
What are the Physical Safeguards of HIPAA’s Security Rule?

The Physical Safeguards of HIPAA’s Security Rule are the standards and implementation specifications that must be applied when applicable “to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

As with many areas of HIPAA compliance, it is necessary to factor in other regulatory requirements when complying with the Physical Safeguards of HIPAA’s Security Rule. Depending on the nature of an organization’s activities, these can include CMS’ Emergency Preparedness Rule, OSHA’s Fire Prevention and Response Standards, and local building and safety codes.

It is also necessary to comply with the Physical Safeguards of HIPAA’s Security Rule in the context of the Security Rule’s General Rules (§164.306). These require covered entities and business associates to:

  • Ensure the confidentiality, integrity, and availability of all electronic Protected Health Information (PHI) created, received, maintained, or transmitted.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule.
  • Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce via HIPAA training and the use of a sanctions policy where necessary.
  • Review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic PHI.
  • Update the documentation of such security measures in accordance with the HIPAA documentation and retention requirements.

The Flexibility of Approach and Addressable Implementation Specifications

The General Rules also contain standards relating to the flexibility of approach and addressable implementation specifications. These allow covered entities and business associates some leeway in how they comply with the Physical Safeguards of HIPAA’s Security Rule, inasmuch as organizations can use any reasonable and appropriate security measure to implement the Physical Safeguards.

When determining which security measures to implement, covered entities and business associates must take into account their size, complexity, and capabilities, their existing safeguards, the costs of security measures, and the probability and criticality of potential risks to electronic PHI. These factors should be incorporated into the risk analysis required by §164.308(a)(1) of the Administrative Safeguards.

With regards to addressable implementation specifications, these are “required” unless the risk analysis determines they are not reasonable and appropriate. In such circumstances, it is necessary to document why the implementation specification is not reasonable and appropriate and implement an alternate security measure which is at least as effective as the measure it replaces.

The Physical Safeguards of HIPAA’s Security Rule

There are four Physical Safeguards of HIPAA’s Security Rule. These cover facility access controls, workstation use, workstation security, and device and media controls. When complying with these requirements, it is important to be aware that the definition of “access” in the Security Rule differs from the definition of access in other subparts of the HIPAA Administrative Simplification Regulations.

Facility Access Controls

The first of the Physical Safeguards of HIPAA’s Security Rule requires covered entities and business associates to “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” The implementation specifications associated with this safeguard are:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. (Also see §164.308(a)(7))

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

The reason each of these implementation specifications is addressable is that the facility access controls also apply to covered entities and business associates that operate from multi-tenanted buildings or remotely (e.g., third-party administrators that work from home). The flexibility of approach standard may also be applicable if covered entities and business associates have shared or limited control over physical security.

Workstation Use

The Workstation Use safeguard consists of a single standard: “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI”.

When complying with this standard, it is necessary to consider the definition of workstation – “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment”. Under this definition, smartphones, iPads, and any other device used to access or store electronic PHI must also be covered by the policies and procedures.

Workstation Security

The Workstation Security safeguard also consists of a single standard: “Implement physical safeguards for all workstations that access electronic PHI, to restrict access to authorized users.” Again, this standard applies not only to computer terminals, but to other electronic devices – including personal devices – capable of electronic computing, accessing, or storing electronic PHI.

This was considered a difficult standard to comply with because members of the workforce use personal devices to perform their functions for a covered entity or business associate. However, due to technological advances, personal devices can now be secured with PIN locks and biometric security features, while electronic PHI stored on the devices can be protected by implementing the Technical Safeguards of HIPAA’s Security Rule on personal devices.

Device and Media Controls

The last of the Physical Safeguards of HIPAA’s Security Rule requires covered entities and business associates to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.” The implementation specifications associated with this safeguard are:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic PHI, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefor.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment.

There are two important considerations in these implementation specifications. The first is that “facility” can mean an individual’s home if an individual works from home as – for example – a member of a covered entity’s workforce or as an independent business associate. The second consideration is that the implementation specifications also apply to electronic PHI stored locally on a personal device or on a personal USB drive.

The Challenges of Complying with the Physical Safeguards of HIPAA’s Security Rule

The challenges of complying with the Physical Safeguards of HIPAA’s Security Rule vary depending on the nature of an organization’s activities, its compliance obligations with other regulatory requirements, and its size, complexity, and capabilities. For example, a smaller organization located in a multi-tenanted building may face challenges with the access control and validation requirements, while a large healthcare system may struggle securing workforce members’ personal devices.

There is no one-size-fits-all solution for complying with the Physical Safeguards of HIPAA’s Security Rule. However, the flexibility of approach and addressable implementation specifications allow covered entities and business associates to implement the most appropriate security measures for their situations. Covered entities and business associates who require assistance in determining the most appropriate security measures are advised to seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal.