HIPAA Facility Access Controls
Why HIPAA facility access controls matter
HIPAA §164.310(a) — the Facility Access Controls standard — requires covered entities and business associates to "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed." It is one of the four standards in the physical safeguards category, alongside workstation use, workstation security, and device and media controls.
Physical safeguards sit at an uncomfortable intersection for modern SaaS companies. The hyperscale cloud providers that host most production ePHI inherit the bulk of data center controls, but that does not end the obligation — it shifts it. Workforce offices, co-working spaces, home offices, warehouses, and any location where physical media moves are still in scope. And for clinical settings, physical safeguards are front-line compliance work.
For the broader physical safeguards context, see the HIPAA Security Rule guide and the HIPAA hub page.
The four implementation specifications
§164.310(a)(2) lists four implementation specifications. All four are addressable — meaning that, for each one, you must implement it as written, implement and document an equivalent alternative measure, or document why it is not reasonable and appropriate based on your risk analysis.
Contingency operations — §164.310(a)(2)(i)
Contingency operations establish procedures that allow facility access in support of the restoration of lost data under the HIPAA contingency plan. In other words, when you are recovering from a disaster, the people who need to enter a facility to restore systems must be able to do so — without bypassing your normal access controls entirely.
This specification is often neglected because it sits at the intersection of physical security and disaster recovery. Neither team owns it completely. The fix is to name an owner, define who has emergency access authority, document how access is granted during a contingency, and exercise the procedure during your DR tests.
Facility security plan — §164.310(a)(2)(ii)
The facility security plan documents policies and procedures that safeguard the facility and the equipment inside it from unauthorized physical access, tampering, and theft. It should describe the physical boundaries of each facility, the controls at each boundary (locks, badge readers, cameras, alarms), monitoring expectations, and the responsible owners.
A defensible facility security plan is not generic. It describes your buildings, your controls, and your threats — not a template's buildings. Include floor plans, control inventories, and risk notes for each location.
Access control and validation — §164.310(a)(2)(iii)
Access control and validation procedures govern who gets in and how their identity is validated. This includes workforce members, visitors, vendors, maintenance personnel, and contractors. For workforce members, validation usually rides on the same identity infrastructure as logical access: badge plus PIN, badge plus biometric, or badge plus escort for lower-trust areas. For visitors, the industry standard is photo identification, sign-in, a visible badge for the duration of the visit, and escort in sensitive areas.
Access levels should be role-based and reviewed periodically. When a workforce member changes roles or leaves the organization, their physical access must be revoked promptly — this is one of the most common and most embarrassing OCR findings.
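One way to run the periodic review described here (and to catch the orphaned-badge pitfall of deprovisioning not tied to HR offboarding), as an added example that is not the page's or episki's code: reconcile a badge-system export against the HR roster and a role-to-zone policy. The CSV column names, the sample rows, and the zone policy are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed HR roster export; column names are assumptions, not a real vendor format.
HR_ROSTER = """employee_id,role,status,termination_date
1001,nurse,active,
1002,contractor,terminated,2024-05-02
1003,engineer,active,
1004,receptionist,active,
"""

# Constructed badge-system export of badges currently marked active.
BADGE_HOLDERS = """employee_id,badge_active,zones
1001,true,lobby;clinical
1002,true,lobby;server_room
1003,true,lobby;server_room
1004,true,lobby;server_room
1005,true,lobby
"""

# Role-based physical access policy: the zones each role is entitled to hold.
ZONES_BY_ROLE = {
    "nurse": {"lobby", "clinical"},
    "engineer": {"lobby", "server_room"},
    "receptionist": {"lobby"},
    "contractor": {"lobby"},
}

def review_badge_access(hr_csv, badge_csv, today_iso, grace_days=1):
    # Returns (employee_id, finding, detail) tuples for the periodic access review.
    today = date.fromisoformat(today_iso)
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for b in csv.DictReader(io.StringIO(badge_csv)):
        if b["badge_active"].lower() != "true":
            continue  # inactive badges need no review
        person = roster.get(b["employee_id"])
        if person is None:
            findings.append((b["employee_id"], "orphaned_badge", "holder not in HR roster"))
            continue
        if person["status"] == "terminated":
            days = (today - date.fromisoformat(person["termination_date"])).days
            if days > grace_days:  # badge outlived the offboarding grace period
                findings.append((b["employee_id"], "orphaned_badge", f"terminated {days} days ago"))
            continue
        # Active holder: compare held zones against the role's entitlement.
        extra = set(b["zones"].split(";")) - ZONES_BY_ROLE.get(person["role"], set())
        if extra:
            findings.append((b["employee_id"], "excess_zone", ",".join(sorted(extra))))
    return findings
```

Each finding maps to a remediation ticket: orphaned badges are deactivated, excess zones are removed or justified in writing by the role owner.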
Maintenance records — §164.310(a)(2)(iv)
Maintenance records document repairs and modifications to the physical components of the facility that are related to security — hardware, walls, doors, locks, badge readers, alarms, and cameras. The point is traceability: if a door is cut for cabling and then poorly resealed, the record is how you catch it on the next audit.
Modern facility management systems handle most of this automatically. The gap is usually the tenant-improvement and office-move scenarios where construction work bypasses the normal ticket flow.
Extending the perimeter to remote work
The traditional facility access model assumes a building with a door, a badge reader, and a receptionist. That model covers fewer workforce members every year. Modern HIPAA programs treat the facility boundary as wherever a workforce member handles PHI.
Your controls should answer practical questions for remote workers.
- What is the expectation for a home office workspace? Locked door? Locked filing cabinet for any printed PHI?
- How is PHI handled in shared living spaces, coffee shops, and during travel?
- Who is allowed to be present when the workforce member is viewing PHI on a screen?
- How are corporate devices secured when not in use?
- What is the process for returning devices at offboarding, especially when the workforce member never set foot in a corporate office?
Bake these expectations into the acceptable use policy and the workforce training curriculum, then validate adherence through attestations, device management telemetry, and spot checks.
Visitor management
Visitor management is the most visible facility access control and the most common source of awkward findings during on-site audits. A defensible process includes five elements.
- Pre-arrival notification. Hosts announce expected visitors in advance.
- Identity verification. Government-issued photo identification at sign-in.
- Visible badge. A badge that differs from workforce member badges, valid only for the day.
- Escort requirement. Visitors are escorted in sensitive areas — server rooms, clinical areas, wherever PHI is physically accessible.
- Sign-out and badge return. A clean closeout so the log reflects who is actually in the building.
Camera coverage of entrances, reception areas, and sensitive zones supports the visitor log as corroborating evidence. Retain footage per your policy and review after any incident.
Cloud inheritance and the BAA
For the portion of your ePHI that lives with a hyperscale cloud provider, the provider's physical controls are inherited through the BAA. You should still do three things.
- Document the inheritance. Map each §164.310(a) specification to the provider control that covers it, and cite the provider's compliance attestations (SOC 2, HITRUST, or equivalent).
- Scope the boundary. Make explicit what is and is not inherited. A cloud provider does not cover your office, your laptop, or your home workspace.
- Keep the BAA current. Provider BAAs change. Track versions and re-review when providers update their terms.
How this fits into your HIPAA program
Facility access controls pair with several other safeguards. Workstation and device controls pick up where facility controls end, governing the endpoints inside the facility. Contingency planning shares the contingency operations specification and exercises it during DR tests. The HIPAA risk analysis identifies which facilities, regions, and configurations carry the greatest physical risk and directs investment there.
Access control and validation also tie back to workforce training. Workforce members need to know what to do when they see an unbadged visitor in a restricted area, how to handle tailgating at the main entrance, and where to escalate suspected physical security concerns. Training transforms the policy into active vigilance.
Common pitfalls
- Office-only thinking. The plan covers the main office but not co-working spaces, satellite facilities, or home offices where workforce members routinely handle PHI.
- Orphaned badge access. Terminated workforce members retain badge access for days or weeks because deprovisioning is not tied to the HR offboarding event.
- Untested contingency access. When a DR event actually happens, no one can prove they have authority to enter a facility, and recovery is delayed.
- Visitor log on paper only. The log is on a clipboard at reception, no photo ID is captured, and the book is discarded annually. There is nothing to review after an incident.
- No maintenance record trail. Construction and facility work bypass the normal ticket flow, so a door cut for cabling six months ago never made it into the security record.
- Cloud inheritance undocumented. The organization relies on a cloud provider for physical safeguards but cannot produce the mapping during an audit, and the cloud provider's BAA in the evidence locker is two years old.
How episki helps
episki maps §164.310(a) to your facilities, cloud providers, and remote work program so the full scope of physical safeguards is visible in one place. Visitor management, badge review, maintenance records, and cloud inheritance attestations feed the evidence locker; facility risk notes feed the HIPAA risk analysis; and role-based physical access reviews run on the same schedule as logical access reviews. When a customer asks for your physical security posture, the answer is ready.
See the full HIPAA platform overview or start a free trial from the top of the hub page.