Checklist: 11 Steps to Securing Physical PHI
HIPAA sets the standards for protecting sensitive patient information, including the measures that must be taken to protect against unauthorized access to patient information stored in physical form.

Here are 11 key physical safeguards to implement in your organization:

  • Access Controls: Physical access to patient information should be limited to authorized personnel only.

  • Secure Storage: Patient information stored in physical form, such as medical records, should be stored in secure locations, such as locked cabinets, to prevent unauthorized access.

  • Secure Disposal: Physical copies of patient information that are no longer needed should be securely disposed of, through the use of shredding or other secure disposal methods.

  • Workstation Security: Workstations used to access patient information should be located in secure areas and physically secured with locking mechanisms, to prevent unauthorized access.

  • Physical Backups: Physical backups of patient information should be stored in secure locations. In many cases an offsite storage facility is the best choice for backups, because it protects against data loss in the event of a disaster or breach at the primary site.

  • Camera Surveillance: Camera surveillance can be used to monitor physical access to patient information and provide evidence of any unauthorized access.

  • Physical Access Logs: Organizations should maintain physical access logs to track who has access to patient information and when access was granted.

  • Physical Security Perimeter: The physical area where patient information is stored should be secured with a physical security perimeter, such as a fence or gate, to prevent unauthorized access.

  • Emergency Procedures: Organizations should have emergency procedures in place to protect patient information in the event of a disaster, such as a fire or flood.

  • Maintenance of Physical Safeguards: Organizations should regularly maintain and update their physical safeguards to ensure that they continue to be effective in protecting patient information.

  • Training of Staff: Organizations should provide training to employees on the physical safeguards set up within their organization and how to best protect patient information stored in physical form.

By implementing these physical safeguards, healthcare organizations can significantly reduce the risk of a data breach. It's important to note that physical safeguards are just one aspect of your security requirements. Organizations must also implement administrative and technical safeguards to comply with HIPAA law.

These three safeguard categories should all be addressed in your complete HIPAA Security Risk Assessment. Do you have a plan for your risk assessment in 2023? Medcurity is here to help you simplify HIPAA compliance, so that you can focus on providing the best patient care. A big part of that mission is our Guided Security Risk Assessment and compliance services. Take the stress out of a self-conducted SRA with our easy-to-use platform, and/or gain peace of mind as our experts walk you through your assessment. Let us know how we can help.

If you have any questions regarding your physical safeguards, please reach out to your team at Medcurity!