CMA: Physical Security for Small Organizations

Disclaimer: The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.

PrivaGuide: Ensure adequate physical security to safeguard protected health information




By Lesley Berkeyheiser and David Ginsberg





The HIPAA Privacy Rule requires that you control and monitor physical access to areas in which protected health information may be accessed. In other words, you must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. These are known as “physical safeguards.”




How to do this:


In this section we document some practical suggestions for meeting the core HIPAA privacy requirements. “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities that must be accomplished on a recurring basis. Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.


The sample procedures included in this PrivaGuide will help you do the following:


Evaluate safeguards currently in place.
Determine your “vulnerability” to inappropriate access to PHI.
Determine reasonable steps to reducing any vulnerability.
Document the above.



The first step in achieving physical safeguards is to assess and understand the systems you currently have in place. In general, physical safeguards are "physical" as opposed to technical: for example, adequate door locks to prevent unauthorized entry, or locks on file cabinets.


Implementation Suggestion: Inventory safeguards in place today.


Conduct a walk-through of your practice similar to the one you did to develop a PHI inventory.
During the walk-through, look for safeguards in place that protect against unauthorized access.
Document these safeguards on a form you have created for this purpose. Also look for vulnerabilities that may not be safeguarded, for example a back room that houses computer equipment and can be easily reached from the outside "staff" entrance to your office. This step helps you identify potential "risks."
Document the probability that each risk could occur. This step helps you determine the reasonable and appropriate safeguards or measures to put in place.
Document these safeguards and risks on the form you have created for this purpose, or on the Risk Analysis Tracking form. The Risk Analysis Tracking form is completed as part of the Security Rule requirements; it is described in both the Implementing the Security PrivaGuide and the Risk Analysis PrivaGuide. Alternatively, you can start with the Start the Security Walkthrough document.

Typical areas of risk and safeguard (and questions to ask as you do the walk through) include the following. They are designed to reveal areas of concern:

Main entry door locks.
Are there secondary entry doors that are unlocked? For example a back or side staff entrance?
Are the locks changed after employees are terminated? This may not be practical if you have high turnover. Do you use "do not duplicate" keys?
A complete list by name of who has keys (including business associates such as janitors, or the landlord). You can record this on the Job Responsibility with respect to PHI form or on another master employee/contractor list.
Security systems, and a list by name of who has access codes.
Frequency of changes to security system pass or alarm codes; document if you have a specific policy of changing these codes, for example every 90 days or whenever an employee leaves.
Are medical records (charts) maintained in a separate room? Is this room locked? If charts are not maintained in a separate room, are they isolated from patient access?
Are medical records maintained in a locking file cabinet? While not required, this is a desirable measure. If the cabinets do not lock, other measures must be taken to be certain the records are secure.
Do you have any physical barriers for unauthorized access? For example is there a door between the waiting room and the rest of the office? Is this door locked?
Do you use signage to indicate “authorized access”?
Are fax machines and computer terminals kept distant from, or turned away from, patients and/or repair people?
Are repair personnel accompanied and monitored when they are on the premises?
Do you use door chart holders that are opaque, or do you turn the chart around so there are no identifying indicators to the patient passing by?
Does the physician or nursing staff do dictation in the hall or in other areas where patients might be present?
Is your paper waste containing PHI shredded?
Does your paper waste get discarded at the end of the day? If so, does it get discarded into locked trash dumpsters?
Do you store old charts or records in a separate room? Does this room have a lock?
Are billing records kept in secured areas? For example are payment remittances and superbills kept in a locked cabinet or a locked office?
Has the staff been trained to lock rooms and cabinets at night?
Does the physician keep charts, lab results and so forth in his or her office at night? Does that office have a lock? Who has keys to it?
Are charts removed from the office for any reason? When they are removed are they placed and kept in any kind of locked container?
Are certain devices and equipment kept secure from theft? For example, are laptop computers secured or locked to the desk?
Are there areas that should be restricted to certain staff? For example, if the computer server sits in a secure location in the billing office, should that room be off limits to nursing staff?
When repairs are made to a part of the facility that could affect physical security do you document and review the work? For example work on windows or doors?
Do you verify the security when new electronic “media” or equipment is brought into the practice and connected to your network? For example ensuring it is virus free?

Reasonability:


The word "reasonable" appears frequently in the HIPAA Privacy and Security regulations. You can apply "reasonability" to the physical security requirements or to any of the standard safeguards. For example, if locking the patient charts requires an expensive replacement of your chart file system, this may not be "reasonable." In this case consider other options that reduce the vulnerability or risk posed by open chart racks: for example, isolating the chart racks, restricting access to the chart area with "authorized only" signs, and training staff to keep patients and repair people away from the chart areas.



Implementation Suggestion: Determine your vulnerability.


Using the evaluation just completed, identify areas you believe are vulnerable. You can indicate this on the evaluation document by “highlighting” those areas or creating some kind of notation.

Implementation Suggestion: Determine reasonable steps to reducing any vulnerability.


Using the highlighted list of “vulnerable” areas on your Risk Analysis Tracking form or the document you created, develop a plan to reduce these vulnerabilities. 
Remember to be reasonable in your approach. It is not necessary to renovate your office to reduce or mitigate vulnerability. For example if you have open chart files that are “built” into the wall, you may choose to simply use a sign that states “authorized access only”. 
If changing door locks whenever an employee is terminated is too costly, consider a security system and alarm. 
Using the document you created to identify vulnerability, indicate the measure you will employ to reduce the vulnerability.

Implementation Suggestion: Document your efforts.


Using the Risk Analysis form or your own documentation, indicate the measures actually used to correct the problem. Indicate what the measure is (for example, obtaining an alarm system), when it was implemented, and who is responsible for it.

Maintenance Suggestion: On-going staff awareness.


Reviewing the list of "vulnerabilities" you documented with the staff, and involving them in determining reasonable measures to reduce those vulnerabilities, makes a good staff training and awareness program.
Periodically review with the staff the physical safeguards in place and the importance of remembering to use them. Whenever a mistake is made (for example, a chart room left unlocked at night), be sure to review it with the staff.

Maintenance Suggestion: Keep in place a visitor (non-patient) access log.


You probably have visited companies that required all visitors to sign in. This might be a good measure for your practice. Since you probably already have a patient sign-in sheet, consider keeping a separate sign-in log for repair personnel, pharmaceutical detail representatives, consultants and other non-patient visitors. Use the "Sign In Sheet for Non-workforce Personnel" as a sample template for this.
Develop a protocol for maintenance personnel and repair personnel who may access protected health information during the performance of their duties. The protocol might include accompanying these personnel while they are on site, as well as explaining to them the importance of not looking at PHI.

Maintenance Suggestion: Keep key and pass code logs up to date:

Be sure to maintain an up-to-date log, by name and job description, of persons who have keys (and where those keys provide access) or security system alarm pass codes/swipe cards. Use the "Workforce Log for Physical Security Access" as a sample template for this.
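The walk-through questions earlier in this guide ask whether locks and alarm codes are changed when an employee leaves and whether codes are rotated on a schedule such as every 90 days; the log described here is what makes those questions answerable. The following is an added example, not part of the PrivaGuide or its templates, of reviewing such a log automatically: it cross-checks who holds keys and alarm codes against the workforce and contractor roster and flags terminated holders, unnamed holders, and shared alarm codes that have not been changed since a holder left or within the rotation window. The log and roster columns, the 90-day window, and all names and dates below are constructed assumptions for illustration.

```python
"""Review a physical-access holder log against the workforce roster.

Added example, not part of the original PrivaGuide. The log columns, the
roster format and the sample entries below are assumptions constructed for
illustration; the 90-day rotation window is the example period the page
itself gives.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

CODE_ROTATION_DAYS = 90  # policy assumption; the page uses 90 days as an example

# Constructed sample log: one row per credential a person or contractor holds.
ACCESS_LOG = """\
holder,role,credential,location,issued,last_rotated
Ana Ruiz,Front desk,key,Main entry door,2023-01-10,
Ana Ruiz,Front desk,alarm code,Main alarm panel,2023-01-10,2023-11-01
Ben Ortiz,Billing,key,Billing office,2022-06-02,
Carla Diaz,Nurse,key,Chart room,2021-03-15,
Carla Diaz,Nurse,alarm code,Main alarm panel,2021-03-15,2023-11-01
Janitorial Co.,Business associate,key,Staff entrance,2020-09-01,
,Landlord,key,Main entry door,2019-01-01,
"""

# Constructed sample roster of workforce members and business associates.
ROSTER = """\
name,status,terminated
Ana Ruiz,active,
Ben Ortiz,active,
Carla Diaz,terminated,2024-01-15
Janitorial Co.,business associate,
"""


@dataclass(frozen=True)
class Finding:
    severity: str     # "high" or "medium"
    holder: str
    credential: str
    location: str
    issue: str


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _date(s: str) -> date | None:
    return date.fromisoformat(s) if s else None


def review_access(log_text: str, roster_text: str, as_of: str,
                  rotation_days: int = CODE_ROTATION_DAYS) -> list[Finding]:
    """Cross-check the holder log against the roster as of an ISO date string."""
    today = date.fromisoformat(as_of)
    roster = {r["name"]: r for r in _rows(roster_text)}
    findings: list[Finding] = []
    rotations: dict[str, list[date]] = {}   # panel -> recorded rotation dates
    departed: dict[str, date] = {}          # panel -> latest departure of a code holder

    for row in _rows(log_text):
        holder, cred, loc = row["holder"].strip(), row["credential"], row["location"]
        if not holder:
            # The page asks for a list *by name*; an unnamed holder is a log gap.
            findings.append(Finding("medium", "(unnamed)", cred, loc,
                                    "holder not identified by name"))
            continue
        person = roster.get(holder)
        if person is None:
            findings.append(Finding("medium", holder, cred, loc,
                                    "holder not on the workforce/contractor roster"))
        elif person["status"] == "terminated":
            left = _date(person["terminated"])
            findings.append(Finding("high", holder, cred, loc,
                                    f"terminated {left}; collect key or change lock/code"))
            if cred == "alarm code" and left:
                departed[loc] = max(departed.get(loc, left), left)
        if cred == "alarm code":
            rot = _date(row["last_rotated"])
            rotations.setdefault(loc, [])
            if rot:
                rotations[loc].append(rot)

    # A shared alarm code is only as secret as its most recent rotation.
    for loc, dates in rotations.items():
        last = max(dates) if dates else None
        if last is None:
            findings.append(Finding("high", "(shared)", "alarm code", loc,
                                    "no rotation date recorded"))
        elif loc in departed and last < departed[loc]:
            findings.append(Finding("high", "(shared)", "alarm code", loc,
                                    f"not changed since a holder left on {departed[loc]}"))
        elif (today - last).days > rotation_days:
            findings.append(Finding("medium", "(shared)", "alarm code", loc,
                                    f"last changed {last}, over {rotation_days} days ago"))
    return findings


def review_sample() -> list[Finding]:
    """Run the review over the constructed data as of 2024-03-01."""
    return review_access(ACCESS_LOG, ROSTER, "2024-03-01")


if __name__ == "__main__":
    for f in sorted(review_sample(), key=lambda f: (f.severity != "high", f.location)):
        print(f"[{f.severity:6}] {f.location}: {f.credential} held by {f.holder}: {f.issue}")
```

Run against the constructed data, the review reports the terminated nurse's chart-room key and alarm code, the alarm code that was last changed before she left, and the landlord's key with no named holder; the two active staff and the named janitorial contractor produce no findings. Keeping the log in a simple columnar form like this is what lets the same review be repeated at each termination and at each scheduled rotation.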

Negligent Creation, Maintenance or Disposal of Records:


California law states that health care providers, health plans and health plan contractors must create, maintain, preserve, store, abandon, destroy, or dispose of medical records in a manner that preserves their confidentiality. The negligent creation, maintenance, preservation, storage, disposal, abandonment or destruction of medical records in a manner which fails to preserve their confidentiality is prohibited (Civil Code 56.101).


This is a strong incentive to consider shredding and appropriate “disposal” methods!



About the Authors:


This PrivaGuide has been greatly improved and customized by the California Medical Association, specifically through the work of Catherine Hanson, Vice President and General Counsel of the CMA, and Steve Fleisher, Esq., of Fleisher and Associates.



Lesley Berkeyheiser

Ms. Berkeyheiser has over twenty years of experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), gap analysis (PrivaPlan), and HIPAA policies and procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her extensive and current knowledge of HIPAA remediation solutions.


Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342.  Telephone: (610)-558-3332.  Email:



David Ginsberg


Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders. 


David Ginsberg is a healthcare consultant with over twenty-five years of experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, and physician-hospital strategic planning, practice management consulting, and compliance issues. 


Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.  Email:
