As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI).  To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures.  From locks, to security guards, to alarm systems, physical security measures are a critical piece of the overall data protection equation.  While physical security may be an obvious concern for organizations that store sensitive data on-site, this topic deserves renewed attention in light of the growing popularity of off-site, cloud-based storage; new regulations; and more aggressive enforcement of Health Insurance Portability and Accountability Act (HIPAA) and state health privacy laws.

Physical security is often overlooked when covered entities are assessing their own privacy and security practices and those of potential business associates. One factor that contributes to this oversight is the increasing number of providers that are choosing to store their PHI off-site (either with a vendor or a vendor’s subcontractor). However, regardless of where PHI is ultimately stored, telehealth providers should always factor physical security into their privacy and security assessments.  Further, providers should consider conducting a physical security inspection of any facility where significant volumes of electronic PHI are stored (including, in some instances, the data centers where the information being hosted in the cloud is stored).  Physical security inspections not only reveal the physical security controls that a facility has in place to protect PHI, they can also be a good indicator of an organization’s overall information security practices. Poor physical security management is often a signal of greater systemic problems, and should lead a provider to think twice about its choice in data storage vendor.

A physical security inspection generally consists of the following five elements:

1)      Perimeter Security.  Perimeter security serves as the outermost layer of physical site protection.  Perimeter controls can be natural barriers, such as shrubs, rough terrain, or bodies of water, or artificial barriers, such as gates and fences.  However, perimeter controls are not limited to physical barriers.  For example, facilities may also utilize continuous lighting systems and surveillance cameras to help maintain perimeter security.

2)      Facility Access Management.  Important considerations in the area of facility access management include: (1) whether a facility uses a security guard or receptionist to control the flow of entrants into the building; (2) whether an additional guard or receptionist monitors entry into work areas; and (3) whether specific authentication methods (e.g., smart cards, passcodes, etc.) are required to access different areas of the building (e.g., elevators, the server room, work areas, etc.) during and outside normal business hours.


3)      Server Room Security.  A physical security assessment also requires an evaluation of the facility’s server room.  As part of this evaluation, attention to the server room’s location is critical.  Specifically, covered entities should note the floor where the server room is located and whether the room is adjacent to windows, water sources, or areas with high public traffic.  Additional factors to consider include whether the server room has its own temperature and humidity controls, whether the servers themselves are kept inside locked racks or cages, and whether the room is equipped with a fire suppression system and/or emergency power shutdown controls.  Along with server room controls, covered entities should also note whether any loose media containing PHI (in paper or electronic form) are kept elsewhere in the facility.  If so, measures used to protect such media should be recorded.

4)      Door and Window Security.  Door and window controls can range from simplistic locks to sophisticated alarm systems.  In assessing building doors, covered entities should identify which doors are open to the outside (and whether such doors automatically lock) and determine whether door frames are permanently mounted to adjoining wall studs.  Door and window materials also warrant consideration (e.g., a window made of standard plate glass versus a glass-clad polycarbonate or laminated glass window).  Additionally, if the facility has an alarm system, the covered entity should determine which doors and windows are alarmed and whether interior surveillance cameras are also used in these areas.

5)      Facility Heating, Ventilation, and Air Conditioning (HVAC) and Electrical Systems.  The physical security assessment should include an evaluation of the storage site’s HVAC and electrical systems. Particular HVAC considerations include whether the server room uses a HVAC system that is separate from the rest of the building (this is preferable), whether the server room has a positive pressure air system, and whether building ducts and vents were designed to prevent possible use by intruders.  In terms of electrical systems, the physical security assessment should include an evaluation of whether the facility’s electrical closets are secured and whether the facility has back-up generators or battery systems that would allow it to operate without power.

Increasingly sophisticated threats to information security, new regulatory requirements, and ramped-up enforcement of HIPAA are prompting many health care providers and other covered entities (and their business associates) to revisit their security policies. As these policies are revisited, physical security should undoubtedly be part of the conversation. Whether a telehealth company stores its data in its own facilities or relies on a vendor or a downstream subcontractor for its storage needs, physical security controls provide a vital line of defense. While technical security measures do offer telehealth providers significant data protection, the value of a carefully designed and managed physical security plan should not be underestimated.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.