Why Your Lease Is a HIPAA Document
Healthcare providers operate in physical spaces. Those physical spaces contain Protected Health Information (PHI) — patient records, intake forms, scheduling systems, medical equipment data logs, and billing information. The moment your office exists, your lease terms directly govern who can enter that space, when, under what conditions, and on how much notice.
Under HIPAA's Privacy Rule and Security Rule, covered entities — physicians, therapists, dentists, chiropractors, physical therapists, pharmacies, and their business associates — must implement reasonable physical safeguards to protect PHI. This includes access controls, workstation security, and facility security plans.
Your lease shapes all of these. If your landlord can walk into your space at any time with a master key, you have a HIPAA problem that originated in your lease terms. If your TI build-out didn't include sound attenuation between exam rooms and the waiting area, you have a HIPAA problem rooted in your construction provisions.
Yet most healthcare tenants sign standard commercial leases with no healthcare-specific modifications and no HIPAA counsel involvement. This guide changes that.
This guide is relevant for any healthcare tenant that is a HIPAA Covered Entity or Business Associate: physician practices, dental offices, mental health clinics, physical therapy centers, urgent care facilities, pharmacies, imaging centers, and any other provider that creates, maintains, or transmits PHI in a leased commercial space.
The Landlord Access Problem: Your #1 HIPAA Lease Risk
Standard commercial leases give landlords broad access rights. A typical access clause reads something like: "Landlord may enter the Premises at any time in the event of an emergency, and at any time during normal business hours upon 24 hours prior written notice, for inspection, repair, maintenance, or any other reasonable purpose."
From a standard commercial perspective, this is perfectly normal. From a HIPAA perspective, it creates a significant problem: your landlord — or their maintenance contractors — may be "Business Associates" under HIPAA if their access creates a reasonable possibility of exposure to PHI.
When Is a Landlord a Business Associate?
The HHS Office for Civil Rights issued guidance indicating that a landlord who merely rents space is typically not a Business Associate — PHI doesn't flow to them as part of their function. However, the analysis changes when:
- The landlord provides maintenance, janitorial, or repair services that take place within areas where PHI is stored or displayed
- The landlord has access to IT infrastructure within your space (wiring closets, server rooms)
- The landlord manages security systems that log entry/exit of patients or staff
- The landlord operates shared reception or front desk services that may encounter patient information
In these cases, healthcare attorneys and HHS guidance suggest a Business Associate Agreement is appropriate — even if technically not required for pure real estate relationships.
Many leases allow landlord access "at any time" in emergencies with no advance notice. For a standard tenant, this is fine. For a healthcare tenant, an unannounced landlord entry into a patient consultation room or medical records area constitutes a potential PHI exposure event that must be logged under your HIPAA Security Plan. Negotiate emergency access procedures that minimize PHI exposure.
Business Associate Agreements: What Healthcare Tenants Should Request
If you determine your landlord qualifies as a Business Associate (or as a precautionary measure even if they don't clearly qualify), you should request a signed Business Associate Agreement (BAA) as a condition of signing the lease.
| BAA Provision | Why It Matters for Healthcare Tenants |
|---|---|
| PHI use limitations | Landlord agrees not to use any PHI encountered for any purpose other than the service necessitating access |
| Safeguard requirements | Maintenance staff must follow PHI handling procedures when in patient areas |
| Subcontractor requirements | Landlord must pass BAA requirements to any contractors they send into your space |
| Breach notification | Landlord must notify you within 60 days if they discover a PHI breach resulting from their access |
| Return or destruction of PHI | Governs what happens to any PHI accidentally retained by the landlord |
| HIPAA compliance representation | Landlord represents they will comply with applicable HIPAA Security Rule requirements |
Physical Space Requirements Under HIPAA: The Build-Out Checklist
HIPAA's Physical Safeguard standards require covered entities to implement reasonable measures to protect PHI from unauthorized access in their facilities. For medical office tenants, this translates to specific build-out requirements that must be incorporated into your TI scope.
Sound Attenuation: The Most Overlooked HIPAA Risk
HIPAA requires that conversations containing PHI not be overheard by unauthorized parties. In a medical office, this primarily means ensuring that conversations between providers and patients in exam rooms cannot be heard from waiting areas, hallways, or adjacent suites.
Standard commercial construction provides approximately STC (Sound Transmission Class) 35–40 in typical partition walls — audible speech is understandable through these walls. HIPAA-compliant medical spaces typically require STC 45–50 between patient areas and public spaces, and STC 50+ between psychiatric/counseling spaces and adjacent areas.
Math Example: Sound Attenuation Cost
For a 3,000 SF medical office with 6 exam rooms:
- Standard partition walls: ~$12–18/SF of wall area
- STC 50-rated partition walls: ~$20–28/SF of wall area
- Approximate upgrade premium: $8–10/SF of wall area
- Estimated total upgrade cost for 6 exam rooms (approx. 400 LF of partition walls): $6,400–$8,000
This cost is modest but must be explicitly included in the TI build-out scope. Standard "medical office build-out" language in a lease does not automatically include HIPAA-compliant sound attenuation. Specify it.
Required Physical Safeguard Elements
| Physical Element | HIPAA Requirement | Lease/Build-Out Implication |
|---|---|---|
| Exam room door locks | Patient areas must be lockable and secured during consultations | Specify lockable doors in TI scope; standard commercial doors often don't lock from inside |
| Front desk design | PHI on screens/papers must not be visible to other patients | Requires privacy screens and elevated counter or partition — specify in TI drawings |
| Medical records storage | Paper records must be locked; electronic systems behind access controls | Negotiate for locking file rooms or built-in locking storage; specify in TI scope |
| Access control to clinical areas | Non-clinical visitors should not have unsupervised access to clinical areas | Include keypad or badge access between waiting and clinical zones in TI |
| Sound attenuation | Patient-provider conversations must be private | Specify STC rating in TI scope; confirm with acoustic consultant |
| Secure waste disposal | PHI must be securely destroyed before disposal | Confirm lease allows medical waste contractors; confirm shredder service access to space |
| Restroom access | Patient restrooms should not route through clinical areas | Specify restroom location and access path in lease exhibit |
Permitted Use Provisions: Healthcare-Specific Risks
Commercial leases specify the permitted use of the space — what you're allowed to do there. For healthcare tenants, this clause requires careful drafting to avoid two opposite problems:
Too narrow: If your permitted use says "general medical practice," you may need landlord approval to add behavioral health services, telemedicine, or ancillary services like lab or imaging. Each landlord approval takes time and may be denied.
Too broad: Some healthcare tenants request "any lawful use" — but landlords in medical buildings often resist this, as certain healthcare uses (addiction treatment, behavioral health, certain specialty clinics) may affect neighboring tenants or building insurance.
The ideal healthcare permitted use clause identifies your specific practice type and ancillary services, and includes language permitting "related healthcare services as may be offered from time to time." Work with healthcare real estate counsel to define this specifically for your practice type.
Regulatory License and Certificate of Occupancy Provisions
Medical practices often require specific regulatory approvals beyond a standard Certificate of Occupancy (CO). These include state medical board registrations, DEA facility registration (if prescribing controlled substances), state pharmacy board approvals, and certificate of need (CON) approvals in states that require them for certain services.
Healthcare tenants should negotiate lease provisions that:
- Make commencement contingent on receipt of all required regulatory approvals
- Grant a reasonable "regulatory approval period" before rent begins if approvals are delayed
- Allow early termination if regulatory approvals are denied or revoked due to factors outside the tenant's control
- Require the landlord to cooperate with regulatory inspections of the space
Many healthcare tenants sign leases with rent starting 90 days after lease execution — a standard "TI construction period." But regulatory approvals for medical spaces can take 4–8 months in some states. If your rent clock starts before your approvals arrive, you're paying for space you can't legally use. Negotiate a rent commencement trigger tied to regulatory approval, not just construction completion.
Lease Termination Rights Healthcare Tenants Must Negotiate
Healthcare tenants face regulatory risks that general commercial tenants don't. A practice may lose a key physician, face a license suspension investigation, or experience a payer contract termination that fundamentally affects their ability to use the space. Standard commercial leases provide no termination rights for these scenarios.
Healthcare-specific termination provisions to negotiate:
- Regulatory termination right: Right to terminate if the space cannot obtain or maintain required regulatory approvals for the practice's licensed activities
- Physician termination right: For solo or small group practices — right to terminate if the founding physician dies, becomes disabled, or loses their license
- Payer termination right: In some markets — right to terminate if major payer contracts are terminated and the practice becomes economically unviable at the location
- HIPAA breach termination right: Right to terminate if landlord actions result in a confirmed PHI breach and the landlord fails to remediate within a reasonable period
The Lease Surrender Problem: What Happens to Patient Records
When a healthcare lease ends, HIPAA creates obligations that standard lease surrender provisions don't contemplate. HIPAA requires:
- Medical records must be retained for a minimum of 6 years from the date of creation or the date when last in effect (some states require longer)
- PHI must be securely destroyed — not simply thrown away or left in the space
- Patients must be notified if a practice closes or relocates, so they can obtain their records
A standard lease surrender clause requires you to leave the space "broom clean" and remove all personal property within a set period (usually a few days to a week after the lease ends). HIPAA record destruction alone can take months if the practice is winding down and patient notification is required.
Healthcare tenants should negotiate:
- An extended surrender period (30–60 days post-expiration) to address PHI disposition
- Landlord agreement not to dispose of, relocate, or allow access to any abandoned property in the space during the extended period
- A holdover rental rate that reflects the temporary nature of the records disposition period
Parking, Accessibility, and ADA Compliance in Healthcare Leases
Healthcare practices have above-average parking needs — patients, many with mobility limitations, come from outside and need parking close to the entrance. ADA compliance is both a federal legal requirement and a practical patient-access necessity.
Math Example: Parking Ratio Analysis
A family medicine practice seeing 25 patients per day in a 2,500 SF space:
- Typical appointment duration: 20–30 minutes
- Peak hour patients: 6–8 simultaneous patients + 3–4 staff = 10–12 cars needed at peak
- Required parking ratio: ~4–5 spaces per 1,000 SF (vs. standard office: 3–4 per 1,000 SF)
- ADA requirement: At least 1 ADA space per 25 total parking spaces, minimum 1 van-accessible space per 6 ADA spaces
Before signing any healthcare lease, confirm: (1) the total parking ratio, (2) your guaranteed/exclusive parking allocation, (3) the number of ADA-accessible spaces near your entrance, and (4) whether neighboring tenants share the same lot and create peak-time competition.
Healthcare Lease vs. Standard Commercial Lease: Key Differences
| Provision | Standard Commercial Lease | Healthcare Lease (Should Have) |
|---|---|---|
| Permitted Use | General office/business | Specific practice type + ancillary services language |
| Landlord Access | 24 hrs notice for routine access | PHI-aware access protocols; BAA obligation for access-requiring staff |
| Build-Out (TI) | General office construction | HIPAA-specified: STC ratings, lockable exam rooms, access controls |
| Rent Commencement | Fixed date or construction completion | Tied to regulatory approvals, not just construction |
| Early Termination | None or financial penalty only | Regulatory, physician disability/death, HIPAA breach triggers |
| Surrender | Broom clean, 3–7 days | Extended period for PHI disposition; no access by landlord during period |
| Signage | Standard commercial signage | May need to address HIPAA-compliant patient wayfinding |
| Hazardous Materials | Standard prohibition | Carve-out for medical/pharmaceutical waste in normal healthcare operations |
HIPAA Compliance Lease Provisions: 12-Point Checklist for Medical Tenants
- Involve HIPAA counsel in lease review — have a healthcare attorney (not just a real estate attorney) review the lease before signing.
- Assess landlord Business Associate status — determine whether maintenance, janitorial, or other landlord services create BAA obligations.
- Request a BAA from the landlord — if landlord staff will access clinical areas, execute a BAA as a lease condition.
- Negotiate PHI-aware landlord access provisions — require advance notice, restrict access to clinical areas, and require that landlord personnel be escorted by practice staff while in those areas.
- Specify HIPAA build-out requirements in TI scope — STC-rated partitions, lockable exam rooms, access controls, and privacy screens are not implied by "medical office build-out."
- Tie rent commencement to regulatory approvals — don't pay rent for space you can't legally use because state approvals are pending.
- Draft a specific permitted use clause — include your practice type and all anticipated ancillary services; avoid both over-narrow and over-broad permitted use language.
- Negotiate regulatory and physician termination rights — protect the practice from lease liability if licensure, regulatory approval, or the founding physician's health creates a fundamental practice disruption.
- Confirm parking ratio and ADA accessibility — verify minimum parking, your guaranteed allocation, and ADA-accessible spaces near your entrance.
- Carve out medical/pharmaceutical waste from hazardous materials prohibitions — ensure normal healthcare waste in standard operations isn't a lease default.
- Negotiate extended surrender period for PHI disposition — ensure you have at least 30–60 days post-expiration to address HIPAA-compliant records destruction and patient notification.
- Use LeaseAI to extract and verify all lease terms — analyze your lease to confirm access provisions, TI obligations, termination rights, and surrender terms are all accurately understood before your practice depends on them.
Is Your Healthcare Lease HIPAA-Ready?
Most medical office leases weren't drafted with HIPAA in mind. LeaseAI extracts every key provision — access rights, TI obligations, permitted use, surrender terms — in minutes. Know what's in your lease before your practice depends on it.
Frequently Asked Questions
HIPAA doesn't directly regulate lease agreements, but your lease creates physical space obligations that affect HIPAA compliance. If your landlord has access to your space — for routine maintenance, inspections, or emergencies — and that space contains PHI, the landlord may qualify as a Business Associate requiring a signed BAA.
Possibly. If your landlord or their maintenance staff may access areas containing PHI — even incidentally — the landlord may qualify as a Business Associate under HIPAA. The HHS Office for Civil Rights has indicated that a landlord who provides maintenance services that could expose them to PHI may need to sign a BAA. This is a nuanced question that depends on the nature of the access and the presence of PHI in accessible areas.
Not automatically — unless your lease includes specific healthcare-related default provisions. Standard commercial leases do not include HIPAA compliance as a landlord obligation. Healthcare tenants should negotiate explicit termination rights tied to landlord actions that compromise PHI or violate agreed-upon access control protocols.
HIPAA requires "reasonable safeguards" for PHI. For physical spaces, this means private exam rooms, sound attenuation between patient areas, secure medical records storage, controlled access to areas where PHI is created or stored, and covered workstations in areas visible to passersby.
When your lease ends, you are responsible for securing and properly disposing of all PHI in the space before surrender. HIPAA requires medical records retention for a minimum of 6 years from creation or last effective date. You cannot simply leave records in the space. Your lease surrender provisions should allow adequate time for HIPAA-compliant record disposal.
The most common mistake is treating the lease as a purely financial transaction without involving HIPAA counsel. Healthcare tenants routinely sign leases with no access control provisions, no BAA requirements for the landlord, no sound attenuation requirements, and no PHI-specific surrender obligations — all of which can result in HIPAA violations rooted in their physical space, not their clinical systems.