Inside Our Security Risk Analysis Walkthroughs

What everyday habits quietly increase HIPAA risk? A behind-the-scenes look at what Security Risk Analysis walkthroughs consistently reveal.


Introduction

When people talk about HIPAA security, the conversation almost always turns to technology.

Firewalls.
Passwords.
Multi-factor authentication.
Software updates.

And while all of those matter, they’re not the whole picture.

Week after week, as our team conducts Security Risk Analysis (SRA) walkthroughs with healthcare organizations, we consistently see the same category of issues surface—ones that don’t live in software, dashboards, or written policies, but in everyday workspaces.

These are HIPAA’s physical safeguards.

They’re easy to overlook. They rarely feel urgent. And yet, they quietly create real exposure if left unaddressed.

In this post, we want to take you inside what we’re seeing during SRAs, why physical safeguards are so often missed, and how small, intentional adjustments can make a meaningful difference.

Why Physical Safeguards Are So Easy to Miss

Most healthcare teams are moving fast.

They’re seeing patients, answering phones, documenting care, coordinating schedules, and juggling multiple systems at once. In that environment, physical safeguards tend to fade into the background—not because people don’t care, but because these details blend into daily routines.

Over time, small shortcuts become normal:

  • Leaving a screen unlocked “just for a second”
  • Setting papers down with plans to file them later
  • Keeping a password nearby to stay efficient


None of these choices are malicious. Most are rooted in good intentions and time pressure. But this normalization of small risks is exactly why physical safeguard issues show up so consistently during Security Risk Analyses.

What We’re Seeing During Security Risk Analysis Walkthroughs

Across recent SRA walkthroughs, we’ve noticed a handful of recurring patterns.

Not dramatic failures.
Not intentional negligence.
Just everyday habits that quietly increase risk.

Here are some of the most common issues we encounter.

1. Unencrypted or Shared Workstations

One of the biggest red flags we see is workstations that access or store PHI without encryption, especially when they’re logged into generic or shared user accounts.

When devices aren’t encrypted, a lost or stolen workstation is presumed to be a reportable breach: the HIPAA Breach Notification Rule’s safe harbor only covers PHI that was encrypted in line with HHS guidance, so an unencrypted drive with PHI on it has no such protection. And when multiple staff members share a login, accountability disappears, because audit logs can no longer tie an action to a person. From an auditor’s perspective, this combination significantly increases risk.

2. Unlocked Screens

This one is incredibly common.

A staff member steps away “just for a moment” and relies on an automatic screen timeout to kick in. Until that timeout fires, patient information remains visible and accessible to anyone passing by, and a timeout measured in minutes is a long window in a busy hallway. The timeout is a backstop; locking the screen by hand closes the window immediately.

Auditors don’t need system logs to notice this. An unlocked screen is a visible, immediate indicator that physical safeguards may not be consistently practiced.

3. Passwords Written Down Near Workstations

Sticky notes. Notebooks. Passwords taped under desks or tucked into drawers.

We see this regularly – even for systems that directly access electronic PHI. In most cases, the motivation is efficiency. People are trying to do their jobs well and quickly.

But written passwords undermine nearly every other security control in place and signal weak access management during an SRA.

4. Visible Paper PHI

Even organizations with strong electronic safeguards often underestimate how much paper PHI is still in use.

Common examples include:

  • Intake forms left on desks
  • Logbooks open at the front desk
  • Documents sitting in inboxes throughout the day


If PHI is visible to someone walking through the space, it’s considered accessible. This is one of the fastest ways physical safeguard gaps become obvious during an audit or assessment.

5. Insecure Shred Bins

Shred bins come up more often than many organizations expect.

We see bins that:

  • Aren’t locked
  • Have lids left open
  • Have keys stored directly on top of the bin


The intention is usually there, but the execution matters. An unsecured shred bin can create just as much exposure as leaving documents out in the open.

6. Open or Unrestricted IT Closets

IT closets often house critical infrastructure: networking equipment, servers, backups.

And yet, during walkthroughs, we still find doors left open or access unrestricted to anyone walking by. From an auditor’s standpoint, this raises immediate concerns about unauthorized access and environmental security.

Individually, none of these issues feel catastrophic. But taken together, they paint a picture auditors pay close attention to.

Why These Details Matter

Physical safeguards matter because they’re visible.

Auditors don’t need special tools to notice:

  • An unlocked screen
  • Paper PHI left out
  • An open IT closet


These observations shape how an organization’s overall security posture is perceived. And perception matters—especially when it comes to compliance reviews, investigations, or follow-up audits.

The good news?
Most of these issues are entirely preventable.

They rarely require new technology or large investments. More often, they require awareness, consistency, and a shared understanding of expectations.

Simple Improvements That Make a Real Difference

The most encouraging part of addressing physical safeguards is how straightforward the improvements usually are.

Here are a few steps that consistently strengthen both real-world security and SRA documentation:

  • Ensure workstations accessing PHI use full-disk encryption (BitLocker on Windows, FileVault on macOS) and are tied to named user accounts, not shared logins.
  • Make screen locking a cultural norm, not just a technical setting. Stepping away should always mean locking the screen (Windows key + L on Windows, Control + Command + Q on a Mac), with a short enforced inactivity timeout as the backstop.
  • Eliminate written passwords from desks and work areas and replace them with a password manager approved by the organization.
  • Regularly walk the workspace and look for visible paper PHI. If you can see it, so can others.
  • Secure shred bins properly: locked, used consistently, and not treated as temporary storage.
  • Restrict access to IT rooms, keeping doors closed and limiting entry to designated staff.

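The first three items above can be spot-checked on a Windows workstation in a couple of minutes. The script below is an added example written for this post, not Medcurity’s SRA tooling: it reads the BitLocker state of each fixed volume, the machine inactivity limit and screen-saver lock settings, and whether the interactive session or any enabled local account looks like a shared login. The 15-minute lock threshold and the list of “generic” account names are assumptions to be adjusted to your own policy.

```powershell
# Added example (not Medcurity's tooling): read-only physical-safeguard spot check
# for one Windows workstation. Run from an elevated PowerShell session, since
# Get-BitLockerVolume requires administrator rights.

$MaxLockSeconds  = 900   # assumed policy: the session must lock within 15 minutes
$GenericAccounts = @('frontdesk', 'reception', 'nurse', 'user', 'admin', 'scanner')  # assumed shared-login names

$findings = New-Object System.Collections.Generic.List[string]

# 1. Full-disk encryption: every OS and fixed data volume should be fully encrypted
#    with protection turned on (a suspended protector still exposes the key).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') }
    foreach ($v in $volumes) {
        if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($v.MountPoint): status=$($v.VolumeStatus), protection=$($v.ProtectionStatus)")
        }
    }
} else {
    $findings.Add('BitLocker cmdlets unavailable on this machine; verify disk encryption by other means')
}

# 2a. Automatic lock enforced by policy: "Interactive logon: Machine inactivity limit"
#     (InactivityTimeoutSecs) locks the session regardless of the user's screen-saver choices.
$sysPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $inactivity -or $inactivity -gt $MaxLockSeconds) {
    $findings.Add("Machine inactivity limit is '$inactivity' (expected 1..$MaxLockSeconds seconds)")
}

# 2b. Per-user fallback: the screen saver must be active, password-protected, and short.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1' -or
    $desktop.ScreenSaverIsSecure -ne '1' -or
    [int]$desktop.ScreenSaveTimeOut -gt $MaxLockSeconds) {
    $findings.Add("Screen saver: active=$($desktop.ScreenSaveActive) secure=$($desktop.ScreenSaverIsSecure) timeout=$($desktop.ScreenSaveTimeOut)s")
}

# 3a. Who is logged on right now, and does the name look like a shared account?
$session   = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName   # DOMAIN\user or COMPUTER\user
$shortName = if ($session) { ($session -split '\\')[-1].ToLower() } else { '' }
if ($shortName -in $GenericAccounts) {
    $findings.Add("Interactive session is a generic account: $session")
}

# 3b. Enabled local accounts that need no password are shared logins in practice.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("Local account '$($_.Name)' is enabled and does not require a password")
}

if ($findings.Count -eq 0) {
    'PASS: encryption, automatic lock and named-account checks satisfied'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each FINDING line maps to one of the walkthrough observations above, which makes the output easy to paste into SRA documentation as evidence. The script only reads settings; it does not change them, so it is safe to run on a clinical workstation between patients.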

These changes don’t just reduce risk. They demonstrate intentional, thoughtful security practices that auditors look for during a Security Risk Analysis.

Reflection for Healthcare Leaders

One of the most helpful questions leaders can ask is a simple one:

“If someone walked through our space today, what would they notice?”

Not what your policies say.
Not what your intentions are.
But what’s actually visible in real time.

That single perspective shift often uncovers physical safeguard gaps long before they ever show up in an SRA.

Physical safeguards don’t always get the same attention as technical controls, but they matter just as much.

Small, intentional changes can significantly reduce exposure, strengthen your Security Risk Analysis, and reinforce a culture of security throughout your organization.

If you work with healthcare organizations that could benefit from a closer look at these areas, or if you’d like support walking through your own Security Risk Analysis, the Medcurity team is here to help.
