Physical Safeguard

Physical Safeguards
164.310(a)(1) Facility access controls: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed.


Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan? (A)


Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)


Have you implemented procedures to control and validate a person’s access to facilities based on his/her role or function, including visitor control, and control of access to software programs for testing and revision? (A)


Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)?

(A) 164.310(b)

164.310(b) Have you implemented policies and

procedures that specify the proper functions to


be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)


Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)


Device and media controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.


Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on

which it is stored? (R)

164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse? (R)


Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A)
164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before moving equipment? (A)