Does Your Clinic Meet HIPAA Physical Security Requirements?
HIPAA physical security requirements are not optional — and most small clinics in New Mexico are not fully meeting them. The U.S. Department of Health & Human Services (HHS) enforces these rules, and a single violation can cost anywhere from $100 to over $50,000 per incident. The good news is that once you know exactly what's required, getting compliant is straightforward.
This guide breaks down the physical security side of HIPAA — what it covers, what inspectors look for, and how the right security system keeps your clinic protected and audit-ready in 2026.
Why HIPAA Physical Security Requirements Matter More Than Ever
Most clinic owners think of HIPAA as a paperwork and digital privacy issue. That's only part of it. HIPAA's Security Rule covers three categories of safeguards: administrative, technical, and physical. All three are required. Physical safeguards are often the most overlooked — and the most cited in audits.
Healthcare breaches surged in 2024 and 2025. Many of them started with a physical security gap: an unlocked server room, a workstation left logged in, a visitor who walked into a restricted area unchallenged. In January 2025, HHS proposed the most significant update to the HIPAA Security Rule in over a decade — moving away from "optional" safeguards and making physical controls mandatory and measurable for all covered entities.
If you run a medical clinic, dental office, urgent care center, behavioral health practice, or any other healthcare facility in New Mexico, these rules apply to you.
What Are HIPAA Physical Security Requirements? The Full Breakdown
The physical safeguard requirements live in 45 CFR § 164.310 of the HIPAA Security Rule. They fall into four main areas: facility access controls, workstation use and security, device and media controls, and documentation. Here's what each one actually means for your clinic.
1. Facility Access Controls
Facility access controls are about who can enter your building — and which specific areas — at any given time. This goes beyond a front-door lock.
HIPAA requires your clinic to:
- Implement policies and procedures to limit physical access to systems that contain electronic Protected Health Information (ePHI) to only authorized individuals
- Have a documented contingency plan for facility access during emergencies (fire, power outage, system failure)
- Control and validate access to sensitive areas based on each person's role — not just whether they're an employee
- Maintain facility security — locks, barriers, and physical controls that prevent unauthorized entry to any area where ePHI is stored or accessible
In practice, this means your server room, EHR workstation areas, and any room where patient records are stored must have restricted access. A hallway where anyone can walk by and glance at an open patient chart is a problem. A server closet with a basic doorknob lock is a problem. A shared key that gets passed between staff is a problem.
The 2025 proposed HIPAA updates would require organizations to prove that physical controls are actually working — not just documented on paper. Expect auditors to ask for access logs, not just access policies.
Wired installs credential-based access control systems including Verkada door readers and smart locks that replace shared keys with individual credentials. Every entry and exit is logged with a timestamp and the exact employee or visitor — giving you the audit trail HIPAA requires and the access restriction it demands.
2. Workstation Security
Workstation security is one of the most commonly cited HIPAA physical violations. It covers two things: how your workstations are used and how they're physically protected.
HIPAA requires:
- Policies that define the proper functions workstations can perform and the manner in which those functions must be performed
- Physical safeguards for all workstations that access ePHI — including desktops, laptops, tablets, and any device logged into your EHR system
- Position or location controls to minimize the chance that unauthorized individuals can view ePHI on a screen
That last point is important. A workstation in a hallway, a waiting room-facing front desk screen, or a laptop left open in a break room are all potential violations. Auditors look for whether patient data can be seen by someone who shouldn't see it.
The most common failures auditors find include:
- Logged-in terminals with live patient data left unattended in patient areas
- Workstations in semi-public areas with no screen privacy filters
- No automatic screen lock after a period of inactivity
- Shared login credentials used by multiple staff members on the same machine
Physical camera coverage of workstation areas also matters here. If something happens at a workstation — an unauthorized access, a breach, a staff error — you need footage to document it and respond to it. Verkada cameras with AI-powered search let you pull footage from any workstation area instantly.
3. Device and Media Controls
This section covers the physical handling of hardware and electronic media that contain ePHI. Think hard drives, USB drives, old computers, tablets, and imaging equipment.
HIPAA requires clinics to have policies covering:
- Disposal — how devices and media containing ePHI are destroyed or wiped before disposal
- Media re-use — ensuring ePHI is completely removed before any device is repurposed or reassigned
- Accountability — maintaining a record of who has what hardware and where it is at all times
- Data backup and storage — ensuring ePHI is backed up before moving or disposing of equipment
A laptop that goes missing from a break room is a reportable HIPAA breach if it contained ePHI and wasn't encrypted. An old workstation donated to a nonprofit without being wiped is a breach. These scenarios are far more common than most clinics realize.
Access controls on the rooms where servers, backup drives, and networking equipment are stored fall under this section. If your IT closet is unlocked and accessible to anyone on staff, that's a gap.
4. Video Surveillance for HIPAA Compliance
HIPAA does not specify exact camera requirements the way cannabis regulations do, but physical security auditors consistently look for camera coverage as evidence that access controls are being enforced. Without cameras, your access policies are difficult to prove and nearly impossible to audit after the fact.
Best practices that align with HIPAA expectations include:
- Coverage of all entry points to restricted areas — server rooms, medication storage, EHR workstation areas, and any room where patient files are stored
- Coverage of facility entrances and exits to document who enters and when
- Footage retention long enough to support incident investigations — most healthcare attorneys recommend a minimum of 30–90 days
- Secure storage of recordings — footage must be stored in a way that prevents tampering or unauthorized deletion
- Camera placement that avoids capturing patient information — this is important. Cameras in waiting rooms and patient areas should not be positioned to record screens, charts, or conversations that include PHI
This last point is something many clinics get backwards. They want camera coverage everywhere, then inadvertently create a HIPAA issue by recording patient data on screen. Proper camera placement is a technical skill — positioning matters as much as coverage.
Wired's team designs camera layouts that provide full coverage of access points and restricted areas while keeping PHI out of frame. Our security camera installation service includes a coverage plan review specific to healthcare environments. Verkada's cloud-based system stores footage securely with role-based access — only authorized staff can view or pull recordings — and the system alerts you immediately if a camera goes offline.
5. Documentation and Maintenance Logs
Behind every physical safeguard requirement is a documentation requirement. HIPAA doesn't just want you to have security systems — it wants proof that they're working and being maintained.
Required documentation includes:
- Written policies and procedures for all physical safeguards
- Records of who has access to what areas and when that access was granted or revoked
- Visitor logs for anyone entering restricted areas — including contractors, vendors, and IT personnel
- Security system maintenance records — tests, repairs, updates, and service visits
- Any incidents involving physical security — unauthorized access attempts, missing devices, breaches
All documentation must be retained for a minimum of six years under HIPAA. State regulations in New Mexico may require longer retention periods for certain records.
This is where paper-based systems break down quickly. A clipboard visitor log works until an auditor asks to see 18 months of records. A USB drive with maintenance notes works until it goes missing. Verkada's platform logs every access event, every visitor check-in, and every camera or system event automatically — and stores it all in a searchable, cloud-based record you can pull up from any device in seconds.
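As an added illustration of the log review this section and the facility access controls section describe, here is a small Python check written for this guide (not Wired's or Verkada's software) that runs over a constructed badge-reader export and visitor log. The role-to-area matrix, area names and credential IDs are hypothetical; it flags entries by roles not authorized for an area, denied reads that belong in the incident log, and contractor entries to restricted areas with no visitor check-in covering them.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-to-area authorization matrix for a small clinic (constructed, not from the guide).
AUTHORIZED_AREAS = {
    "physician": {"exam_rooms", "ehr_workstations", "records_room"},
    "nurse": {"exam_rooms", "ehr_workstations", "medication_storage"},
    "front_desk": {"ehr_workstations"},
    "it_contractor": {"server_room"},
}
RESTRICTED_AREAS = {"server_room", "medication_storage", "records_room", "ehr_workstations"}

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    credential: str  # individual credential; a shared key gives no accountability
    role: str
    area: str
    granted: bool

@dataclass(frozen=True)
class VisitorCheckIn:
    credential: str
    check_in: datetime
    check_out: datetime

def unauthorized_entries(events):
    """Granted entries by a role the matrix does not authorize for that area."""
    return [e for e in events if e.granted and e.area not in AUTHORIZED_AREAS.get(e.role, set())]

def denied_attempts(events):
    """Denied reads are unauthorized access attempts and belong in the incident log."""
    return [e for e in events if not e.granted]

def unlogged_contractor_entries(events, visitor_log):
    """Contractor entries to restricted areas with no visitor check-in covering the timestamp."""
    def covered(e):
        return any(v.credential == e.credential and v.check_in <= e.ts <= v.check_out for v in visitor_log)
    return [e for e in events
            if e.granted and e.role == "it_contractor" and e.area in RESTRICTED_AREAS and not covered(e)]

# Constructed sample badge-reader export and visitor log (hypothetical values).
def T(h, m): return datetime(2026, 3, 2, h, m)
SAMPLE_EVENTS = [
    AccessEvent(T(8, 5), "cred-0101", "physician", "records_room", True),
    AccessEvent(T(8, 30), "cred-0207", "front_desk", "medication_storage", True),  # role not authorized
    AccessEvent(T(9, 10), "cred-0207", "front_desk", "server_room", False),        # denied attempt
    AccessEvent(T(10, 0), "cred-9001", "it_contractor", "server_room", True),      # inside check-in window
    AccessEvent(T(13, 45), "cred-9001", "it_contractor", "server_room", True),     # after check-out
]
SAMPLE_VISITORS = [VisitorCheckIn("cred-9001", T(9, 50), T(11, 0))]
```

Each function returns the offending events so they can be written straight into the incident record an auditor will ask for.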
Wired also provides written maintenance documentation for every service visit, firmware update, and system test we perform — exactly the records your compliance officer needs to show an auditor.
The Most Common HIPAA Physical Security Failures in New Mexico Clinics
Based on common audit findings across healthcare facilities, these are the gaps that show up most often:
- Unlocked server rooms — often just a closet with a standard door handle anyone can open
- Shared key access to restricted areas with no individual accountability or audit trail
- Workstations in semi-public areas with screens visible from waiting rooms or hallways
- No visitor log for contractors, vendors, or repair personnel entering restricted areas
- No camera coverage of server rooms, medication storage, or EHR workstation areas
- Cameras positioned incorrectly — either creating PHI exposure or leaving critical areas with blind spots
- No documented maintenance records for security systems
- Old hardware disposed of improperly — computers and drives that were never wiped
Any one of these is a citable HIPAA violation. Together, they represent serious financial and legal exposure — and in the event of a breach, they can transform a manageable incident into a federal enforcement action.
How One Integrated System Covers Every HIPAA Physical Safeguard
Trying to meet these requirements with separate, disconnected systems from different vendors creates gaps. A unified platform that handles access control, surveillance, visitor management, and documentation in one place is far easier to manage and far easier to prove in an audit.
Here's how Wired's solutions map directly to HIPAA physical safeguard requirements:
- Facility access control: Verkada door readers and smart locks replace shared keys with individual credentials and full access logs — every entry and exit timestamped and stored
- Workstation area security: Camera coverage of EHR areas and restricted rooms with placement designed to avoid PHI exposure
- Server and IT room protection: Credential-based access to server rooms and IT closets with alerts for any unauthorized access attempt
- Visitor management: Verkada Guest creates digital, timestamped visitor logs for every contractor and vendor entering restricted areas
- Camera system: 4K Verkada cameras with secure cloud storage, automatic offline alerts, and role-based access to footage
- Maintenance documentation: Wired provides written records of every service visit, update, and system test — audit-ready and retained for you
- One dashboard: Everything managed remotely from a single platform, accessible from any device, with complete audit trails built in
Don't Wait for an Audit to Find Out You're Not Compliant
HIPAA physical security requirements protect your patients, your staff, and your practice. Meeting them shouldn't require guesswork. Wired works with medical clinics, dental offices, behavioral health practices, and urgent care centers across Albuquerque, Santa Fe, Rio Rancho, and throughout New Mexico to design and install security systems that are built to pass audits — and built to protect your facility every day.
Ready to get your clinic compliant? Contact Wired today for a free security consultation. We'll walk through your facility, identify any gaps, and get you a system that covers every HIPAA physical safeguard requirement.
