Device and Media Controls

The HIPAA Device and Media Controls requirement means you must have written procedures, actually followed in practice, that control how devices and electronic media containing ePHI are received, moved within your facilities, and removed or disposed of. Operationalize it by building an end-to-end chain of custody: inventory, authorization, secure transport, sanitization, and auditable records. (45 CFR Parts 160, 162, 164)

Key takeaways:

  • You need facility-level rules for ePHI-bearing hardware/media movement, not just IT asset management. (45 CFR Parts 160, 162, 164)
  • Auditors look for chain-of-custody evidence: who moved what, when, why, and how it stayed protected. (45 CFR Parts 160, 162, 164)
  • Disposal and reuse are where programs fail; tie media sanitization to decommission workflows and third-party handling. (45 CFR Parts 160, 162, 164)

“Device and media controls” is easy to mis-scope as “we encrypt laptops.” The actual requirement is broader and more operational: you need policies and procedures governing the receipt, internal movement, and removal of hardware and electronic media that contain ePHI, across facilities and controlled spaces. That includes laptops, desktops, servers, removable drives, backup media, mobile devices, network appliances with storage, medical devices with local memory, and even “temporary” media created during repairs or migrations. (45 CFR Parts 160, 162, 164)

For a Compliance Officer, the fastest way to make this real is to treat it like a custody problem, not a technology problem. Map each lifecycle event where ePHI-bearing assets enter, move, leave, get repurposed, or get destroyed. Then put gates in front of those events: authorization, tracking, secure handling, and proof. Your program succeeds if you can answer, on demand, “Where is the device/media now, who last had it, and what did we do to protect the ePHI when it moved or exited?” (45 CFR Parts 160, 162, 164)

Regulatory text

Requirement (operator meaning): You must “implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.” (45 CFR Parts 160, 162, 164)

What an operator must do: Document and enforce a controlled process for (1) bringing ePHI-capable devices/media into controlled spaces, (2) moving them between rooms, departments, or sites, and (3) removing them for repair, redeployment, return, disposal, or destruction, with protections appropriate to the risk and with records that demonstrate the process is followed. (45 CFR Parts 160, 162, 164)

Plain-English interpretation

If hardware or electronic media can store ePHI, you need rules for how it is handled physically. That means:

  • Receipt: How the device/media is accepted, tagged, inventoried, and approved before it is put into service or brought into sensitive areas. (45 CFR Parts 160, 162, 164)
  • Movement within a facility: How it is transported between offices, floors, clinics, data closets, or secure rooms, including temporary staging. (45 CFR Parts 160, 162, 164)
  • Removal from a facility: How it leaves your building or controlled spaces, including repairs, returns, third-party servicing, recycling, and destruction. (45 CFR Parts 160, 162, 164)

The compliance test is simple: can you show a repeatable chain of custody and demonstrate that ePHI was protected through the entire lifecycle? (45 CFR Parts 160, 162, 164)

Who it applies to

Entities: Covered Entities and Business Associates. (45 CFR Parts 160, 162, 164)

Operational contexts where this bites:

  • Hospitals/clinics: Biomedical devices, nursing station workstations, portable diagnostic equipment, “loaner” devices, and on-site/off-site repair cycles. (45 CFR Parts 160, 162, 164)
  • Health plans/call centers: End-user devices, shared workstations, printers with storage, and office moves. (45 CFR Parts 160, 162, 164)
  • Business associates (billing, IT, hosting, records): Data center equipment swaps, backup media handling, staff laptops, and subcontractor field work. (45 CFR Parts 160, 162, 164)
  • Hybrid environments: Cloud-first organizations still have endpoints, removable media, and occasionally on-prem appliances; the requirement remains. (45 CFR Parts 160, 162, 164)

What you actually need to do (step-by-step)

1) Define scope: what counts as “hardware and electronic media”

Build a scoping list that matches how your organization really operates. Include, at minimum:

  • End-user devices (laptops, desktops, tablets, phones) used to access or store ePHI. (45 CFR Parts 160, 162, 164)
  • Removable media (USB drives, external HDD/SSD, memory cards). (45 CFR Parts 160, 162, 164)
  • Data center gear with storage (servers, storage arrays, certain firewalls/load balancers with logs, hyperconverged nodes). (45 CFR Parts 160, 162, 164)
  • Medical/IoT devices that store patient data locally. (45 CFR Parts 160, 162, 164)
  • Backup media and export media (tapes, disk-based backups, encrypted archives). (45 CFR Parts 160, 162, 164)

Deliverable: a “covered asset classes” appendix to your policy that prevents endless debates in audits. (45 CFR Parts 160, 162, 164)

2) Write a Device & Media Controls policy that matches workflow reality

Your policy should be short enough to follow and specific enough to test. Include:

  • Roles and approvals: who can authorize receipt, relocation, off-site removal, and disposal. (45 CFR Parts 160, 162, 164)
  • Chain-of-custody expectations: tagging, sign-out/sign-in, and required ticketing. (45 CFR Parts 160, 162, 164)
  • Handling rules: secure containers, no unattended staging, locked rooms/cages, and after-hours rules. (45 CFR Parts 160, 162, 164)
  • Third-party handling: requirements for couriers, repair depots, recyclers, and subcontractors that may touch devices/media. (45 CFR Parts 160, 162, 164)

Practical drafting tip: write the policy around lifecycle events (receive, move, remove, sanitize, dispose) rather than around teams (IT, facilities, biomed). Auditors test events. (45 CFR Parts 160, 162, 164)

3) Implement inventory and custody tracking that an auditor can follow

You need an authoritative record for ePHI-capable assets, and it must support custody questions.

  • Assign asset IDs and labels for in-scope devices/media. (45 CFR Parts 160, 162, 164)
  • Maintain location and assignee/owner fields (person or department). (45 CFR Parts 160, 162, 164)
  • Require a work order/ticket for moves, repairs, and disposal, linked to the asset record. (45 CFR Parts 160, 162, 164)

If your CMDB is weak, start with a controlled register for high-risk classes (endpoints, removable media, servers, backup media) and expand. (45 CFR Parts 160, 162, 164)

4) Control “movement within the facility” like a real process

Write a simple internal movement SOP:

  • Requestor submits move request (ticket). (45 CFR Parts 160, 162, 164)
  • Approver validates business need and destination security. (45 CFR Parts 160, 162, 164)
  • Mover documents pickup, transport method, and drop-off. (45 CFR Parts 160, 162, 164)
  • Receiver confirms receipt and updates asset location. (45 CFR Parts 160, 162, 164)

Focus on high-risk locations: data closets, records rooms, nurse stations, and staging areas during renovations. “Temporary staging” is where devices disappear. (45 CFR Parts 160, 162, 164)

5) Control removal from the facility (repair, return, redeploy, dispose)

Create an “off-site removal gate”:

  • Confirm the asset is authorized to leave (ticket + approval). (45 CFR Parts 160, 162, 164)
  • Confirm protection state: encryption enabled, access controls applied, or ePHI removed/sanitized if appropriate. (45 CFR Parts 160, 162, 164)
  • Document transfer method: secured courier, tamper-evident packaging where appropriate, and named recipient. (45 CFR Parts 160, 162, 164)
  • Require return confirmation or destruction/sanitization confirmation. (45 CFR Parts 160, 162, 164)

For third parties (repair/recycler), bake these into contracting and onboarding. Daydream is often the easiest place to standardize this by attaching required “device handling” controls and evidence requests to the third party record, so procurement and IT stop reinventing checklists. (45 CFR Parts 160, 162, 164)

6) Tie sanitization and disposal to your decommission workflow

Device and Media Controls fails if disposal is informal.

  • Define which events require sanitization (redeploy, return, recycle, disposal). (45 CFR Parts 160, 162, 164)
  • Define acceptable sanitization proof (internal wipe logs, technician attestation, third-party certificate). (45 CFR Parts 160, 162, 164)
  • Require sign-off before an asset can be marked “retired.” (45 CFR Parts 160, 162, 164)

7) Train the people who physically move things

This is not just IT training.

  • Facilities, biomed, desktop support, storage/backup admins, and clinic managers all need task-based training: “If you move a device/media, you must open a ticket and record custody.” (45 CFR Parts 160, 162, 164)

Required evidence and artifacts to retain

Keep evidence that proves the policy is real and followed:

  • Device & Media Controls policy and SOPs for move/removal/disposal. (45 CFR Parts 160, 162, 164)
  • Asset inventory (in-scope classes) with owner and location history. (45 CFR Parts 160, 162, 164)
  • Tickets/work orders for moves, off-site removals, repairs, and retirements, mapped to asset IDs. (45 CFR Parts 160, 162, 164)
  • Chain-of-custody logs (sign-out/sign-in records, shipping receipts, recipient confirmation). (45 CFR Parts 160, 162, 164)
  • Sanitization/destruction evidence (wipe logs, technician attestations, third-party certificates). (45 CFR Parts 160, 162, 164)
  • Training records for staff involved in physical handling. (45 CFR Parts 160, 162, 164)
  • Third-party due diligence artifacts for repair/recycling/shredding providers that may handle ePHI-bearing media. (45 CFR Parts 160, 162, 164)

Common exam/audit questions and hangups

Expect questions like:

  • “Show me your written procedure for moving a device within the facility.” (45 CFR Parts 160, 162, 164)
  • “Pick a retired laptop. Prove it was sanitized or destroyed before it left.” (45 CFR Parts 160, 162, 164)
  • “How do you prevent unauthorized staff from removing devices from controlled areas?” (45 CFR Parts 160, 162, 164)
  • “Do biomedical devices store patient data locally? If yes, show how you track and dispose of them.” (45 CFR Parts 160, 162, 164)
  • “Which third parties handle your ePHI-bearing media, and what controls do you require of them?” (45 CFR Parts 160, 162, 164)

Hangup to plan for: teams often can describe the process verbally but cannot produce consistent records tying asset ID → ticket → custody → sanitization evidence. Fix the joins. (45 CFR Parts 160, 162, 164)
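The joins the hangup above describes can be checked mechanically before an auditor does it for you. The Python below is an added example, not code from this guide or from Daydream; the record layouts, field names and sample values are constructed assumptions about what an inventory, ticketing and evidence export might contain. It follows each retired or shipped asset through asset ID → ticket → custody → sanitization evidence and reports every break in the chain, including destruction evidence that cannot be tied back to an asset.

```python
# Added example (not from the guide): an evidence-join check an internal auditor can run
# over exported inventory, ticket, custody and sanitization records, following the chain
# asset ID -> ticket -> custody -> sanitization evidence. All records are constructed samples.

ASSETS = {  # asset ID -> inventory record; field names are assumptions, not a real CMDB schema
    "LT-1001": {"class": "laptop", "status": "retired"},           # complete chain
    "LT-1002": {"class": "laptop", "status": "retired"},           # no ticket, no evidence
    "SRV-0420": {"class": "server", "status": "off-site repair"},  # unapproved, unconfirmed shipment
    "USB-0077": {"class": "removable media", "status": "in service"},
}
TICKETS = [
    {"id": "T-501", "asset": "LT-1001", "event": "disposal", "approved_by": "it.manager"},
    {"id": "T-502", "asset": "SRV-0420", "event": "repair", "approved_by": None},
]
CUSTODY = [  # one custody record per ticket: who released it, to whom, and recipient confirmation
    {"ticket": "T-501", "released_by": "desktop.support", "recipient": "recycler-A", "confirmed": True},
    {"ticket": "T-502", "released_by": "dc.ops", "recipient": "vendor-depot", "confirmed": False},
]
SANITIZATION = [
    {"asset": "LT-1001", "method": "destruction", "evidence": "cert-2024-0919"},
    {"asset": None, "method": "destruction", "evidence": "generic-invoice-77"},  # generic, no asset ID
]


def audit_evidence_chain(assets, tickets, custody, sanitization):
    """Return (asset_id, problem) findings for assets whose evidence chain is broken."""
    findings = []
    tickets_by_asset = {}
    for t in tickets:
        tickets_by_asset.setdefault(t["asset"], []).append(t)
    custody_by_ticket = {c["ticket"]: c for c in custody}
    sanitized_assets = {s["asset"] for s in sanitization if s["asset"]}
    for asset_id, asset in assets.items():
        if asset["status"] not in ("retired", "off-site repair"):
            continue  # in-service assets need no removal evidence
        asset_tickets = tickets_by_asset.get(asset_id, [])
        if not asset_tickets:
            findings.append((asset_id, "no ticket for removal/retirement"))
        for t in asset_tickets:
            if not t["approved_by"]:
                findings.append((asset_id, f"ticket {t['id']} lacks approval"))
            record = custody_by_ticket.get(t["id"])
            if record is None:
                findings.append((asset_id, f"ticket {t['id']} has no custody record"))
            elif not record["confirmed"]:
                findings.append((asset_id, f"ticket {t['id']} missing recipient confirmation"))
        if asset["status"] == "retired" and asset_id not in sanitized_assets:
            findings.append((asset_id, "retired without asset-specific sanitization evidence"))
    # Destruction evidence that cannot be joined to an asset ID is weak evidence, not proof.
    for s in sanitization:
        if not s["asset"]:
            findings.append(("(unlinked)", f"evidence {s['evidence']} not tied to an asset ID"))
    return findings
```

Each finding is a record an auditor would ask for that you could not produce; `audit_evidence_chain(ASSETS, TICKETS, CUSTODY, SANITIZATION)` returns five findings for the constructed data and none for LT-1001, whose chain is complete.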

Frequent implementation mistakes (and how to avoid them)

  1. Treating this as “endpoint encryption” only.
    Avoidance: scope medical devices, backup media, and infrastructure gear with storage; document your scope decision. (45 CFR Parts 160, 162, 164)

  2. No control over internal moves.
    Avoidance: require tickets for office moves and closet cleanups; make facilities part of the workflow. (45 CFR Parts 160, 162, 164)

  3. Relying on a recycler’s invoice as proof of destruction.
    Avoidance: require sanitization/destruction attestations that identify assets or media, and link them to inventory records. (45 CFR Parts 160, 162, 164)

  4. Shadow removable media.
    Avoidance: restrict issuance, require encryption where applicable, and track assignment and return like keys. (45 CFR Parts 160, 162, 164)

  5. Third-party repair without custody controls.
    Avoidance: approved shipping methods, named recipients, and return confirmation; attach requirements to third-party onboarding in your GRC workflow. (45 CFR Parts 160, 162, 164)

Risk implications (what can go wrong)

This control area exists because physical loss is still a primary failure mode: devices walk out during renovations, “temporarily” stored equipment disappears, drives are sent for repair without sanitization, or media is discarded without proof. The impact is usually incident response, breach analysis obligations, operational disruption, and reputational harm. Your job is to make loss harder and proof easier. (45 CFR Parts 160, 162, 164)

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Assign an owner and working group (IT, security, facilities, biomed, compliance). (45 CFR Parts 160, 162, 164)
  • Publish a scoped asset class list for ePHI-bearing hardware/media. (45 CFR Parts 160, 162, 164)
  • Draft or refresh the Device & Media Controls policy and two SOPs: “internal move” and “off-site removal/disposal.” (45 CFR Parts 160, 162, 164)
  • Pick the system of record for inventory and for tickets; define required fields (asset ID, location, custodian, disposition evidence). (45 CFR Parts 160, 162, 164)

Next 60 days (implement gates and recordkeeping)

  • Enforce ticket-based approvals for moves and removals for the in-scope asset classes. (45 CFR Parts 160, 162, 164)
  • Implement custody logging for shipments and off-site repairs (who released, carrier, recipient, confirmation). (45 CFR Parts 160, 162, 164)
  • Stand up a disposal workflow that blocks “retired” status without sanitization/destruction evidence. (45 CFR Parts 160, 162, 164)
  • Update third-party onboarding requirements for recyclers/repair providers; add evidence requests and renewal tracking in Daydream if you use it. (45 CFR Parts 160, 162, 164)

Next 90 days (test, train, and audit-proof)

  • Train all roles that touch devices/media; make it task-based, not policy-recitation. (45 CFR Parts 160, 162, 164)
  • Run an internal audit: sample a set of moved and disposed assets; verify end-to-end evidence. (45 CFR Parts 160, 162, 164)
  • Fix gaps: missing asset IDs, inconsistent tickets, weak destruction proof, unmanaged biomed devices. (45 CFR Parts 160, 162, 164)
  • Establish ongoing monitoring: periodic sampling, exception handling, and executive reporting on findings and closures. (45 CFR Parts 160, 162, 164)

Frequently Asked Questions

Does this requirement apply if all ePHI is in the cloud?

Yes, because endpoints and local devices can still store or cache ePHI, and removable media can still be created. Your procedures should cover any hardware or electronic media that contains ePHI, regardless of where the system of record lives. (45 CFR Parts 160, 162, 164)

What counts as “movement within a facility”?

Any relocation inside your controlled spaces: office moves, moving devices between departments, transferring servers between racks, or staging equipment during renovations. If the item can contain ePHI, you need a governed process and records for the move. (45 CFR Parts 160, 162, 164)

Do I need chain-of-custody logs for every laptop?

You need evidence that your procedures govern receipt, movement, and removal; many teams implement custody logs for higher-risk events like off-site removal, repair shipments, and disposal. Define what events require logging and enforce it consistently. (45 CFR Parts 160, 162, 164)

How do we handle third-party repairs where the manufacturer requires that the device be shipped out?

Require approval before shipment, document the recipient and shipping method, and ensure ePHI protection through sanitization or other safeguards appropriate to the situation. Retain shipment and receipt records and link them to the asset record. (45 CFR Parts 160, 162, 164)

Can we rely on a third party’s “certificate of destruction”?

You can retain third-party destruction evidence, but make sure it is specific enough to tie back to your inventory and the exact media or device. If the certificate is generic, treat it as weak evidence and strengthen your acceptance criteria. (45 CFR Parts 160, 162, 164)

What is the minimum set of artifacts an auditor will ask for?

A written policy/SOP, an inventory of in-scope assets, and records showing controlled movement/removal plus sanitization or destruction for retired items. If those records connect cleanly (asset ID to ticket to evidence), audits move faster. (45 CFR Parts 160, 162, 164)
