Confirm your wiping steps meet NIST SP 800-88 guidelines.
  • Test a sample of wiped media to confirm data is gone.
  • Document the cleaning process for each media item.
  • Keep a chain of custody for media from removal through cleaning.

Accountability

Track all moves of hardware and digital media. Record who handles each move.

Accountability measures:

  • Track all hardware and media with ePHI from purchase through disposal.
  • Log every move of portable devices and media, including check-out and check-in records.
  • Assign a named person to be responsible for each device with ePHI.
  • Run regular physical counts to confirm all tracked items are still where they should be.

Data Backup and Storage

Create an exact copy of ePHI before moving any equipment.

  • Back up all ePHI before moving, servicing, or retiring any hardware.
  • Verify the backup works before making equipment changes.
  • Store backup media in secure, access-controlled locations.
  • Test restore steps on a regular schedule to make sure backups are usable.

Visitor Management

Controlling Visitor Access

Visitors are a physical security risk that many practices underestimate. Delivery workers, vendors, and contractors can all reach areas with ePHI, by accident or on purpose.

Visitor management practices:

  • Sign-in rules: All visitors must sign in at a reception desk with their name, group, purpose, and arrival time.
  • Badge issuance: Give visitors a temporary badge that looks different from employee badges.
  • Escort policy: Require an escort for visitors in areas with ePHI or ePHI systems.
  • Access limits: Keep visitors in non-sensitive areas unless a specific business need requires access to a restricted zone.
  • Sign-out and badge return: Require visitors to sign out and return badges when they leave.
  • Visitor log retention: Keep visitor logs for at least six years as part of your compliance records.

Environmental Controls

Protecting Against Environmental Threats

Physical safeguards go beyond access control. You must also protect ePHI from environmental threats that could destroy or damage it.

Environmental protection measures:

  • Fire suppression: Install and keep fire detection and suppression systems in server rooms and records storage areas.
  • Climate control: Keep temperature and humidity at proper levels for digital equipment and physical media.
  • Water damage protection: Raise equipment off the floor in flood-prone areas and install water detection sensors.
  • Power protection: Use uninterruptible power supplies (UPS) and surge protectors on key systems.
  • Backup power: Install generators or arrange emergency power for key systems during long outages.
  • Natural disaster planning: Include facility protection steps in your disaster recovery and emergency operations plans.

Off-Site Considerations

Remote Work and Mobile Devices

Remote work and mobile devices extend physical safeguard rules beyond your facility walls. Every location where ePHI is accessed or stored needs proper physical protection.

Remote and mobile physical security rules:

  • Home office standards: Set minimum physical security rules for home offices — locked rooms or cabinets, screen privacy, and secure Wi-Fi.
  • Laptop security: Require full-disk encryption, cable locks in public spaces, and secure storage when not in use.
  • Mobile device management: Use remote wipe, screen lock rules, and a clear lost-device reporting process.
  • Travel security: Give staff guidance for securing devices while traveling — never leave devices in cars, use hotel safes, avoid public Wi-Fi without VPN.
  • Off-site storage: If you store physical records or backup media off-site, confirm that facility meets the same physical security standards.

For a full look at HIPAA security requirements, including administrative and technical safeguards, see our guide on HIPAA Security Rule implementation.

Physical Safeguards FAQ

Are physical protections required for cloud-based systems?

Yes. Even when ePHI is stored in the cloud, physical safeguards still apply to the devices used to access it. Workstations, laptops, and mobile devices that reach cloud-based ePHI must be physically secured.

Also check your cloud provider's physical security. Review their SOC 2 reports or similar records. Look at their data center access controls and environmental protections.

What is the difference between required and addressable physical protections?

Required specifications must be implemented exactly as written. Addressable specifications require a documented assessment. If the specification is reasonable and appropriate for your setting, implement it. If not, document why and implement an equivalent alternative.

"Addressable" does not mean "optional." You must address every spec — either by doing it or by writing down your rationale for an alternative.

How should we handle physical security for a multi-tenant building?

In shared buildings, physical safeguards matter even more. Keep your practice's space secured separately from other tenants. Use dedicated access controls for your suite or floor.

Address shared areas like lobbies, elevators, and parking garages in your facility security plan. Review the building's security measures. Add your own controls as needed to meet HIPAA rules.

Physical Safeguards Takeaways

Physical safeguards are a core part of HIPAA compliance. No practice can afford to skip them. Digital threats get most of the attention, but physical security failures cause real breaches, real fines, and real harm to patients.

A complete approach to facility access, workstation security, device controls, visitor management, and environmental protection builds the physical foundation that your technical and administrative safeguards rely on.

Check your current physical safeguards against the requirements in this guide. Fix gaps in order of risk, starting with the highest-risk areas. Document your decisions, maintain your security systems, and train your staff on their physical security duties.

One Guy Consulting helps healthcare practices assess, implement, and maintain physical safeguards that meet HIPAA Security Rule requirements. We offer facility security reviews, policy writing, and staff training. We help make sure your physical environment protects the ePHI it holds. Start your risk assessment to review your physical safeguards, or read our HIPAA compliance guide for full coverage of all HIPAA requirements.