Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural hazards and unauthorized intrusion.
Physical safeguards are one of the three categories of safeguards required by the HIPAA Security Rule, alongside administrative and technical safeguards. They address the physical protection of electronic information systems and the facilities that house them. Physical safeguards are intended to protect the hardware, equipment, and physical environment containing ePHI against unauthorized physical access, tampering, and theft, as well as against natural or environmental hazards such as fire, floods, and power outages. While often overshadowed by technical controls such as encryption and access management, physical safeguards remain a critical layer of defense in any comprehensive security program: a technical control is only as strong as the physical protection of the system that enforces it.
The Security Rule defines four standards within physical safeguards. Facility access controls require organizations to limit physical access to facilities where ePHI is stored, while allowing authorized access. This includes contingency operations, facility security plans, access control and validation procedures, and maintenance records. Workstation use requires organizations to specify the proper functions and physical attributes of workstations that access ePHI. Workstation security requires physical safeguards for all workstations that access ePHI, restricting access to authorized users. Device and media controls govern the receipt, removal, disposal, and reuse of hardware and electronic media containing ePHI, including policies for disposal, media re-use, accountability tracking, and data backup and storage.
The evolution of healthcare technology has made physical safeguards both more complex and more important. With the rise of cloud computing, mobile devices, telehealth, and remote work, the physical perimeter of where ePHI exists has expanded dramatically. Organizations must now consider physical security not only for server rooms and clinical workstations but also for employee home offices, mobile devices carried outside facilities, and data center locations operated by cloud service providers. Physical safeguards should be addressed in Business Associate Agreements with hosting and cloud providers, and organizations should verify that these providers maintain appropriate physical security through audits, certifications, and contractual requirements.