Physical Safeguards¶
HIPAA Rule: §164.310
Physical safeguards control physical access to systems containing PHI. For cloud-hosted infrastructure, AWS assumes responsibility for data center physical security under the signed BAA.
Facility Access Controls (§164.310(a))¶
| Requirement | Responsible Party | Notes |
|---|---|---|
| Data center physical access | AWS | Covered by BAA |
| Server room access controls | AWS | Covered by BAA |
| Maintenance records | AWS | Available in AWS compliance reports |
| Visitor controls | AWS | Covered by BAA |
AWS SOC 2 Type II and ISO 27001 reports document their physical security controls. These are available via AWS Artifact.
Workstation Use (§164.310(b))¶
All workforce members accessing PHI systems from workstations must:
- Use company-issued or approved devices
- Enable full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Lock screen when unattended (max 5 minutes idle)
- Not access PHI from public Wi-Fi without VPN
- Not download PHI to local storage
Workstation Security (§164.310(c))¶
- Physical access to devices containing AWS credentials or SSM session access must be restricted
- Lost or stolen devices must be reported immediately — AWS credentials revoked same day
Device and Media Controls (§164.310(d))¶
| Requirement | Implementation |
|---|---|
| Disposal of PHI media | AWS handles decommission of physical media (BAA) |
| Media re-use | AWS handles (BAA) |
| Accountability for hardware | EC2 instances tracked via Terraform state |
| Data backup | AWS Backup (Contingency Plan) |
AWS Compliance Documentation¶
AWS physical security controls are documented in: - AWS Artifact: SOC 2 Type II, ISO 27001, HIPAA Compliance Guide - Available at: AWS Artifact Console