Why Medical Offices Need More Than Locks
Medical offices occupy an uncomfortable middle ground in the security world. They're not hospitals with dedicated security teams and badge-access everywhere. They're not retail shops where the door is just open during business hours. Medical offices have irregular schedules (early appointments, late procedures, Saturday hours that vary by practice), multiple tenants sharing a building, and a regulatory obligation to control who can access patient information.
HIPAA doesn't specifically mandate electronic access control. But it requires "facility access controls" — documented procedures that limit physical access to information systems and the facilities where they're housed. In practice, that means medical offices need to demonstrate that unauthorized people can't walk into areas where patient records, prescription pads, or electronic health systems are accessible.
A ring of keys copied six times for every new hire, with no audit trail and no way to deactivate a specific key when someone leaves, doesn't meet that standard. And in a multi-tenant medical building, the exposure compounds — the more practices sharing a building, the more people with keys, and the less control anyone has over who goes where.
The South Plainfield Building
This building houses four medical practices: a family medicine office, a cardiology group, an orthopedic practice, and a physical therapy clinic. There's a shared lobby, shared restrooms, and a common back hallway that connects all four suites. The building has a main entrance, a rear staff entrance, and individual suite doors off the common hallway.
Before the access control install, the building used a combination of traditional deadbolts and a push-button keypad on the rear entrance — the kind where everyone shares the same four-digit code and nobody changes it for years. Each practice had keys to their own suite, but the common hallway was unrestricted once you got past either entrance.
The problems were predictable. Staff from one practice would prop the back door for lunch deliveries, leaving the entire building accessible. The shared keypad code had been given to so many people over the years that it was effectively public knowledge. And when an employee left one of the practices, the only option was to re-key the suite — an expense the building owner avoided until it became unavoidable.
The System Design
We installed credential readers at all eight access points — both building entrances and every interior door that separates tenant spaces or protects sensitive areas. The system uses proximity card credentials (tap-to-enter, no fumbling with keys), and each practice manages its own staff credentials through a web portal.
The zone structure works like this:
- Building perimeter (main entrance, rear entrance): All credentialed staff from any practice can enter during their practice's operating hours. After hours, only staff with specific after-hours authorization can badge in.
- Individual suites: Only staff from that practice can access their suite. The cardiology group's credentials don't open the orthopedic practice's door, and vice versa.
- Records/IT room: Restricted to named personnel from each practice — typically the office manager and one designated IT contact. Not general staff access.
- Medication storage: Highest restriction level. Limited to physicians and authorized nursing staff, with every entry logged and time-stamped.
Every access event — successful or denied — is logged with a timestamp, credential ID, and door location. That audit trail is exactly what HIPAA compliance auditors want to see. If someone asks "who accessed the records room last Thursday at 6 PM," the answer is three clicks away.
After-Hours Logic
Medical offices don't keep banker's hours. The family medicine practice runs 7 AM to 7 PM on weekdays. The PT clinic is open Saturday mornings. The orthopedic group has a physician who comes in at 5 AM to review imaging before the first appointment.
We built the schedule profiles around each practice's actual calendar. During business hours, credentialed staff from each practice can access the building entrances and their own suite with a single tap. Outside those windows, the system requires individual after-hours authorization — the practice administrator grants it per-person, and it shows up on the audit log as a distinct after-hours entry.
The building owner wanted the exterior doors to auto-lock at 9 PM regardless of any practice's schedule. We set that as a hard lockdown — anyone still inside can exit freely (fire code requires it), but re-entry requires a credential with after-hours clearance. That eliminated the chronic "propped door" problem entirely.
The first week the system was live, one of the practices realized they had three former employees whose keys had never been collected. With the old system, those keys still worked. Now it's irrelevant — the credentials are deactivated the day someone leaves.
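As an added example that is not part of the original post, here is the zone structure, after-hours logic, deactivation and audit lookup described above, written as a small policy evaluator; the practice names, hours and role labels are assumptions, not the installed system's configuration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed model of the zone rules above; names, hours and role labels are assumptions.
LOCKDOWN = time(21, 0)            # exterior doors hard-lock at 9 PM regardless of schedule
HOURS = {                         # practice -> (weekdays, open, close); Mon=0 .. Sat=5
    "family_med": ({0, 1, 2, 3, 4}, time(7), time(19)),
    "pt": ({0, 1, 2, 3, 4, 5}, time(8), time(17)),
}
ZONE_ROLES = {"records": {"manager", "it"}, "medication": {"physician", "nurse"}}
AUDIT: list[dict] = []            # every decision, granted or denied, lands here

@dataclass
class Credential:
    cred_id: str
    practice: str
    role: str                     # staff, manager, it, physician or nurse
    active: bool = True           # set False the day someone leaves
    after_hours: bool = False     # granted per person by the practice administrator

@dataclass
class Door:
    name: str
    zone: str                     # perimeter, suite, records or medication
    practice: str = ""            # owning practice for interior doors

def in_hours(practice: str, when: datetime) -> bool:
    days, opens, closes = HOURS[practice]
    return when.weekday() in days and opens <= when.time() < closes

def decide(cred: Credential, door: Door, when: datetime) -> tuple[bool, str]:
    """Apply the zone rules in order and record the event in the audit trail."""
    if not cred.active:
        ok, why = False, "credential deactivated"
    elif door.zone != "perimeter" and door.practice != cred.practice:
        ok, why = False, "door belongs to another practice"
    elif door.zone in ZONE_ROLES:
        ok, why = cred.role in ZONE_ROLES[door.zone], "restricted zone, role check"
    elif in_hours(cred.practice, when) and when.time() < LOCKDOWN:
        ok, why = True, "business hours"
    else:                         # outside the schedule or past the 9 PM lockdown
        ok, why = cred.after_hours, "after-hours authorization"
    AUDIT.append({"time": when, "cred": cred.cred_id, "door": door.name,
                  "granted": ok, "why": why})
    return ok, why

def who_accessed(door_name: str, start: datetime, end: datetime) -> list[str]:
    """Answer 'who entered this door in that window' from the audit trail."""
    return [e["cred"] for e in AUDIT
            if e["door"] == door_name and e["granted"] and start <= e["time"] <= end]
```

Denied attempts are kept in the log on purpose, so a rejected badge at the records room is just as visible to an auditor as a successful entry.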
HIPAA and the Audit Trail
The access log isn't just a security feature — it's a compliance tool. HIPAA's physical safeguard requirements (§164.310) require covered entities to implement facility access controls and maintain records of who accessed what. A credential-based system with time-stamped logs satisfies that requirement in a way that a ring of keys never can.
Practical example: if a patient's records are accessed inappropriately and a complaint reaches HHS, the practice needs to demonstrate what physical controls were in place. "We have an electronic access log showing that only three authorized individuals entered the records area that week, and here are the timestamps" is a fundamentally different answer from "we gave keys to people."
We've worked with medical offices in Middlesex and Somerset counties that upgraded specifically because a compliance consultant flagged their physical access controls as a gap. The cost of a credential system is always less than the cost of a HIPAA violation — which starts at $100 per violation for unknowing breaches and scales to $50,000+ for willful neglect.
What Medical Offices Should Know About Access Control
Credential systems are not expensive anymore. A decade ago, electronic access control was a hospital-budget line item. Modern cloud-managed systems have made per-door costs accessible for small and mid-size medical practices. An eight-door system like this South Plainfield install is a fraction of what it would have cost five years ago.
You don't need to rip out existing doors. Credential readers mount alongside existing hardware. We typically keep the physical lock as a manual backup (required by fire code) and add the electronic reader as the primary entry method. No door replacements, no frame modifications.
Multi-tenant buildings benefit the most. When every practice has independent credential management but the building owner retains master access and scheduling control, everyone wins. Practices don't need to coordinate with each other on key management, and the building owner has a real-time view of who's in the building at any time. For more on how multi-tenant access control works, see our full access control guide.
If you're running a medical office in South Plainfield, Piscataway, Edison, or the surrounding Middlesex County area and your access control is still based on physical keys, call us at 732-346-5333. We'll walk the building, map your access points, and design a system that gives each tenant control over their own space while the building owner retains oversight.