HIPAA Physical Security Compliance Checklist

Use this checklist to assess your healthcare facility's physical security compliance with HIPAA requirements.

Required by HIPAA

Best Practice

Facility Access Controls

Physical access to areas containing PHI is restricted

Required

Access control system logs all entry/exit events with timestamps

Required

Unique credentials assigned to each authorized individual

Required

Terminated employee access revoked immediately

Required

Visitor access is logged and escorted in PHI areas

Required

After-hours access restricted and monitored

Best Practice

Emergency access procedures documented

Required

Access logs retained for minimum 6 years

Required

Workstation Security

Workstations positioned to prevent unauthorized viewing

Required

Privacy screens installed on monitors in public areas

Best Practice

Automatic screen lock enabled (15 min or less)

Required

Physical access to workstations restricted

Required

Portable devices secured when not in use

Required

Clean desk policy implemented

Best Practice

Video Surveillance

Cameras cover all entry points to PHI areas

Best Practice

No cameras in patient treatment areas or restrooms

Required

Video footage access restricted to authorized personnel

Required

Retention period meets state requirements (typically 30-90 days)

Required

Signage notifies visitors of video surveillance

Best Practice

Video system has backup power capability

Best Practice

Device & Media Controls

Inventory of all hardware containing PHI maintained

Required

Media disposal procedures documented (shredding, degaussing)

Required

Data backup media stored securely offsite

Required

Movement of hardware with PHI is tracked

Required

USB and removable media policies enforced

Best Practice

Mobile device management (MDM) implemented

Best Practice

Emergency Procedures

Emergency access procedures documented

Required

Contingency plan for facility access during outages

Required

Backup power for security systems

Best Practice

Emergency contact list maintained and updated

Required

Annual testing of emergency procedures

Best Practice

Recovery procedures for compromised access credentials

Required

Important Notes

Disclaimer: This checklist is provided for informational purposes only and does not constitute legal advice. HIPAA compliance requirements may vary based on your specific situation. Consult with a qualified HIPAA compliance professional for a comprehensive assessment.

Documentation Requirements

All policies and procedures must be documented in writing
Access logs must be retained for minimum 6 years
Training records for security awareness must be maintained
Incident reports and breach notifications must be documented
Risk assessments should be conducted annually

Need Help With HIPAA-Compliant Security?

We specialize in security systems for healthcare facilities with built-in HIPAA compliance features.

Read Healthcare Security Guide Request Compliance Assessment

Loading...

Please wait while we prepare your content

Facility Access Controls

Physical access to areas containing PHI is restricted

Required

Access control system logs all entry/exit events with timestamps

Required

Unique credentials assigned to each authorized individual

Required

Terminated employee access revoked immediately

Required

Visitor access is logged and escorted in PHI areas

Required

After-hours access restricted and monitored

Best Practice

Emergency access procedures documented

Required

Access logs retained for minimum 6 years

Required

Workstation Security

Workstations positioned to prevent unauthorized viewing

Required

Privacy screens installed on monitors in public areas

Best Practice

Automatic screen lock enabled (15 min or less)

Required

Physical access to workstations restricted

Required

Portable devices secured when not in use

Required

Clean desk policy implemented

Best Practice

Video Surveillance

Cameras cover all entry points to PHI areas

Best Practice

No cameras in patient treatment areas or restrooms

Required

Video footage access restricted to authorized personnel

Required

Retention period meets state requirements (typically 30-90 days)

Required

Signage notifies visitors of video surveillance

Best Practice

Video system has backup power capability

Best Practice

Device & Media Controls

Inventory of all hardware containing PHI maintained

Required

Media disposal procedures documented (shredding, degaussing)

Required

Data backup media stored securely offsite

Required

Movement of hardware with PHI is tracked

Required

USB and removable media policies enforced

Best Practice

Mobile device management (MDM) implemented

Best Practice

Emergency Procedures

Emergency access procedures documented

Required

Contingency plan for facility access during outages

Required

Backup power for security systems

Best Practice

Emergency contact list maintained and updated

Required

Annual testing of emergency procedures

Best Practice

Recovery procedures for compromised access credentials

Required

Important Notes

Documentation Requirements

All policies and procedures must be documented in writing
Access logs must be retained for minimum 6 years
Training records for security awareness must be maintained
Incident reports and breach notifications must be documented
Risk assessments should be conducted annually