HIPAA Physical Security

HIPAA Physical Safeguard Audits

Physical safeguards protect the buildings, rooms, and equipment where protected health information lives. We audit your facility access controls, workstation security, and device handling against 45 CFR §164.310 requirements.

What Are HIPAA Physical Safeguards?

Physical safeguards are the policies, procedures, and physical measures that protect electronic information systems and related buildings and equipment from natural hazards, environmental threats, and unauthorized intrusion.

Under 45 CFR §164.310, covered entities and business associates must implement four standards: Facility Access Controls §164.310(a), Workstation Use §164.310(b), Workstation Security §164.310(c), and Device and Media Controls §164.310(d). Two of these carry implementation specifications. Facility Access Controls has four addressable specifications (contingency operations, facility security plan, access control and validation procedures, and maintenance records). Device and Media Controls has two required specifications (disposal and media re-use) and two addressable ones (accountability and data backup and storage). Workstation Use and Workstation Security are standards on their own with no separate specifications. "Addressable" does not mean optional: you must implement the specification, implement a documented equivalent measure, or document why it is not reasonable and appropriate in your environment. Learn more from the HHS physical safeguards guidance.

Physical safeguards are often the most overlooked part of HIPAA compliance. Organizations invest in encryption and firewalls but leave server rooms unlocked and workstations unattended in public areas.

Who Needs This

  • 🏢 Organizations that have never had a formal physical security walkthrough
  • 🔍 Practices preparing for audits where facility access is a known weak area
  • 📈 Multi-location practices that need consistent physical controls across sites
  • 🔁 Teams that moved offices, added locations, or changed facility layouts recently
  • 🔗 Business associates that store or process PHI on physical premises

Physical Safeguard Compliance Benchmarks

Typical findings from organizations before a structured physical audit. Your actual results will reflect your specific environment.

Physical Safeguard Gap Distribution

[Chart: where most organizations have incomplete physical controls, across five gap areas]

    Physical Control Maturity by Area

    [Chart: average maturity score by control area, 0–100]

    Compliance: Before vs. After Audit

    [Chart: typical physical safeguard improvement in the 60 days after the engagement]

    Five-Step Physical Audit Process

    This structure keeps every location and control area covered and turns findings into a clear remediation plan.

    1. Facility Walkthrough: On-site or virtual review of every location where ePHI is stored, accessed, or transmitted, including server rooms, network closets, and records storage.

    2. Access Control Review: Evaluate door locks, badge systems, visitor logs, and restricted area protections, and test them (for example, whether a badge that should be restricted actually opens the server room).

    3. Workstation Audit: Check workstation placement, screen visibility from public areas, auto-lock settings (screen lock timeout and password required on resume), and clean desk compliance.

    4. Device and Media Review: Inventory portable devices, verify full-disk encryption on laptops and removable media, and review disposal procedures, including whether each retired drive has a certificate of destruction.

    5. Findings Report: Deliver a prioritized report with photographic evidence, risk ratings, the §164.310 citation for each gap, and specific remediation steps.

    Physical Safeguard Audit Case Study

    Scenario

    A three-location medical practice needed to demonstrate physical safeguard compliance for a payer audit. They had basic locks and alarm systems but no documented access controls, visitor procedures, or workstation security policies.

    Key Gaps Found

    Server room at the main office had no dedicated lock. Front desk workstations faced patient waiting areas with no privacy screens. Portable devices lacked inventory tracking. Old hard drives were stored in an unlocked closet.

    Result

    All three locations passed the payer audit with documented evidence. Server rooms received dedicated access controls. Privacy screens were installed. A device inventory system was implemented. Old media was properly disposed of with certificates of destruction.

    Implementation Timeline

    The full engagement runs about four weeks from kickoff to final report. The audit fieldwork itself completes within two to three weeks depending on the number of locations, and a single-site walkthrough can be finished in as little as one week.

    Phase 1 (Week 1): Facility inventory and walkthrough scheduling; review of current control documentation; stakeholder interviews.
    Phase 2 (Week 2): On-site physical audit at each location; photo documentation; access control testing.
    Phase 3 (Week 3): Findings compilation and risk rating; remediation recommendations; draft report review.
    Phase 4 (Week 4): Final report delivery; remediation plan handoff; quick-win implementation support.

    Physical Safeguard Patterns by Healthcare Specialty

    Physical security needs vary by practice type. We shape findings and remediation plans to match how your environment actually operates.

    🏥 Medical Practices: Multi-room layouts with shared workstations, lab areas, and equipment requiring role-based physical access.

    🧠 Behavioral Health: Private therapy rooms, group session spaces, and heightened privacy requirements for client movement.

    🦷 Dental Practices: Operatory workstations visible to patients, imaging equipment access, and sterilization area controls.

    💊 Pharmacies: Controlled substance storage overlapping with ePHI access, and counter-area workstation exposure.

    🔗 Business Associates: Data centers, remote offices, and co-working spaces where PHI processing occurs off-site.

    📱 Telehealth Providers: Home office physical security, portable device controls, and remote workspace verification.

    What Your Physical Audit Includes

    Physical Audit Report

    Location-by-location findings with photo evidence, risk ratings, and CFR references for each gap.

    Facility Access Control Assessment

    Evaluation of locks, badges, visitor management, and restricted area protections.

    Workstation Security Review

    Screen placement analysis, auto-lock compliance, clean desk policy assessment.

    Device and Media Inventory

    Complete catalog of devices that store or access ePHI with encryption and disposal status.

    Remediation Action Plan

    Prioritized physical security improvements with cost estimates and implementation timelines.

    Why Physical Audits Deliver Better Outcomes

    Physical safeguards are the foundation that technical controls sit on top of. Encryption at rest protects a drive that is stolen, but it does nothing against someone who walks into an unlocked server room and sits down at a logged-in console, pulls a backup tape that was never encrypted, or reads a screen over a receptionist's shoulder. We audit what matters, document what we find, and give you a clear path to close every gap.

    Physical audits also tend to have the highest-impact quick wins. Simple changes like adding privacy screens, relocating monitors, or installing a $50 door lock can close significant compliance gaps immediately.

    Organizations that complete annual physical audits find and fix problems before they become audit findings or breach vectors. Prevention is always cheaper than response.

    Common Pitfalls We Help You Avoid

    • ⚠️ Skipping physical audits: Many organizations audit technical controls annually but never formally review physical safeguards
    • ⚠️ Single-location focus: Multi-site practices often audit the main office but overlook satellite locations with weaker controls
    • ⚠️ No visitor management: Unlocked doors and unsigned visitor logs are among the most common physical findings
    • ⚠️ Workstation placement: Screens facing public areas expose PHI to unauthorized viewing every day
    • ⚠️ Media disposal gaps: Old hard drives, USB devices, and paper records without documented destruction create ongoing risk

    How to Track Progress After a Physical Audit

    To ensure findings become closed controls, track remediation progress with a simple monthly metrics set. Measure how many locations have been audited, how many findings have been closed, and the average time from finding to remediation.

    Evidence quality matters as much as closure rate. A finding marked resolved without documented proof does not hold up in an audit. Require photo evidence, policy updates, or vendor confirmations for each closed item.

    • % Locations audited
    • % Findings closed (with evidence on file)
    • Avg remediation days
    • Evidence quality score
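    A small tracker that computes this metrics set from a findings register, added here as an example; it is not tooling from the audit service described on this page. The register below is constructed sample data, and the field names, the three accepted evidence labels, and the rule that a closure without evidence counts as still open are assumptions chosen to match the text above. The point it adds is the evidence gate: "% findings closed" and the evidence quality score are computed separately, so a register full of unsupported closures shows a high closure rate but a low evidence score, and the items that need to be reopened are listed by ID.

```python
"""Remediation tracker for physical-safeguard audit findings (added example).

Constructed sample data. Field names, the ACCEPTED_EVIDENCE labels and the
'evidence gate' rule are assumptions, not part of the original page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from statistics import mean

# The page requires photo evidence, a policy update or a vendor confirmation
# before a finding may be marked resolved. Label names are an assumption.
ACCEPTED_EVIDENCE = {"photo", "policy_update", "vendor_confirmation"}


@dataclass
class Finding:
    finding_id: str
    location: str
    cfr_ref: str               # e.g. "164.310(a)(1)" facility access controls
    opened: date
    closed: date | None = None  # date the owner marked it resolved, if any
    evidence: set[str] = field(default_factory=set)

    def has_evidence(self) -> bool:
        return bool(self.evidence & ACCEPTED_EVIDENCE)

    def is_closed_with_evidence(self) -> bool:
        return self.closed is not None and self.has_evidence()


def remediation_metrics(findings, all_locations, audited_locations):
    """Monthly metrics set. Only closures backed by accepted evidence count."""
    total = len(findings)
    marked_closed = [f for f in findings if f.closed is not None]
    supported = [f for f in marked_closed if f.has_evidence()]
    unsupported = [f.finding_id for f in marked_closed if not f.has_evidence()]
    days = [(f.closed - f.opened).days for f in supported]
    return {
        "pct_locations_audited": round(100 * len(audited_locations) / len(all_locations), 1),
        "pct_findings_closed": round(100 * len(supported) / total, 1) if total else 100.0,
        "avg_remediation_days": round(mean(days), 1) if days else None,
        # Share of items the owner marked closed that actually carry evidence.
        "evidence_quality_score": round(100 * len(supported) / len(marked_closed), 1)
        if marked_closed else 100.0,
        "unsupported_closures": unsupported,  # reopen these before the next review
    }


def open_by_standard(findings):
    """Count findings still open (or closed without evidence) per 164.310 standard."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.is_closed_with_evidence():
            continue
        standard = f.cfr_ref[: len("164.310(x)")]  # "164.310(a)" .. "164.310(d)"
        counts[standard] = counts.get(standard, 0) + 1
    return counts


# Constructed sample register: three locations, two audited so far.
LOCATIONS = ["Main", "North", "East"]
AUDITED = ["Main", "North"]
SAMPLE_FINDINGS = [
    Finding("F-001", "Main", "164.310(a)(1)", date(2024, 3, 4), date(2024, 3, 11), {"photo"}),
    Finding("F-002", "Main", "164.310(c)", date(2024, 3, 4), date(2024, 3, 6), {"photo"}),
    Finding("F-003", "Main", "164.310(d)(2)(i)", date(2024, 3, 4), date(2024, 3, 25),
            {"vendor_confirmation"}),
    # Marked closed by the owner but nothing attached: fails the evidence gate.
    Finding("F-004", "North", "164.310(a)(2)(iii)", date(2024, 3, 12), date(2024, 3, 20)),
    Finding("F-005", "North", "164.310(b)", date(2024, 3, 12)),
    # An e-mail saying "done" is not one of the accepted evidence types.
    Finding("F-006", "North", "164.310(d)(1)", date(2024, 3, 12), date(2024, 3, 19), {"email"}),
]

if __name__ == "__main__":
    for key, value in remediation_metrics(SAMPLE_FINDINGS, LOCATIONS, AUDITED).items():
        print(f"{key}: {value}")
    print("still open by standard:", open_by_standard(SAMPLE_FINDINGS))
```

    On the sample register five of six findings are marked closed, but only three carry accepted evidence, so the closure rate reports 50% rather than 83%, the evidence quality score is 60%, and F-004 and F-006 are listed for reopening. The per-standard view shows which §164.310 area the remaining work falls under.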

    Physical controls degrade over time. Doors get propped open, locks break, and new equipment gets added without security review. Scheduling an annual audit catches drift before it becomes a finding.


    Deep-Dive Resources

    Use these guides to align physical safeguard findings to realistic implementation plans:

    Frequently Asked Questions

    What does a physical safeguard audit cover?
    A physical safeguard audit evaluates the four standards defined in 45 CFR §164.310: facility access controls, workstation use policies, workstation security measures, and device and media controls. It includes reviewing locks, badges, visitor logs, workstation placement, screen visibility, portable device inventory, and media disposal procedures.

    Do we still need physical safeguards if our technical controls are strong?
    Yes. Physical and technical safeguards are separate HIPAA requirements. Strong passwords and encryption do not protect against someone walking into an unlocked server room or viewing a screen in a waiting area. Both layers must be in place.

    How often should physical safeguards be audited?
    HIPAA does not set a fixed interval. The evaluation standard at 45 CFR §164.308(a)(8) requires periodic technical and nontechnical evaluation, including in response to environmental or operational changes. Most organizations benefit from annual audits plus event-triggered reviews after office moves, renovations, new location openings, or security incidents.

    Can the audit be done remotely?
    Partially. We can review policies, procedures, and documentation remotely. However, facility walkthroughs, workstation placement checks, and access control testing are most effective when conducted on-site or via guided video walkthrough.

    What are the most common physical safeguard findings?
    The most frequent findings are unlocked server rooms, workstation screens visible to unauthorized persons, missing visitor sign-in procedures, lack of privacy screens, and no documented media disposal process. Most of these have low-cost, high-impact fixes.

    Ready to Secure Your Physical Environment?

    We will walk your facility, document what we find, and give you a clear plan to meet every physical safeguard requirement.

    Book a 30-Minute Intro

    Questions About Physical Safeguard Audits?