Use this checklist to evaluate your physical security risk, and what you can do to prevent break-ins, harm to employees, legal liability, and security breaches.


Building is surrounded by intact fence (no holes, gaps, streams under fence, etc.)

Clear zone of at least 20’ exists both inside and outside of entire fence

Fence is monitored by security cameras and/or guards

Fence is inspected regularly (how often _____________)

No vegetation (where someone could hide) grows within 20’ of building perimeter

Area within 20’ of building perimeter is well lit at night with lights that (1) have auxiliary power source and (2) turn on automatically at dusk

Parking area is monitored by security cameras and/or guards

Parking area is well lit at night


Electricity received from two separate substations or, better, two separate power plants

Phone/network connectivity is available from multiple providers

Power/phone/network lines are underground, if possible

Water is available from multiple sources (including well)

Dumpsters contain no sensitive trash and are monitored by cameras

Alarm system is monitored, regularly tested, and has auxiliary power source

Alarm panel is secured behind locked door

Alarm panel offers a duress code

Generator(s) are alarmed

Building is protected by fire alarm and sprinkler system.

Fire detection equipment is inspected and regularly tested.

Contact information for fire / burglar alarm companies is easily accessible

For Each Exterior Door or Gate

Closes securely and does not need repair

Outside hinges hidden/protected from vandalism

Ideally requires automated unique identifier to open (swipe card, badge, retina, fingerprint).
Less ideal: key access, shared code access

If keys exist, they’re all stamped with “Do Not Duplicate”

Access is disabled when an employee leaves the company. If key-based, locks are changed

Automatically locks when closed, but still able to open from the inside.

Will sound alarm if propped open or if employees should not be using during business hours

Alarmed during non-business hours

Monitored by a receptionist, security guard, etc. during business hours

Monitored by a monitored/recorded security camera

If regularly left open, secured from the inside with a locked gate

Well lit from the outside at night

All exterior windows (esp. on first floor) alarmed and protected with locks/mesh.

Roof access (doors, skylights) securely locked from the inside and alarmed.

Basement doors / man-sized ducts are securely locked from the inside and alarmed.

Each Work Area

Visitors are controlled through a combination of visitor badges, visitor logs, and constantly being escorted. Visitors cannot access work areas without these measures.

Employees are trained to greet any unknown visitors

Computers are marked with clear asset tags and/or engravings

Computers provide information before login about who to contact if lost or stolen

Computers are physically locked to work areas

Computers are not visible from first floor windows and monitors are turned off overnight (to suppress monitor glow)

Computer are plugged into surge protection devices

Sensitive paper records are either kept in locked file cabinets or are shredded

Areas with key paper records are protected by fire detection and sprinkler systems

Cleaning staff always work in groups of two

Each work area has fire extinguishers which are periodically inspected/tested

Fire alarm systems are tested periodically through live drills

Building is equipped with multiple staircases, fire stairwells and/or fire escapes

Any areas with drop ceilings prevent access to sensitive areas (e.g., wire mesh)

Sensitive areas don’t allow access (e.g., air ducts, drop ceilings) from public areas

Emergency lighting exists in the event of a power outage

Floors are clear of wiring, or wiring is permanently attached to floor

Outlets are not overloaded with cords

The key controls listed in this checklist are explained in employee training and policy

Each Computer Room

No window to the outside (unless required for fire laws)

No more than two doors, all fireproof, all close securely and not in need of repair

Doors are controlled by automatic authentication with limited number of people who access.

Door hinge pins are concealed or welded to prevent removal from outside.

Doors have signage indicating restricted access, food/drink/smoking not allowed

Room has access to redundant power, network, and cooling

The temperature is kept between 55-75% and humidity is between 20-80% and is automatically monitored

Protected by total flooding agent (e.g., halon) sprinkler system (NOT wet sprinkler system)

Room has sufficient fire extinguishers

Room has emergency power off switches

Systems are protected by UPS and/or generator for no less than 24 hours.

Contract is in place for a week’s worth of fuel on demand.

Emergency power is regularly tested.

Cleaning staff are never left unattended in room.

Room is alarmed after hours.

Computer room is not located under any plumbing or rooms with water.

Smoke and heat alarms are installed inside and directly outside computer room.

Computer room has manual fire alarms.

Emergency lighting in the event of a power outage

Servers are physically locked within the computer room.

Computers are marked with clear asset tags and/or engraving

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!