
HIPAA physical safeguards for small practices: what the rule actually requires

Physical safeguards under 45 CFR § 164.310 govern how your practice controls physical access to ePHI — from workstations and server closets to portable devices and decommissioned hard drives. Here is every standard and what it means in a small-practice setting.

By CoreFolio


Of the three safeguard categories in the HIPAA Security Rule — administrative, technical, and physical — physical safeguards may be the easiest to overlook in a small practice. The assumption is that physical security is common sense: lock the door, secure the server. In reality, 45 CFR § 164.310 is more specific than that, and the violations OCR finds in investigations are often not dramatic security failures but documentation failures — policies that were never written, procedures that were followed informally but not recorded.

This article covers every standard in § 164.310, what the required and addressable specifications mean for a small practice, and the documentation floor that a covered entity needs to be defensible.

The four physical safeguard standards

1. Facility access controls — § 164.310(a)(1)

This standard requires covered entities to implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.

Contingency operations (Addressable): Establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. For a small practice, this means having a documented procedure for accessing systems and data when your normal electronic access controls fail — including who has physical key access and under what circumstances.

Facility security plan (Addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. This does not require an enterprise security system. It requires a written plan that addresses: who has key or code access to the office, how that access is managed when staff leave, what physical barriers protect areas where ePHI systems are housed, and how the plan is reviewed.

Access control and validation procedures (Addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function. In a small practice, the common gap is an unlocked network closet or server room that anyone in the building can enter, including maintenance workers, cleaning staff, and temporary employees. The policy must state which roles have physical access to ePHI systems, and access lists must be updated when staff roles change.

Maintenance records (Addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security — for example, hardware, walls, doors, and locks. This is a documentation requirement, not a technical one. Keep a record of any modifications to physical security components.


2. Workstation use — § 164.310(b)

Workstation use (Required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

This is a required specification. For a small practice, a workstation use policy must address:

  • Which workstations (desktop computers, laptops, tablets) may be used to access ePHI and which may not
  • Approved uses: clinical documentation, billing, communication with referring providers — and prohibited uses: personal social media, unsecured personal email, unauthorized downloads
  • Screen positioning: workstations in patient-facing areas must be positioned so that patients in waiting rooms or hallways cannot view ePHI on screen
  • End-of-session logout requirements: staff must log out of ePHI systems when leaving a workstation unattended
  • Prohibition on personal devices accessing ePHI unless covered by a formal bring-your-own-device policy with documented safeguards

3. Workstation security — § 164.310(c)

Workstation security (Required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

This is distinct from workstation use policy. Workstation security covers the physical controls on the devices themselves:

  • Desktop computers should be locked to desks or housed in secured areas when not in use during non-business hours
  • Laptop computers should have cable locks when used in open areas; when removed from the office, additional controls apply (encryption at rest, remote wipe capability)
  • Workstations in common areas must have privacy screens or be positioned to prevent unauthorized viewing
  • Office areas where workstations are located should be lockable and locked during non-business hours
  • Visitor access to areas where workstations with ePHI access are located should be controlled

4. Device and media controls — § 164.310(d)

Device and media controls (Required — standard): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility and the movement of these items within the facility.

Disposal (Required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

When a computer, server, external hard drive, USB drive, tablet, or mobile device that has stored ePHI is decommissioned, sold, donated, or discarded, the ePHI must first be rendered unusable. Acceptable methods per NIST SP 800-88:

  • Clear: Overwriting with a recognized tool (software overwrite)
  • Purge: Degaussing magnetic media; block erase or cryptographic erase for solid-state devices
  • Destroy: Physical shredding, disintegration, or incineration

Simply deleting files, emptying the trash, or reformatting a drive is not sufficient under either NIST guidance or HIPAA requirements. The disposal method and the device serial number or asset identifier should be documented.

Media re-use (Required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Before a computer or storage device is repurposed — reassigned to a different staff member, loaned to a volunteer, or sent to a repair facility — the ePHI it contains must be sanitized per the above methods.

Accountability (Addressable): Maintain a record of the movements of hardware and electronic media, and any person responsible therefor.

Data backup and storage (Addressable): Create a retrievable exact copy of ePHI, when needed, before movement of equipment.


Remote work: an area of growing risk

The physical safeguards requirements do not end at the office door. If a workforce member accesses ePHI from a home office, hotel room, or other remote location, the covered entity’s workstation use and workstation security policies must address that scenario.

Key requirements for remote access scenarios:

  • Documented policy specifying which devices may access ePHI remotely and under what conditions
  • Screen positioning and privacy controls at remote locations (work in a private area; do not use ePHI on screens visible to household members or in public spaces)
  • Physical security of remote devices: not left in unattended vehicles, not accessible to unauthorized household members
  • Remote-wipe capability for laptops and mobile devices accessing ePHI
  • Automatic logoff configuration consistent with the office environment

The January 2025 Security Rule NPRM (90 Fed. Reg. 898) does not add new physical safeguard standards, but its proposed requirements for encrypted devices and remote wipe capability reinforce existing physical safeguard obligations.


The documentation floor for small practices

Physical safeguards enforcement often turns on the absence of written policies rather than the absence of physical controls. A small practice that has adequate locks, controls workstation positioning, and manages device disposal appropriately — but has no written policies documenting any of this — may still face enforcement findings.

The minimum documentation set:

  • Facility security plan: Who has physical access to areas housing ePHI systems, how access is managed, and how the plan is reviewed
  • Workstation use policy: Approved workstations, approved uses, screen positioning, logout requirements
  • Workstation security policy: Physical controls on devices, remote work requirements
  • Device and media disposal log: Asset identifier, disposal date, method used, person responsible
  • Portable device policy: Whether personal devices may access ePHI, and if so, what controls are required

None of these documents need to be lengthy. A single-page policy for each area is sufficient for most small practices. The obligation is to have them, maintain them, and be able to produce them.
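The disposal log is the one item in this set that is easiest to check mechanically. The script below is an added example, not CoreFolio's tooling or an HHS artifact: it audits a disposal log for the four fields listed above (asset identifier, disposal date, method, person responsible) and flags any entry whose method is a simple delete or reformat rather than a NIST SP 800-88 Clear, Purge, or Destroy technique. The CSV column names and the sample log entries are assumptions constructed for the example; the method vocabulary is taken from the disposal section above.

```python
"""Audit a device/media disposal log against the documentation floor:
every entry needs asset_id, disposal_date, method, and person, and the
method must be a NIST SP 800-88 Clear/Purge/Destroy technique rather
than a delete or reformat. Column names are an assumption of this example."""
import csv
import io
from datetime import date

# NIST SP 800-88 categories and the techniques listed under each in the article.
ACCEPTABLE_METHODS = {
    "overwrite": "Clear",
    "degauss": "Purge",
    "block erase": "Purge",
    "cryptographic erase": "Purge",
    "shred": "Destroy",
    "disintegrate": "Destroy",
    "incinerate": "Destroy",
}

# Actions the article states are NOT sufficient under NIST guidance or HIPAA.
INSUFFICIENT_METHODS = {"delete", "empty trash", "reformat", "format"}

# Minimum fields for a defensible disposal log entry.
REQUIRED_FIELDS = ("asset_id", "disposal_date", "method", "person")


def nist_category(method):
    """Map a method name to its NIST SP 800-88 category, or None if unrecognized."""
    return ACCEPTABLE_METHODS.get(method.strip().lower())


def check_entry(row):
    """Return a list of findings for one log row; an empty list means the row is complete."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not (row.get(field) or "").strip():
            findings.append(f"missing {field}")

    method = (row.get("method") or "").strip().lower()
    if method:
        if method in INSUFFICIENT_METHODS:
            findings.append(f"method '{method}' does not sanitize ePHI (NIST SP 800-88)")
        elif method not in ACCEPTABLE_METHODS:
            findings.append(f"method '{method}' is not a recognized Clear/Purge/Destroy technique")

    raw_date = (row.get("disposal_date") or "").strip()
    if raw_date:
        try:
            date.fromisoformat(raw_date)
        except ValueError:
            findings.append(f"disposal_date '{raw_date}' is not an ISO date (YYYY-MM-DD)")
    return findings


def audit_log(csv_text):
    """Audit a CSV disposal log. Returns {asset_id or 'row N': [findings]} for problem rows only."""
    problems = {}
    # Data starts on line 2 of the file, after the header row.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        findings = check_entry(row)
        if findings:
            key = (row.get("asset_id") or "").strip() or f"row {line_no}"
            problems[key] = findings
    return problems


# Constructed sample log for the example; asset identifiers and names are fictitious.
SAMPLE_LOG = """asset_id,disposal_date,method,person
WS-0142,2026-03-02,overwrite,A. Rivera
NAS-001,2026-03-02,degauss,A. Rivera
LT-0077,2026-03-15,reformat,B. Chen
USB-019,,shred,
TB-0031,03/20/2026,cryptographic erase,B. Chen
"""

if __name__ == "__main__":
    for asset, findings in audit_log(SAMPLE_LOG).items():
        print(asset)
        for finding in findings:
            print("  -", finding)
```

Run against the sample log, the two complete entries pass, the reformatted laptop is flagged as unsanitized, the USB drive is flagged for a missing date and responsible person, and the tablet is flagged for a non-ISO date. Extending the vocabulary to a practice's own tool names is a one-line change to the two dictionaries.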


Sources: 45 CFR § 164.310 (physical safeguards); HHS Physical Safeguards guidance, hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf; HHS Summary of the HIPAA Security Rule, hhs.gov/hipaa/for-professionals/security/laws-regulations; NIST SP 800-88 (guidelines for media sanitization); 90 Fed. Reg. 898 (HIPAA Security Rule NPRM, January 6, 2025). Last verified May 20, 2026.