Partly. A remote assessment can establish most of what the Security Rule's technical and documentation standards ask for, and it can establish very little of what 45 CFR 164.310 asks for, because 164.310 is about rooms, doors, screens, and drives. A remote method does not observe a physical safeguard. It records somebody's description of one. Both are evidence. They are not the same evidence, and the difference is worth knowing before you buy an assessment rather than after a regulator asks how you reached your conclusions.
The short answer
Nothing in HIPAA requires a site visit. Plenty in HIPAA is difficult to assess accurately without one. Those two facts coexist, and most of the confusion in this market comes from vendors and buyers each quoting one of them and ignoring the other.
What 164.310 asks about
The Security Rule splits safeguards into three categories: administrative (164.308), physical (164.310), and technical (164.312). 45 CFR 164.306(c) requires compliance with the applicable standards across all of them with respect to all ePHI. The physical section sets four standards, and reading their actual subjects makes the assessment problem obvious:
| Standard | What it is about |
|---|---|
| 164.310(a)(1) Facility access controls | “Limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed” |
| 164.310(b) Workstation use | The proper functions, the manner of performance, and “the physical attributes of the surroundings of a specific workstation or class of workstation” |
| 164.310(c) Workstation security | “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users” |
| 164.310(d)(1) Device and media controls | Receipt and removal of hardware and electronic media “into and out of a facility, and the movement of these items within the facility” |
Facilities. Surroundings. Movement of items within the facility. The regulation's own examples under the maintenance records specification at 164.310(a)(2)(iv) are “hardware, walls, doors, and locks.” This section is not an abstraction that happens to have a physical metaphor attached. It is about the building.
An assertion and an observation are different evidence
Here is the mechanic underneath the whole question, and it is not complicated.
A questionnaire asks: is the server room locked? Someone types yes. That answer is now in the report, and it is very likely honest. It is also an assertion: a person's recollection of a room, filtered through their understanding of what the question meant, on the day they filled in the form.
Someone standing in the corridor learns a different set of facts. The room is locked. The door is also propped open every Tuesday when the HVAC contractor comes. The badge list still has two people who left in March. There is a box of retired drives under the desk that nobody has a record of, which is a 164.310(d)(2)(i) disposal problem and a Required specification. A monitor at the end of the hall faces the waiting area. None of that is a lie in the questionnaire. All of it is invisible to the questionnaire, because the questionnaire asked about the lock and the risk was in the room.
The gap is not honesty. It is that people stop seeing the rooms they work in every day, and a form can only return what the person filling it in already knows to notice.
ONC's own overview material for the free federal assessment tool makes a version of this point about self-completed questionnaires generally, and it is unusually direct: organizations “should take care that its responses reflect an accurate and thorough assessment of the questions presented and are not merely a clerical exercise to produce a report,” and “the value of the SRA to your organization depends on the integrity of the input.” The same material warns that “responding to questions without considering how the questions apply throughout the organization may result in a risk analysis that is not accurate and thorough as required by the HIPAA Security Rule.”
What remote methods do well
Remote assessment gets unfairly maligned in conversations like this one, so it is worth being precise about how much of the rule it genuinely reaches:
- Technical safeguards (164.312). Access control, audit controls, integrity, authentication, and transmission security are evidenced through configuration exports, access control lists, log samples, and encryption settings. A reviewer with the right read-only access can establish these better remotely than by standing in a room.
- Documentation (164.316). Policies, procedures, business associate agreements, and retention practice are documents. Reviewing them is a remote activity by nature.
- Much of the administrative section (164.308). Workforce clearance and termination procedures, training records, sanction policy, contingency planning documents, and incident response records all review remotely.
- The nontechnical evaluation, partly. 164.308(a)(8) requires a periodic technical and nontechnical evaluation. A good interview by video reaches a lot of it: asking the night shift what they do when the system is slow works over a call.
That is most of the rule. A well-run remote engagement is a real assessment, and for an organization with one office and a cloud-hosted stack it may be close to sufficient.
What needs eyes in the room
The residue is small and specific, and it is concentrated almost entirely in 164.310:
- Surroundings. 164.310(b) is written about the physical attributes of the surroundings of a workstation. Sightlines, foot traffic, and who walks past a screen are things you look at.
- Doors and their real behavior. Whether the badge reader is used, propped, shared, or bypassed is a question about practice, not policy.
- Unmanaged storage. The drives in a drawer, the old server in the closet, the backup tapes in a cabinet. Device and media controls at 164.310(d) cover the movement of these items within the facility, and the items nobody remembers are the ones the inventory misses.
- The undocumented estate. The workstation in the back office that IT does not manage. The fax server everyone forgot. The equipment that caches studies locally.
These are not exotic risks. They are the ordinary ones, and they share a property: the person answering the questionnaire does not know they exist, so no question can retrieve them.
The two Required specifications hiding in the physical section
Worth flagging, because the physical section gets treated as soft. Most of 164.310's implementation specifications are Addressable: contingency operations, facility security plan, access control and validation procedures, maintenance records, accountability, and data backup and storage. Addressable, under 45 CFR 164.306(d)(3), means implement it if reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. It is a documented decision, not an option to ignore.
Two specifications in this section are Required:
§ 164.310(d)(2)(ii) Media re-use (Required). “Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”
Required means no documented-alternative path, and both specifications are about physical objects moving through a physical place. A remote assessment can read the disposal policy. It cannot see the box under the desk that the policy was supposed to prevent.
The rule does not mandate a site visit
Being accurate about this cuts against the argument above, and it needs saying plainly: HIPAA does not require an onsite assessment. Anyone who tells you the regulation mandates a site visit is overstating it.
OCR's Guidance on Risk Analysis is explicit that method is the organization's choice: “We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization.” The guidance is also clear that it is “not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement.” And 45 CFR 164.306(b) lets an entity use any security measures that reasonably and appropriately implement the standards, taking size, capabilities, infrastructure, cost, and the probability and criticality of risks into account.
So the rule sets an outcome and leaves the route to you. The outcome is the sentence that matters:
Which reframes the buying question usefully. Not “does the law require someone to visit?” The answer is no. The better question is “can the method I am buying produce an accurate and thorough result for the standards it claims to cover?” For 164.312, a remote method plainly can. For 164.310, a remote method is working from testimony about a room, and it should say so and compensate for it rather than quietly scoring the section as complete.
There are honest ways to compensate. A structured self-walkthrough with a defined checklist and photographs. A local person, briefed properly, who is not the person who set the environment up. Existing evidence like badge access reports, camera coverage, and maintenance records under 164.310(a)(2)(iv). These are legitimate methods and they are much better than a yes/no field. They are also more work than a yes/no field, which is why the question is worth asking before signing.
Where this bites hardest: multiple sites
One office with a cloud stack is the easy case. The problem compounds when an organization has several locations, because a remote assessment of twelve sites is usually a remote assessment of one site's description of twelve.
OCR's guidance is clear that scope follows the ePHI regardless of location: electronic media “includes a single workstation as well as complex networks connected between multiple locations,” and the analysis should account for all ePHI “regardless of... the source or location.” The federal tool's user guide offers a practical test in its FAQ, framing the answer as depending on “how much the locations differ with their policies, procedures, and infrastructure,” and noting that where “question responses are not applicable to all locations, you may consider doing a separate SRA for each location.”
The failure mode is specific. Sites one through twelve run the same EHR, so they get assessed once and assumed eleven times. The EHR is the thing they have in common. The locks, the sightlines, the closets, the drives in drawers, and the person who props the door are the things they do not have in common, and those are exactly the 164.310 questions. Standardization travels well through software and poorly through buildings.
How to tell what you are buying
Three questions, asked before signing, will separate the offerings without anyone having to argue about methodology:
- “Which of the four standards in 164.310 does this assess, and by what method for each?” A scope that names the section and describes a method for it is one you can evaluate. Physical safeguards listed as a bullet with no method attached is a questionnaire section.
- “Will anyone look at the places holding ePHI, and if not, what replaces looking?” A good answer to the second half exists. Not having thought about it is the signal.
- “Which specific locations are covered, and which are inferred?” A scope statement with honest boundaries is worth more than one implying coverage it never had.
Both models are legitimate purchases. A remote assessment at a fraction of the cost may be exactly right for a single-site organization with a cloud stack and no server closet. What should not happen is buying one and believing you bought the other, and then discovering the difference at the point where somebody asks how you concluded that your facilities were secure.
One note on what is ahead. Updates to the Security Rule have been proposed and have not been finalized. Proposed requirements are not binding, and nothing in this article depends on them. Everything above is current law today.
Common questions
Does a HIPAA risk analysis have to cover physical security?
Yes. 45 CFR 164.310 is an entire section of the Security Rule devoted to physical safeguards, and it sets four standards: facility access controls, workstation use, workstation security, and device and media controls. Two of its implementation specifications are Required rather than Addressable, disposal at 164.310(d)(2)(i) and media re-use at 164.310(d)(2)(ii), meaning there is no documented-alternative path for either. 45 CFR 164.306(c) requires compliance with the applicable standards in 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all ePHI. A risk analysis that assesses only technical controls has assessed one of the three safeguard categories.
Does HIPAA require an onsite risk assessment?
No. The Security Rule does not prescribe a methodology and does not mandate a site visit. OCR's Guidance on Risk Analysis states that the rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. What the rule does require is an outcome: 45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment. So onsite is not a legal requirement, and it is also not the question worth asking. The question is whether the method used can produce an accurate and thorough result for the standards being assessed. For provisions written about the physical attributes of surroundings, a method that never observes the surroundings has a gap it needs to close some other way.
What can a remote HIPAA risk assessment verify?
A remote assessment can verify a great deal, and more than it usually gets credit for. Technical safeguards under 45 CFR 164.312 are largely evidenced through configuration exports, access control lists, audit log samples, and encryption settings. Documentation review under 164.316 works remotely by definition. Policies, procedures, business associate agreements, and training records are all reviewable from anywhere. Interviews conducted by video reach the nontechnical evaluation required by 164.308(a)(8). What remote methods produce for physical safeguards is testimony rather than observation: a person's account of a room, given in good faith, by someone who has stopped noticing it. That is evidence, and it is a weaker class of evidence than looking.
How do I tell whether a risk analysis engagement includes physical safeguard assessment?
Ask three questions before signing. First, which of the four standards in 45 CFR 164.310 does the engagement assess, and by what method for each. Second, will anyone visit the locations holding ePHI, and if not, what compensates for the absence of observation. Third, if there are multiple sites, which specific ones are covered and which are being inferred from a sample. A scope that names 164.310 and describes a method for it is a scope you can evaluate. A proposal that lists physical safeguards as a bullet without a method is describing a questionnaire section. Both can be legitimate purchases. The difference should be visible to you before you buy rather than after.