Building Security—More Than Just Locks on the Doors: HIPAA & HITECH Act Blog by Jonathan P. Tomes

In this digital world, forgetting about something as low-tech as physical security of the building in which a covered entity or a business associate is housed is often way too easy. The Security Rule addresses physical security in these four sections:

  1. Facility Access Controls, § 164.310(a)(1).
  2. Workstation Use, § 164.310(b).
  3. Workstation Security, § 164.310(c).
  4. Device and Media Controls, § 164.310(d)(1).

The only one of these four sections that relates to building security is the first one—that is, facility access controls. It requires covered entities and business associates to “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.” Within the Facility Access Controls standard are the following four implementation specifications, all addressable, which, simply stated, means that the covered entity or business associate must comply with them only if it is reasonable and appropriate to do so:

  1. Contingency Operations. How do you get into the building during an emergency?
  2. Facility Security Plan. This policy tells who is responsible for the security of the facility and what his/her/their duties are.
  3. Access Control and Validation Procedures. This policy specifies who is responsible for assigning, revising, and terminating access and how.
  4. Maintenance Records. Records of facility security repairs and modifications, such as changing locks, making routine maintenance checks, and installing new security devices.

But building security encompasses more than just locks on the doors and perhaps bars on the windows or even security cameras or an alarm system. You must also consider other aspects of physical security in a risk analysis of a building or office.

One physical security expert suggests that the way to look at doing a risk analysis of a building is to consider the primary services supporting the building, which could include the following:

  • Electricity.
  • Industrial controls.
  • IT communications.
  • Waste/waste treatment/sewer.
  • Water.

Ernie Hayden, Techtarget Network, “How to conduct a security risk review on a large building,” May 9, 2019, at

Obviously, not all of these elements are involved in HIPAA security—that is, the security of health information and the system that it resides in or is transmitted over. For example, the waste element is inapplicable unless you are storing paper records to be picked up by the shredding service on a loading dock. One covered entity that this author audited simply put the boxes of paper records on the sidewalk outside the back door. Was that scenario an invitation to a seven-figure fine like the one that CVS pharmacy suffered for putting paper records into a dumpster? If you are placing such records on a loading dock, is the loading dock physically secure from unauthorized access while the health records are stored there waiting to be picked up?

But the physical security of electrical conduits may also need a risk analysis. What if a vandal can sever them, leaving the electronic medical record without power? Even if you have emergency electric power/backup, loss of primary power will immediately cause degraded performance of most, if not all, building systems, including IT systems. What happens if your card keys can’t open the doors because the power is out?

Industrial controls could involve such things as HVAC. What happens if they are attacked, causing the cooling system in the file server room to fail? That, too, is something to consider in your building risk analysis.
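The two paragraphs above describe dependency chains: a severed conduit takes out primary power, which takes out card-key door controllers; an HVAC failure takes out the server room. The following is an added example, not from this post or from the sources it cites, that models building services and the systems holding ePHI as a small dependency graph and propagates a single service failure through it, honoring backups such as an emergency generator. Every node, dependency and backup below is constructed sample data; in a real analysis they would come from the floor plans and one-line diagrams discussed later.

```python
"""Cascading-failure model for a building physical-security risk analysis.

Added example (not from the blog post). It answers the post's questions
("what happens if the power is out?", "what if HVAC fails?") by computing
which ePHI-bearing systems lose availability when a building service fails.
All assets, dependencies and mitigations are constructed sample data.
"""

# Directed dependency graph: each key depends on every item in its list.
# Constructed sample data for illustration only.
DEPENDENCIES = {
    "utility_power": [],
    "emergency_generator": [],
    "building_power": ["utility_power"],
    "hvac": ["building_power"],
    "bms_network": ["building_power"],
    "card_key_doors": ["building_power"],
    "telecom_uplink": ["building_power"],
    "server_room_cooling": ["hvac", "bms_network"],
    "ehr_server": ["building_power", "server_room_cooling"],
    "ehr_access_from_clinic": ["ehr_server", "telecom_uplink"],
}

# Backups: node -> {failed dependency: backup that covers it}. The node stays
# up if every failed dependency is covered by a backup that is itself up.
# Constructed: the generator backs building_power when utility_power fails.
BACKUPS = {
    "building_power": {"utility_power": "emergency_generator"},
}

# Systems that store or transmit ePHI (constructed).
EPHI_ASSETS = {"ehr_server", "ehr_access_from_clinic"}


def propagate_failure(initial_failures, dependencies=DEPENDENCIES, backups=BACKUPS):
    """Return the set of all nodes that fail given the initial failures.

    A node fails if any of its dependencies has failed and no working backup
    covers that dependency. Re-scans until no new failure appears, so
    multi-hop cascades (power -> HVAC -> cooling -> server) are captured.
    """
    failed = set(initial_failures)
    changed = True
    while changed:
        changed = False
        for node, deps in dependencies.items():
            if node in failed:
                continue
            for dep in deps:
                if dep not in failed:
                    continue
                backup = backups.get(node, {}).get(dep)
                if backup is not None and backup not in failed:
                    continue  # a working backup covers this lost dependency
                failed.add(node)
                changed = True
                break
    return failed


def ephi_impact(initial_failures, **kwargs):
    """Sorted list of ePHI-bearing systems that lose availability."""
    return sorted(EPHI_ASSETS & propagate_failure(initial_failures, **kwargs))


def main():
    # Constructed scenarios mirroring the post's examples.
    scenarios = {
        "severed utility feed": {"utility_power"},
        "severed utility feed, generator offline": {"utility_power", "emergency_generator"},
        "HVAC controller compromised": {"hvac"},
        "telecom uplink cut": {"telecom_uplink"},
    }
    for name, start in scenarios.items():
        failed = propagate_failure(start)
        print(f"{name}:")
        print("  cascaded failures:", ", ".join(sorted(failed - start)) or "none")
        print("  ePHI systems down:", ", ".join(ephi_impact(start)) or "none")


if __name__ == "__main__":
    main()
```

Running it shows the point of the post's questions: with a working generator, a cut utility feed takes nothing down, but the same cut with the generator offline takes down the card-key doors and both ePHI systems, and an HVAC failure alone reaches the EHR server through the cooling dependency. Adding or removing a backup in `BACKUPS` is how you would test whether a proposed mitigation actually protects the ePHI assets.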

Tools to help in your building risk analysis include, but are not necessarily limited to, the following:

  • Copies of building floor plans from roof to basement.
  • Procedures for taking manual control of building subsystems, such as cooling, lighting, etc., to maintain operations.
  • Online diagrams:
    • Electric power (normal and emergency).
    • Building management system (“BMS”) controls network.
    • IT and telecom communications.

If you are leasing space, you may need to ensure that you can obtain these documents from the landlord before entering into the lease.

A White Paper by Steven Rinaldi, James Peerenboom and Terrence Kelly, “Identifying, Understanding and Analyzing Critical Infrastructure Interdependencies,” at, may be helpful in doing your risk analysis.

So remember, security refers to more than just having good passwords, firewalls, encryption, and the like. You must also consider the physical security of the environment that you operate in. And make sure that you include all of those elements in every risk analysis, especially if you change buildings, storage facilities, and so forth.

