HIPAA Security Rule -- Physical Safeguard

HIPAA Facility Access Controls

Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

45 CFR § 164.310(a)(1)

What the safeguard requires

The HIPAA Facility Access Controls standard is defined at 45 CFR § 164.310(a)(1) of the HIPAA Security Rule. It is one of the core standards that every covered entity and business associate must address in a documented, defensible way. Petronella Technology Group interprets the requirement below exactly as written in the rule, without paraphrasing past what the regulation actually says.

Contingency Operations (Addressable)

Procedures that allow facility access in support of restoration of lost data under the disaster-recovery and emergency-mode-operations plans.

Facility Security Plan (Addressable)

Policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.

Access Control and Validation Procedures (Addressable)

Procedures to control and validate access to facilities based on role or function, including visitor control and access to software programs for testing and revision.

Maintenance Records (Addressable)

Policies to document repairs and modifications to the physical components of a facility which are related to security.

Why it matters

Most breaches are digital, but physical intrusions still happen -- a stolen server, a tailgater in a server room, a contractor with unsupervised access. Physical safeguards are also where OCR looks when a covered entity has great tech controls but weak documentation.

Enforcement context is important. The Office for Civil Rights (OCR) publishes settlement agreements that cite exactly which Security Rule standards were violated. Repeat findings in recent years include missing or stale risk analyses, insufficient access controls, unencrypted devices, and weak workforce training. Treating each safeguard -- including this one -- as a living program rather than a one-time checkbox is the defensible posture.

How Petronella Technology Group implements it

Petronella Technology Group has supported HIPAA compliance programs since 2002. Our team -- led by Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) and staffed with CMMC-RP certified engineers -- applies the same rigor to HIPAA Security Rule safeguards that we apply to defense-industrial-base compliance. The practical implementation usually looks like this:

Electronic access control

Badge systems, PIN pads, or smart locks on server rooms, medical records areas, and IT closets, with logging.

Visitor management

Sign-in, badging, escort policies, and logs retained per your documentation schedule.

Security cameras with retention

Coverage of entrances, server rooms, and records storage with retention that matches your incident-response needs.

Maintenance and contractor logs

Documented access by HVAC, electrical, cleaning, and IT vendors -- with BAAs where appropriate.

Alarm and monitoring

Intrusion detection on after-hours entry to sensitive areas.

Common pitfalls

These are the gaps we see most often when taking over a HIPAA environment from another provider or during initial risk-analysis engagements. Each one is a documented OCR finding in at least one public settlement:

  • Server room doors propped open 'because the AC is broken.'
  • Keys to the records room floating among staff with no tracking.
  • Cleaning crews and HVAC vendors with unsupervised after-hours access and no BAA.
  • Camera systems where nobody has checked recording in six months.
  • Visitor logs full of 'John -- meeting' with no validation.
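The two implementation items above that produce machine-readable records (electronic access control with logging, and visitor management) can be checked routinely rather than only at audit time. The following is an added example, not Petronella Technology Group's code or any badge vendor's export format: it runs over constructed badge-log lines and visitor-log entries and flags the pitfalls listed above, namely granted after-hours entry to sensitive areas and visitor entries with no validation. The zone names, the comma-separated log layout, the business-hours window and the visitor-log fields are all assumptions made for this example.

```python
"""Added example (not the page's or Petronella Technology Group's code):
checks over constructed physical-access records for two of the gaps the
page lists -- after-hours entry to sensitive areas and unvalidated visitor
log entries."""
from datetime import datetime, time

# Assumptions for this example: which zones count as sensitive, what the
# badge system's export looks like, and what "business hours" means.
SENSITIVE_ZONES = {"server-room", "records-room", "it-closet"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
WEEKDAYS = range(0, 5)  # Monday..Friday

# Constructed badge-log lines (ISO timestamp, then key=value fields).
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
BADGE_LOG = """\
2024-03-04T08:12:00,badge=1042,zone=lobby,result=granted
2024-03-04T22:41:00,badge=2207,zone=server-room,result=granted
2024-03-05T09:03:00,badge=1042,zone=records-room,result=granted
2024-03-09T14:20:00,badge=3310,zone=it-closet,result=granted
2024-03-05T23:15:00,badge=2207,zone=server-room,result=denied
"""

# Constructed visitor-log entries; the first is the "John -- meeting" case.
VISITOR_LOG = [
    {"name": "John", "purpose": "meeting", "host": "", "id_checked": False,
     "sign_in": "2024-03-04T10:00:00", "sign_out": ""},
    {"name": "Maria Lopez", "purpose": "HVAC service", "host": "F. Chen",
     "id_checked": True, "sign_in": "2024-03-05T13:00:00",
     "sign_out": "2024-03-05T15:30:00"},
]


def parse_badge_line(line):
    """Split one export line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.strip().split(",")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def is_after_hours(ts):
    """True on weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() not in WEEKDAYS or not (start <= ts.time() < end)


def after_hours_sensitive_entries(log_text):
    """Return (timestamp, badge, zone) for granted after-hours entries
    into sensitive zones. Denied attempts are left to the alarm system."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_badge_line(line)
        if (rec["zone"] in SENSITIVE_ZONES and rec["result"] == "granted"
                and is_after_hours(rec["ts"])):
            hits.append((rec["ts"].isoformat(), rec["badge"], rec["zone"]))
    return hits


def visitor_log_defects(entries):
    """Map visitor name -> list of missing validation fields. An entry with
    a full name, a named host, an ID check and a sign-out time passes."""
    defects = {}
    for e in entries:
        problems = []
        if len(e["name"].split()) < 2:
            problems.append("name incomplete")
        if not e["host"]:
            problems.append("no host")
        if not e["id_checked"]:
            problems.append("ID not checked")
        if not e["sign_out"]:
            problems.append("no sign-out")
        if problems:
            defects[e["name"]] = problems
    return defects


if __name__ == "__main__":
    for ts, badge, zone in after_hours_sensitive_entries(BADGE_LOG):
        print(f"after-hours entry: {ts} badge {badge} -> {zone}")
    for name, problems in visitor_log_defects(VISITOR_LOG).items():
        print(f"visitor log defect: {name}: {', '.join(problems)}")
```

Run against a real badge export, the after-hours list is what the "alarm and monitoring" item above should already be paging someone about; reviewing it on a schedule, and keeping the review output with the access-control logs, is the kind of evidence the documentation section below says OCR asks for.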

Compliance evidence and documentation

HIPAA compliance is ultimately a documentation exercise. OCR investigators ask for evidence, not explanations. For this safeguard, the artifacts auditors typically expect include:

  • Facility Security Plan document
  • Access control logs (badge, key, or electronic)
  • Visitor logs
  • Maintenance records
  • Camera retention policy and sample footage check
  • Contractor BAAs where applicable

All documentation must be retained for six years from creation or last effective date under 45 CFR § 164.316(b)(2).

Related HIPAA Security Rule controls

This safeguard works alongside several other standards. In a well-run program they reinforce each other; gaps in one almost always surface as findings in the others:

Frequently asked questions

Do small practices really need badge access and cameras?

The Security Rule is scalable. A two-provider clinic may meet these requirements with keyed locks, a visitor log, and an after-hours alarm. A multi-site practice or hospital needs more. The documentation has to match the size, complexity, and risk of the operation.

What about data centers and cloud providers?

If ePHI is housed in a third-party data center or cloud provider, that provider is a Business Associate. Their facility controls are your responsibility to evaluate through SOC 2 reports, HITRUST certifications, or equivalent documentation -- and a signed BAA.

How long should we keep visitor logs and camera footage?

Align retention to your incident-response and documentation policies. Most covered entities retain visitor logs for six years (matching the HIPAA documentation rule) and camera footage for 30-90 days unless an incident requires longer.

Are maintenance records really a HIPAA concern?

Yes. Changes to locks, doors, alarms, and server-room infrastructure can affect the security of ePHI. A documented log helps investigate tampering and demonstrates ongoing oversight.

Need help with this HIPAA safeguard?

Petronella Technology Group has helped practices, hospitals, health-tech companies, and business associates implement HIPAA Security Rule safeguards since 2002. BBB A+ accredited, headquartered at 5540 Centerview Dr in Raleigh, NC. Talk with our team about a documented risk analysis, Virtual CISO engagement, or targeted remediation.

Schedule a Compliance Consultation