Facility Access Controls
HIPAA’s Facility Access Controls requirement means you must have documented policies and procedures that restrict physical access to facilities and the electronic information systems housed there, while still allowing approved staff and third parties to do their jobs. Operationalize it by defining controlled areas, authorizing access by role, enforcing entry controls, and keeping auditable records of who can enter and when. 1
Key takeaways:
- You need written, implemented procedures that limit physical access to systems and the facilities where they live, not just “locked doors.” 1
- Auditors will look for alignment between your access list, physical controls (badges/keys), visitor handling, and logs.
- Scope includes data centers, wiring closets, server rooms, record-scanning rooms, and any office areas hosting ePHI systems.
Facility access controls are the “keep people out” layer of the HIPAA Security Rule, but the bar is higher than basic building security. The requirement expects you to deliberately decide which spaces house electronic information systems that create, receive, maintain, or transmit ePHI, then restrict physical access to those spaces through policies, procedures, and day-to-day operations. 1
For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate the regulation into three operational outcomes: (1) clearly defined secure areas and roles allowed inside them, (2) reliable mechanisms that enforce those decisions (badges, keys, mantraps, locks, escorted access), and (3) evidence that proves the controls work (access rosters, approvals, visitor logs, incident records). This requirement also forces clarity on third-party access: landlords, managed service providers, cleaning crews, security guards, and maintenance contractors often have the most “default” physical access unless you constrain it.
If you need a system to coordinate approvals, evidence, and recurring reviews, Daydream can serve as the workflow layer that keeps access lists, tickets, and audit artifacts tied to the same control narrative.
Regulatory text
45 CFR § 164.310(a)(1) requires you to: “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” 1
Operator interpretation: you must (a) decide what “facility” and “electronic information systems” are in your environment, (b) limit physical access to those places and systems, and (c) keep a working authorization process so legitimate staff can enter without unsafe workarounds (propping doors, shared keys, borrowed badges). The control is only “implemented” if people follow it and you can prove it.
Plain-English requirement
Maintain documented facility security rules that prevent unauthorized people from physically reaching the computers, servers, network gear, and supporting infrastructure that handle ePHI, while enabling approved workforce members and approved third parties to access those spaces for legitimate business reasons. 1
Who it applies to
Entities: HIPAA Covered Entities and Business Associates. 1
Operational scope (typical):
- Corporate offices that host endpoints, on-prem servers, network equipment, or printing/scanning tied to ePHI workflows.
- Data centers, server rooms, wiring closets, telecom rooms, and badge-controlled floors.
- Clinics and care sites where workstations, nurse stations, or local infrastructure process ePHI.
- Offsite storage or colocation spaces where your electronic information systems are housed.
- Any location where third parties have routine physical access near ePHI systems (facilities management, security, cleaning, maintenance).
If you are mostly cloud-hosted, you still have “facilities in which [systems] are housed” for your own office networks, endpoints, and any on-prem network equipment. Cloud provider facilities are typically a third-party responsibility, but you still need governance for how you control and document that reliance.
What you actually need to do (step-by-step)
1) Define the in-scope “facilities” and “electronic information systems”
Create and maintain a simple inventory that answers:
- Which locations contain systems that store/process/transmit ePHI?
- Which rooms/areas inside each location contain sensitive infrastructure (server room, MDF/IDF closets, secure print rooms)?
- Which systems are physically present (servers, backup devices, firewalls, switches, storage arrays, workstations used for ePHI)?
Deliverable: “Facility and System Locations Register” mapped to ePHI flows.
2) Classify areas into control zones
Most teams succeed with 3–4 tiers:
- Public: lobbies, waiting rooms.
- Controlled: general office areas (badge access).
- Restricted: areas adjacent to critical infrastructure or unattended endpoints that access ePHI.
- High-restriction: server rooms, network closets, backup media storage.
Decision point: if someone could plug into the network, access an unlocked workstation with ePHI, or remove a device, the area should be Restricted or higher.
3) Set authorization rules by role (including third parties)
Write role-based access criteria for each zone:
- Who can be unescorted?
- Who must be escorted?
- Who is prohibited?
- Who approves access (Facilities, IT, Security, Compliance)?
- Required prerequisites (background checks if your organization uses them, security training, badge issuance, ticket approval).
Include third parties explicitly. If cleaners can enter after hours, define where they can go, whether they are escorted, and how exceptions are handled.
4) Implement physical controls that match the zones
Pick mechanisms that your environment can run consistently:
- Badge readers and door controllers for controlled/restricted zones.
- Keys with a formal key inventory and issuance/return process.
- Locked racks/cages inside shared spaces.
- Visitor check-in, temporary badges, escort rules, and sign-out.
- Camera coverage or security patrols where appropriate.
Avoid “paper-only” controls. If the policy says “Restricted area requires badge,” but the door is on a mechanical key shared by a team, you have a control gap.
5) Build an access provisioning, change, and removal process
Tie facility access to workforce lifecycle events:
- Joiner: request, approval, badge/key issuance, and training completion.
- Mover: role change triggers reassessment of zone access.
- Leaver: same-day badge/keys deactivation and physical collection.
If you already run an IAM process for logical access, mirror it for physical access, even if the tooling differs.
6) Create a visitor and maintenance workflow that stands up in an audit
Minimum elements:
- Identification check (whatever your organization requires).
- Visitor log (name, company, host, areas accessed, time in/out).
- Temporary badge that visually differs from employee badges.
- Escort requirement for restricted areas unless explicitly authorized.
For maintenance work (HVAC, electrical, ISP, copier repair), require a ticket or work order that documents the purpose and the host/escort.
7) Monitor, review, and test
Build lightweight recurring checks:
- Periodic review of badge access lists for restricted zones.
- Spot checks that doors latch, readers work, and visitor process is followed.
- Review of exceptions (lost badges, propped doors, tailgating incidents) with corrective action.
Daydream can help by assigning control owners, scheduling access reviews, collecting evidence from Facilities/IT, and keeping exceptions tied to remediation tasks.
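As an added example that is not part of the original article or any product it mentions, the script below implements the step 7 access review against the zone tiers (step 2), role-based authorization rules (step 3), and joiner/mover/leaver lifecycle (step 5) described above. The HR roster, badge roster, work orders and zone policy are constructed sample data; every name in them is an assumption.

```python
"""Reconcile a badge/key access roster for restricted zones against HR status,
role-based zone rules, and third-party work orders, producing audit findings."""
from datetime import date

# Constructed zone policy: role -> zones where that role may hold unescorted access.
# Contractors reach restricted zones only via a valid work order (step 3 / step 6).
ZONE_RULES = {
    "it_ops": {"controlled", "restricted", "high_restriction"},
    "clinician": {"controlled", "restricted"},
    "office": {"controlled"},
    "contractor": {"controlled"},
}
# Constructed HR roster: person id -> (role, still active?)
HR = {
    "u1": ("it_ops", True), "u2": ("clinician", True), "u3": ("office", False),
    "c1": ("contractor", True), "c2": ("contractor", True),
}
# Constructed badge roster as exported from the door controller: (person, zone, approver)
ROSTER = [
    ("u1", "high_restriction", "security"), ("u2", "high_restriction", "it"),
    ("u3", "controlled", "facilities"), ("c1", "restricted", "facilities"),
    ("c2", "restricted", "facilities"), ("u1", "restricted", ""),
]
# Constructed work orders: (contractor, zone) -> last day the order is valid
WORK_ORDERS = {("c1", "restricted"): date(2030, 1, 1), ("c2", "restricted"): date(2020, 1, 1)}

def review(roster, hr, zone_rules, work_orders, today):
    """Return (person, zone, reason) findings for every grant that violates policy."""
    findings = []
    for person, zone, approver in roster:
        if person not in hr:  # badge holder absent from HR: unknown contractor or ghost badge
            findings.append((person, zone, "unknown person"))
            continue
        role, active = hr[person]
        if not active:  # leaver gap: same-day deactivation did not happen
            findings.append((person, zone, "terminated but still active"))
        if not approver:  # grant has no recorded approval to show an auditor
            findings.append((person, zone, "no approver recorded"))
        if zone in zone_rules[role]:
            continue
        valid_until = work_orders.get((person, zone))
        if role == "contractor":
            if valid_until is None or valid_until < today:
                findings.append((person, zone, "work order missing or expired"))
        else:  # mover gap or mis-provisioning: role never authorized for this zone
            findings.append((person, zone, "role not authorized for zone"))
    return findings

def run_review(today=date(2025, 6, 1)):
    """Run the review over the constructed data for a fixed review date."""
    return review(ROSTER, HR, ZONE_RULES, WORK_ORDERS, today)
```

Archive the returned findings with the review date and the exported rosters; together they form the access-review evidence the artifacts section asks for.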
Required evidence and artifacts to retain
Auditors typically want proof of design (policy) and operation (records). Maintain:
- Facility Access Controls policy and supporting procedures. 1
- Zone map or written list of controlled/restricted/high-restriction areas.
- Badge/keys access roster for restricted areas, including approvals.
- Visitor logs and escort records (manual or system-generated).
- Key inventory and key return records (if keys are used).
- Termination/deprovision evidence (badge disablement, key recovery).
- Exception documentation (temporary access approvals, after-hours access).
- Physical security incident records and corrective actions (lost badge, unauthorized entry attempts).
Retention duration is an organizational decision; pick a period you can defend and apply consistently.
Common exam/audit questions and hangups
Expect questions like:
- “Show me which rooms house systems that handle ePHI, and how access is restricted.” 1
- “Who has access to the server room/network closet? Who approved it?”
- “How do you handle visitors and third-party technicians?”
- “What happens to badges and keys when someone leaves?”
- “Do you review facility access periodically? Show evidence.”
Hangups that create findings:
- Facilities owns badges, IT owns server rooms, Security owns cameras, and nobody can produce a single coherent story with evidence.
- Access lists exist, but they do not match reality (terminated employees still active; contractors still active).
- Restricted spaces are defined informally (“everyone knows”), not documented.
Frequent implementation mistakes (and how to avoid them)
- Scoping only the data center. Include wiring closets, shared printer/scanner areas, and clinic back offices that expose ePHI systems.
- Relying on “front desk security” without procedures. Document visitor handling, escort requirements, and restricted areas.
- Shared keys and badge borrowing. Use named issuance and track return; treat “temporary access” as a logged exception.
- No third-party rules. Cleaning and building maintenance often have broad access. Constrain it with zones, escorting, and work orders.
- Offboarding gaps. Make badge disablement and key recovery part of the termination checklist, with evidence.
Enforcement context and risk implications
This requirement reduces the risk of physical theft, tampering, unauthorized network access, and opportunistic access to unlocked workstations that can expose ePHI. Physical access is also a “bypass” path: strong logical access controls do not help if an unauthorized person can walk into a server room, attach a device, or remove backups. The regulatory expectation is policy plus execution. 1
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Assign a single control owner and name backup owners (Facilities + IT + Security stakeholders).
- Identify and document restricted/high-restriction spaces where ePHI systems are housed.
- Implement basic visitor controls if they are inconsistent (logbook, escort rule, temporary badges).
- Pull current badge/key access lists for restricted areas and reconcile obvious mismatches (terminated staff, unknown contractors).
By 60 days (Operationalize and document)
- Publish the Facility Access Controls policy and procedures aligned to how you actually run access. 1
- Stand up a standardized access request and approval workflow for each restricted zone, including third parties.
- Create a key inventory process if keys exist; reduce master key sprawl.
- Add offboarding steps for physical access into HR/IT termination workflows.
By 90 days (Evidence and repeatability)
- Run your first formal access review for restricted/high-restriction areas and archive the results.
- Test the visitor process and after-hours maintenance process with spot checks; log exceptions and corrective actions.
- Centralize artifacts (policy, rosters, logs, reviews, exceptions) in a control repository or GRC workflow (Daydream or equivalent) so audit response is a matter of exporting evidence, not searching inboxes.
Frequently Asked Questions
Does “facility access controls” apply if all ePHI systems are in the cloud?
Yes, because you still have physical facilities where endpoints, network equipment, and administrative functions access ePHI, and those physical access paths must be controlled. The requirement is about limiting physical access to electronic information systems and the facilities where they are housed. 1
What areas should be considered “restricted”?
Any space where an unauthorized person could directly access ePHI systems or supporting infrastructure, such as server rooms, network closets, secure print/scanning rooms, or unattended workstations used for ePHI. Document the areas and match them to enforced access rules.
Are visitor logs mandatory?
The regulation requires policies and procedures to limit physical access while allowing authorized access. 1 Visitor logs are a common and defensible way to prove controlled access, especially for restricted spaces.
How do we handle third-party technicians who need after-hours access?
Require a documented work order or ticket, define whether escorting is required, and record entry/exit in visitor or access logs. Make exceptions explicit and approve them through the same workflow used for employee access.
What evidence is most persuasive in an audit?
Auditors respond well to traceability: a restricted-area list, an approved access roster tied to roles, and logs showing that access is controlled in practice. Pair that with offboarding records showing access removal.
Our building uses shared keys controlled by the landlord. What do we do?
Document the constraint, then add compensating controls you control: locked interior rooms or cages, restricted racks, escort requirements, and a process to track who receives keys and when they are returned. Your policy should describe how access is limited under the shared-building model. 1
Footnotes
1. 45 CFR Parts 160, 162, 164 (HIPAA Security Rule; facility access controls at 45 CFR § 164.310(a)(1)).