
Practice Name:__________________________________________

Location: ___________________________ Date: _____________

HIPAA/HITECH Privacy & Security
Facility Walkthrough Checklist

This document is designed as a checklist that can be used to determine security risks on a
walkthrough of a facility.

The items in this checklist are derived from NIST SP 800-53, Recommended Security Controls
for Federal Information Systems and Organizations. As such, the items in this checklist are
neither required for HIPAA compliance nor a guarantee of HIPAA compliance. However, this
checklist can be useful to a health care provider for identifying physical security risks in the
facility and can be used as part of an overall risk assessment.

The entries in the ID column relate directly to the IDs found in the “Physical and Environmental
Protection” section of SP 800-53 where more information and guidance can be found on the risks
and remediation of said item.

To use this checklist it is suggested that you:

a) Print this document and carry it on the walkthrough
b) During the walkthrough, place checkmarks or x's in the Yes/No column
c) Get additional information from a facility staff member about items that are not visibly
apparent or about policies and procedures controlling access to the facility
d) Make any additional notes in the Notes column
e) After the walkthrough, fill out an electronic copy of the document and provide it to the
provider to be included with other Risk Assessment documentation

Facility Walkthrough Checklist v1.0 Page 1



ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES

General
Policies | ____ | PE-1 | Documented policies and procedures that address physical and environmental security | ____
Physical Authorization | ____ | PE-2 | Method to determine who is authorized to access the secure area of the office (e.g. badges, swipe cards, biometrics) | ____
Inventory of Assets | ____ | PE-3f | Inventory of physical assets is maintained | ____
Delivery/Removal Records | ____ | PE-16 | The organization authorizes, monitors, and controls components containing EHR entering and exiting the facility | ____
Alternate Work Site | ____ | PE-17 | The facility provides an alternate work site or remote access for employees in the event of an emergency | ____
Visitors escorted | ____ | PE-7 | Visitors are authenticated and escorted or monitored at all times | ____
Visitor records | ____ | PE-8 | Visitor access records exist containing name/organization, signature, form of ID, time of entry and departure, purpose of visit, and person visited | ____

Facility Access
Access Authorization (Visitors) | ____ | PE-3a, PE-3b | Physical access authorization for visitor access to the secure area of the office (e.g. sign-in sheet, photo ID verification, photo in EHR) | ____
Access Authorization (Staff) | ____ | PE-3a, PE-3b | Physical access authorization for staff access to the secure area of the office (e.g. badges) | ____
Public Area Protected Appropriately | ____ | PE-3d | Access to the publicly accessible area is controlled in accordance with identified risk (e.g. receptionist able to monitor waiting room, after-hours locks or alarm system) | ____
Secure Area Physically Protected | ____ | PE-3c | Access to the secure area is physically monitored or protected (e.g. receptionist monitors entry, locked door, or security camera) | ____


Keys etc. secured | ____ | PE-3e | Keys, combinations, and passwords are physically secured | ____
Locks changed | ____ | PE-3g | Locks and keys are changed when lost or stolen or on staff termination | ____

Physical Protections
Monitors not visible | ____ | PE-5(2) | Computer monitors are protected from visibility by unauthorized individuals (e.g. by situating them so that they are not visible, or by security filters on screens) | ____
Secure systems with access to EHR | ____ | PE-18(2) | Systems with access to EHR are protected from theft by physical location or anti-theft controls (e.g. cable locks) | ____
Output devices protected | ____ | PE-5(1) | Devices such as monitors, printers, and fax machines are protected by physical access control | ____
Network/phone cable protected | ____ | PE-4 | Transmission lines are protected (e.g. wiring cabinet is locked, cables are protected by conduit, no access to cables in publicly accessible areas) | ____
Power protected | ____ | PE-9 | Power equipment and power cabling are protected from damage or destruction (e.g. redundant power, physical protection of cables) | ____

Emergency Systems
Emergency power shut-off | ____ | PE-10 | Ability to shut off power to the EHR in the event of an emergency, and ability to shut off power from a safe location. The power shut-off is protected from unauthorized activation | ____
Water shut-off valves | ____ | PE-15 | The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel | ____
Emergency lighting | ____ | PE-12 | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility | ____

Fire detectors and suppression | ____ | PE-13 | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source | ____

EHR System
EHR in secure location | ____ | PE-18(1) | The EHR system is positioned to minimize potential damage from environmental hazards such as flooding, fire, electrical interference, and theft | ____
Doors locked/monitored to secure area | ____ | PE-18(3) | Physical entry points to the secure area are protected from unauthorized entry | ____
EHR systems monitored | ____ | PE-6 | Physical access to EHR systems is monitored (e.g. access logs, cameras, alarms) | ____
Emergency power | ____ | PE-11 | The organization provides a UPS to facilitate an orderly shutdown of the information system in the event of a primary power source loss | ____
Temp and Humidity Controlled | ____ | PE-14 | Maintains and monitors temperature and humidity controls within the area where the EHR resides | ____

Notes:
