HIPAA Physical Safeguard Audits
Physical safeguards protect the buildings, rooms, and equipment where health data lives. We audit your facility access, workstation security, and device handling.
What Are HIPAA Physical Safeguards?
Physical safeguards keep your buildings, rooms, and equipment safe from break-ins, disasters, and people who should not be there.
The Security Rule has four parts: Facility Access, Workstation Use, Workstation Security, and Device Controls. Each part has steps you must take and steps you should take. Learn more from the HHS physical safeguards guidance.
Physical safeguards are the most skipped part of HIPAA. Many practices invest in IT security but leave server rooms unlocked and screens open in public areas.
Who Needs This
A physical audit is important if any of these apply:
- Practices that have never had a formal physical security walk-through
- Practices getting ready for audits where building access is a known weak spot
- Practices with more than one location that need the same controls at every site
- Teams that moved, added offices, or changed their floor plan lately
- Business associates that keep or handle PHI at their own offices
Physical Safeguard Compliance Benchmarks
Common gaps we see before a physical audit. Your results will match your own setup.
Physical Safeguard Gap Distribution
Where most practices have gaps in physical controls
AREAS
Physical Control Maturity by Area
How mature each control area is (0 to 100)
Compliance: Before vs. After Audit
Typical physical safeguard improvement post-engagement
Typical 60-day post-audit improvement
Five-Step Physical Audit Process
This process covers every location and turns findings into a clear fix plan.
Facility Walkthrough
We review every location where ePHI is stored or accessed.
Access Control Review
Check door locks, badge readers, visitor logs, and restricted areas.
Workstation Audit
Look at screen placement, auto-lock timers, and clean desk habits.
Device and Media Review
Count portable devices, check disposal steps, and confirm encryption on thumb drives and laptops.
Findings Report
You get a report with photos, risk scores, and clear next steps.
Physical Safeguard Audit Case Study
Scenario
A three-location practice needed to prove physical safeguard compliance for a payer audit. They had basic locks and alarms but no written access rules, visitor sign-in sheets, or workstation policies.
Key Gaps Found
The main server room had no lock. Front desk screens faced the waiting area with no privacy filters. No one tracked portable devices. Old hard drives sat in an open closet.
Result
All three locations passed the audit with documented proof. Server rooms got dedicated locks. Privacy screens went up. Devices were tracked. Old hard drives were wiped and destroyed with records.
Implementation Timeline
Most physical audits complete within two to three weeks depending on the number of locations. Single-site audits can finish in as little as one week.
- List all locations and set up walk-through dates
- Review current security write-ups
- Stakeholder interviews
- On-site physical audit at each location
- Photo documentation
- Access control testing
- Compile findings and rate each risk
- Write up fixes for each finding
- Draft report review
- Final report delivery
- Remediation plan handoff
- Quick-win implementation support
Most physical audits complete within two to three weeks depending on the number of locations. Single-site audits can finish in as little as one week.
Physical Safeguard Patterns by Healthcare Specialty
Physical needs change by practice type. We match our findings and fix plans to how your office works.
Medical Practices
Shared workstations, exam rooms, and lab areas that need clear rules about who can access what.
Behavioral Health
Therapy rooms, group spaces, and extra privacy needs for how clients move through the office.
Dental Practices
Screens that patients can see, X-ray rooms, and areas that need limited access.
Pharmacies
Drug storage areas that also hold ePHI, plus open counter workstations.
Business Associates
Data centers, remote offices, and shared work areas where PHI is used off-site.
Telehealth Providers
Home offices, laptops, and keeping remote work areas safe.
What Your Physical Audit Includes
Every audit covers the four standards. You get documents you can show during an OCR audit, payer review, or internal check.
Physical Audit Report
Findings for each location with photos, risk ratings, and rule references.
Facility Access Control Assessment
Review of your locks, badges, visitor logs, and restricted areas.
Workstation Security Review
Where screens face, auto-lock timers, and clean desk rules.
Device and Media Inventory
A full list of devices that touch ePHI, showing which are encrypted and how old ones are disposed of.
Remediation Action Plan
A ranked list of fixes with cost estimates and timelines.
Why Physical Audits Deliver Better Outcomes
Physical safeguards are the foundation. The best encryption does not help if someone can walk into your server room. We audit what matters, write up what we find, and give you a clear path to fix every gap.
Physical audits often lead to fast wins. A privacy screen, a moved monitor, or a $50 lock can close big gaps right away.
Practices that do yearly audits find and fix problems before they turn into audit failures or breaches. Catching issues early is always cheaper.
Common Pitfalls We Help You Avoid
These are the most common physical problems found during audits:
- No physical audits: Many practices check their IT every year but never walk through their building
- Main office only: Practices with more than one site often check the main office but skip the other sites
- No visitor tracking: Open doors and blank sign-in sheets are some of the most common findings
- Screen exposure: Screens that face public areas show PHI to people who should not see it
- Old media left around: Hard drives, USBs, and paper records that are not properly wiped and destroyed create risk
How to Track Progress After a Physical Audit
Track your progress with a few monthly numbers. How many locations have been audited? How many findings are closed? How long does each fix take?
Good proof matters as much as closing items. Marking a finding "done" without proof will not hold up in an audit. Get photos, updated policies, or vendor sign-offs for each fix.
Controls slip over time. Doors get propped open, locks break, and new gear shows up with no review. An annual audit catches this drift early.
Annual audits catch this kind of drift before it becomes a finding.
Deep-Dive Resources
These guides help you put audit findings into action:
Frequently Asked Questions
Ready to Secure Your Physical Environment?
We will walk your facility, document what we find, and give you a clear plan to meet every physical safeguard requirement.
Book a 30-Minute Intro