You run a small firm, maybe 8 people, maybe 40, in healthcare billing, financial advising or defense contracting. A new client sends over a contract, and buried in the terms is a requirement: prove your workspace meets a specific compliance standard. You look up from your laptop at the open coworking floor around you, the shared Wi-Fi, the strangers walking past your screen, the phone booth someone else is already using, and you realize you have a problem.

That problem has a name: sometimes HIPAA, sometimes SOC 2, sometimes FINRA or CMMC, and it means your physical workspace is now part of your compliance posture.

This article gives you a five-layer audit framework to evaluate any workspace against those requirements, a clear picture of what compliance-grade flex space costs, and a path to get there without a five-year lease.

Key takeaway

If confidential work is daily rather than occasional, your workspace must provide controlled physical access, network isolation, acoustic separation, secure document handling, and managed visitor entry.

Flexible office options can meet these requirements without a long-term lease, and the cost premium over standard coworking is typically lower than the total occupancy cost of a traditional lease with compliance-grade build-out.


What “Compliance-Ready Workspace” Actually Means

A compliance-ready workspace is an office where the walls, the locks, the network, and the operational policies are set up so you can pass an audit. You can protect sensitive data, restrict who gets access to it, and prove both of those things to a regulator or a client’s compliance team.

The frameworks differ in specifics, but they all ask the same physical questions, which we map in the five-layer audit below. If you need that foundation first, our flexible office space guide breaks down the full range of workspace types.

Where Each Framework Hits Your Workspace

Each of these frameworks imposes workspace-level obligations that go beyond what most office tours will surface. Here is where each one actually hits, and where firms get tripped up:

HIPAA

HIPAA’s Security Rule requires physical safeguards for electronic protected health information (ePHI), including facility access controls, workstation use, workstation security, and device and media controls. In December 2024, HHS issued a proposed rule that would significantly revise the Security Rule, including removing the distinction between many “required” and “addressable” implementation specifications. Because the rule is still proposed, firms should treat it as a signal of regulatory direction rather than current law.

For many healthcare workflows, that means controlled entry, workstation placement that limits unauthorized viewing, and secure media storage or disposal. A shared floor with open seating and communal Wi-Fi is unlikely to satisfy these requirements for most firms handling ePHI routinely.

A common issue is HIPAA’s expectation of reasonable safeguards against incidental disclosures, which includes spoken information. It sounds vague on paper. It stops being vague when an auditor walks your floor and can hear a patient’s name through a glass partition from three desks away.

SOC 2

SOC 2 reports evaluate whether a service organization’s controls relevant to security (and, if in scope, confidentiality and privacy) are suitably designed and operating effectively. In practice, that often includes controls over physical and logical access, but the exact obligations depend on the scope of the system described in the report.

The common mistake is assuming your operator’s SOC 2 report covers your suite, your devices, or your internal controls. It only covers the system and controls within the report’s defined scope. In most cases, that means building-level common infrastructure: the lobby access system, the shared network backbone. Your suite? Your responsibility.

Ask to see the scope of the operator’s SOC 2 report before relying on it.

FINRA

For broker-dealers, FINRA Rule 3110 requires a supervisory system and written supervisory procedures reasonably designed to achieve compliance. Separately, Regulation S-P requires policies and procedures addressing administrative, technical, and physical safeguards for customer records and information.

In workspace terms, the key question is whether your setup supports supervision and protects customer information from unauthorized access or exposure. A shared open floor plan can make those objectives harder to document and defend during an examination.

CMMC

Even at CMMC Level 1, organizations must limit physical access to systems, equipment, and operating environments to authorized individuals. At Level 2, additional practices include escorting visitors, monitoring visitor activity, and maintaining audit logs of physical access.

The part that catches small defense contractors off guard is the visitor escort requirement. Your coworking operator’s front desk staff probably has no idea what CUI is, let alone how to escort a visitor through a controlled area. That gap between your compliance obligation and your operator’s awareness is yours to close before your C3PAO assessment, not during it.


The Five-Layer Compliance Workspace Audit

This five-layer audit is a practical evaluation framework, not a regulator-issued checklist, so map each layer to the specific controls and evidence your own framework requires. With that caveat, audit any current or prospective space against these five layers. Each one maps directly to the regulatory requirements above: if your framework requires a specific control in a given layer, your workspace must deliver it.

Layer 1: Physical Access

Control over who can enter the space where sensitive data is accessed or stored.

| Framework | What It Requires |
|---|---|
| HIPAA | Facility access controls; restrict physical access to ePHI systems while allowing authorized access |
| SOC 2 | Security criteria require physical access restrictions to systems and data |
| FINRA | Supervisory system and safeguards for customer records require controlled access to areas where those records are processed |
| CMMC | Limit physical access to organizational systems, equipment, and operating environments to authorized individuals |

What to look for in flex workspace: Badge or key-card entry to your suite (not just the building lobby); lockable doors; no shared-access floor plan for your team.

Layer 2: Network Isolation

Separation of your network traffic from other tenants and the general internet.

| Framework | What It Requires |
|---|---|
| HIPAA | Technical safeguards require access controls and transmission security for ePHI; shared Wi-Fi may be inappropriate unless secured and segmented to support those safeguards |
| SOC 2 | Confidentiality and security criteria require data transmission controls and network segmentation |
| FINRA | Electronic communications must be archivable and monitorable; shared networks complicate both |
| CMMC | Monitor, control, and protect communications at external and key internal boundaries of the information system |

What to look for in flex workspace: A private network segment or equivalent isolation; clear responsibility for firewalling and monitoring; documented controls for any production devices that handle regulated data.

Layer 3: Acoustic Privacy

Ability to discuss sensitive information without being overheard by unauthorized individuals.

| Framework | What It Requires |
|---|---|
| HIPAA | Privacy Rule requires reasonable safeguards against incidental disclosures, including verbal |
| SOC 2 | If confidentiality or privacy criteria are in scope, the report may evaluate controls that reduce unauthorized disclosure, including environmental or workplace controls |
| FINRA | Customer communications and information must be protected from exposure to unauthorized persons |
| CMMC | Organizations must prevent unauthorized access to CUI, which may include considering how verbal discussions occur in areas where CUI is handled |

What to look for in flex workspace: Soundproofed or sound-rated walls (not glass partitions alone); white noise systems; no open-plan seating for teams handling sensitive calls.

Layer 4: Document Handling

Secure storage, access, and disposal of physical and electronic media containing sensitive data.

| Framework | What It Requires |
|---|---|
| HIPAA | Device and media controls require policies for disposal, re-use, and movement of electronic media; workstation security for physical documents |
| SOC 2 | Confidentiality criteria require protection of information designated as confidential, including physical records |
| FINRA | Customer records must be maintained securely and accessible only to authorized, supervised personnel |
| CMMC | Control and manage physical media (paper, devices, drives) containing CUI during transport, storage, and disposal |

What to look for in flex workspace: Lockable filing cabinets or storage within your suite; on-site shredding services; no shared printer/copier queue visible to other tenants.

Layer 5: Visitor Management

Tracking and controlling non-employee access to your workspace.

| Framework | What It Requires |
|---|---|
| HIPAA | Facility access controls include procedures for validating access authorization and documenting repairs and modifications |
| SOC 2 | Security criteria require logging and monitoring of physical access, including visitor access |
| FINRA | Visitor practices should align with supervisory procedures and safeguards for protecting customer records from unauthorized access |
| CMMC | Maintain audit logs of physical access; escort visitors and monitor visitor activity; at Level 2+, log visitor access to CUI areas |

What to look for in flex workspace: Sign-in system for your suite (not just the building); escort policies for visitors in sensitive areas; visitor badges or temporary access credentials.
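A suite-level sign-in system only satisfies the visitor-management layer if someone actually reviews its log against the escort policy. The script below is an added example, not code from the article or from any workspace operator: it reads a constructed CSV export of badge events at a suite door (the column layout is an assumption; real systems export their own formats) and flags the conditions the CMMC and HIPAA rows above care about: unescorted visitor entries, escorts who were not on the premises, after-hours entries, visits with no recorded exit, and visits longer than a policy maximum. The controlled-area name, business hours and maximum visit length are assumptions chosen for the example.

```python
"""Audit a suite visitor log against an escort policy.

Added example, not from the article or any operator. The CSV layout,
area names, business hours and visit limit are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, one row per badge event at the suite.
# 'escort' is the employee badge accompanying a visitor, blank if none.
SAMPLE_LOG = """\
timestamp,badge_type,badge_id,name,area,event,escort
2025-03-03T08:55:00,employee,E101,Dana Ruiz,suite,entry,
2025-03-03T09:10:00,visitor,V2001,HVAC Tech,suite,entry,E101
2025-03-03T09:12:00,visitor,V2001,HVAC Tech,cui-room,entry,E101
2025-03-03T10:05:00,visitor,V2001,HVAC Tech,suite,exit,E101
2025-03-03T11:30:00,visitor,V2002,Courier,suite,entry,
2025-03-03T11:45:00,visitor,V2002,Courier,suite,exit,
2025-03-03T13:00:00,visitor,V2003,Client Rep,suite,entry,E101
2025-03-03T14:00:00,visitor,V2003,Client Rep,cui-room,entry,
2025-03-03T15:00:00,visitor,V2004,Auditor,suite,entry,E999
2025-03-03T15:30:00,visitor,V2004,Auditor,suite,exit,E999
2025-03-03T19:30:00,visitor,V2005,Cleaner,suite,entry,E101
2025-03-03T20:00:00,visitor,V2005,Cleaner,suite,exit,E101
"""

BUSINESS_HOURS = (8, 18)        # assumption: escorts available 08:00-18:00
MAX_VISIT = timedelta(hours=4)  # assumption: policy maximum for one visit


def parse_log(text):
    """Parse the CSV export into a list of row dicts, in log order."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_visitors(rows):
    """Return (badge_id, finding) tuples for every policy violation."""
    findings = []
    employees_inside = set()   # employee badges currently in the suite
    open_visits = {}           # visitor badge -> time of suite entry

    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        bid, area, event = row["badge_id"], row["area"], row["event"]

        if row["badge_type"] == "employee":
            if event == "entry":
                employees_inside.add(bid)
            elif area == "suite":          # leaving the suite itself
                employees_inside.discard(bid)
            continue

        if event == "entry":
            escort = row["escort"]
            if not escort:
                findings.append((bid, f"unescorted entry to {area}"))
            elif escort not in employees_inside:
                findings.append((bid, f"escort {escort} not on premises"))
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append((bid, "entry outside business hours"))
            if area == "suite":
                open_visits[bid] = ts
        elif event == "exit" and area == "suite":
            start = open_visits.pop(bid, None)
            if start is None:
                findings.append((bid, "exit without recorded entry"))
            elif ts - start > MAX_VISIT:
                findings.append((bid, "visit exceeded maximum duration"))

    # Anyone still "inside" at the end of the export has no exit event.
    for bid in open_visits:
        findings.append((bid, "no exit recorded"))
    return findings


if __name__ == "__main__":
    for badge, finding in audit_visitors(parse_log(SAMPLE_LOG)):
        print(badge, finding)
```

Run against the constructed log, it reports the courier's unescorted entry, the client representative's unescorted step into the controlled room and missing exit, an escort badge that never signed in, and the after-hours cleaner. Those are exactly the rows an assessor will ask about, so keeping this kind of review output with the log itself is the evidence the audit-log requirement is really asking for.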

If you are weighing whether your team even needs a private suite or whether an open desk plan could work, our private office decision tree walks through the criteria. The short version: if confidential work is routine and your team discusses sensitive information daily, phone booth availability at peak hours is not a compliance strategy.


What Compliance-Grade Flex Workspace Actually Costs

Three price tiers matter here. A standard coworking membership runs about $220 per month at the national median. A serviced office, which bundles furniture, utilities, internet, cleaning, and reception, averages roughly $456 per desk per month. A compliance-grade private suite with dedicated network infrastructure, controlled access, and acoustic separation typically starts at or above that serviced tier. (Our analysis of hidden line items across workspace models breaks down these tiers in detail.)

But the right comparison is not flex versus open coworking. It is compliance-grade flex versus a traditional lease where you build compliance yourself. In a lease, you procure furniture, cleaning, HVAC maintenance, network infrastructure, access control hardware, and soundproofing, all separately, all on your budget, all before your team sits down. In a serviced or managed suite, those are bundled into the monthly fee.

The ratio to carry away: a compliance-grade flex suite typically runs 2 to 3 times an open coworking desk per person, but comes in well below a leased build-out in the first year once you account for everything the lease forces you to procure on your own.

Scenario: A Healthcare Billing Firm Faces a Compliance Deadline

A 12-person healthcare billing company operating on an open coworking floor wins a contract with a hospital system that requires a signed Business Associate Agreement. During due diligence, three gaps surface: shared Wi-Fi with no network segmentation, open-plan workstations with visible screens, and no lockable document storage. Their five-layer audit:

  • Physical access: fails
  • Network isolation: fails
  • Acoustic privacy: marginal
  • Document handling: fails
  • Visitor management: building-level only

Three outright failures. Not fixable in the current space. The firm moves to a serviced private suite: 12-month agreement, two-week move-in, $5,000 to $8,000 per month versus their previous $2,640.

The operator’s BAA does not make you compliant on its own. Whether a workspace operator needs to sign a BAA depends on whether it creates, receives, maintains, or transmits PHI on your behalf. If so, the BAA defines part of the operator’s obligations, but your organization remains responsible for its own devices, endpoint security, encryption, and access management for ePHI. This firm layers its own VPN, endpoint management, and encryption on top of the operator’s dedicated VLAN. That shared-responsibility model, operator infrastructure plus your technical controls, is how compliance actually works in flex spaces.

For regulated firms, the compliance premium is client-acquisition infrastructure rather than overhead. Yes, the monthly cost nearly tripled, but the contract it unlocked was worth multiples of the difference, and the firm now has a workspace it can point to in every future client compliance review.

What Operators Are Doing to Meet This Demand

Some operators are positioning compliance-oriented suites for regulated tenants by offering stronger access controls, private network segmentation, audit-friendly visitor processes, and willingness to share compliance documentation. The reason is straightforward: regulated tenants pay a premium, sign longer agreements, and churn at lower rates. According to Fortune Business Insights, the global flexible office market was valued at $45.24 billion in 2025 and is projected to reach $194.75 billion by 2034, with the BFSI sector expected to register the highest growth rate among all industry segments.

When evaluating operators, ask concrete questions:

  • Can they provide a dedicated network segment for your suite?
  • Will they sign a BAA (if applicable) or share their SOC 2 report, including its scope?
  • Do they offer suite-level access control, not just floor-level?
  • Is there on-site secure shredding? How are visitors to your specific suite logged?

If the answers are vague or rely entirely on building-level controls, keep looking.

How to Evaluate Your Current Workspace

Run the five-layer audit against your actual environment. Not the operator’s marketing materials and not the tour you took six months ago. Walk it with your compliance officer or outside counsel and verify each layer physically.

Check whether your network traffic is actually isolated; ask for network architecture documentation. Test acoustic separation yourself: have a colleague speak at normal volume inside your suite while you stand in the hallway. Can you make out words? Then so can everyone else. Confirm that your lockable storage actually locks and that you hold the only key or access code. Review visitor management for your suite specifically, not the building’s general front desk procedure.
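One way to check the network-isolation claim from your own desk, without probing anyone else's equipment, is to look at which hosts have already exchanged frames with your workstation. On a genuinely dedicated segment (the Layer 2 requirement above) the neighbour table should contain only your own devices and the gateway the operator documented; strangers' laptops and printers showing up there means you share the segment. The script below is an added example, not code from the article or from any operator. It parses the Linux `ip neigh show` format; the device inventory, gateway MAC and sample output are constructed for the example, and the inventory is what you would fill in from your own asset list.

```python
"""Check whether a suite's network segment is actually isolated.

Added example, not from the article or any operator. It reads the
workstation's own neighbour table (`ip neigh show` on Linux), so it
probes nothing: it only reports hosts that have already talked to this
machine on the same Layer 2 segment. Inventory and samples are
constructed.
"""
import re
import subprocess

# Constructed: MACs of every device the firm owns, plus the gateway the
# operator documented for the dedicated VLAN.
OWN_DEVICES = {
    "aa:bb:cc:00:00:01": "dana-laptop",
    "aa:bb:cc:00:00:02": "printer-suite",
}
DOCUMENTED_GATEWAY = "00:11:22:33:44:01"

# Constructed sample of `ip neigh show` on a segment that is NOT isolated:
# two hosts appear that belong to nobody in the inventory.
SHARED_NEIGH = """\
10.20.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.20.5.12 dev eth0 lladdr aa:bb:cc:00:00:01 STALE
10.20.5.13 dev eth0 lladdr aa:bb:cc:00:00:02 REACHABLE
10.20.5.77 dev eth0 lladdr de:ad:be:ef:01:02 STALE
10.20.5.91 dev eth0 lladdr de:ad:be:ef:03:04 REACHABLE
10.20.5.120 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
"""

# Constructed sample of the same command on a dedicated segment.
ISOLATED_NEIGH = """\
10.20.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.20.5.12 dev eth0 lladdr aa:bb:cc:00:00:01 STALE
"""

# Lines without 'lladdr' (FAILED / INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})")


def parse_neighbours(text):
    """Return [{'ip', 'dev', 'mac'}] for every resolved neighbour."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "dev": m.group(2),
                            "mac": m.group(3).lower()})
    return entries


def unknown_neighbours(entries):
    """Neighbours whose MAC is neither ours nor the documented gateway."""
    return [e for e in entries
            if e["mac"] != DOCUMENTED_GATEWAY and e["mac"] not in OWN_DEVICES]


def isolation_report(text):
    """Summarise one neighbour-table dump."""
    entries = parse_neighbours(text)
    unknown = unknown_neighbours(entries)
    return {
        "neighbours": len(entries),
        "unknown_macs": sorted({e["mac"] for e in unknown}),
        "isolated": not unknown,
    }


def live_report():
    """Run the real command on this workstation (Linux only)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return isolation_report(out)


if __name__ == "__main__":
    print(isolation_report(SHARED_NEIGH))
    print(isolation_report(ISOLATED_NEIGH))
```

Two caveats a compliance officer should note when reading the result. A clean neighbour table is necessary but not sufficient: only hosts that have already exchanged frames with your machine appear, so an empty table after five minutes proves little, and a quiet shared segment can look isolated until someone else's device starts talking. And a dedicated segment says nothing about what the operator's firewall permits between segments, which is why the paragraph above asks for the network architecture documentation as well.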

If your space fails on one or more layers, you have three options: negotiate upgrades with your current operator (some will add a VLAN or badge reader for an incremental fee), move to a compliance-grade suite, or transition to a traditional lease with custom build-out. The first two typically resolve within 30 to 60 days. The third can take six months or more.

Frequently Asked Questions

Can I use a coworking space if I need HIPAA compliance?

Yes, but only if the space meets HIPAA’s physical, technical, and administrative safeguard requirements. That typically means a private suite with controlled access (not an open floor plan), a dedicated or segmented network (not shared Wi-Fi), lockable storage for any physical media, and, where applicable, an operator that will sign a Business Associate Agreement. A standard open coworking membership will not satisfy these requirements.

What network security features should a compliance-ready workspace include?

At minimum, a compliance-ready workspace should provide a private network segment or equivalent isolation that separates your traffic from other tenants. Many regulated firms also require a managed firewall or security appliance, encrypted Wi-Fi with unique credentials for your team (not a shared password), and the ability to run your own VPN on top of the operator’s infrastructure. Ask the operator for network architecture documentation before signing.

Do I need a Business Associate Agreement with my coworking provider?

It depends on whether the operator creates, receives, maintains, or transmits protected health information on your behalf. If so, a BAA is required under HIPAA. The scope depends on what the operator can access. If they provide IT infrastructure, cleaning services in areas with physical records, or maintenance in your suite, those activities may constitute access to PHI. Not every workspace operator qualifies as a business associate. Consult your compliance counsel to determine whether your specific arrangement triggers BAA requirements.

How much more does a compliance-grade private suite cost compared to standard coworking?

The national median for a standard coworking membership is approximately $220 per month per person. Serviced offices, which include more infrastructure and privacy, average roughly $456 per desk per month. Compliance-grade suites with dedicated networks, badge access, and acoustic separation typically fall at or above the serviced office tier. For a 12-person team in a mid-tier market, expect a range of $5,000 to $8,000 per month for a fully compliant private suite, compared to roughly $2,640 per month for open desk memberships at the national median.

What is the difference between a private office and a compliance-ready suite?

A private office gives you a door. A compliance-ready suite gives you an audit trail. In practical terms, a private office in a coworking space provides a lockable room with dedicated desks and typically 24/7 access. A compliance-ready suite adds infrastructure layers on top of that: dedicated network segmentation (VLAN), suite-level access control (badge or key card, not just a door lock), acoustic treatment rated for confidential conversations, lockable document storage, and a visitor management process specific to your suite. The difference is the gap between “private” and “auditable.”

Which regulatory frameworks require dedicated workspace features?

HIPAA requires physical safeguards including facility access controls, workstation security, and device and media controls for any entity handling electronic protected health information. SOC 2’s security and confidentiality criteria require physical access restrictions and network controls. FINRA’s supervision rules require controlled environments where registered personnel can oversee communications and client records. CMMC requires physical access controls and, at higher levels, visitor logging. If you are subject to any of these, an open coworking floor with shared Wi-Fi and no suite-level access control will not pass an audit. Start with the five-layer audit framework above to identify exactly where your current workspace falls short.

Author

Balazs Szekely, our Senior Creative Writer, has a degree in journalism and dynamic career experience spanning radio, print and online media, as well as B2B and B2C copywriting. With extensive experience at several real estate industry publications, he’s well-versed in coworking trends, remote work, lifestyle and health topics. Balazs’ work has been featured in The New York Times, The Washington Post, and The Wall Street Journal, as well as on CBS, CNBC and more. He’s fascinated by photography, winter sports and nature, and, in his free time, you may find him away from home on a city break. You can drop Balazs a line via email.