HIPAA · 45 CFR 164

PHI areas, controlled at the door.
Audit-ready logs, on tap.

Most HIPAA programs focus on cybersecurity; OCR audits start at the front door. LogBook360 enforces every §164.310 Physical Safeguards requirement: facility access, BAA vendor screening, and tamper-evident audit logs retained for the full 6-year window.

Annual cap for willful neglect is USD 2.07M per provision, and there are 50+ provisions.
HIPAA Access & Screening
Dr. Patel · Cardiology · 09:14 · PHI Storage Rm 3B · Chart pull · Pt #88421
Karen Ng · BAA Vendor · 10:02 · Server Closet 2 · Backup tape rotation
Visitor, J. Liu · 10:45 · Lobby only · Patient family · screened ✓
Tom R. · Contractor · 11:20 · Pharmacy · HVAC repair · escorted
§164.310(a)(2) facility access log · 6-yr retention
Where HIPAA meets reception

Four Physical Safeguards your front desk owns

The HHS Office for Civil Rights has expanded physical safeguards enforcement every year since 2018. Most settlements cite the same root causes.

Safeguard: Facility access (§164.310)
The Physical Safeguards rule isn't optional. Every entry to a PHI-handling area must be controlled, validated, and logged. Auditors will pull a sample.

Safeguard: Audit controls (§164.312)
OCR doesn't just want logs, they want tamper-evident logs. Paper sign-in sheets and editable spreadsheets fail the audit before the auditor opens them.

Safeguard: BAA-aware visitor flow
Vendors handling PHI must be under a Business Associate Agreement. LogBook360 flags BAA status at check-in so unauthorized vendors are stopped before entry.

Safeguard: Health screening attestation
Whether for infection control or workforce safety, screening responses must be captured, timestamped, and retained alongside the visit record.
Rule mapping

45 CFR 164 requirements. LogBook360 controls.

§164.310(a)(1) · Requirement: Facility access controls · LogBook360 control: Role-based access to PHI areas with host approval, escort logging, and time-bounded badges
§164.310(a)(2)(ii) · Requirement: Facility security plan · LogBook360 control: Documented zones, who can enter, and evidence the plan is enforced, exportable for auditors
§164.310(a)(2)(iii) · Requirement: Access control & validation · LogBook360 control: Identity verification at check-in via photo capture, matched against the pre-registered roster
§164.310(a)(2)(iv) · Requirement: Maintenance records · LogBook360 control: Every contractor, vendor, and maintenance visit logged with PHI-area access duration
§164.312(b) · Requirement: Audit controls · LogBook360 control: Tamper-evident access logs with who/what/when/where, never overwritten
§164.530(j)(2) · Requirement: 6-year documentation retention · LogBook360 control: All visitor and access records retained 6 years from creation or last effective date
§164.504(e) · Requirement: BAA contractor handling · LogBook360 control: Vendors flagged at check-in, BAA status verified, access limited to BAA scope
§164.514(d) · Requirement: Minimum necessary access · LogBook360 control: PHI-area access defaulted to none; explicit elevation required and logged
Non-compliance risk

HIPAA enforcement stacks: civil, state, and criminal

The Office for Civil Rights publishes every Resolution Agreement and breach over 500 records on its "Wall of Shame." State AGs add a second layer. Criminal liability sits on top.

US · OCR enforcement
Tier 1 (no knowledge) · USD 137 - 68,928 per violation · Could not have known, limited corrective action available
Tier 2 (reasonable cause) · USD 1,379 - 68,928 per violation · Should have known with reasonable diligence
Tier 3 (willful neglect) · USD 13,785 - 68,928 per violation · Conscious disregard, corrected within 30 days
Tier 4 (uncorrected) · USD 68,928 - 2.07M per violation · Willful neglect not corrected, annual cap USD 2.07M per provision

US · State attorneys general
HITECH Act §13410(e) · USD 100 - 25K per violation · State AGs have parallel HIPAA enforcement authority
State data breach laws · Varies (CA, NY, TX most active) · Stack on top of federal HIPAA penalties
Private litigation · Class action damages, often 8 figures · Negligence per se where HIPAA is the standard of care

US · Operational & criminal
Criminal (42 USC §1320d-6) · Up to USD 250K + 10 yrs prison · Knowingly disclosing PHI for personal gain or malicious harm
CMS enforcement · Loss of Medicare/Medicaid billing · Pattern of HIPAA failures can trigger CMS conditions of participation
OCR Resolution Agreement · Multi-year corrective action plan · OCR-monitored compliance program, frequent reporting required

Real enforcement
Anthem Inc. · USD 16M OCR settlement · Largest HIPAA settlement to date; physical and technical access failures led to a breach of 78.8M records
Memorial Healthcare · USD 5.5M OCR · Failure to monitor facility and PHI access by former employees and unverified workforce
Premera Blue Cross · USD 6.85M OCR · Insufficient access controls and audit log review; breach affecting 10.4M individuals
Implementation

HIPAA-ready facility access in 5-7 weeks

1. Risk analysis (§164.308) · 2-3 weeks · Catalog every facility access point to PHI. Identify where current sign-in fails the Physical Safeguards rule.
2. Deploy LogBook360 · 1-2 weeks · Configure facility zones, BAA vendor list, health screening flows, and 6-year retention policy.
3. Workforce training (§164.530) · 1 week · Train reception, security, and ward staff on the new visitor flow. Document training records.
4. Privacy/Security Officer sign-off · 1 week · Your designated HIPAA Privacy and Security Officers review the evidence binder and sign the attestation.

Keep physical-access findings out of your next OCR audit

Our compliance team will walk your Privacy and Security Officers through every §164.310 control LogBook360 enforces, and show you the audit packet your next OCR investigator will receive.