HIPAA Physical Safeguards Checklist for Small Clinics
A practical, citation-backed checklist of HIPAA physical safeguards under 45 CFR 164.310. Covers facility access, workstation rules, and device and media controls for small clinics.
Short answer
The HIPAA Security Rule's physical safeguards address how a covered entity protects the buildings, rooms, workstations, and devices that hold PHI. This article translates 45 CFR 164.310 into a 28-item checklist a small clinic can run on a quarterly basis.
What the physical safeguards standard actually requires
The HIPAA Security Rule splits safeguards into three families: administrative, physical, and technical. The physical safeguards live in 45 CFR 164.310 and govern the buildings, rooms, workstations, and devices that hold electronic protected health information. They are the part of HIPAA that lawyers tend to skim and that auditors tend to dwell on, because physical control failures are the easiest to verify with a walkthrough.
The rule defines four standards:
- Facility access controls (164.310(a)(1))
- Workstation use (164.310(b))
- Workstation security (164.310(c))
- Device and media controls (164.310(d))
Each standard has implementation specifications that are either required or addressable. Addressable does not mean optional. It means a covered entity must implement the specification, document why an alternative is appropriate, or document why the specification is not reasonable for the environment. For small clinics, the addressable label is most often misread as a license to skip a control. It is not.
Specific requirements and CFR citations
Facility access controls — 45 CFR 164.310(a)(1). Implementation specifications include contingency operations, a facility security plan, access control and validation procedures, and maintenance records. The standard requires policies and procedures to limit physical access to electronic information systems and the facility in which they are housed, while ensuring that properly authorized access is allowed.
Workstation use — 45 CFR 164.310(b). Requires policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI.
Workstation security — 45 CFR 164.310(c). Requires physical safeguards for all workstations that access PHI, restricting access to authorized users.
Device and media controls — 45 CFR 164.310(d). Required specifications: disposal and media re-use. Addressable specifications: accountability and data backup and storage. The standard governs the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility.
Common gaps in small clinics
Most small clinics we have audited pass the front-door check and fail the back-office check. Patterns we see repeatedly:
- A locked front door after hours, but a back hallway with a server closet that anyone with a key to the suite can open.
- Paper charts left on counters in unlocked exam rooms overnight.
- A laptop inventory in a spreadsheet that has not been updated since the practice last hired a new clinician.
- No record of how the prior generation of office computers was disposed of.
- Visitor logs that exist on paper but are never reviewed and never retained for six years.
- Reception workstations angled so that the monitor is visible to the waiting room.
None of these are exotic findings. They are the ordinary failure modes of a busy clinic that has not run a documented physical walkthrough in the last twelve months.
Numbered checklist
Run this list quarterly. Mark each item as compliant, partially compliant, or non-compliant, with the name of the person who verified it and the date.
1. Exterior doors lock automatically after business hours and a documented key holder list exists.
2. Server closet, network rack, or wiring cabinet is locked separately from the rest of the office.
3. A current floor plan identifies every room that contains PHI in any form.
4. A facility security plan is written, signed, and dated within the last twelve months.
5. Visitor sign-in is required for any non-staff visitor entering clinical areas, with name, time in, time out, and host.
6. Visitor logs are retained for six years and reviewed at least annually for anomalies.
7. Vendors who service equipment that touches PHI are escorted at all times and recorded in the visitor log.
8. Contingency operations procedures describe how authorized personnel access the facility during a disaster or system failure.
9. Maintenance records track every repair, modification, or component change to security-relevant physical features (locks, doors, walls protecting PHI areas).
10. Workstation use policy specifies which roles may use which workstations and for what purposes.
11. Workstations are positioned so monitors are not visible from public areas, or privacy filters are installed.
12. Automatic screen lock engages after no more than fifteen minutes of inactivity on every workstation.
13. Reception workstations are configured so PHI is not displayed by default when no patient is being served.
14. Paper charts and printouts are removed from clinical surfaces and locked at end of day.
15. Fax machines that receive PHI are located in non-public areas and emptied at least daily.
16. Printers in shared areas require pull-printing or staff supervision, and stray output is shredded the same day.
17. Locked file cabinets or a locked records room hold every paper record containing PHI overnight.
18. Cleaning crews and after-hours staff are escorted, work under a BAA when applicable, or are restricted to areas with no PHI exposure.
19. Device inventory exists and lists every workstation, laptop, tablet, phone, server, and removable drive that has held PHI.
20. Each device record shows acquisition date, assigned user, location, and disposal status.
21. A written media disposal procedure specifies how hard drives, USB drives, backup media, and paper records are destroyed.
22. Disposal certificates are retained from any third-party shredding or destruction vendor, and that vendor has a signed BAA when handling PHI.
23. Re-use procedures require a certified wipe or cryptographic erase before any device that has stored PHI is reassigned.
24. Backup media stored offsite is in a locked container or facility, and the offsite location is documented.
25. Movement of any device or media containing PHI between facilities is logged with date, sender, recipient, and purpose.
26. Lost or stolen device reports are filed within twenty-four hours and trigger the security incident procedures.
27. The Security Officer reviews this checklist each quarter and signs the result.
28. The clinic walks through the checklist as a physical inspection, not a desk exercise, at least once per year.
Documentation requirements
The Security Rule requires written policies and procedures, written records of actions and assessments, and retention for six years from creation or last effective date. For physical safeguards, that means at minimum:
- A facility security plan
- A workstation use policy
- A device and media disposal procedure
- A device inventory with revision history
- Visitor logs
- Maintenance records
- Quarterly checklist results signed by the Security Officer
Store all of it where the Security Officer can produce it within forty-eight hours of an OCR request. Paper in a binder is acceptable. A shared drive with access controls is better. PHI must never appear in any of these documents.
For the administrative and technical companions to this checklist, see our administrative safeguards walkthrough and the broader compliance operations library. If you are evaluating tooling that bundles the policy library, audit log, and quarterly review schedule, the PHIGuard HIPAA platform is built around exactly this rhythm.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- 45 CFR 164.310 - Physical safeguards · Electronic Code of Federal Regulations
- HIPAA Security Rule Guidance Material · U.S. Department of Health and Human Services