GRCWatch
Sign inStart free trial

HIPAA PP-1.4: Facility Access Controls — Maintenance Records Documentation

Physical security isn't just about locks and doors—it's about proving you've maintained them. HIPAA's PP-1.4 control requires documented policies and procedures for tracking repairs and modifications to security-related facility components. Without a maintenance audit trail, you can't demonstrate that your physical infrastructure remains secure.

What this means

PP-1.4 mandates that your organization establish and maintain formal policies documenting all repairs, replacements, and modifications made to physical security components within your facility. This includes hardware, walls, doors, locks, and access points. The control ensures you have a verifiable record proving that security-critical infrastructure has been maintained, inspected, and remediated appropriately—a key requirement for HIPAA's Security Rule.

How to comply

  1. 1.Develop a facility maintenance policy that specifically addresses security-related components (doors, locks, hardware, walls, access control systems)
  2. 2.Establish a maintenance request and approval workflow with documented sign-off by authorized personnel
  3. 3.Create a centralized maintenance log or tracking system recording all repairs, modifications, and completion dates
  4. 4.Require maintenance vendors to provide detailed work orders, completion reports, and any changes made to security systems
  5. 5.Schedule regular facility inspections and document findings, repairs needed, and remediation completion
  6. 6.Train relevant staff on the maintenance policy and escalation procedures for security-related issues
  7. 7.Archive maintenance records for a minimum of 6 years in compliance with HIPAA retention requirements

Evidence auditors look for

  • Formal facility maintenance and modification policy document with security-specific requirements
  • Maintenance request forms showing requestor, description, authorization, and completion details
  • Maintenance log or database entries documenting repairs to locks, doors, hardware, and access points
  • Work orders from contracted maintenance vendors with scope, completion date, and authorized sign-off
  • Facility inspection reports showing identified security defects and corresponding repair records
  • Change orders or modification requests for physical infrastructure with security impact assessment
  • Vendor certifications or compliance confirmations for lock re-keying, door repairs, or system upgrades
  • Training records confirming staff understanding of maintenance documentation procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's control management module centralizes maintenance documentation and audit trails, automatically organizing work orders, vendor reports, and inspection records into a searchable, retention-compliant repository—eliminating manual tracking and audit delays.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PP-1.1 — Facility Access Control PolicyPP-1.3 — Visitor Log ProceduresPP-2.2 — Facility Disaster Recovery