The Security Rule's physical safeguards live at 45 CFR 164.310, and they are the standards most likely to be skipped by a team that thinks about security in terms of ports and patches. The regulation is not abstract about this. It names walls, doors, and locks. It asks about "the physical attributes of the surroundings" of a workstation. It requires policies for hardware moving into and out of a facility. If you still run any on-premise hardware that touches ePHI, the closet it sits in is a compliance surface, and it is one an assessor can evaluate in about ninety seconds by looking at it.
Why the closet is a compliance surface
Technical controls have an implicit assumption baked into them: that an attacker has to come through the network. Physical access voids that assumption. Full-disk encryption protects a drive that is powered off; it protects nothing on a machine that is logged in and sitting in an unlocked room. Console access to a server is usually authentication you did not plan for. A backup drive in a cardboard box is an exfiltration that requires no exploit.
Which is why the Security Rule treats physical measures as a peer category to technical ones rather than an afterthought, and why 164.308(a)(8) — the Evaluation standard — requires a periodic technical and nontechnical evaluation. The nontechnical half is the one that involves standing in the room.
What 164.310 actually requires
Four standards, all mandatory. The implementation specifications beneath them are a mix, and the mix matters:
| Standard / specification | Citation | Label |
|---|---|---|
| Facility access controls | 164.310(a)(1) | Standard (mandatory) |
| Contingency operations | 164.310(a)(2)(i) | Addressable |
| Facility security plan | 164.310(a)(2)(ii) | Addressable |
| Access control and validation procedures | 164.310(a)(2)(iii) | Addressable |
| Maintenance records | 164.310(a)(2)(iv) | Addressable |
| Workstation use | 164.310(b) | Standard (mandatory) |
| Workstation security | 164.310(c) | Standard (mandatory) |
| Device and media controls | 164.310(d)(1) | Standard (mandatory) |
| Disposal | 164.310(d)(2)(i) | Required |
| Media re-use | 164.310(d)(2)(ii) | Required |
| Accountability | 164.310(d)(2)(iii) | Addressable |
| Data backup and storage | 164.310(d)(2)(iv) | Addressable |
Note the two Required specifications, because they are the two most likely to be quietly unmet: disposal and media re-use. Everything about a decommissioned drive is a Required obligation, and the shelf of old drives in the back of the closet is the single most common physical finding in a small clinic.
Facility access controls
The standard at 164.310(a)(1) asks for policies and procedures to limit physical access to your electronic information systems and "the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed." That last clause is doing real work — the objective is controlled access, not no access. A door that is locked so thoroughly that the on-call engineer props it open at 2am has made the control worse, not better.
The addressable specifications underneath tell you what to think about:
- Contingency operations — procedures allowing facility access to restore lost data under your disaster recovery and emergency mode operations plans. Who gets into the building during an outage, and how, at 3am, when the badge system is the thing that is down?
- Facility security plan — safeguarding the facility and its equipment from unauthorized physical access, tampering, and theft.
- Access control and validation procedures — controlling and validating access based on role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance records — documenting repairs and modifications to physical components related to security. The regulation's own examples: "hardware, walls, doors, and locks."
Visitor control is named in the text. If your HVAC contractor signs nothing and walks past the closet unescorted, that is the specification talking about you.
The server closet checklist
- Is the door locked, and is the lock distinct from the general office key? A closet that opens on the same key as the supply cupboard has an access list equal to your headcount.
- Who is on the access list, and when did you last read it? Tie this to your termination procedures at 164.308(a)(3)(ii)(C). Badge revocation and account revocation are two separate jobs and one of them gets forgotten.
- Is access logged? Badge reader, keypad codes issued individually, or a paper log. A shared code held by everyone since 2019 logs nothing.
- Is the room used as storage? The moment a closet becomes overflow storage, its access list expands to everyone who needs printer paper.
- Are consoles locked? Screen lock on the physical console, not just on the remote session.
- What else is in the rack? The switch, the phone system, and the door controller often share the closet. They share its risk too.
- Are backup media in the same room as the thing they back up? A fire, a flood, or a theft that takes the server and takes the backups is one event, not two.
- Environmental exposure. HHS's guidance names environmental threats explicitly — power failures, liquid leakage. A closet under a bathroom is a documented risk, not a joke.
- Is there a maintenance record? When the lock was rekeyed, when the door was replaced, who did it.
- Visitor and vendor escort. Written, and actually followed.
Workstations: the surroundings are in scope
Two standards, both mandatory, both frequently read too narrowly.
Workstation use (164.310(b)) requires policies specifying the proper functions to be performed, the manner in which they are performed, and — the phrase to notice — "the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."
Workstation security (164.310(c)) requires physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
"Physical attributes of the surroundings" is a regulation asking which way the monitor faces. A check-in screen visible from the waiting room chairs is a workstation-use finding. So is the nurses' station terminal in a corridor, the laptop on the counter in an exam room, and the front-desk monitor angled toward the queue. None of these are software problems, and none will be found by anything that runs remotely.
Device and media controls, where Required means Required
The standard at 164.310(d)(1) governs receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and movement within it. Beneath it:
- Disposal (Required) — policies and procedures addressing the final disposition of ePHI and the hardware or media storing it.
- Media re-use (Required) — procedures to remove ePHI from media before it is made available for re-use. The laptop being handed to the new hire, the copier being returned at lease end.
- Accountability (Addressable) — a record of the movements of hardware and media, and the person responsible.
- Data backup and storage (Addressable) — a retrievable exact copy before equipment moves.
The multifunction copier is worth naming on its own. It has a hard drive, it has scanned charts, and it usually leaves the building at the end of a lease with nobody having thought of it as a computer.
Documenting it so it counts
Physical safeguards fail audits in a particular way: the control exists and the evidence does not. The closet is locked; there is no access list. The old drives were destroyed; there is no certificate. The visitor was escorted; there is no log.
Under 164.316, Security Rule documentation must be kept in writing and retained for six years from the later of its creation or the date it was last in effect. For each addressable specification you decline, 164.306(d)(3) requires the written rationale. And for each item on the checklist above, the artifact an assessor wants is boring and specific: the access list with a review date, the destruction certificate with a serial number, the maintenance record with the date the lock was changed.
The takeaway
Physical safeguards are the part of the Security Rule that a technical team is least likely to own and most likely to assume someone else covered. Nobody covered it. The rule names the room, the door, the lock, the monitor's surroundings, and the drive on its way to the dumpster, and it makes disposal and media re-use flatly Required. Walk the closet with the checklist above, write down what you find, and put a date on it. It is an afternoon of work, and it closes the category most likely to be genuinely empty in your file.
Common questions
Does HIPAA require a locked server room?
The Security Rule does not use the words 'locked server room.' It sets a Facility access controls standard at 45 CFR 164.310(a)(1) requiring policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. The standard itself is mandatory. How you meet it is determined by your risk analysis. For most organizations with on-premise hardware holding ePHI, a locked room with controlled access is the obvious and easily defended answer, but the regulation states the objective rather than the lock.
Are physical safeguards addressable or required under the HIPAA Security Rule?
Both, depending on which item you mean. The standards in 164.310 are mandatory: facility access controls, workstation use, workstation security, and device and media controls. Underneath them, the implementation specifications vary. Contingency operations, facility security plan, access control and validation procedures, and maintenance records are all Addressable. Disposal and Media re-use, under device and media controls, are both Required. Addressable never means optional; it means assess, then implement, substitute an equivalent measure, or document why neither is reasonable and appropriate.
Does the Security Rule cover physical security if our EMR is in the cloud?
Yes, though the scope shifts rather than disappears. Your cloud vendor's data center is covered by their own obligations and your business associate agreement under 164.308(b). But 164.310(b) and (c), workstation use and workstation security, apply to every workstation in your building that accesses ePHI regardless of where the server lives. So do device and media controls for laptops, backup drives, and anything else leaving the facility. A cloud migration removes the server from the closet; it does not remove the closet, the workstations, or the old drives still sitting in it.
What should we do with decommissioned drives that held ePHI?
Disposal at 45 CFR 164.310(d)(2)(i) is a Required implementation specification: implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media it is stored on. Media re-use at 164.310(d)(2)(ii) is also Required: remove ePHI from media before it is made available for re-use. Accountability, at 164.310(d)(2)(iii), is addressable and asks you to maintain a record of the movements of hardware and media and the person responsible. In practice that means a documented method of destruction or sanitization, and a log that says which device, when, by whom.