No, most offices should not use a fully open concept for client areas, because client-facing work almost always involves confidential information that federal and state privacy laws protect, and open layouts make overheard conversations, visible screens, and exposed documents the default rather than the exception. A hybrid layout that blends open collaboration zones for staff with enclosed, sound-rated rooms for client interaction is the safer and more defensible design choice for law firms, medical practices, financial advisors, and most other professional services.
The core problem is that open concepts collide head-on with confidentiality duties baked into statutes like the HIPAA Privacy Rule, professional conduct rules like ABA Model Rule 1.6, and financial privacy laws like the Gramm-Leach-Bliley Act. These rules require “reasonable safeguards” against incidental disclosure, and regulators have fined offices for layouts that let visitors overhear or see protected information. The consequences range from six-figure settlements with the HHS Office for Civil Rights to bar discipline, client lawsuits, and insurance denials.
According to a Steelcase global workplace study, 95% of workers say private space is important, yet only 41% say they have it, and open plans cut focused work time by an average of 32 minutes per day. That gap shows up even more sharply in client areas, where privacy is not a preference but a legal duty.
Here is what you will learn in this guide:
- 🏛️ How federal laws like HIPAA, GLBA, and FERPA shape office layout choices
- ⚖️ Why ABA confidentiality rules make open client areas risky for law firms
- 🧑‍⚕️ How medical, dental, and therapy practices can design compliant waiting and exam zones
- 📐 Which acoustic standards (ASTM E1130, STC ratings) prove “reasonable safeguards”
- 🧾 Named examples, scenario tables, and a full mistakes-to-avoid list for your next buildout
What “Open Concept” Really Means in a Client-Facing Office
Open concept is a design approach that removes interior walls, doors, and tall partitions to create shared, flexible space. In a client-facing office, it usually means a combined lobby, reception, waiting area, and sometimes staff workstations or meeting tables in one visually connected room. The appeal is collaboration, daylight, lower buildout cost, and a modern look that many clients associate with innovation.
The problem is that client work is not like internal staff work. When a client walks in, the office becomes a place where protected health information, privileged legal advice, or nonpublic financial data moves through the air and across screens. Open concepts make it easy for a second client, a delivery driver, or a cleaner to hear or see that information by accident. Federal regulators call this incidental disclosure, and they only allow it when the office has taken “reasonable safeguards” first.
The General Services Administration’s Workplace 2030 research shows that modern offices now blend open and enclosed zones, rarely using a single approach across the whole floorplate. That hybrid trend is driven by both privacy law and the rise of video calls, which need quiet, closed rooms.
Core components of a client area
A client area usually includes a greeting or reception point, a waiting zone, a private meeting room, a restroom, and a pathway to and from staff space. Each component carries its own privacy weight. The reception desk handles names, appointment reasons, and payment details, which the HHS sample HIPAA policies list as commonly overheard data.
Meeting rooms handle the deepest confidential content, so they need walls, doors, and sound control. Waiting zones sit in between, since clients there may see other clients, sign-in sheets, or screens. Skipping any one of these layers is where most open-concept plans fail the compliance test described in the FTC Safeguards Rule.
Why “openness” is not one-size-fits-all
Openness lives on a spectrum from fully enclosed private offices to bench seating with no barriers at all. Middle options include glass-walled rooms with blinds, acoustic phone booths, half-height partitions, and zoned furniture clusters. The WELL Building Standard recognizes this range and gives acoustic targets for each zone type.
For client areas, the honest answer is that a semi-open or hybrid layout usually wins. It keeps the daylight and modern feel while protecting the specific moments where confidentiality matters. A law firm that uses an open lounge for waiting but frosted-glass rooms for intake passes both the design test and the ABA Formal Opinion 477R reasonableness test.
Federal Laws That Govern Client Area Privacy
Federal law does not tell you where to put a wall, but it tells you what outcome the wall must achieve. The HIPAA Privacy Rule at 45 CFR 164.530(c) requires covered entities to have “appropriate administrative, technical, and physical safeguards” to protect the privacy of protected health information. The consequence of ignoring this rule is civil penalties of up to $68,928 per violation in 2025, as adjusted by the HHS penalty update.
A common misconception is that HIPAA bans all overheard conversations. It does not. The HHS incidental disclosures guidance allows brief, unavoidable overhearing if the office has reasonable safeguards like lowered voices, distance between waiting clients, and private rooms for detailed talks.
HIPAA and the Privacy Rule
HIPAA applies to covered entities such as doctors, dentists, therapists, pharmacies, and their business associates. In plain English, it says you must protect patient information in any form, including spoken words at a front desk. The consequence of a layout failure is an OCR investigation, a corrective action plan, and sometimes a public resolution agreement listed on the OCR enforcement page.
A real-world example is the Providence Health settlement line of cases, where poor physical safeguards contributed to sanctions. A common misconception is that a sign reading “please wait behind the line” is enough; OCR has found that signs without physical distance or sound barriers still lead to violations.
Gramm-Leach-Bliley Act and the FTC Safeguards Rule
GLBA applies to banks, credit unions, mortgage brokers, investment advisers, tax preparers, and similar financial institutions. The FTC Safeguards Rule requires a written information security program, and physical security of client data is a listed element. The consequence of a lapse is an FTC enforcement action and, in many states, a parallel attorney general claim.
A plain example is a CPA office where the reception printer sits in the open lobby and spits out 1099 forms with Social Security numbers. The mistake looks small, but a single client photo of another client’s SSN can trigger a breach notification under the FTC breach notification amendment.
FERPA, ADA, and Other Overlapping Rules
The Family Educational Rights and Privacy Act protects student records, which matters for school counselors, college advisors, and tutoring firms. The Americans with Disabilities Act sets minimum clearances, counter heights, and route widths, so an open plan must still give a wheelchair user a 36-inch path and a 36-inch-high accessible counter section.
OSHA general duty clause obligations add a workplace safety layer, since open lobbies can expose staff to violent visitors without a barrier. Ignoring ADA or OSHA does not just hurt clients; it invites private lawsuits and DOJ consent decrees like those on the ADA enforcement page.
State Law Nuances That Change the Analysis
State privacy laws often go further than federal ones, and they reach offices that HIPAA and GLBA miss. The California Consumer Privacy Act, as amended by the CPRA, covers many businesses that collect personal information from California residents. It requires “reasonable security” and gives consumers a private right of action when a breach flows from a failure of that duty.
The New York SHIELD Act applies to any business holding private information of New York residents and lists physical safeguards as a required element. Illinois adds the Biometric Information Privacy Act, which can reach fingerprint check-in kiosks placed in open lobbies. Texas, Virginia, Colorado, Connecticut, and Utah now have comprehensive privacy statutes tracked by the IAPP state privacy tracker.
A common misconception is that a small office in a low-population state is safe from these laws. In reality, any office with a website that accepts a California or New York resident’s information can be pulled into those states’ rules, and the layout of the physical intake area becomes part of the “reasonable security” review.
Industry-by-Industry: Where Open Concepts Fit and Fail
Different client industries face different privacy risks, so the right mix of open and closed space changes by sector. A marketing consultancy and a psychiatric practice cannot use the same floorplan. The table below frames three common scenarios and their likely consequences.
Scenario Tables
| Layout Choice | Likely Regulatory Outcome |
|---|---|
| A pediatric clinic uses an open reception with no glass and staff call patient names plus diagnoses aloud | HIPAA complaint, OCR corrective action, possible civil monetary penalty under 45 CFR 160.404 |
| A boutique law firm holds client intake at an open café table near the elevator lobby | Risk of waiver of attorney-client privilege under case law summarized in ABA Formal Opinion 477R |
| A financial advisor prints account statements to a shared printer in an open client lounge | FTC Safeguards Rule violation and state breach notice under laws like the SHIELD Act |

| Design Tactic | Privacy Result |
|---|---|
| Frosted glass meeting rooms with solid-core doors and STC 40+ walls | Meets WELL acoustic targets from the WELL Sound concept and supports HIPAA reasonableness |
| Sound-masking white noise system across open waiting area | Reduces intelligibility to the ASTM E1130 “normal privacy” range described in the ASTM E1130 standard |
| Privacy filters on every client-facing monitor plus auto-lock at 5 minutes | Lowers shoulder-surfing risk flagged in NIST SP 800-53 PE-5 |

| Client Type | Minimum Enclosed Space Needed |
|---|---|
| Therapy or counseling practice | Fully enclosed session rooms with STC 50+ walls per APA practice guidance |
| Estate planning attorney | Enclosed meeting room with door for signing and witnessing per state UPC adoption |
| Wealth management advisor | Enclosed office for account reviews per SEC Regulation S-P amendments |
Law firms and attorney-client privilege
Law firms carry a duty of confidentiality under ABA Model Rule 1.6 that is broader than attorney-client privilege. Every state has adopted a version of this rule, and most follow the ABA’s “reasonable efforts” framework. An open concept client area that lets visitors hear intake questions can strip the privilege from the conversation and open the firm to malpractice claims.
A concrete example is Maria Chen, a solo immigration lawyer in Santa Clara, who meets clients in a shared coworking café. When a second visitor overheard a client’s undocumented status, the client refused to pay and filed a bar complaint. The State Bar of California’s Rule 1.6 analysis turned on whether Maria took reasonable physical steps, and the open café cost her a private admonishment.
Medical, dental, and mental health practices
Healthcare practices face the strictest layout scrutiny because HIPAA regulators inspect waiting rooms, check-in counters, and exam-room doors. A common failure is a sign-in sheet listing full names and reasons for the visit in an open lobby. The OCR guidance on sign-in sheets allows names but not conditions or reasons.
Dr. Daniel Okafor, a family dentist in Columbus, redesigned his open reception after a patient complained about overheard billing talk. He added a half-height partition, a sound-masking device from the Cambridge Sound directory, and a dedicated billing alcove. His next OCR-style audit by his cyber insurer passed without findings.
Financial advisors, CPAs, and tax preparers
Financial professionals must meet both the SEC Regulation S-P amendments and the FTC Safeguards Rule. Open concept client lounges are popular in modern RIA offices, but every review meeting should happen in an enclosed room. Printing, scanning, and faxing must live behind a door, not on the lobby credenza.
Priya Shah, a CPA in Austin, converted her open bullpen to a hybrid layout with two glass meeting rooms and a locked print room. She cited the AICPA Statement on Standards for Tax Services confidentiality standard in her written information security plan, which her cyber insurer required for renewal.
Real estate, insurance, and general professional services
Real estate brokerages often use open bullpens, which is fine for internal work but not for client signings. Insurance agencies collect Social Security numbers, driver’s license images, and medical questionnaires that trigger state privacy laws. A general consultancy may have lighter duties, but client NDAs still require reasonable physical protection.
The right move is to give every client interaction a dedicated room option, even if the main floor stays open. This approach mirrors the BOMA office space classification guide, which increasingly treats private rooms as a core amenity rather than a luxury.
Acoustic and Visual Privacy Standards You Can Cite
Designers and lawyers speak different languages, so shared standards help. The ASTM E1130 standard measures speech privacy using an Articulation Index, with values under 0.20 meaning “normal” privacy and under 0.05 meaning “confidential.” The ASTM E336 standard measures field sound transmission between rooms.
Sound Transmission Class, or STC, rates wall assemblies in a lab. A typical drywall office partition rates STC 35, which blocks normal speech but not loud speech. Confidential rooms need STC 45 to 50, which the USG wall selector catalogs. Doors are usually the weak link, so a solid-core door with gasketing matters as much as the wall.
Visual privacy standards come from NIST SP 800-53 and the HHS physical safeguards guidance. Together they support practices like angled monitors, privacy filters, clean-desk policies, and locked storage for paper files.
Named Examples of Hybrid Client Areas That Work
The strongest designs mix open and enclosed space in a way that matches the client journey. Below are three named examples drawn from how firms solve the same problem differently.
James Rivera, a managing partner at a 40-lawyer firm in Denver, replaced a wood-paneled lobby with a daylit open lounge, then placed six glass-walled meeting rooms along the perimeter. Each room has a solid-core door, STC 45 walls, and a Logitech privacy-filter monitor for screen-sharing. The firm kept the modern feel and passed its cyber insurer’s physical inspection.
Aisha Patel, owner of a five-chair dental practice in Miami, kept an open check-in counter but added a second “privacy window” set back six feet for billing and insurance talks. Her sign-in process uses a tablet from the Weave platform so no names appear on paper. Her HIPAA risk assessment, done annually per 45 CFR 164.308(a)(1)(ii)(A), scored the layout as low risk.
Marcus Lee, a wealth advisor in Seattle, uses an open client café for coffee and onboarding paperwork that contains no account data, then moves every review meeting to a glass-fronted office with blinds. He documented the layout in his written information security program required by the FTC Safeguards Rule and by his state’s investment adviser rules.
Mistakes to Avoid in Open Client Areas
Most layout failures come from a handful of repeat mistakes. Each one has a direct negative outcome that you can avoid with a small design change.
- Letting the reception desk face an open lobby with no sound barrier, which allows overheard intake and triggers HIPAA or GLBA complaints.
- Placing shared printers, fax machines, or scanners in client-visible areas, which exposes other clients’ data and can trigger state breach notices.
- Using sign-in sheets that show prior visitors’ names or reasons, which the OCR sign-in guidance flags as a violation risk.
- Skipping monitor privacy filters on client-facing screens, which invites shoulder surfing flagged by NIST SP 800-53 PE-5.
- Relying on half-height partitions alone, which block sight but not sound and fail ASTM E1130 confidential-privacy thresholds.
- Forgetting door gasketing and undercuts, which let speech leak from an “enclosed” room and drop its effective STC by 10 points or more.
- Using glass walls without acoustic laminate or blinds, which looks modern but creates a fishbowl that can waive privilege for lawyers.
- Ignoring ADA clearances when adding partitions, which triggers private suits under ADA Title III.
- Skipping written policies to match the physical layout, which makes even a good design fail the FTC Safeguards Rule documentation test.
- Training staff to speak normally in an open area, which turns a design choice into a daily compliance breach.
Do’s and Don’ts for Client Area Layout
Do’s
- Do run a written privacy risk assessment before you design, because the HHS security risk assessment tool ties design choices to legal duties.
- Do give every client interaction an enclosed-room option, because privilege and HIPAA “reasonable safeguards” depend on it.
- Do use sound masking in any open waiting area, because it lowers speech intelligibility to the ASTM E1130 confidential range.
- Do pick solid-core doors with gasketing, because the door is usually the weakest link in an enclosed room.
- Do train staff on the layout, because a compliant space with noncompliant habits still fails an audit.
Don’ts
- Don’t place reception within earshot of seated clients, because intake questions are the most common overheard data.
- Don’t let client-facing monitors face the lobby, because shoulder surfing is a documented breach vector.
- Don’t use fabric panels alone to define “private” rooms, because fabric rarely reaches STC 40.
- Don’t keep paper files on open credenzas, because clean-desk failures show up in every OCR audit protocol.
- Don’t rely on verbal warnings to other clients to stop listening, because regulators expect physical safeguards, not social ones.
Pros and Cons of Open Concept Client Areas
Pros
- Daylight and modern feel boost client perception of the brand, which marketing studies from Gensler’s Workplace Survey support.
- Lower buildout cost per square foot, because fewer walls and doors cut construction spending.
- Flexibility for future reconfiguration, which matters as hybrid work shifts space needs.
- Better staff visibility for supervision and mentoring, which the Harvard Business Review on open offices notes as a real benefit.
- Faster client flow in low-sensitivity service businesses, like brand consultancies or design studios.
Cons
- Privacy risk across HIPAA, GLBA, FERPA, and state laws, which can trigger fines and lawsuits.
- Attorney-client privilege waiver risk for law firms under ABA Rule 1.6.
- Lower focused-work time, which the Steelcase study pegs at 32 minutes per day.
- Higher noise complaints from both clients and staff, which raise turnover.
- Harder cyber-insurance underwriting, because insurers now ask for physical controls under forms like the Travelers CyberRisk application.
Processes and Forms: Designing Your Client Area Step by Step
A compliant client area is built through a repeatable process, not a single design meeting. The steps below follow the sequence most architects and compliance officers use together.
Step one is the privacy risk assessment, required by 45 CFR 164.308(a)(1)(ii)(A) for HIPAA covered entities and by the FTC Safeguards Rule for financial institutions. Step two is the program document, which lists each client touchpoint, the data involved, and the physical control chosen for it. Step three is the schematic design review, where the architect marks each room with its target STC rating and sound-masking plan.
Step four is construction administration, where the general contractor confirms wall assemblies, door gasketing, and ceiling tile ratings match the specification. Step five is post-occupancy testing, which can include an ASTM E336 field test and a walk-through with a HIPAA privacy officer. Step six is staff training, because even the best space fails without scripts for front-desk staff and a clean-desk policy.
Step seven is annual review, since layouts change through furniture moves, new hires, and new services. The OCR audit protocol and the FTC Safeguards Rule both expect ongoing, documented review rather than a one-time design.
Key Entities You Should Know
Several agencies, organizations, and concepts shape whether an open client area passes muster. The HHS Office for Civil Rights enforces HIPAA and publishes resolution agreements that double as design lessons. The Federal Trade Commission enforces the Safeguards Rule and the FTC Act’s unfairness authority.
The Securities and Exchange Commission sets Regulation S-P for advisers and broker-dealers, while FINRA layers on broker-dealer privacy expectations. State attorneys general, especially the California Privacy Protection Agency, run parallel enforcement. On the design side, ASTM International sets acoustic test standards, the International WELL Building Institute sets sound and air quality goals, and the U.S. Access Board sets ADA design standards.
Professional bodies include the American Bar Association, the American Medical Association, the American Institute of CPAs, and the American Psychological Association. Each publishes practice guidance that courts use to define “reasonable” in privacy disputes.
Recap of Relevant Rulings and Enforcement Actions
Enforcement patterns, more than any single case, show what open-concept failures cost. The OCR enforcement highlights page lists settlements where physical safeguard failures contributed to penalties, including cases involving unsecured paper records and overheard conversations.
The FTC’s CafePress action and similar cases show that the Safeguards Rule applies to physical and procedural failures, not just cyber ones. State enforcement under the CCPA enforcement page shows regulators expect “reasonable security” in physical spaces too.
On the legal-ethics side, bar opinions from states like New York State Bar Ethics Opinion 842 and California Formal Opinion 2010-179 confirm that reasonable physical measures are part of a lawyer’s confidentiality duty. The trend is clear across sectors: regulators and courts treat layout as a compliance artifact, not a decorating choice.
FAQs
Does HIPAA ban open concept waiting rooms?
No. HIPAA does not ban any specific layout, but it requires reasonable safeguards like sound masking, distance, and private rooms for detailed talks, so a pure open concept without these features fails.
Is a glass-walled meeting room HIPAA compliant?
Yes. Glass walls can be compliant if the glass is acoustically rated, the door is solid-core with gasketing, blinds or frosting block visual privacy, and the room meets at least STC 45.
Can law firms use coworking open spaces for client intake?
No. Most state bar opinions require reasonable physical safeguards, so intake in an open coworking café risks waiving privilege and violating ABA Model Rule 1.6 duties of confidentiality.
Do small offices under 10 employees have to worry about this?
Yes. HIPAA, GLBA, and most state privacy laws apply regardless of headcount, so a one-dentist practice or a solo advisor carries the same layout duties as a large firm.
Is sound masking enough on its own?
No. Sound masking helps in waiting areas but cannot substitute for enclosed rooms during detailed client talks, since ASTM E1130 confidential privacy usually needs walls plus masking.
Are open reception desks ever acceptable?
Yes. An open reception can be acceptable if staff use lowered voices, clients stand at a set distance, screens face away from the lobby, and detailed talks move to a private room.
Does the ADA allow private meeting rooms?
Yes. The ADA allows private rooms and even encourages them for confidential interviews, as long as routes, doorway widths, and counter heights meet the 2010 ADA Standards for Accessible Design.
Can I rely on an NDA instead of physical walls?
No. An NDA binds the parties who sign it but does nothing to stop third-party overhearing, and regulators expect physical safeguards regardless of contract terms.
Does cyber insurance care about office layout?
Yes. Cyber underwriters now ask about physical controls like locked print rooms, privacy filters, and enclosed meeting rooms, and they can deny claims tied to preventable physical failures.
Is open concept cheaper over the life of the office?
No. Initial buildout is cheaper, but higher noise complaints, lower focus time, and regulatory risk often make hybrid layouts cheaper over a typical ten-year lease.
Do state privacy laws like CCPA affect physical layout?
Yes. The CCPA and similar laws require “reasonable security,” which regulators read to include physical safeguards, so layout failures can support a private action after a breach.
Should therapy practices ever use open client areas?
No. Therapy sessions need fully enclosed rooms with STC 50+ walls, and even waiting areas should be designed so clients cannot see or hear other clients’ arrivals.