How To Make Your Office HIPAA Compliant With Physical Security

By Bernhard Mehl
March 18, 2019
HIPAA Compliant

Potential clients often ask whether our access control system complies with HIPAA standards when they are looking to become fully HIPAA compliant. They are vaguely aware, usually from their lawyer's requests, that they have to secure their office by addressing both network security and physical security.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act.

According to HIPAA standards, “The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).”

Your duty as a HIPAA compliant company is to prevent unauthorized physical access to Protected Health Information (PHI).

So, how do you actually become HIPAA compliant? Here are the four physical safeguard standards set under the HIPAA Security Rule (45 CFR §164.310):

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Devices and Media Controls

Network security in the office (firewalls, encryption of data, communication policies, background checks, secure servers, two-factor authentication (2FA) and all the other digital measures you need to be compliant with) usually gets the attention, but physical security matters just as much.

HIPAA Standard: Facility Access Control

Here’s a typical scenario: most companies put a key card (fob) system in place first. The downside? Measured against the requirements of the US Department of Health and Human Services (HHS), many of them might not actually be complying with the standard.

Here is the HHS excerpt that states the facility access control requirement:

Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

In brief, that sentence is everything required of you to make physical and facility access HIPAA compliant. (If you're interested in the granular details of the standard, you can read the standards here.) The catch is the phrase “limit physical access”: many access control deployments and offices do not actually meet it.

With keys you obviously can’t limit access once you have given out the key: people can easily pass keys to unauthorized personnel, and a lost key cannot be revoked without rekeying the lock. The switch from keys to key cards is largely motivated by exactly these risks.

In a report edited by Seymour E. Goodman and Herbert S. Lin for the Committee on Improving Cybersecurity Research in the United States, they wrote:

Because the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one…

That’s why people traditionally used key cards to allow “authorized access”: key card systems are meant to satisfy the security measures and standards of the law. With smartphone access, you can use stronger credentials, which are harder to clone or lend out, as an authorized way to access your facility.

Why settle for an access system, such as a legacy key card system, that creates more trouble than usefulness, when the only thing it has going for it is that it complies with the law?


Here are three security measures that a cloud-managed, modern access control system adds on top of HIPAA compliance. When deciding on a new access control system, compare this to traditional key card systems, many of which lack these features.

  • Managed access: You decide which access level an employee, freelancer, visitor or client has, and which doors should be accessible to that access group.
  • Real-time audit: At any time you can pull a report of access events as they happen, including unsuccessful, unauthorized or denied requests.
  • Remotely disable physical access: Limit access to your facility by disabling a credential instantly from your smartphone, without having to recover a card or rekey a lock.
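To make the three measures concrete, here is an added example (constructed for this article, not Kisi's code or API) of a minimal access controller that enforces group-to-door policy and permitted hours, records every decision, including denials, with a reason, and lets an administrator revoke a credential remotely. The group names, door names, credential IDs and the clinic scenario in `demo()` are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Credential:
    holder: str
    group: str
    active: bool = True


@dataclass
class AccessEvent:
    ts: datetime
    credential_id: str
    door: str
    granted: bool
    reason: str


class AccessController:
    """Toy cloud-style access controller (hypothetical, constructed for this article).

    policy maps an access group to the doors it may open; hours maps a group to
    the local time window in which access is permitted (None = any time).
    """

    def __init__(self, policy: Dict[str, Set[str]],
                 hours: Dict[str, Optional[Tuple[time, time]]]):
        self.policy = policy
        self.hours = hours
        self.credentials: Dict[str, Credential] = {}
        self.log: List[AccessEvent] = []

    # Managed access: a credential is enrolled into exactly one access group.
    def enroll(self, credential_id: str, holder: str, group: str) -> None:
        if group not in self.policy:
            raise ValueError(f"unknown access group: {group}")
        self.credentials[credential_id] = Credential(holder, group)

    # Remote disable: deactivate a credential without touching the hardware.
    def revoke(self, credential_id: str) -> None:
        self.credentials[credential_id].active = False

    def request(self, credential_id: str, door: str, ts: datetime) -> bool:
        """Evaluate one door request and record it, including every denial."""
        cred = self.credentials.get(credential_id)
        if cred is None:
            granted, reason = False, "unknown credential"
        elif not cred.active:
            granted, reason = False, "revoked credential"
        elif door not in self.policy[cred.group]:
            granted, reason = False, "door not in access group"
        elif not self._within_hours(cred.group, ts.time()):
            granted, reason = False, "outside permitted hours"
        else:
            granted, reason = True, "authorized"
        self.log.append(AccessEvent(ts, credential_id, door, granted, reason))
        return granted

    def _within_hours(self, group: str, t: time) -> bool:
        window = self.hours.get(group)
        if window is None:
            return True
        start, end = window
        return start <= t < end

    # Real-time audit: denied events are what an auditor asks for first.
    def denied(self) -> List[AccessEvent]:
        return [e for e in self.log if not e.granted]

    def denied_by_reason(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.denied():
            counts[e.reason] = counts.get(e.reason, 0) + 1
        return counts


def demo() -> AccessController:
    """Constructed scenario: a clinic whose records room holds paper PHI."""
    ctrl = AccessController(
        policy={"clinical": {"lobby", "records_room"}, "visitor": {"lobby"}},
        hours={"clinical": None, "visitor": (time(9, 0), time(17, 0))},
    )
    ctrl.enroll("card-001", "nurse", "clinical")
    ctrl.enroll("phone-042", "contractor", "visitor")
    d = datetime(2019, 3, 18)
    ctrl.request("card-001", "records_room", d.replace(hour=10))   # granted
    ctrl.request("phone-042", "records_room", d.replace(hour=10))  # denied: not in group
    ctrl.request("phone-042", "lobby", d.replace(hour=20))         # denied: after hours
    ctrl.revoke("card-001")                                        # nurse leaves the practice
    ctrl.request("card-001", "records_room", d.replace(hour=11))   # denied: revoked
    ctrl.request("card-999", "lobby", d.replace(hour=11))          # denied: unknown
    return ctrl


if __name__ == "__main__":
    for e in demo().log:
        status = "GRANTED" if e.granted else "DENIED"
        print(e.ts.isoformat(), e.credential_id, e.door, status, e.reason)
```

The point of the design is that denials are first-class records with a stated reason: a report that only lists successful openings cannot show an auditor that access was actually limited, and a revoked credential must fail closed even though the physical card still exists.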

If you'd like to hear more about how your space can become HIPAA compliant, let us show you how easy it is and why many modern organizations use our cloud-based software to automate compliance. For more on visitor policies at work, read our article on managing workplace visitor policies, or get in touch with one of our security consultants who can tell you more.

An additional note:

If you host a data center, you might also want to look at SOC 2 Type II reports on a facility's controls and processes, originally issued under SSAE 16.

SSAE 16, the Statement on Standards for Attestation Engagements No. 16, is an attestation standard (not a regulation) issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that defines how service organizations, data centers included, report on their controls. It was superseded by SSAE 18 in 2017, so current reports cite SSAE 18.

The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Criteria (formerly the Trust Services Principles).

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.