Facility Security Plan
A HIPAA Facility Security Plan requires you to implement written policies and procedures that protect your facilities and the equipment inside them from unauthorized physical access, tampering, and theft. To operationalize it, define what “facility” covers in your environment, map where ePHI-related systems live, and implement physical controls with auditable access governance, monitoring, and exception handling. (45 CFR Parts 160, 162, 164)
Key takeaways:
- Your “facility” scope must include any location where ePHI systems or media exist, not just your main office or data center. (45 CFR Parts 160, 162, 164)
- Auditors expect documented physical access rules plus evidence they work in practice: access lists, logs, approvals, and incident records. (45 CFR Parts 160, 162, 164)
- Treat tampering and theft as explicit threats; cover devices, network gear, and media across offices, closets, and third-party sites. (45 CFR Parts 160, 162, 164)
“Facility security plan requirement” in HIPAA usually becomes urgent after a move, a new clinic opening, a colo deployment, a stolen laptop event, or an auditor asking, “Show me how you prevent unauthorized physical access to systems that store ePHI.” The Security Rule’s Physical Safeguards section includes a specific addressable implementation specification: Facility Security Plan. It is “addressable,” but that does not mean optional; it means you must implement it if reasonable and appropriate, or document an equivalent alternative that reduces risk. (45 CFR Parts 160, 162, 164)
For a CCO or GRC lead, the operational goal is straightforward: create a repeatable, evidence-backed program that governs physical access to areas and equipment that support ePHI, across your own sites and any third-party locations you rely on. The fastest path is to (1) define and inventory your facility footprint tied to ePHI, (2) standardize physical access governance and controls, and (3) retain proof that access is authorized, reviewed, and monitored. (45 CFR Parts 160, 162, 164)
Regulatory text
Requirement (45 CFR § 164.310(a)(2)(ii)): “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.” (45 CFR Parts 160, 162, 164)
Operator interpretation (what you must do):
- Write and maintain policies and procedures that define how your organization prevents unauthorized people from entering areas that contain systems and devices used to create, receive, maintain, or transmit ePHI. (45 CFR Parts 160, 162, 164)
- Extend protection to equipment within the facility (servers, network gear, workstations, portable devices staged for deployment, backup media, printers/fax/MFDs that store images, etc.) and explicitly address tampering and theft, not only “badging into the building.” (45 CFR Parts 160, 162, 164)
- Make the plan operational: assign owners, implement controls, and produce evidence that access is granted intentionally and reviewed. (45 CFR Parts 160, 162, 164)
Plain-English requirement interpretation
A Facility Security Plan is your written playbook for physical security where ePHI-supporting technology lives. It answers:
- What locations are in scope?
- Who is allowed in, and under what conditions?
- How do you prevent, detect, and respond to physical intrusion, device tampering, and theft?
- How do you prove it to an auditor? (45 CFR Parts 160, 162, 164)
“Facility” is broader than many teams assume. In practice it includes clinics, offices, server rooms, network closets, storage rooms for retired drives, and any controlled area where ePHI equipment or media is present. If your ePHI systems are hosted, your plan still needs coverage through third-party management and contractual controls, plus your on-site endpoints and network edge. (45 CFR Parts 160, 162, 164)
Who it applies to
In-scope entities
- Covered Entities and Business Associates that handle ePHI. (45 CFR Parts 160, 162, 164)
In-scope operational contexts (typical)
- Clinical sites, corporate offices, call centers, and any location with ePHI workstations or local servers. (45 CFR Parts 160, 162, 164)
- On-prem data centers, server rooms, and network closets supporting EHR access, VPN, identity infrastructure, logging, backups, and file shares. (45 CFR Parts 160, 162, 164)
- Hybrid environments where endpoints and network gear remain on-site even if primary applications are hosted. (45 CFR Parts 160, 162, 164)
- Third-party facilities where your equipment is installed or where a third party stores or processes ePHI on your behalf; manage via due diligence and contracting plus evidence you assessed physical safeguards. (45 CFR Parts 160, 162, 164)
What you actually need to do (step-by-step)
1) Define scope: facilities, areas, and equipment tied to ePHI
Create a short scoping memo (or policy section) that:
- Lists sites/addresses in scope.
- Identifies restricted areas within each site (server room, IDF/MDF, records room, device cage, secure storage).
- Defines in-scope equipment (servers, firewalls/switches, storage arrays, backup devices/media, endpoint staging areas, MFDs with storage, retired media pending destruction). (45 CFR Parts 160, 162, 164)
Practical tip: Audits bog down when “facility” is undefined. Make it explicit, then tie it to where ePHI systems and media exist. (45 CFR Parts 160, 162, 164)
2) Write the Facility Security Plan as an operational document
Keep it readable and testable. Minimum sections most teams need:
- Access control rules: badge/key requirements, visitor escort, after-hours rules, prohibited tailgating, and separation of duties for granting access. (45 CFR Parts 160, 162, 164)
- Authorization workflow: who approves access to restricted areas (role-based), how requests are documented, and how quickly access is removed at termination or role change. (45 CFR Parts 160, 162, 164)
- Monitoring and response: logs, camera coverage expectations (where used), alarm response, and what constitutes a security incident (e.g., door forced open, missing device, evidence of tampering). (45 CFR Parts 160, 162, 164)
- Equipment protection: locked racks/cabinets, port security where relevant, device inventory tagging, secure storage for spare drives/media, and rules for moving equipment between sites. (45 CFR Parts 160, 162, 164)
- Third-party access: requirements for contractors, cleaning crews, maintenance, and delivery; escort rules; work order verification. (45 CFR Parts 160, 162, 164)
3) Implement core controls aligned to the plan
Your controls should match your footprint, but most HIPAA programs converge on:
- Restricted area hardening: locks, badge readers, key control, and documented key issuance/return. (45 CFR Parts 160, 162, 164)
- Visitor management: sign-in/out, identity verification, badges, escort requirement, and visitor log retention. (45 CFR Parts 160, 162, 164)
- Access list governance: named list of authorized personnel per restricted area, approval records, and periodic review with HR/IAM termination feed. (45 CFR Parts 160, 162, 164)
- Device and media controls: inventory, secure storage, chain-of-custody for decommissioned drives/media, and documented destruction/return processes. (45 CFR Parts 160, 162, 164)
- Tamper/theft response: incident runbook steps for containment, evidence preservation, investigation, and whether ePHI exposure analysis is required. (45 CFR Parts 160, 162, 164)
4) Prove it works: build an evidence routine
Operationalize evidence collection so you are not scrambling during an audit:
- Monthly/quarterly exports of badge access to restricted areas (or equivalent sign-in controls where badges are not used). (45 CFR Parts 160, 162, 164)
- Sampling of visitor logs with escort sign-off where required. (45 CFR Parts 160, 162, 164)
- Access reviews with approvals/removals tracked to completion. (45 CFR Parts 160, 162, 164)
- Incident records for lost/stolen devices, forced-entry alerts, or suspicious access events. (45 CFR Parts 160, 162, 164)
If you manage this in Daydream, set the requirement up as a control with mapped evidence requests (badge logs, visitor logs, access review sign-offs, incident tickets) so site owners and facilities teams can submit artifacts on a schedule and you maintain a clean audit trail without email chasing. (45 CFR Parts 160, 162, 164)
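The evidence routine above (badge exports, access list snapshots, access reviews reconciled against the HR termination feed) is the step that auditors most often find missing. The script below is an added example, not part of the original page and not a Daydream feature, showing how a GRC or security team can automate the reconciliation: it parses a badge-system export, compares each granted entry against the authorized access list and the HR termination feed, flags after-hours entries and denied attempts, and lists stale authorizations that an access review should remove. The CSV column names, the business-hours window, and all names, areas, dates and log lines are constructed assumptions.

```python
"""Restricted-area access review: reconcile a badge export against the
authorized access list and the HR termination feed.

Added example (not page or vendor code). The CSV columns, the business-hours
window, and every name, area, date and log line below are constructed sample
data, not a real badge system format.
"""
import csv
import io
from datetime import datetime, time

# Constructed: authorized access list, one (area, person) pair per grant.
AUTHORIZED = {
    ("SERVER-ROOM-1", "alice"),
    ("SERVER-ROOM-1", "bob"),
    ("IDF-2F", "alice"),
    ("IDF-2F", "dave"),
}

# Constructed: HR feed of termination dates (ISO dates); absent means active.
TERMINATIONS = {
    "bob": "2024-03-15",
}

# Constructed badge export; the column layout is an assumption.
BADGE_EXPORT = """\
timestamp,area,person,result
2024-03-14T09:05:00,SERVER-ROOM-1,alice,granted
2024-03-16T22:40:00,SERVER-ROOM-1,bob,granted
2024-03-18T10:12:00,IDF-2F,carol,granted
2024-03-18T03:15:00,IDF-2F,dave,granted
2024-03-19T11:00:00,SERVER-ROOM-1,eve,denied
"""

# Assumed after-hours rule: entries outside 07:00-19:00 need a documented reason.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_badge_export(text):
    """Parse the CSV export into dicts with a datetime 'timestamp' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, authorized=AUTHORIZED, terminations=TERMINATIONS):
    """Return findings as (kind, area, person, detail) tuples.

    Kinds: denied_attempt, not_on_access_list, access_after_termination,
    after_hours_entry, stale_authorization.
    """
    findings = []
    for row in rows:
        area, person, ts = row["area"], row["person"], row["timestamp"]
        if row["result"] != "granted":
            # The control worked, but repeated denials are worth an incident look.
            findings.append(("denied_attempt", area, person, ts.isoformat()))
            continue
        if (area, person) not in authorized:
            findings.append(("not_on_access_list", area, person, ts.isoformat()))
        term = terminations.get(person)
        if term and ts.date() > datetime.fromisoformat(term).date():
            findings.append(("access_after_termination", area, person, ts.isoformat()))
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours_entry", area, person, ts.isoformat()))
    # Stale grants: terminated people still on the list, whether or not they badged in.
    for area, person in sorted(authorized):
        if person in terminations:
            findings.append(("stale_authorization", area, person,
                             f"terminated {terminations[person]}"))
    return findings


if __name__ == "__main__":
    for kind, area, person, detail in review_access(parse_badge_export(BADGE_EXPORT)):
        print(f"{kind:26} {area:14} {person:8} {detail}")
```

Run it on a real export by replacing the three constructed inputs with the badge system's CSV, the current access list snapshot, and the HR feed; keep the resulting findings, the approvals for each after-hours entry, and the removal tickets for each stale authorization as the access-review artifact for that period.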
Required evidence and artifacts to retain
Keep artifacts that show policy, operation, and oversight:
Governance
- Facility Security Plan (policy/procedure document) with version history and approvals. (45 CFR Parts 160, 162, 164)
- Defined roles: Facilities/Security, IT, HR, Compliance, site managers. (45 CFR Parts 160, 162, 164)
Access control operation
- Authorized access lists per restricted area. (45 CFR Parts 160, 162, 164)
- Badge/key issuance records and key inventory (if keys are used). (45 CFR Parts 160, 162, 164)
- Visitor logs and escort records. (45 CFR Parts 160, 162, 164)
Monitoring and response
- Door/access logs for restricted areas (where available). (45 CFR Parts 160, 162, 164)
- Incident tickets and investigation notes for suspected theft/tampering/unauthorized access. (45 CFR Parts 160, 162, 164)
Equipment safeguards
- Asset inventory for in-scope equipment, including location mapping for servers/network gear. (45 CFR Parts 160, 162, 164)
- Chain-of-custody and destruction/return records for media and retired equipment. (45 CFR Parts 160, 162, 164)
Common exam/audit questions and hangups
Auditors and assessors commonly press on these points:
- “Show me your facility security plan and the list of facilities it covers.” (45 CFR Parts 160, 162, 164)
- “Which rooms are restricted, and who has access today?” (45 CFR Parts 160, 162, 164)
- “How do you remove physical access after termination or role change?” (45 CFR Parts 160, 162, 164)
- “How do you prevent and detect tampering with network gear?” (45 CFR Parts 160, 162, 164)
- “Provide evidence: visitor logs, badge reports, and an access review.” (45 CFR Parts 160, 162, 164)
Hangup to expect: facilities/security functions often sit outside GRC. If you cannot get logs, approvals, and reviews reliably, the plan reads like shelfware.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating the plan as “building security only” | HIPAA text includes “equipment therein” plus tampering/theft. (45 CFR Parts 160, 162, 164) | Add equipment-specific controls: locked racks, inventory, chain-of-custody, decommission process. |
| No defined restricted areas | You can’t prove access is controlled if everything is “general office.” | Publish a restricted-area register per site and post signage where appropriate. |
| Access granted ad hoc (email, verbal) | Auditors ask for approval and revocation evidence. | Require ticketed/recorded approvals and periodic review. |
| Ignoring third-party on-site access | Contractors can access network closets and devices. | Add contractor verification, escort rules, and work-order checks. |
| Missing evidence routine | Teams scramble for logs and “best effort” records. | Schedule evidence capture and store it centrally (e.g., Daydream evidence requests). |
Enforcement context and risk implications
No public enforcement cases were provided in the approved source catalog for this page, so do not treat the absence of examples as reduced risk. Operationally, weak facility controls increase the likelihood of device theft, media loss, and undetected tampering with systems that store or transmit ePHI, which can expand the scope and cost of incident response. (45 CFR Parts 160, 162, 164)
Practical execution plan (30/60/90-day)
This plan uses “days” as phase labels, not as a guaranteed duration.
First 30 days (stabilize scope and governance)
- Name owners for facilities security, IT asset management, and compliance sign-off. (45 CFR Parts 160, 162, 164)
- Build the facility and restricted-area inventory tied to ePHI systems and media. (45 CFR Parts 160, 162, 164)
- Draft the Facility Security Plan with clear access authorization and visitor rules. (45 CFR Parts 160, 162, 164)
- Identify evidence sources: badge system, key logs, visitor system, camera/alarm monitoring (if used), ticketing system. (45 CFR Parts 160, 162, 164)
Days 31–60 (implement controls and start collecting evidence)
- Standardize access request/approval workflow for restricted areas. (45 CFR Parts 160, 162, 164)
- Roll out visitor management and escort requirements at each site. (45 CFR Parts 160, 162, 164)
- Lock down equipment: racks, closets, secure storage for media and spares; update the asset inventory with locations. (45 CFR Parts 160, 162, 164)
- Begin routine evidence capture (badge exports, visitor logs, access list snapshots). (45 CFR Parts 160, 162, 164)
Days 61–90 (prove operational maturity)
- Run your first formal restricted-area access review and document removals. (45 CFR Parts 160, 162, 164)
- Tabletop a physical security incident scenario (missing server drive, forced door, unauthorized visitor) and update the runbook. (45 CFR Parts 160, 162, 164)
- Validate third-party controls where contractors access sensitive areas; confirm logs and escort practices are real at site level. (45 CFR Parts 160, 162, 164)
- Centralize artifacts in a system of record (Daydream or equivalent) with clear ownership and audit-ready trails. (45 CFR Parts 160, 162, 164)
Frequently Asked Questions
Does “facility” include remote clinics and small offices?
Yes, if ePHI-related systems or media are present there. Define which areas and equipment are in scope per site and document how you control access to them. (45 CFR Parts 160, 162, 164)
We are cloud-hosted. Do we still need a Facility Security Plan?
Yes. You still have physical locations with endpoints, networking, and any media handling, and you also need third-party governance for hosted environments where ePHI is processed or stored on your behalf. (45 CFR Parts 160, 162, 164)
What’s the minimum evidence an auditor will accept?
Expect to produce the written plan plus proof of operation: who has access to restricted areas, how access was approved, visitor logs, and records showing you review and remove access when needed. (45 CFR Parts 160, 162, 164)
How do we address tampering risk for network closets?
Treat closets as restricted areas, limit access to named roles, keep access logs (badge or sign-in), and document inspections or checks tied to suspicious events or maintenance. (45 CFR Parts 160, 162, 164)
Can we use keys instead of badge readers?
The regulation does not require a specific technology. If you use keys, maintain tight key issuance/return records, restrict copying, and document periodic reconciliation of key inventory against authorized access lists. (45 CFR Parts 160, 162, 164)
How should we handle third-party technicians who need after-hours access?
Require pre-approval, identity verification, and a documented work order. If escort is not feasible, document compensating controls such as time-bounded access, monitoring, and post-visit review of access logs. (45 CFR Parts 160, 162, 164)