Device and Media Controls 45 CFR 164.310(d)

Device and Media Controls govern the receipt, removal, movement, disposal, and re-use of any hardware or electronic media that contains ePHI - the standard that catches lost laptops, retired servers, and improperly wiped drives.

CMMC-AB RPO #1449 · BBB A+ Since 2003 · Healthcare Compliance Specialists
Regulation

What the regulation requires

45 CFR 164.310(d)(1) Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Two of the four implementation specifications are required (Disposal, Media Re-use); two are addressable (Accountability, Data Backup and Storage). Lost-device incidents are the most-cited Device and Media Controls finding in OCR enforcement.

Implementation specifications

Required

Disposal

Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. (164.310(d)(2)(i))

Required

Media Re-use

Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. (164.310(d)(2)(ii))

Addressable

Accountability

Maintain a record of the movements of hardware and electronic media and any person responsible therefore. (164.310(d)(2)(iii))

Addressable

Data Backup and Storage

Create a retrievable, exact copy of ePHI, when needed, before movement of equipment. (164.310(d)(2)(iv))

Implementation

How Petronella implements this safeguard

Every Petronella HIPAA engagement maps 45 CFR 164.310(d)(1) to documented evidence in your environment. This is what that looks like in practice for the device and media controls standard:

  • Hardware inventory with chain-of-custody for every device that ever touched ePHI - laptops, servers, printers, copiers, scanners, mobile devices.
  • NIST SP 800-88 Revision 1 media sanitization (clear, purge, destroy) with certificates of destruction filed in ComplianceArmor.
  • Pre-disposal data backup procedure that captures ePHI before equipment leaves the facility.
  • Mobile device management with remote wipe and a documented policy for lost-device response (immediate revocation, forensic review, breach analysis under 164.402).

Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.
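The four implementation specifications above translate into checks that can be run over a device ledger. The script below is an added example, not Petronella's or ComplianceArmor's tooling; the event names, field names and the sample rows are constructed assumptions, and it audits a chain-of-custody ledger for a missing responsible person, a disposal or re-use without NIST SP 800-88 sanitization, movement without a prior backup, and a lost device with no evidence of encryption.

```python
# Added example, not Petronella's or ComplianceArmor's tooling: audit a
# device/media ledger against the 164.310(d)(2) implementation specs.
# Event names, field names and the sample rows are constructed assumptions.

SANITIZE_METHODS = {"clear", "purge", "destroy"}   # NIST SP 800-88 Rev. 1 categories
LEAVES_FACILITY = {"moved_out", "disposed", "reused"}

# Constructed sample ledger, oldest event first, one row per custody event.
LEDGER = [
    {"device": "LT-0041", "kind": "laptop", "event": "received", "by": "j.doe"},
    {"device": "LT-0041", "kind": "laptop", "event": "backup", "by": "j.doe"},
    {"device": "LT-0041", "kind": "laptop", "event": "disposed", "by": "j.doe",
     "sanitize": "purge", "cert": "COD-0001"},
    {"device": "CP-0007", "kind": "copier", "event": "received", "by": "a.lee"},
    {"device": "CP-0007", "kind": "copier", "event": "disposed", "by": "a.lee"},
    {"device": "PH-0113", "kind": "phone", "event": "lost", "by": "",
     "encrypted": False},
]

def audit(ledger):
    """Return (device, spec, message) findings; an empty list means clean."""
    findings = []
    backed_up = set()                      # devices with a backup on record
    for row in ledger:
        dev, ev = row["device"], row["event"]
        # Accountability (d)(2)(iii): every movement names a responsible person.
        if not row.get("by"):
            findings.append((dev, "accountability", f"{ev} has no responsible person"))
        if ev == "backup":
            backed_up.add(dev)
            continue
        # Data Backup and Storage (d)(2)(iv): copy ePHI before equipment moves.
        if ev in LEAVES_FACILITY and dev not in backed_up:
            findings.append((dev, "backup", f"{ev} without prior retrievable backup"))
        # Disposal (d)(2)(i) and Media Re-use (d)(2)(ii): sanitize first.
        if ev in ("disposed", "reused"):
            spec = "disposal" if ev == "disposed" else "media_reuse"
            if row.get("sanitize") not in SANITIZE_METHODS:
                findings.append((dev, spec, "no NIST 800-88 sanitization recorded"))
            if ev == "disposed" and not row.get("cert"):
                findings.append((dev, spec, "no certificate of destruction filed"))
        # Lost device: without proof of encryption the loss is a presumed breach.
        if ev == "lost" and not row.get("encrypted"):
            findings.append((dev, "lost_device", "encryption at time of loss not evidenced"))
    return findings

if __name__ == "__main__":
    for dev, spec, msg in audit(LEDGER):
        print(f"{dev:8} {spec:15} {msg}")
```

On the sample ledger the laptop passes cleanly, while the copier and the phone reproduce the gaps listed under Common Findings below.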

Common Findings

Where most practices fall short

OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR 164.310(d)(1). We surface these before they become a finding.

  • Old hard drives and copiers sold or donated without sanitization (cited in the $1.2 million Affinity Health Plan settlement and the $750,000 Cancer Care Group settlement).
  • Inventory does not include printers and copiers, which often store thousands of patient images.
  • Mobile device lost or stolen, and the practice cannot prove encryption was on at the time - turning the loss into a presumed breach.
  • BYOD devices retired without removal of ePHI - employees keep them or sell them.

Related

Related HIPAA safeguards

Device and Media Controls interacts with several other Security Rule standards. Cover them together for a defensible program.

Need help with Device and Media Controls?

Penny answers before the third ring, asks 3 qualifying questions, then books your free 15. Or jump straight to the platform that runs your HIPAA program.
