
HIPAA - Device and Media Controls 164.310(d)(1)

Overview:
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.


Action Items:
1) Obtain and review the policies and procedures related to device and media controls. Evaluate the content in relation to the specified performance criteria for the proper handling of electronic media that contain ePHI. Elements to review may include but are not limited to:
   - How the types of hardware and electronic media that must be tracked (both entity owned and personally owned) are identified
   - The process of tracking all types of hardware and electronic media that contain ePHI
   - Workforce members’ roles and responsibilities in the device and media control process
   - Authorization process for the receipt and removal of hardware and electronic media that store ePHI
   - How the release of hardware, software, and ePHI data out of entity control is managed and documented
2) Obtain and review documentation demonstrating the movement of hardware and electronic media containing ePHI into, out of and within the facility. Evaluate and determine if movement of hardware and electronic media is being properly tracked, documented, and approved by appropriate personnel.
3) Obtain documentation demonstrating the type of security controls implemented for movements of workforce members’ assigned hardware and electronic media that contain ePHI into, out of, and within the facility. Evaluate and determine if security controls are appropriate, properly implemented, and minimize possible vulnerabilities.


Related Documents:
1) Policies and procedures related to device and media controls.
2) Documentation demonstrating the movement of hardware and electronic media containing ePHI into, out of and within the facility.
3) Documentation demonstrating the type of security controls implemented for movements of workforce members’ assigned hardware and electronic media that contain ePHI into, out of, and within the facility.


Additional Guidance:
As referenced here, the term “electronic media” means “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability.


Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within the facility?
- Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
- Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks or digital memory cards?