Conducting Physical Security Site Assessments

The first thing to keep in mind with all physical security site reviews is that, because your security risk assessment is required to be organization-wide, your physical security assessment should include all of the locations your organization controls (locations controlled by Business Associates are not required to be visited, but you may decide to do so).

This includes all locations where health care delivery is conducted, all locations where servers or technology infrastructure are maintained, and all locations where paper PHI is maintained. If you fail to visit all of the locations, the risk assessment will not meet the organization-wide requirement.

A physical security site assessment is best conducted when it is unannounced to the general staff.

This is the best way to observe the most accurate state of the facilities. Staff tend to be on heightened alert when they know any type of assessment is underway, which might not be indicative of standard practices.

A thorough physical security site assessment will look for items such as:

  • Positioning of computer monitors to determine if they can be viewed by unnecessary staff or the patients;

  • Posting of Notice of Privacy Practices;

  • Badge utilization by staff;

  • Escorting of guests;

  • Locking of restricted areas, including where samples and technology equipment are kept;

  • Identifying unlocked and unattended workstations; and

  • Overhearing conversations that include PHI.

Any one of these items poses a risk to PHI, and each one can best be identified and assessed through a physical security site assessment. The risks identified in the physical security site assessment should be included in the Security Risk Assessment report, and remediation activities should be included in the risk management plan.

While they are time-consuming, physical security site reviews are an essential part of conducting an organization-wide risk assessment, and thus are a valuable investment of time and resources.


Our resources are compiled by our experts here at QI Express. With backgrounds in information technology consultation, IT systems design, audits, law, and patient-facing clinical roles, our team is able to leverage a unique scope of experience to deliver the most comprehensive educational material possible.