Restricted areas must have physical detection control access mechanisms (cameras, security workforce, heat sensors, etc.).
HIPAA Security Rules 164.308(a)(3)(ii)(A): Authorization and/or Supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
HIPAA Security Rules 164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
HIPAA Security Rules 164.310(a)(2)(ii): Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
HIPAA Security Rules 164.310(c): Workstation Security: Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.