Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

Physically Securing Your Work Environment

HIPAA compliance may seem daunting, but, believe it or not, there are easy, cost-effective steps you can take right now to help get you there. If you’re responsible for upholding HIPAA law, take a moment to look around your office space. How well is your environment protecting others’ electronic Protected Health Information (ePHI)?

The Department of Health and Human Services’ Office for Civil Rights’ (OCR) most recent newsletter serves as a reminder for all Covered Entities, Business Associates, and Business Associate Subcontractors to physically secure surroundings where there is access to ePHI. The HIPAA Security Rule requires the “[implementation of] physical safeguards for all workstations that access ePHI to restrict access to authorized users.”

The Security Rule specifically references “workstations,” which includes “a computing device, for example, a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” What else is meant by “workstations”? Don’t forget about portable electronic devices like tablets, smartphones, and medical devices. While making physical changes seems easy enough, many organizations overlook these types of safeguards because they’re more concerned with their technical (encryption to thwart cyber attackers, for example) or administrative HIPAA obligations (like preparing and implementing a risk assessment). Physical controls are often the simplest and cheapest ways to keep ePHI private and confidential.


The Cost of No Physical Security

Many physical security controls are absolutely free to set up, like ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use. Physically locking a device is one of the most effective ways of preventing theft.

Examples of HIPAA Physical Mistakes

The HIPAA Security Rule’s physical safeguard standard has resulted in OCR settlement payments ranging from $250,000 to $3.9 million. In 2015, Lahey Hospital and Medical Center had an unencrypted laptop computer stolen, resulting in the exposure 599 patients’ ePHI. The laptop was stolen from an unlocked treatment room. Lahey Hospital paid $850,000 in HIPAA fines for the mistake, a costly fee for the lack of implementing a free physical security control!

When QCA Health Plan failed in 2014 to implement physical safeguards for their company’s workstations, they were forced to settle HIPAA violations with OCR for $250,000. The workstation included an unencrypted laptop computer that was stolen from the vehicle of an employee.

In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute did not physically secure a laptop computer containing the ePHI of 13,000 patients. The device was stolen from the vehicle of an employee.

In July 2016, University of Mississippi Medical Center settled a case for $2.75 million after an unencrypted laptop was stolen from its Medical Intensive Care Unit. The computer contained the ePHI of an about 10,000 patients.

MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) settled with OCR for $2.2 million in January 2017. MAPFRE filed a breach report with OCR indicating that a USB data storage device (pen drive) containing ePHI of 2,209 individuals was stolen from its IT department, where the device was left without safeguards overnight.


Implementing Your Own Physical Security

Covered Entities, Business Associates, and Business Associate Subcontractors should define physical security controls based on their risk assessments and risk management process. Consider implementing the following physical security controls to secure electronic devices and ePHI:

  • Position desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
  • Use privacy screens to prevent shoulder surfing
  • Use cable locks to prevent electronic devices containing PHI from being stolen
  • Install security cameras to deter theft of electronic devices and physical PHI
  • Use signage to remind employees of the need to use physical security controls
  • Use port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software

As OCR highlights in their May newsletter, Covered Entities and Business Associates have had to enter into settlement agreements ranging from $250,000 to $3.9 million for violation of the physical security requirement. Don’t neglect to secure your environment to avoid costly HIPAA fines!



  1. https://healthitsecurity.com/news/hipaa-security-rule-requires-physical-security-of-equipment
  2. https://www.hipaajournal.com/ocr-reminds-covered-entities-not-to-overlook-physical-security-controls/
  3. https://www.hhs.gov/about/news/2017/01/18/hipaa-settlement-demonstrates-importance-implementing-safeguards-ephi.html

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)