Physical Safeguards: Protecting Data From Hazards and Unauthorized Access



Today we’re looking at essential physical safeguards that covered entities must make sure they have in place.

The HIPAA Security Rule requires covered entities to implement and document safeguards in three different categories: administrative, technical, and physical. Although administrative and technical safeguards are often prioritized in a security plan, physical safeguards must also be addressed, and should work seamlessly with the other two.

What are Physical Safeguards?

Physical safeguards are the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

When dealing with physical access to electronic protected health information (ePHI), the security landscape continues to change as more and more portable devices containing ePHI are used. Technical safeguards would involve good password protection and encryption on these drives and laptops. Physical safeguards must be put in place to protect the devices themselves from theft, loss, and inappropriate access.

As with the other safeguards, physical safeguards may look very different for individual organizations. A small practice, for example, may not require video surveillance. When the appropriate protections are implemented, they must be documented and included in your organization’s security policies and procedures.

Facility Access Implementation Specifications

To clarify, let’s look at the four facility access implementation specifications to follow:

  1. Contingency operations: In case of a disaster or other emergency, policies should be established for authorized personnel to access the facility to restore lost data.
  2. Facility security plan: This includes physical controls such as locks on doors, cameras, and alarms.
  3. Access control and validation procedures: These procedures should ensure that only the right people are given access to devices with ePHI. The only employees with access should be those whose job function requires it.
  4. Maintenance records: This specification requires organizations to “regularly check for security updates or modifications and implement them as necessary.” Any repairs or changes made must be documented.


In addition to facility access control, physical safeguards also involve:

  • Workstation Use

These policies should include what ePHI access functions can be performed at a workstation and how, as well as the attributes of the workstation’s surroundings. Questions like “Is it in a public place?” and “How many people access the workstation?” should be answered by the organization.

  • Device Security

Disposal and media re-use procedures for devices are specified and required by the Security Rule. Accountability and data backup and storage are “addressable” here, meaning that they are still required, but the method of implementation may look different in various organizations.


Good physical safeguards can mean the difference between protecting patient information and the high costs of a data breach. If you have further questions about the Security Rule physical safeguards, please contact your team at Medcurity.