HIPAA physical safeguards exist to protect electronic protected health information (ePHI) from unauthorized physical access, tampering, and theft. While most people associate data security with passwords and encryption, HIPAA’s Security Rule recognizes that digital health records are only as secure as the buildings, rooms, devices, and media that store them. The physical safeguards standard, codified at 45 CFR 164.310, requires covered entities and their business associates to implement four categories of protections that control who can physically reach ePHI and what happens to the hardware that contains it.
The Four Standards of Physical Safeguards
HIPAA’s physical safeguards break down into four distinct standards, each targeting a different layer of physical risk:
- Facility access controls: Policies and procedures that limit physical access to electronic information systems and the facilities that house them, while still allowing authorized personnel in.
- Workstation use: Rules specifying what functions a workstation can perform, how those functions should be carried out, and the physical setup of the surrounding environment.
- Workstation security: Physical protections on every workstation that accesses ePHI, restricting use to authorized individuals only.
- Device and media controls: Policies governing how hardware and electronic media containing ePHI enter, leave, and move within a facility.
Together, these standards form a chain of protection. Facility controls keep unauthorized people out of the building. Workstation rules keep ePHI safe once someone is inside. Device and media controls ensure data doesn’t walk out the door on a laptop, hard drive, or USB stick without proper handling.
Facility Access Controls
The first standard addresses the most basic question: who can physically get into the spaces where ePHI lives? This covers server rooms, filing areas, offices with computer terminals, and any other location where electronic health information is stored or accessed.
In practice, facility access controls look like locked doors, key card systems, alarm keypads, and designated staff who manage and document who has access. Organizations need to identify which individuals have authority to grant access, maintain logs tracking that access, and change codes or credentials on a regular basis. The standard also requires a contingency plan so that ePHI remains accessible during emergencies like fires, power outages, or natural disasters, while still staying protected from unauthorized entry.
This standard applies equally to a large hospital data center and a small clinic’s back office. The scale of the solution differs, but the obligation is the same: only authorized people should be able to physically reach the systems storing patient data.
Workstation Use and Security
HIPAA defines a workstation broadly as any electronic computing device, including laptops, desktops, and anything that performs similar functions, along with electronic media stored in its immediate environment. This means a nurse’s station terminal, a physician’s laptop, and a billing department desktop all qualify.
The workstation use standard requires organizations to spell out what each workstation or class of workstation is allowed to do. A computer at a reception desk, for instance, might need different access permissions and usage rules than a workstation in a radiology reading room. Beyond software-level restrictions, this standard also addresses the physical surroundings. Screens should be positioned so that passersby or patients in waiting areas can’t read patient records. The physical layout matters because it determines how easily someone could glance at or photograph sensitive information.
Workstation security goes a step further by requiring physical safeguards that restrict access to authorized users. This could mean cable locks on laptops, privacy screens on monitors, or placing workstations in rooms that require badge access. The key point from HHS guidance: all safeguards required for office workstations must also be applied to workstations located off site. A laptop used for telehealth at an employee’s home needs the same level of physical protection as one sitting in a hospital office.
Device and Media Controls
Hardware doesn’t stay in one place forever. Computers get replaced, hard drives fail, USB drives move between departments, and organizations upgrade their systems. The device and media controls standard governs what happens to ePHI during all of these transitions.
This standard has four components. Disposal requires that before any hardware or media is discarded, the ePHI on it must be properly destroyed or wiped. Simply deleting files isn’t enough; organizations need to sanitize media so that data can’t be recovered. Media re-use follows the same logic: before a hard drive, flash drive, or any other storage device gets repurposed, all previous ePHI must be erased to the point where it’s neither readily available nor recoverable.
The accountability component requires organizations to maintain records tracking the movement of hardware and media containing ePHI, along with the person responsible for each item. If a laptop moves from one department to another, or an external drive goes home with a staff member, that movement needs to be logged. Finally, organizations need a process for tracking media that leave the facility. If employees are allowed to remove devices that contain or access ePHI, procedures must exist to monitor where those devices go.
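Added example, not from the page or from any HIPAA tooling: a small Python custody ledger that models the accountability and off-site tracking components described above and refuses disposal or re-use until a sanitization event is on record. Asset ids, custodians, locations and dates are constructed sample data.

```python
# Added example, not from the page or any HIPAA tool: a small custody ledger
# for hardware and media holding ePHI. It models the accountability and
# off-site tracking components of 45 CFR 164.310(d) and refuses disposal or
# re-use until a sanitization is on record. All values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MediaRecord:
    asset_id: str
    custodian: str                   # person accountable for the item now
    location: str
    off_site_since: datetime = None  # set while the item is outside the facility
    sanitized: bool = False          # cleared whenever ePHI may have been written
    status: str = "in_service"       # in_service, dispose or reuse
    history: list = field(default_factory=list)  # every movement, logged


class CustodyLedger:
    def __init__(self):
        self.assets = {}

    def register(self, asset_id, custodian, location, when):
        self.assets[asset_id] = MediaRecord(asset_id, custodian, location,
                                            history=[(when, custodian, location)])

    def move(self, asset_id, custodian, location, when, off_site=False):
        # Accountability: every transfer names the newly responsible person.
        rec = self.assets[asset_id]
        rec.custodian, rec.location = custodian, location
        rec.off_site_since = when if off_site else None
        rec.sanitized = False
        rec.history.append((when, custodian, location))

    def sanitize(self, asset_id, method, when):
        rec = self.assets[asset_id]
        rec.history.append((when, rec.custodian, "sanitized:" + method))
        rec.sanitized = True

    def retire(self, asset_id, action):
        # Disposal and re-use both require a recorded sanitization first.
        rec = self.assets[asset_id]
        if not rec.sanitized:
            raise ValueError(f"{asset_id}: {action} refused, media not sanitized")
        rec.status = action

    def overdue_off_site(self, now, max_days=7):
        # Tracking: items that left the facility and have not been returned.
        limit = timedelta(days=max_days)
        return sorted(a.asset_id for a in self.assets.values()
                      if a.off_site_since and now - a.off_site_since > limit)
```

The `max_days` threshold and the "reuse"/"dispose" status names are assumptions chosen for the example; an organization would set these from its own policy.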
Why Physical Safeguards Matter Alongside Technical Ones
It’s tempting to think of health data security as purely a digital problem. Encryption, firewalls, and strong passwords get most of the attention. But none of those protections help if someone can walk into an unlocked server room and take a hard drive, or if a decommissioned laptop with thousands of patient records ends up in a recycling bin with its data intact.
Physical safeguards close the gap between digital security and the real world. A stolen laptop that was properly tracked and encrypted is a manageable incident. A stolen laptop that nobody knew was missing, containing unprotected records, is a breach. The difference often comes down to whether an organization followed the physical safeguard standards.
Applying Physical Safeguards in Remote Work
The rise of telehealth and remote administrative work has made physical safeguards more complex. When ePHI is accessed from a home office, the same principles apply. Paper records containing protected health information need to be secured, whether that means locked file cabinets or locked rooms. Computer screens should be positioned so that family members or visitors can’t see patient data. Organizations should have a process for tracking the location of records and devices while in use, in transit, or in storage, regardless of where that storage happens to be.
The regulatory language is technology-neutral and location-neutral by design. It doesn’t prescribe specific products or solutions. Instead, it requires organizations to assess their own risks and implement reasonable physical protections. For a hospital, that might mean biometric door locks on a data center. For a solo practitioner working from home, it might mean a locked office door and a privacy screen on a laptop. Both satisfy the same underlying obligation: keep unauthorized people away from the systems and media that hold patient health information.