Physical Safeguards
Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
45 CFR 164.310 covers Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. The standards cover everything from locks and cameras to laptop disposal procedures.
How it shows up in your practice
Lost laptops and improperly disposed-of media drive a meaningful share of OCR settlements. Track every device that touches ePHI; use NIST SP 800-88 sanitization standards before disposal.
Sources
- 45 CFR 164.310 — Physical safeguardshttps://www.ecfr.gov/current/title-45/section-164.310
- NIST SP 800-88 — Guidelines for Media Sanitizationhttps://csrc.nist.gov/pubs/sp/800/88/r1/final
- HHS — HIPAA Security Rulehttps://www.hhs.gov/hipaa/for-professionals/security/index.html
Adopt physical safeguard policies in the Compliance Binder
Open compliance binder →Related terms
- SecurityAdministrative SafeguardsPolicies and procedures designed to manage the selection, development, implementation, and maintenance of security measures protecting ePHI.
- SecurityTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- HIPAA & PrivacyHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
- SecurityMedia SanitizationProcess to render ePHI on storage media unreadable, indecipherable, or otherwise inaccessible before disposal or reuse.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryAdministrative SafeguardsPolicies and procedures designed to manage the selection, development, implementation, and maintenance of security measures protecting ePHI.
- GlossaryTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- GlossaryMedia SanitizationProcess to render ePHI on storage media unreadable, indecipherable, or otherwise inaccessible before disposal or reuse.
- GlossaryHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
- RegulationHIPAA Device and Media Controls (45 CFR 164.310(d))Required specifications for disposal of hardware and electronic media containing ePHI, and media re-use procedures.
- GlossaryContingency PlanThe HIPAA-required plan covering data backup, disaster recovery, and emergency-mode operation when normal operations are disrupted.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- GlossaryFacility Access ControlsPhysical safeguards controlling who can enter facilities containing ePHI.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.