The HIPAA Security Rule regulates the front door. Alongside the technical controls most people associate with it, 45 CFR 164.310(a)(1) requires every covered entity and business associate to limit physical access to its electronic information systems and the facility they are housed in, while ensuring properly authorized access is allowed. That standard is not Addressable and it does not scale away at small size. What a practice gets to decide is how it meets it, and that decision is supposed to be written down.
What the standard requires
The second half of that sentence is the half people skip. The standard has two obligations pulling in opposite directions: keep the wrong people out, and let the right people in. A control that locks the records room so thoroughly that the one person with the key is on vacation has failed the standard, not satisfied it. This is a recurring theme in the physical safeguards and it is why the rule keeps pairing restriction with availability.
The four specifications
Four implementation specifications sit under the standard. All four are Addressable.
| Specification | What it asks for |
|---|---|
| 164.310(a)(2)(i) Contingency operations | Procedures allowing facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency |
| 164.310(a)(2)(ii) Facility security plan | Policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft |
| 164.310(a)(2)(iii) Access control and validation procedures | Procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision |
| 164.310(a)(2)(iv) Maintenance records | Policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks) |
The last one surprises people every time. The regulation names walls, doors, and locks in its own parenthetical. When a contractor re-keys the back door or moves a wall during a remodel, that is a documented event under the Security Rule. Most practices have no record of it, because it feels like facilities work rather than compliance work.
What Addressable means here
All four specifications being Addressable is the source of most confusion about this standard, and it is worth being precise, because "Addressable" is the most misread word in the Security Rule.
Under 45 CFR 164.306(d), for an Addressable specification you assess whether it is a reasonable and appropriate safeguard in your environment. If it is, you implement it. If it is not, you document why not and implement an equivalent alternative measure if one is reasonable and appropriate.
So the available answers are "we did it," or "we did something else instead, and here is the reasoning." The answer that is not available is silence. An office with no badge system, no visitor procedure, and no written reasoning has not made an Addressable determination. It has made no determination.
Meanwhile the standard at 164.310(a)(1) is not Addressable. Limiting physical access is required. Only the mechanisms are flexible.
Keys are an access control system with no audit log
Most small practices control facility access with metal keys, which is legitimate and often reasonable and appropriate. It is worth being clear-eyed about what a key does and does not give you.
A key has no log. It cannot tell you who opened the records room on Saturday, cannot be deactivated remotely, and cannot be counted. Copies propagate quietly: a key issued to a departed employee three years ago is indistinguishable from one that was returned, unless somebody wrote it down.
None of that makes keys non-compliant. It does mean the compensating work is manual, and the practical minimum is a key register recording who holds which key, when it was issued, and when it came back. Re-keying after a departure where the key was not returned is the equivalent of disabling a login, and it costs enough that it tends to get postponed indefinitely, which is exactly the decision worth making deliberately rather than by default.
Visitor control, and what the rule does not say
164.310(a)(2)(iii) names visitor control explicitly. It does not name a visitor log, a badge, or a sign-in sheet. That distinction matters, because the requirement is frequently restated as "HIPAA requires visitor logs," and the regulation does not say that.
What it asks is that you can control and validate a person's access based on their role or function. In a medical office, the people who walk in beyond the waiting room are a predictable list, and each raises a different question:
- Contractors and cleaners, often present after hours when nobody is watching, with access to every room including the one with the charts on the desk.
- Vendor technicians servicing equipment, sometimes with legitimate access to systems holding ePHI.
- Delivery and courier staff, usually stopping at the front, sometimes not.
- Landlord or building maintenance, who may hold a master key you did not issue and cannot recall. Worth knowing before you need to know.
- Job candidates and shadowing students, walked through clinical areas as a courtesy.
The workable question is not "do we have a logbook." It is: for each of those categories, does someone know they are here, is someone accountable for them while they are, and does their access match what they came to do?
Two standards that sit next to this one
Facility access controls are one of four standards in 164.310, and two of the others operate at the desk rather than the door.
Workstation use, 164.310(b) asks for policies and procedures specifying the proper functions to be performed, the manner in which they are performed, and the physical attributes of the surroundings of a workstation that can access ePHI. That last clause is about where the screen points. A monitor at a check-in desk angled toward the waiting room is squarely within what this standard contemplates.
Workstation security, 164.310(c) requires physical safeguards for all workstations that access ePHI, to restrict access to authorized users. Note that this standard has no implementation specifications and is not Addressable.
Read together with facility access controls, the three standards describe a layered idea: control the building, control the room, control the machine. Most practices are strongest on the third and weakest on the second.
The gap between IT offboarding and physical offboarding
When someone leaves, the login gets disabled. Whether the badge, the key, and the alarm code follow is a separate workflow, usually owned by a different person, and often the one that quietly does not happen.
The Security Rule addresses the digital half at 164.308(a)(3)(ii)(C), Termination procedures, an Addressable specification covering procedures for terminating access to ePHI when employment or another arrangement ends. Physical access to the facility housing the systems is governed here at 164.310(a). Two provisions, two owners, one departing employee.
A useful test: pick someone who left in the last year and ask what they could still get into. If the honest answer involves a key nobody collected or a door code that has not changed since 2019, the finding is real, and it is the kind that no system report will ever surface.
A walkthrough you can run this week
None of this requires a consultant to begin. Walk the office after hours with a notepad and answer these:
- Where does ePHI physically live? Server, workstations, backup drives, the laptop someone takes home.
- Which doors stand between the public and each of those locations, and does each one latch and lock on its own?
- Who holds a key or code to each, including the landlord, the cleaners, and anyone who left?
- What can you see from the waiting room? Sit in the chairs. Look at the screens.
- Is the server closet also the supply closet? Shared-purpose rooms defeat access control because access has to be granted for the other purpose.
- Where do paper records sit overnight, and is that room locked?
- If the power failed tonight, could the person doing the restore physically get in, and does the door fail locked or unlocked?
- When did anyone last change a lock, and is there a record of it?
Anything you cannot answer is a finding. Write down the answers and the decisions, because under an Addressable specification the reasoning is part of what compliance looks like.
What software can and cannot see
This is the part worth stating plainly, because it shapes how practices budget for compliance work.
A compliance platform can hold your policies, track your training, store your decisions, and tell you when a review is due. Those are real jobs. What no software reads is whether the records room door actually latches, whether the badge you deactivated on paper still opens the back entrance, whether the server closet has become a storage room, or whether the visitor policy survives contact with a busy Friday afternoon.
The Security Rule asks for administrative, physical, and technical safeguards, and it puts them in three separate sections precisely because they are three different kinds of thing. 164.312's technical safeguards are conditions in a system, and a tool connected to that system can evaluate them. 164.310's physical safeguards are conditions in a building. They are assessed by someone walking the building, whether that is your practice manager with the list above or someone you bring in.
A questionnaire that asks "are physical safeguards in place?" and records "yes" has produced a document, not an assessment. The distinction is invisible in a compliance file and obvious in an investigation.
Common questions
Does HIPAA require visitor logs?
Not by name. 45 CFR 164.310(a)(2)(iii), Access control and validation procedures, is an Addressable implementation specification requiring procedures to control and validate a person's access to facilities based on their role or function, including visitor control. The regulation says visitor control; it does not say a logbook. Because the specification is Addressable, an office implements it if it is reasonable and appropriate, or documents why it is not and implements an equivalent alternative measure where one is reasonable and appropriate. A visitor log is a common way to meet it, not a mandated one. The requirement is that you can control and validate who gets in, and that your decision is documented either way.
Are facility access controls Required or Addressable under HIPAA?
The standard itself at 45 CFR 164.310(a)(1) is required. Every covered entity and business associate must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. All four implementation specifications underneath it are Addressable: contingency operations, facility security plan, access control and validation procedures, and maintenance records. So the obligation to control facility access is not optional. The specific mechanisms are where the flexibility sits, and each Addressable decision has to be documented.
Does a small medical office need a facility security plan?
The facility security plan at 45 CFR 164.310(a)(2)(ii) is Addressable, so a small office may determine a formal plan is not reasonable and appropriate and implement an equivalent alternative measure, documenting the reasoning. What it cannot do is skip the question. 45 CFR 164.306(b) allows a covered entity to take into account its size, complexity, and capabilities, its technical infrastructure, the costs of security measures, and the probability and criticality of potential risks. That scales the plan's depth. It does not remove the standard at 164.310(a)(1), which applies to a two-person practice and a hospital alike.
Can compliance software assess physical safeguards?
Software can document them, track them, and remind you to review them. What it cannot do is observe them. Whether the records room door actually latches, whether a badge deactivated on someone's last day still opens the back entrance, whether the server closet is also where staff store supplies, and whether the visitor policy is followed at 4:45 p.m. are all conditions in a physical space. A tool that reads your systems cannot see any of them. This is why 45 CFR 164.310 is a distinct category of safeguard from 164.312's technical safeguards, and why a walkthrough by someone who knows what to look for tends to surface findings a questionnaire records as compliant.