The third paper within HIPAA talks about the Physical Safeguards that are created to protect all of the patient information. In this blog, we find four topics that can be used as guidance to help clinics, health providers, and others regarding security.

Facility Access Controls

First, we have the facility access controls, where it is necessary to decide the policies and install procedures to limit the physical access to not only the EPHI but also the facility within itself. Within this measure we have the following controls:

  • Operations containment - establish and implement, if necessary, procedures that allow easy access in support of the restoration of data lost due to disasters, or emergencies;
  • Unit security plan - have policies and procedures to protect the installation and equipment contained in the building against unauthorized physical access, tampering, and theft. Usually, this item takes into account locks, alarms, cameras, access tags for employees and visitors, and even private security;
  • Access and verification - it is necessary that, before the entry of an employee or visitor, it must be identified in some way;
  • Registers - keep registers of all equipment maintenance.


The workplace can be defined as any electronic equipment, notebooks, desktop computers, or others that have similar functions where information is stored and made available for access, and this equipment can be inside the health unit, or in the homes of employees who are home office, for example.

Within this item we also have the security of the workplaces, which states that physical security must be implemented for all equipment and places that store confidential patient information, thus restricting the access of unauthorized people.

For the equipment used, is also necessary to take into account how it will be disposed of, when their technologies are outdated, their reuse, who is responsible for accessing, editing, and maintaining them, as well as maintaining an updated backup.

Source: HHS - Physical Safeguards