Accountability
HIPAA’s Accountability requirement means you must keep a traceable record of where HIPAA-relevant hardware and electronic media go, and who is responsible for them at each handoff. Build an inventory plus chain-of-custody logging for moves, storage, reuse, and disposal so you can prove control over devices and media that may contain ePHI. (45 CFR Parts 160, 162, 164)
Key takeaways:
- Track movements and custody of hardware and electronic media that store or can store ePHI, including when third parties handle them.
- Make the record operational: triggers, owners, required fields, and reconciliation, not a static spreadsheet.
- Retain evidence that ties each movement to an accountable person, approval, and outcome (return, wipe, destruction, or secure storage).
“Accountability” under the HIPAA Security Rule is a practical, audit-friendly requirement: if a laptop, server drive, backup tape, removable media, or other electronic media moves, you need a record of the movement and the person responsible. The goal is simple: prevent loss, theft, and uncontrolled disposal of ePHI by making custody visible and provable. (45 CFR Parts 160, 162, 164)
For a Compliance Officer, CCO, or GRC lead, the fast path is to define scope (what counts as “hardware and electronic media” in your environment), implement a lightweight chain-of-custody process, and make it hard for IT and facilities workflows to bypass it. This control usually touches IT asset management, endpoint management, data destruction, third-party risk management, and HR offboarding.
Treat this as an operational control with evidence. Auditors rarely accept “we generally track assets” if you cannot show who had a device, when it moved, why it moved, and what happened to the data on it. The rest of this page gives you requirement-level steps, artifacts to retain, and common audit hangups so you can operationalize the accountability requirement quickly. (45 CFR Parts 160, 162, 164)
Regulatory text
Requirement: “Maintain a record of the movements of hardware and electronic media and any person responsible therefore.” (45 CFR Parts 160, 162, 164)
Operator interpretation (what you must do):
- Maintain a movement log for HIPAA-relevant hardware and electronic media.
- Each time an in-scope asset changes location, status, or custodian, record the movement event and the person responsible for the asset during that period.
- Ensure the record is retrievable and complete enough to support investigations, audits, and incident response. (45 CFR Parts 160, 162, 164)
This is part of the HIPAA Security Rule’s physical safeguards for device and media controls. You are expected to demonstrate control over devices and media that store or may store ePHI throughout their lifecycle. (45 CFR Parts 160, 162, 164)
Plain-English interpretation of the accountability requirement
You need to answer, quickly and with evidence:
- Where is the device/media now?
- Where has it been?
- Who had responsibility at each step?
- What happened to the data when it was transferred, reused, or retired? (45 CFR Parts 160, 162, 164)
This is not limited to “IT’s asset list.” The requirement is about movements (shipment, transfer, offsite storage, return-to-vendor, disposal, repair) and responsibility (custodian/owner at the time), including when third parties handle the asset.
Who it applies to
Entity scope: Covered Entities and Business Associates. (45 CFR Parts 160, 162, 164)
Operational scope (where it shows up):
- Endpoint fleets: laptops, desktops, tablets, phones used for work where ePHI may be accessed or stored.
- Datacenter and network gear: servers, storage arrays, firewalls, and components with persistent storage.
- Removable media: USB drives, external drives, SD cards.
- Backup and archival media: tapes or other media shipped offsite.
- Printer/copier/fax hard drives and multifunction devices that cache documents.
- Spare parts and failed components: removed drives awaiting destruction, RMA shipments, repair depot transfers.
- Third-party handling: ITAD (IT asset disposition), shredding/destruction, offsite storage, managed print, field service, cloud-managed hardware where you ship devices. (45 CFR Parts 160, 162, 164)
A common scoping decision: include any hardware/media that stores ePHI or could reasonably contain ePHI due to configuration or use. Document your rationale so you can defend it during an audit.
What you actually need to do (step-by-step)
1) Define “in-scope” assets and events
Create a short standard that answers:
- Asset types in scope (by category, not by brand).
- Movement events you will log, such as:
  - issued to workforce member
  - transferred between users/teams
  - moved between sites/rooms
  - shipped/received (including third parties)
  - sent for repair/RMA
  - placed in secure storage
  - retired for reuse, wipe, destruction, or resale
- Who can authorize movements (IT asset manager, security, facilities) and which events require approval. (45 CFR Parts 160, 162, 164)
Deliverable: “Device & Media Movement Logging Standard” (1–3 pages) mapped to your asset lifecycle.
2) Establish a system of record (and lock down “side logs”)
Pick one primary location where movement records live:
- IT asset management tool (preferred if it supports chain-of-custody fields),
- ticketing system with structured fields,
- a controlled register with access controls and change history. (45 CFR Parts 160, 162, 164)
Operational rule: if it is not in the system of record, it did not happen. Train IT, facilities, and the service desk to stop tracking moves in email threads.
3) Design the movement record (required fields)
Your log needs to tie asset + event + custodian + time + outcome. Use required fields such as:
- Asset identifier (asset tag, serial number)
- Asset type/category
- Movement type (issue/transfer/ship/repair/retire)
- From location / to location (or “user to user”)
- Date/time (or ticket created/closed time)
- Person responsible (custodian) and person authorizing (if different)
- Third party name (if handled externally)
- Shipping details (carrier + tracking number) when shipped
- Data handling outcome (encrypted in transit, wiped, destroyed, returned, stored)
- References (ticket number, RMA number, destruction certificate ID) (45 CFR Parts 160, 162, 164)
Keep it tight. Too many optional fields create half-empty logs that fail audits.
4) Build workflows that force logging at the trigger points
Add mandatory logging to:
- Onboarding/device issuance: custody assigned to a person.
- Offboarding: device return, inspection, wipe, and custody closure.
- Refresh cycles: batch transfers, storage staging, ITAD pickup.
- Break/fix: repair shipments and returns.
- Moves/adds/changes: office moves, clinic expansions, storage room transfers.
- Media handling: backup tape rotation, offsite vaulting, restoration returns. (45 CFR Parts 160, 162, 164)
Practical control: require a ticket for any movement event. The ticket becomes the evidence container.
5) Extend accountability to third parties
Where a third party transports, stores, repairs, or destroys hardware/media, ensure:
- The movement log captures the handoff and the third party receiving it.
- Contracts/SOWs require chain-of-custody support artifacts (e.g., pickup logs, serial-level manifests, destruction certificates).
- Your receiving process reconciles what left with what arrived or was destroyed. (45 CFR Parts 160, 162, 164)
If you use Daydream for third-party due diligence, set a standard intake: request the third party’s chain-of-custody procedure, sample manifests, and certificate formats during onboarding, then track renewal evidence alongside the engagement record.
6) Reconcile and review
Accountability fails when records drift from reality. Implement:
- Periodic reconciliation: compare inventory vs. movement log vs. endpoint management enrollments.
- Exception handling: missing devices, late returns, incomplete fields, untracked shipments.
- Corrective actions: retraining, process fixes, access restrictions, disciplinary pathways as appropriate. (45 CFR Parts 160, 162, 164)
Keep reconciliation evidence. Auditors often ask how you detect an unlogged movement.
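The record design in step 3, the reconciliation in step 6, and the "no closure step" failure later on this page can all be checked mechanically once the movement log is exported from the system of record. The following Python is an added example, not part of the original page or any product it mentions. It assumes a flat export where each movement event is a dictionary with the field names listed in step 3 (the exact names, the per-type extra fields, and the 14-day closure window are assumptions to adjust to your own standard), and it runs over a small constructed sample of inventory records, movement events, and endpoint-management enrollments.

```python
from datetime import datetime, timedelta

# Required fields. Assumption: these mirror the field list in the logging
# standard above; rename to match your own system of record.
BASE_FIELDS = {"asset_id", "asset_type", "movement_type", "from_location",
               "to_location", "timestamp", "custodian", "ticket"}
EXTRA_FIELDS = {                      # extra required fields by movement type
    "ship":   {"third_party", "carrier", "tracking_number"},
    "repair": {"third_party", "rma_number"},
    "retire": {"data_outcome"},
}
CLOSING_OUTCOMES = {"received", "returned", "wiped", "destroyed", "stored"}
NEEDS_CLOSURE = {"ship", "repair", "retire"}   # events that must be closed out


def missing_fields(event):
    """Return the required fields that are absent or empty for one event."""
    required = BASE_FIELDS | EXTRA_FIELDS.get(event.get("movement_type"), set())
    return {f for f in required if not event.get(f)}


def open_events(events, now, max_open_days=14):
    """Ticket ids of ship/repair/retire events with no closing outcome that are
    older than max_open_days: the 'shipped but never confirmed' failure."""
    stale = []
    for ev in events:
        if ev.get("movement_type") not in NEEDS_CLOSURE:
            continue
        if ev.get("data_outcome") in CLOSING_OUTCOMES:
            continue
        if now - datetime.fromisoformat(ev["timestamp"]) > timedelta(days=max_open_days):
            stale.append(ev["ticket"])
    return sorted(stale)


def reconcile(inventory, events, enrollments):
    """Cross-check inventory vs. movement log vs. endpoint-management enrollments.
    Returns sorted (asset_id, finding) pairs for the exception queue."""
    findings = []
    last_custodian = {}                      # latest logged custodian per asset
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        last_custodian[ev["asset_id"]] = ev["custodian"]
    for asset_id, rec in inventory.items():
        if asset_id not in last_custodian:
            findings.append((asset_id, "no movement history"))
        elif rec["custodian"] != last_custodian[asset_id]:
            findings.append((asset_id, "inventory custodian differs from last logged custodian"))
    for asset_id, user in enrollments.items():
        if asset_id not in inventory:
            findings.append((asset_id, "enrolled in endpoint management but not in inventory"))
        elif asset_id in last_custodian and last_custodian[asset_id] != user:
            findings.append((asset_id, "enrolled user differs from logged custodian"))
    return sorted(findings)


# Constructed sample data (not real assets or people).
INVENTORY = {
    "LT-1001": {"asset_type": "laptop", "custodian": "a.rivera", "status": "issued"},
    "LT-1002": {"asset_type": "laptop", "custodian": "j.chen", "status": "issued"},
    "HD-2201": {"asset_type": "server drive", "custodian": "dc-ops", "status": "pending destruction"},
    "TP-3301": {"asset_type": "backup tape", "custodian": "it-backup", "status": "offsite"},
}
EVENTS = [
    {"asset_id": "LT-1001", "asset_type": "laptop", "movement_type": "issue", "from_location": "IT stock",
     "to_location": "user", "timestamp": "2024-03-01T09:00:00", "custodian": "a.rivera", "ticket": "T-100"},
    {"asset_id": "LT-1002", "asset_type": "laptop", "movement_type": "issue", "from_location": "IT stock",
     "to_location": "user", "timestamp": "2024-03-02T09:00:00", "custodian": "m.okafor", "ticket": "T-101"},
    {"asset_id": "HD-2201", "asset_type": "server drive", "movement_type": "retire", "from_location": "DC rack 4",
     "to_location": "ITAD", "timestamp": "2024-03-05T15:30:00", "custodian": "dc-ops", "ticket": "T-102",
     "third_party": "ExampleITAD", "data_outcome": ""},          # destruction never confirmed
    {"asset_id": "TP-3301", "asset_type": "backup tape", "movement_type": "ship", "from_location": "DC",
     "to_location": "offsite vault", "timestamp": "2024-03-10T08:00:00", "custodian": "it-backup",
     "ticket": "T-103", "third_party": "ExampleVault", "carrier": "courier", "tracking_number": "",
     "data_outcome": "stored"},                                    # missing tracking number
]
ENROLLMENTS = {"LT-1001": "a.rivera", "LT-1002": "m.okafor", "LT-1003": "unknown"}
NOW = datetime(2024, 4, 1)


def run_checks(inventory=INVENTORY, events=EVENTS, enrollments=ENROLLMENTS, now=NOW):
    """Bundle the three checks into one report for the periodic review."""
    return {
        "incomplete": {ev["ticket"]: sorted(missing_fields(ev)) for ev in events if missing_fields(ev)},
        "open": open_events(events, now),
        "reconciliation": reconcile(inventory, events, enrollments),
    }


if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

Running the sample flags the retire event with no recorded data outcome as both incomplete and still open, the shipment with an empty tracking number as incomplete, a laptop whose inventory custodian no longer matches the last logged transfer, and a device enrolled in endpoint management that the inventory has never seen. Each of those is exactly the kind of unlogged or unclosed movement an auditor will ask how you detect.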
Required evidence and artifacts to retain
Retain artifacts that prove movements and responsibility, not just that a policy exists:
Core artifacts
- Device & Media Movement Logging Standard (and any supporting procedures) (45 CFR Parts 160, 162, 164)
- Asset inventory showing unique identifiers and status
- Movement logs (exportable) with required fields populated
- Ticket records for issues/transfers/shipments/retirements
- Offboarding checklists with device return confirmation
- Chain-of-custody forms for high-risk media (e.g., backups, drives pending destruction)
- ITAD/destruction documentation (manifests, certificates) linked to asset IDs
- Training/communications records for teams executing the process (IT, facilities, service desk) (45 CFR Parts 160, 162, 164)
Third-party artifacts
- Third party pickup/delivery logs and serial-level manifests
- Evidence of acceptance/receipt at destination
- Repair RMA documentation tied to serial numbers
- Evidence of secure storage arrangements for offsite media (as applicable) (45 CFR Parts 160, 162, 164)
Common exam/audit questions and hangups
Expect questions that test completeness, scope, and traceability:
- “Show me your record of movements for these sampled assets.” Auditors will pick devices across categories: a laptop, a server drive, a copier HDD, backup media.
- “How do you know assets didn’t move without being logged?” Have reconciliation and exception handling evidence.
- “Who is ‘responsible’ when a third party is involved?” Clarify the internal accountable owner plus the external custodian. Your log should reflect both.
- “What happens during offboarding and break/fix?” These are common leakage points. Show consistent workflows.
- “What is your definition of electronic media?” Show your scope statement and rationale. (45 CFR Parts 160, 162, 164)
Frequent implementation mistakes and how to avoid them
Mistake: Inventory without movement history
Fix: Add event logging. A static asset register alone does not demonstrate “movements.”
Mistake: Tracking only laptops, ignoring media and components
Fix: Include drives, removable media, backup media, and any equipment with persistent storage in your scope definition. (45 CFR Parts 160, 162, 164)
Mistake: “Shared custody” with no named person
Fix: Require a named custodian for each state. For storage rooms, assign an accountable room owner and log each deposit/withdrawal.
Mistake: Third-party handoffs with no serial-level manifest
Fix: Require manifests and link them to your movement record. If the third party cannot provide serial-level tracking, treat it as a risk and add compensating controls. (45 CFR Parts 160, 162, 164)
Mistake: No closure step after shipment or destruction
Fix: Track open movement events until confirmed received, returned, wiped, or destroyed, and document closure evidence.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.
Operationally, weak accountability shows up as: lost laptops, misplaced backup media, untracked repairs, and improper disposal. Those failures create incident response churn because you cannot quickly determine whether ePHI was exposed, what data was on the asset, and who last had custody. Accountability records also support breach analysis and defensible decision-making. (45 CFR Parts 160, 162, 164)
A practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Name an executive owner (often Security or IT) and an operational process owner (asset manager/service desk lead).
- Publish a one-page scope statement: asset types and movement events in scope. (45 CFR Parts 160, 162, 164)
- Choose the system of record and define required fields.
- Implement “no ticket, no move” for shipments, repairs, and retirements.
- Start capturing third-party manifests and destruction certificates for all outgoing hardware/media.
Next 60 days (operationalize)
- Build ticket templates/forms that enforce required fields.
- Train IT, facilities, and HR offboarding coordinators.
- Add chain-of-custody forms for high-risk media (backups, drives).
- Run a reconciliation exercise and document exceptions and fixes.
- For third parties, standardize due diligence requests and evidence collection in Daydream so chain-of-custody expectations are consistent across engagements. (45 CFR Parts 160, 162, 164)
Next 90 days (prove it works)
- Perform a sample-based internal audit: pick assets and trace full movement history plus custody.
- Tune workflows: reduce optional fields, tighten approvals, close gaps in offboarding and repair.
- Establish ongoing metrics (qualitative is fine): volume of exceptions, common failure points, corrective actions taken.
- Bake requirements into contracts/SOW templates for ITAD, repair, offsite storage, and managed services. (45 CFR Parts 160, 162, 164)
Frequently Asked Questions
What counts as “electronic media” for the accountability requirement?
Treat it as media that can store electronic information, especially ePHI, such as removable drives and backup media. Document your definition and keep it consistent with how your teams actually handle devices and storage. (45 CFR Parts 160, 162, 164)
Do we have to track every physical move inside a building?
Track movements that change custody, risk, or control, such as transfers between users, shipments, moves into or out of secure storage, and retirement/disposal. Define your trigger events so the process is workable and defensible. (45 CFR Parts 160, 162, 164)
If devices are encrypted, do we still need accountability logs?
Yes. The requirement is about recording movements and the person responsible, not only about reducing data confidentiality risk. Encryption helps, but it does not replace custody records. (45 CFR Parts 160, 162, 164)
How do we handle shared devices (nursing stations, kiosks, shared workstations)?
Assign a responsible role or custodian for the device location (for example, the unit manager or site IT lead) and log transfers when the device moves sites or is serviced. Avoid “everyone is responsible,” which fails audits.
What evidence should we request from an ITAD or repair third party?
Ask for pickup/delivery records, serial-level manifests, and destruction or disposition documentation that you can tie back to your asset IDs. Your movement record should link to these artifacts. (45 CFR Parts 160, 162, 164)
Can we meet this requirement with spreadsheets?
You can, if access is controlled, changes are tracked, required fields are enforced, and you can produce complete movement histories on demand. In practice, ticketing plus asset management tools reduce missed events and missing fields.