Physical safeguards

The HIPAA physical safeguards requirement means you must protect the buildings, rooms, and devices that store or access ePHI so unauthorized people can’t see, steal, or tamper with it 1. Operationalize it by defining where ePHI exists physically, locking down access, controlling workstations and portable devices, and proving it with logs, inventories, and disposal records.

Key takeaways:

  • Physical safeguards are about facilities, workstations, and device/media handling where ePHI is present 1.
  • Your fastest path is asset-and-location mapping, then access controls, then device/media procedures with audit-ready evidence.
  • The most common gap is “we do it” without artifacts; build repeatable records (inventories, access lists, and disposal certificates).

“Physical safeguards” can feel like a facilities problem, but HIPAA treats it as a security requirement with audit expectations: you must protect facilities and devices containing ePHI 1. That includes offices, clinics, data closets, file rooms, call centers, employee homes (if ePHI is accessed there), and any endpoint device that stores or can access ePHI (laptops, thin clients, printers, copiers, mobile devices, removable media).

For a Compliance Officer, CCO, or GRC lead, the practical challenge is scope and proof. You need a defensible definition of “where ePHI physically lives or can be reached,” controls that match that exposure, and evidence that the controls operate day-to-day. This page translates the physical safeguards requirement into an operator-ready checklist: what policies to write, what processes to implement, what to ask Facilities and IT to produce, and what artifacts to retain for audits and investigations.

This guidance stays anchored to the HIPAA Security Rule source provided. Where teams commonly rely on “common sense,” you’ll instead build a small, testable control set that survives turnover, site changes, and third-party involvement.

Regulatory text

Requirement (summary; the footnoted source paraphrases it as “Protect facilities and devices containing ePHI”) 1. In the Security Rule this is 45 CFR § 164.310, which breaks physical safeguards into four standards: facility access controls, workstation use, workstation security, and device and media controls. Under device and media controls, disposal and media re-use are required implementation specifications, not addressable ones, so “we do it informally” does not satisfy them.

What the operator must do: Treat any physical space or physical object that can store, display, print, or provide access to ePHI as in-scope. Put barriers in place (locks, access control, secure storage, secure disposal), define who is allowed where, and keep records that show the protections exist and are followed.

Plain-English interpretation (what this really means)

If someone can walk into a space, pick up a device, view a screen, pull a hard drive, or remove printed output and obtain ePHI, you have a physical safeguards problem. This requirement expects you to:

  • Control who can enter ePHI-relevant areas (including after hours).
  • Control how devices and media that contain ePHI are issued, moved, reused, repaired, and destroyed.
  • Control how workstations are positioned and used so ePHI isn’t exposed to passersby.
  • Maintain evidence that these controls are defined and operating (not just “known”).

Who it applies to (entity and operational context)

Applies to:

  • Covered Entities and Business Associates that create, receive, maintain, or transmit ePHI 1.

Operational contexts that trigger physical safeguards work:

  • Any facility with workforce access to systems containing ePHI (front desk, nursing station, billing office).
  • Shared spaces: co-working offices, subleased clinics, multi-tenant buildings.
  • Hybrid/remote work where ePHI is accessed from home or while traveling.
  • Locations with “incidental ePHI” exposure: printers, fax devices, copier/scanners, mailrooms.
  • Third-party operations: outsourced IT, offsite storage, shredding vendors, device repair depots.

What you actually need to do (step-by-step)

The control objective is simple: reduce unauthorized physical access and remove unmanaged ePHI-bearing media from your environment.

Step 1: Define physical scope (spaces + things)

  1. List facilities/areas where ePHI is accessed or could be exposed:
    • Offices, clinics, server/network closets, records rooms, reception areas, home offices.
  2. List device classes that can store/display ePHI:
    • Laptops/desktops, mobile devices, tablets, thin clients, printers/copiers, removable media.
  3. Decide what “containing ePHI” means for each class:
    • Treat a device as “containing ePHI” whether it stores ePHI locally or only reaches it through a virtual session or browser: the screen, print output, and local caches or downloads still expose ePHI.

Deliverable: “Physical ePHI footprint” register (locations + device categories + owners).

Step 2: Implement facility access controls

  1. Set access rules by zone:
    • Public areas (lobby) vs. restricted areas (clinical workrooms) vs. highly restricted areas (server closet).
  2. Establish an authorization process:
    • Who approves badges/keys, who removes access on termination, and how fast changes occur.
  3. Visitor management:
    • Sign-in process, escort rules, temporary badges, restricted photography, after-hours policy.
  4. After-hours and emergency access:
    • Document who can enter and how access is recorded.

Evidence goal: You can show who had access to what areas, when, and why.

Step 3: Lock down workstations (screens, placement, and session security)

  1. Workstation placement review:
    • Ensure screens are not visible to patients/visitors in public or semi-public areas.
  2. Secure session practices:
    • Require workforce to lock screens when unattended and end sessions at shift changes; configure an automatic idle lock as a backstop so the control does not depend on anyone remembering.
  3. Shared workstation rules:
    • No password sharing; clean desk expectations where printouts are involved; “no sticky-note credentials” enforcement.

Practical tip: Do quick walk-throughs at high-risk times (shift change, lunch, end of day) and capture findings in a simple checklist log.

Step 4: Device and media handling procedures (the most audited part)

  1. Device inventory and assignment:
    • Track devices that can access or store ePHI and who they are assigned to.
  2. Movement controls:
    • Require tickets/approvals for moving devices between sites or shipping devices for repair.
  3. Media reuse and disposal:
    • Define steps before reissuing laptops, copiers, or drives. Deleting files or reformatting does not remove data; use a verified overwrite or, where the drive was fully encrypted, cryptographic erase, and record the method and verification per asset (NIST SP 800-88 is the common reference for clear/purge/destroy decisions).
    • Use physical destruction (shredding or crushing) for drives or media that cannot be reliably cleared, and collect proof per asset.
  4. Printer/copier controls:
    • Place devices in monitored areas; purge stored jobs and use PIN or badge release where the device supports it; control access to output trays; make sure storage in leased copiers is wiped or removed before repair pickup or end-of-lease return.

Minimum viable outcome: No device leaves your control without a documented chain of custody and a documented wipe/destroy action when needed.

Step 5: Extend controls to third parties who touch your physical environment

  1. Identify third parties with physical access to spaces or devices (cleaning crews, shredding services, IT field support, copier lessors).
  2. Contract + onboarding requirements:
    • Background/authorization expectations (as appropriate), escort requirements, sign-in procedures, and “no unescorted access” zones.
  3. Proof collection:
    • Keep disposal certificates, service tickets, pickup logs, and access rosters.

Step 6: Make it auditable (test and fix)

  1. Choose a control owner for each domain:
    • Facilities for access controls, IT for device handling, Operations for front-desk visitor management, Security/Compliance for oversight.
  2. Run a tabletop test:
    • “Lost laptop,” “unauthorized visitor in restricted area,” “copier replacement,” and verify records exist.
  3. Document corrective actions and retest.

Required evidence and artifacts to retain

Auditors and investigators look for “show me,” not “tell me.” Keep:

  • Physical safeguards policy (facility access + workstation + device/media handling) 1.
  • Facility/zone list with access rules and owners.
  • Badge/key access lists and change records (adds/removals) where available.
  • Visitor logs (paper or electronic) and escort procedures.
  • Workstation walk-through/inspection logs and remediation tickets.
  • Device inventory for ePHI-capable endpoints and printers/copiers.
  • Chain-of-custody records for device shipping/repair/transfer.
  • Media wipe logs or destruction certificates from IT or a third party.
  • Offboarding checklist showing retrieval of devices/badges/keys.
  • Exceptions register (who has special access, why, approval, and end date).

Common exam/audit questions and hangups

Expect questions like:

  • “Show your inventory of devices that store or access ePHI. Who owns it and how is it kept current?”
  • “How do you restrict access to areas where ePHI is present? Provide access lists and evidence of removal upon termination.”
  • “What happens to copier hard drives at end of lease? Show your process and records.”
  • “How do you control printing? Where do printed documents wait and who can pick them up?”
  • “Demonstrate your device disposal process end-to-end for one disposed laptop.”

Hangups that slow teams down:

  • Facilities and IT each assume the other “owns” physical safeguards.
  • Remote work: no defined minimum standard for home workspaces and portable device handling.
  • Copier/printer oversight: devices treated as “office equipment,” not as ePHI-bearing assets.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: No defined “restricted areas.”
    Fix: Create a simple zoning map (public/restricted/highly restricted) and align badge permissions to zones.

  2. Mistake: Inventory exists, but doesn’t include printers/copiers or loaner devices.
    Fix: Add device categories explicitly. Require Service Desk tickets for loaners and transfers.

  3. Mistake: Disposal is informal (“we drop it at e-waste”).
    Fix: Require wipe/destroy proof per asset. If a third party destroys media, collect certificates tied to asset IDs.

  4. Mistake: Visitor logs are inconsistent or not retained.
    Fix: Standardize the log format, train front-desk staff, and set a retention practice you can execute.

  5. Mistake: “We have locks” with no evidence of access governance.
    Fix: Keep access rosters and change approvals. Evidence beats anecdotes.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. You should still treat physical safeguards as a breach-risk accelerator: physical loss/theft, improper disposal, and casual viewing of screens or printouts can lead to unauthorized disclosure of ePHI. Regulators commonly test whether safeguards are documented, implemented, and provable 1.

Practical 30/60/90-day execution plan

Days 1–30: Baseline and triage

  • Assign owners for: facility access, visitor management, workstation practices, device/media handling.
  • Build the physical ePHI footprint register (locations + device categories + third parties).
  • Draft or refresh physical safeguards policy and minimum standards for each site.
  • Identify high-risk gaps you can fix quickly: unlocked closets, exposed monitors, untracked printers, uncontrolled disposal.

Days 31–60: Implement and instrument

  • Roll out zone-based access rules and a consistent visitor process.
  • Stand up or clean up device inventory for ePHI-capable endpoints and office equipment that stores/prints ePHI.
  • Implement chain-of-custody and disposal documentation for devices and media.
  • Start workstation walk-throughs with a simple checklist and ticket-based remediation.

Days 61–90: Prove operations and harden

  • Run a sample-based internal test: pick a terminated user, a disposed device, and a visitor day. Verify artifacts exist.
  • Close documentation gaps: access change records, disposal certificates, copier lease end procedures.
  • Train managers and front desk staff on the “what to do” steps and what evidence must be produced.
  • Optional: Use Daydream to track control owners, map evidence requests to this physical safeguards requirement, and maintain an audit-ready artifact library tied to your physical ePHI footprint.
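Step 4’s minimum viable outcome (no device leaves control without chain of custody and a wipe/destroy record) and the Days 61–90 sample-based test (pick a terminated user and a disposed device and verify the artifacts exist) both reduce to one reconciliation across four sources: the device inventory, the disposal certificates, the offboarding checklist, and the custody tickets. The following added example (not code from this page or from Daydream) runs that reconciliation over constructed sample records; the record layout, status values, device categories, and asset ids are assumptions. The checks are what matter: every disposed asset needs a certificate keyed to its own asset id, every certificate must point at a known asset, no leaver may still hold an active or loaner device, every asset out for repair needs a custody ticket, and every ePHI-capable device class must appear in the register.

```python
"""Reconcile physical-safeguard evidence records to surface audit gaps.

Added example, not from the page's source. All records are constructed sample
data; the field names, status values and device categories are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    category: str      # laptop, mobile, printer, copier, removable_media, ...
    assigned_to: str   # user id, "shared", or "" when unassigned
    status: str        # active, loaner, in_repair, disposed
    location: str


@dataclass(frozen=True)
class DisposalCert:
    cert_id: str
    asset_id: str      # must tie back to an inventory asset_id
    method: str        # overwrite, crypto_erase, shred
    issued: date
    issuer: str        # "IT" or the destruction vendor


@dataclass(frozen=True)
class Offboarding:
    user: str
    terminated: date
    devices_returned: bool
    badge_revoked: bool


@dataclass(frozen=True)
class CustodyRecord:
    asset_id: str
    ticket: str
    from_location: str
    to_location: str
    moved: date


# Device classes the footprint register must cover (Step 1 of the checklist).
REQUIRED_CATEGORIES = {"laptop", "mobile", "printer", "copier", "removable_media"}


def find_evidence_gaps(assets, certs, offboardings, custody):
    """Return {gap_type: sorted list of identifiers} for every missing artifact."""
    by_id = {a.asset_id: a for a in assets}
    certified = {c.asset_id for c in certs}
    with_custody = {r.asset_id for r in custody}
    leavers = {o.user for o in offboardings}
    gaps = {
        "disposed_without_certificate": [],
        "certificate_for_unknown_asset": [],
        "terminated_user_still_assigned": [],
        "badge_not_revoked": [],
        "repair_without_chain_of_custody": [],
        "category_missing_from_inventory": [],
    }
    for a in assets:
        # Disposal proof must be tied to the specific asset id, not to a batch.
        if a.status == "disposed" and a.asset_id not in certified:
            gaps["disposed_without_certificate"].append(a.asset_id)
        # Anything shipped for repair needs a ticket showing where it went.
        if a.status == "in_repair" and a.asset_id not in with_custody:
            gaps["repair_without_chain_of_custody"].append(a.asset_id)
        # A leaver may still appear on a disposed asset; any other status is a gap.
        if a.assigned_to in leavers and a.status != "disposed":
            gaps["terminated_user_still_assigned"].append(f"{a.assigned_to}:{a.asset_id}")
    for c in certs:
        # A certificate for an id not in inventory means the inventory is incomplete.
        if c.asset_id not in by_id:
            gaps["certificate_for_unknown_asset"].append(c.cert_id)
    for o in offboardings:
        if not o.badge_revoked:
            gaps["badge_not_revoked"].append(o.user)
    gaps["category_missing_from_inventory"] = list(REQUIRED_CATEGORIES - {a.category for a in assets})
    return {k: sorted(v) for k, v in gaps.items()}


# Constructed sample records (not real assets, people or vendors).
SAMPLE_ASSETS = [
    Asset("LT-0001", "laptop", "jdoe", "active", "clinic-a"),
    Asset("LT-0002", "laptop", "asmith", "disposed", "it-storage"),
    Asset("LT-0003", "laptop", "", "disposed", "it-storage"),
    Asset("MB-0010", "mobile", "jdoe", "loaner", "clinic-a"),
    Asset("CP-0100", "copier", "shared", "in_repair", "vendor-depot"),
    Asset("RM-0201", "removable_media", "", "active", "records-room"),
]
SAMPLE_CERTS = [
    DisposalCert("CRT-1", "LT-0002", "shred", date(2024, 3, 1), "ShredCo"),
    DisposalCert("CRT-2", "LT-9999", "overwrite", date(2024, 3, 2), "IT"),
]
SAMPLE_OFFBOARDINGS = [
    Offboarding("jdoe", date(2024, 2, 15), devices_returned=False, badge_revoked=False),
    Offboarding("bwong", date(2024, 1, 10), devices_returned=True, badge_revoked=True),
]
SAMPLE_CUSTODY = [
    CustodyRecord("LT-0001", "SD-4411", "clinic-b", "clinic-a", date(2024, 1, 20)),
]


def run_sample():
    """Reconcile the constructed sample; every non-empty list is a finding."""
    return find_evidence_gaps(SAMPLE_ASSETS, SAMPLE_CERTS, SAMPLE_OFFBOARDINGS, SAMPLE_CUSTODY)


if __name__ == "__main__":
    for gap_type, ids in run_sample().items():
        print(f"{gap_type:35s} {ids or 'none'}")
```

Export the four sources (inventory, certificates, offboarding records, custody tickets) into this shape and run the reconciliation before the internal test; each non-empty list is a finding to ticket, and the dated output is itself a retainable inspection artifact.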

Frequently Asked Questions

Do physical safeguards apply if our EHR is cloud-hosted and nothing is stored locally?

Yes, because workforce devices and facilities still display and can print ePHI, and devices can retain data through caches, downloads, or screenshots 1.

Are home offices in scope for the physical safeguards requirement?

If workforce members access ePHI from home, you need minimum physical expectations (private workspace, secure storage, preventing family/visitors from viewing screens) and a way to enforce and evidence them 1.

What’s the minimum evidence an auditor will accept for device disposal?

Keep an inventory record showing the asset, the disposition decision, and proof of wipe or destruction tied to that asset (ticket, log, or third-party certificate).

How should we handle copier/printer hard drives?

Treat them as ePHI-capable assets: track them, control physical access, and document what happens at repair, replacement, and end-of-lease so drives are wiped, retained, or destroyed per your process.

Can Facilities own this requirement without IT involvement?

No. Facilities can manage doors, badges, and visitors, but IT must own device/media handling and endpoint inventory. Compliance should coordinate and test evidence across both.

What’s the fastest way to find gaps?

Walk the floor with a checklist: look for exposed monitors, unattended printouts, unlocked closets with devices, and untracked equipment. Turn findings into tickets and keep the inspection logs as evidence.

Footnotes

  1. HIPAA Security Rule (45 CFR Part 164 Subpart C)
