Facility Access Controls
164.310(a)(1)
Physical Safeguards
High Risk
Moderate
Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation Guidance
Develop comprehensive facility access control policies including:
• Physical access controls for facilities housing ePHI systems
• Visitor access procedures and controls
• Employee access procedures and controls
• Maintenance and service personnel access procedures
• Emergency access procedures
• Monitoring and logging of physical access
Key components:
- Contingency operations procedures
- Facility security plan
- Access control and validation procedures
- Maintenance records
- Physical access monitoring and logging
NIST References
NIST SP 800-66 Rev. 2: Section 3.2.1
NIST Cybersecurity Framework: PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7
NIST SP 800-53: PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PE-16, PE-17, PE-18, PE-19, PE-20, PE-21, PE-22, PE-23, PE-24, PE-25
Best Practices
• Implement layered physical security
• Use access control systems and monitoring
• Regularly review access permissions
• Document all access control procedures
• Train workforce on physical security
• Regularly test access controls
• Implement emergency access procedures
Testing Procedures
• Review facility access control policies
• Test physical access controls
• Verify visitor access procedures
• Review maintenance procedures
• Test emergency access procedures
• Verify monitoring and logging capabilities
• Review documentation of access controls
Frequently Asked Questions
Q: What level of physical security is required?
A: The level of physical security should be appropriate to the risk level and the sensitivity of the ePHI being protected.
Q: How should visitor access be managed?
A: Visitor access should be controlled through proper identification, escort procedures, and monitoring of visitor activities.
Q: What should be included in maintenance procedures?
A: Maintenance procedures should include proper identification of maintenance personnel, supervision of maintenance activities, and documentation of all maintenance work.
Control Information
Control ID: 164.310(a)(1)
Category: Physical Safeguards
Subcategory: Physical Access Controls
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: High
Implementation Timeframe: 2-4 months
Last Updated: Oct 1, 2025
Additional Resources
• NIST SP 800-66 Rev. 2: Facility Access Controls Guidance
• HHS Facility Access Controls Guidance
• Physical Security Best Practices
• Access Control System Implementation Guide
• Facility Security Plan Template