HIPAA Device and Media Controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
45 CFR § 164.310(d)(1)
What the safeguard requires
The HIPAA Device and Media Controls standard is defined at 45 CFR § 164.310(d)(1) of the HIPAA Security Rule. It is one of the core standards that every covered entity and business associate must address in a documented, defensible way. Petronella Technology Group interprets the requirement below exactly as written in the rule, without paraphrasing past what the regulation actually says.
Disposal (Required)
Implement policies and procedures to address the final disposition of ePHI, and the hardware or electronic media on which it is stored.
Media Re-use (Required)
Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
Accountability (Addressable)
Maintain a record of the movements of hardware and electronic media and any person responsible.
Data Backup and Storage (Addressable)
Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
Why it matters
Lost laptops, unwiped copiers, and tossed-out hard drives are a consistent category on the HHS breach list. A single unencrypted laptop with 10,000 records walks out of a clinic and becomes a seven-figure enforcement case. Device and media controls are cheap and high-impact.
Enforcement context is important. The Office for Civil Rights (OCR) publishes settlement agreements that cite exactly which Security Rule standards were violated. Repeat findings in recent years include missing or stale risk analyses, insufficient access controls, unencrypted devices, and weak workforce training. Treating each safeguard -- including this one -- as a living program rather than a one-time checkbox is the defensible posture.
How Petronella Technology Group implements it
Petronella Technology Group has supported HIPAA compliance programs since 2002. Our team -- led by Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) and staffed with CMMC-RP certified engineers -- applies the same rigor to HIPAA Security Rule safeguards that we apply to defense-industrial-base compliance. The practical implementation usually looks like this:
Full-disk encryption everywhere
BitLocker or FileVault on every laptop, with MDM-enforced policy. Encryption converts most loss events into non-reportable safe-harbor cases under HITECH.
Certified data destruction
We coordinate NIST SP 800-88 compliant wipes or physical destruction with certificates of destruction retained as evidence.
Asset inventory and chain of custody
Every laptop, tablet, phone, USB drive, copier hard drive, and backup tape is tracked from purchase to destruction.
Removable-media controls
Endpoint policy either blocks USB storage outright or forces any USB storage that is allowed to be encrypted.
Copier and MFP management
Multifunction printers store images on internal drives -- lease returns get wiped or destroyed with documentation.
Common pitfalls
These are the gaps we see most often when taking over a HIPAA environment from another provider or during initial risk-analysis engagements. Each one is a documented OCR finding in at least one public settlement:
- Laptops with no encryption -- the most expensive mistake in HIPAA enforcement history.
- Copiers returned at lease end with patient images still on the drive.
- Old servers sent to 'recycling' without a certificate of destruction.
- No chain of custody -- you cannot prove a missing laptop was wiped or was encrypted at time of loss.
- USB sticks 'borrowed' for convenience and never returned.
Compliance evidence and documentation
HIPAA compliance is ultimately a documentation exercise. OCR investigators ask for evidence, not explanations. For this safeguard, the artifacts auditors typically expect include:
- Asset inventory with encryption status
- Certificates of destruction
- Media movement log
- Encryption policy and MDM configuration
- Disposal policy aligned with NIST SP 800-88
All documentation must be retained for six years from creation or last effective date under 45 CFR § 164.316(b)(2).
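The chain-of-custody and evidence items above (asset inventory with encryption status, media movement log, certificates of destruction) lend themselves to an automated self-check before an auditor asks for them. The following is an added example, not Petronella Technology Group's tooling; the `Asset` record layout and the sample inventory are constructed assumptions, and the checks mirror the pitfalls this page lists (unencrypted loss, disposal with no certificate, missing or broken custody record).

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    kind: str                    # laptop, copier, usb, tape, server (assumed vocabulary)
    encrypted: bool              # full-disk encryption confirmed, e.g. by MDM report
    status: str                  # in_service | lost | disposed
    destruction_cert: str = ""   # certificate-of-destruction id, required once disposed
    movements: list = field(default_factory=list)  # (date, from, to, responsible person)

def check_custody(asset):
    """Return a list of findings for one asset; an empty list means no gap."""
    findings = []
    if not asset.movements:
        findings.append("no movement record (Accountability not met)")
    prev_to = None
    for date, src, dst, custodian in asset.movements:
        # each move must start where the previous one ended
        if prev_to is not None and src != prev_to:
            findings.append(f"custody gap on {date}: left {prev_to}, reappears from {src}")
        if not custodian:
            findings.append(f"movement on {date} names no responsible person")
        prev_to = dst
    if asset.status == "lost" and not asset.encrypted:
        findings.append("lost while unencrypted: no safe harbor, presumptively reportable")
    if asset.status == "disposed" and not asset.destruction_cert:
        findings.append("disposed without certificate of destruction")
    return findings

def audit(assets):
    """Map asset_id -> findings for every asset that has at least one finding."""
    return {a.asset_id: f for a in assets if (f := check_custody(a))}

# Constructed sample inventory; every value below is made up for illustration.
SAMPLE = [
    Asset("LT-001", "laptop", True, "lost", movements=[
        ("2024-01-10", "vendor", "IT stock", "J. Doe"),
        ("2024-02-01", "IT stock", "Dr. Lee", "Dr. Lee")]),
    Asset("LT-002", "laptop", False, "lost", movements=[
        ("2024-01-10", "vendor", "IT stock", "J. Doe"),
        ("2024-03-05", "Dr. Lee", "home", "Dr. Lee")]),   # never logged leaving IT stock
    Asset("MFP-07", "copier", False, "disposed", movements=[
        ("2021-06-01", "vendor", "Clinic A", "Facilities"),
        ("2024-06-01", "Clinic A", "lease return", "Facilities")]),
    Asset("USB-3", "usb", True, "in_service"),            # no custody record at all
    Asset("SRV-1", "server", True, "disposed", destruction_cert="CoD-2024-118", movements=[
        ("2019-04-02", "vendor", "server room", "IT"),
        ("2024-04-02", "server room", "destruction vendor", "IT")]),
]

if __name__ == "__main__":
    for asset_id, findings in audit(SAMPLE).items():
        print(asset_id, findings)
```

Assets with an empty finding list (LT-001, an encrypted loss with an unbroken custody trail; SRV-1, destroyed with a certificate on file) are the ones you can defend to OCR; each finding on the others maps to a specific artifact that is missing.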
Related HIPAA Security Rule controls
This safeguard works alongside several other standards. In a well-run program they reinforce each other; gaps in one almost always surface as findings in the others:
Frequently asked questions
Is encryption required by HIPAA?
How should we dispose of old hard drives?
Do copiers and printers need to be considered?
What about personal devices that touch ePHI?
Need help with this HIPAA safeguard?
Petronella Technology Group has helped practices, hospitals, health-tech companies, and business associates implement HIPAA Security Rule safeguards since 2002. BBB A+ accredited, headquartered at 5540 Centerview Dr in Raleigh, NC. Talk with our team about a documented risk analysis, Virtual CISO engagement, or targeted remediation.