HIPAA Physical Security

HIPAA Physical Safeguard Audits

Physical safeguards protect the buildings, rooms, and equipment where health data lives. We audit your facility access, workstation security, and device handling.

What Are HIPAA Physical Safeguards?

Physical safeguards keep your buildings, rooms, and equipment safe from break-ins, disasters, and people who should not be there.

The Security Rule has four parts: Facility Access, Workstation Use, Workstation Security, and Device Controls. Each part has steps you must take and steps you should take. Learn more from the HHS physical safeguards guidance.

Physical safeguards are the most skipped part of HIPAA. Many practices invest in IT security but leave server rooms unlocked and screens open in public areas.

Who Needs This

A physical audit is important if any of these apply:

  • 🏢
    Practices that have never had a formal physical security walk-through
  • 🔍
    Practices getting ready for audits where building access is a known weak spot
  • 📈
    Practices with more than one location that need the same controls at every site
  • 🔁
    Teams that moved, added offices, or changed their floor plan lately
  • 🔗
    Business associates that keep or handle PHI at their own offices

Physical Safeguard Compliance Benchmarks

Common gaps we see before a physical audit. Your results will match your own setup.

Physical Safeguard Gap Distribution

Where most practices have gaps in physical controls

5
GAP
AREAS

    Physical Control Maturity by Area

    How mature each control area is (0 to 100)

    Compliance: Before vs. After Audit

    Typical physical safeguard improvement post-engagement

    0%
    Before
    0%
    After

    Typical 60-day post-audit improvement

    Five-Step Physical Audit Process

    This process covers every location and turns findings into a clear fix plan.

    1

    Facility Walkthrough

    We review every location where ePHI is stored or accessed.

    2

    Access Control Review

    Check door locks, badge readers, visitor logs, and restricted areas.

    3

    Workstation Audit

    Look at screen placement, auto-lock timers, and clean desk habits.

    4

    Device and Media Review

    Count portable devices, check disposal steps, and confirm encryption on thumb drives and laptops.

    5

    Findings Report

    You get a report with photos, risk scores, and clear next steps.

    Physical Safeguard Audit Case Study

    Scenario

    A three-location practice needed to prove physical safeguard compliance for a payer audit. They had basic locks and alarms but no written access rules, visitor sign-in sheets, or workstation policies.

    Key Gaps Found

    The main server room had no lock. Front desk screens faced the waiting area with no privacy filters. No one tracked portable devices. Old hard drives sat in an open closet.

    Result

    All three locations passed the audit with documented proof. Server rooms got dedicated locks. Privacy screens went up. Devices were tracked. Old hard drives were wiped and destroyed with records.

    Implementation Timeline

    Most physical audits complete within two to three weeks depending on the number of locations. Single-site audits can finish in as little as one week.

    Phase 1
    Week 1
    • List all locations and set up walk-through dates
    • Review current security write-ups
    • Stakeholder interviews
    Phase 2
    Week 2
    • On-site physical audit at each location
    • Photo documentation
    • Access control testing
    Phase 3
    Week 3
    • Compile findings and rate each risk
    • Write up fixes for each finding
    • Draft report review
    Phase 4
    Week 4
    • Final report delivery
    • Remediation plan handoff
    • Quick-win implementation support

    Most physical audits complete within two to three weeks depending on the number of locations. Single-site audits can finish in as little as one week.

    Physical Safeguard Patterns by Healthcare Specialty

    Physical needs change by practice type. We match our findings and fix plans to how your office works.

    🏥

    Medical Practices

    Shared workstations, exam rooms, and lab areas that need clear rules about who can access what.

    🧠

    Behavioral Health

    Therapy rooms, group spaces, and extra privacy needs for how clients move through the office.

    🦷

    Dental Practices

    Screens that patients can see, X-ray rooms, and areas that need limited access.

    💊

    Pharmacies

    Drug storage areas that also hold ePHI, plus open counter workstations.

    🔗

    Business Associates

    Data centers, remote offices, and shared work areas where PHI is used off-site.

    📱

    Telehealth Providers

    Home offices, laptops, and keeping remote work areas safe.

    What Your Physical Audit Includes

    Every audit covers the four standards. You get documents you can show during an OCR audit, payer review, or internal check.

    Physical Audit Report

    Findings for each location with photos, risk ratings, and rule references.

    Facility Access Control Assessment

    Review of your locks, badges, visitor logs, and restricted areas.

    Workstation Security Review

    Where screens face, auto-lock timers, and clean desk rules.

    Device and Media Inventory

    A full list of devices that touch ePHI, showing which are encrypted and how old ones are disposed of.

    Remediation Action Plan

    A ranked list of fixes with cost estimates and timelines.

    Why Physical Audits Deliver Better Outcomes

    Physical safeguards are the foundation. The best encryption does not help if someone can walk into your server room. We audit what matters, write up what we find, and give you a clear path to fix every gap.

    Physical audits often lead to fast wins. A privacy screen, a moved monitor, or a $50 lock can close big gaps right away.

    Practices that do yearly audits find and fix problems before they turn into audit failures or breaches. Catching issues early is always cheaper.

    Common Pitfalls We Help You Avoid

    These are the most common physical problems found during audits:

    • ⚠️
      No physical audits: Many practices check their IT every year but never walk through their building
    • ⚠️
      Main office only: Practices with more than one site often check the main office but skip the other sites
    • ⚠️
      No visitor tracking: Open doors and blank sign-in sheets are some of the most common findings
    • ⚠️
      Screen exposure: Screens that face public areas show PHI to people who should not see it
    • ⚠️
      Old media left around: Hard drives, USBs, and paper records that are not properly wiped and destroyed create risk

    How to Track Progress After a Physical Audit

    Track your progress with a few monthly numbers. How many locations have been audited? How many findings are closed? How long does each fix take?

    Good proof matters as much as closing items. Marking a finding "done" without proof will not hold up in an audit. Get photos, updated policies, or vendor sign-offs for each fix.

    % Locations audited
    % Findings closed
    Avg remediation days
    Evidence quality score

    Controls slip over time. Doors get propped open, locks break, and new gear shows up with no review. An annual audit catches this drift early.

    Annual audits catch this kind of drift before it becomes a finding.

    Deep-Dive Resources

    These guides help you put audit findings into action:

    Frequently Asked Questions

    It covers four areas: facility access, workstation use, workstation security, and device controls. We review locks, badges, visitor logs, screen placement, device tracking, and how old media is disposed of.
    Yes. Physical and technical safeguards are separate HIPAA requirements. Strong passwords and encryption do not protect against someone walking into an unlocked server room or viewing a screen in a waiting area. Both layers must be in place.
    HIPAA does not set a fixed schedule, but you must review security measures on a regular basis. Most practices do annual physical audits. You also need a review after office moves, new locations, staffing changes, or security incidents.
    Partly. Policy reviews, access logs, and paperwork can be handled remotely. But checking workstation placement, testing door locks, and counting devices works best on-site or through a guided video walkthrough with your staff.
    The most frequent findings are unlocked server rooms, workstation screens visible to unauthorized persons, missing visitor sign-in procedures, lack of privacy screens, and no documented media disposal process. Most of these have low-cost, high-impact fixes.

    Ready to Secure Your Physical Environment?

    We will walk your facility, document what we find, and give you a clear plan to meet every physical safeguard requirement.

    Book a 30-Minute Intro

    Questions About Physical Safeguard Audits?