This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Physical Safeguards Policy

Reference: 45 CFR § 164.310
Last Updated: May 19, 2024


The physical safeguards are a series of security measures meant to protect a CE's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion. The measures include both administrative policies and physical controls.


The specific standards of the physical safeguards are:

  • Facility access controls (CFR §164.308(a)(1)): Implementing policies and procedures that limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
  • Workstation use (CFR §164.310(b)): Implementing policies and procedures that specify the proper workstation functions to be performed, the manner in which those functions are to be performed, and the characteristics of the physical surroundings of workstations that can access EPHI.
  • Workstation security (CFR §164.310(c)): Implementing physical safeguards for all workstations that can access EPHI, so as to limit access to only authorized users.
  • Device and media controls (CFR §164.310(d)(1)): Implementing policies and procedures for the receipt and removal of hardware and electronic media that contain EPHI into and out of a CE, and the movement of those items within a CE.
    • Insure that any subcontractors or agents to whom the Business Associate provides ePHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.
    • Make available ePHI in accordance with proposed 42 C.F.R. 164.514(a),i.e., access of individuals to Protected Health Information.
    • After termination of the contract, return or destroy all Protected Health Information that the Business Associate still maintains in any form and retain no copies of such information.
    • Incorporate any amendments or corrections to Protected Health Information when notified by Security or Privacy Officer in accordance with the Privacy Rules.
  • Include in the Business Associate agreement language stating that:
    • Contract may be terminated if a determination is made that the Business Associate has violated a material term of the contract required by the Privacy Rules.
    • Business Associate shall indemnify Covered Entity from any loss resulting from an improper use or disclosure of Protected Health Information by the Business Associate.
    • In the event of a Business Associate’s breach, Business Associate shall retrieve improperly disclosed information and adopt new practices to assure Protected Health Information is appropriately handled.
    • Business Associate shall submit reports, as needed, to demonstrate compliance with HIPAA policies and procedures.
Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram