Physical Media in Transit

To meet the HITRUST “physical media in transit” requirement, you must protect any information-bearing media that leaves your facilities with secure transport, tamper-evident packaging, and encryption appropriate to the data’s sensitivity. Operationalize it by defining what counts as media, gating shipments through an approved process, and retaining end-to-end chain-of-custody evidence. 1

Key takeaways:

  • Treat “in transit” as a controlled workflow: approve, package, encrypt, ship, track, confirm receipt, and record evidence.
  • Secure couriers and tamper-evident packaging are baseline expectations for anything leaving your physical boundary. 1
  • Encryption must be applied to sensitive data on the media (or via encrypted containers) before it ships. 1

“Physical media in transit” is easy to underestimate because many organizations assume they have moved on from tapes, CDs, or portable drives. In practice, regulated data still leaves buildings on laptops, replacement drives, diagnostic tools, backup disks, paper records, and shipping boxes from third parties. HITRUST CSF v11 09.u is explicit: if media containing information crosses your physical boundary, you need controls that prevent unauthorized access, misuse, or corruption during transportation, including secure couriers, tamper-evident packaging, and encryption for sensitive data. 1

For a CCO or GRC lead, the fastest path to compliance is to translate that statement into an operational shipping standard that (1) clearly defines covered media and “beyond the organization’s physical boundaries,” (2) requires pre-shipment risk decisions based on sensitivity, and (3) generates audit-ready evidence without heroics. This page gives you the requirement-level interpretation, the exact steps teams must follow, what to collect as proof, and the questions auditors tend to press on.

Regulatory text

HITRUST CSF v11 09.u states: “Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation beyond the organization's physical boundaries. Physical media in transit shall use secure couriers, tamper-evident packaging, and appropriate encryption for sensitive data.” 1

Operator translation (what you must do):

  • Scope the trigger: Any “media containing information” that leaves your physical boundary is in scope (not just removable drives).
  • Prevent three outcomes: unauthorized access, misuse, or corruption while it is being transported.
  • Implement three control pillars: (1) secure courier selection and shipment tracking, (2) tamper-evident packaging to detect interference, and (3) encryption that matches the sensitivity of the data on the media. 1

Plain-English interpretation

If you ship it, carry it, or hand it off outside your walls, assume it can be lost, swapped, opened, copied, or damaged. The requirement expects you to reduce that risk with:

  1. A trustworthy transport method you can track.
  2. Packaging that shows if anyone opened it.
  3. Encryption so data exposure is unlikely even if the media disappears. 1

This is not limited to shipments you initiate. It also covers returns (e.g., RMA drives), transfers between sites, and third-party logistics where your data rides along.

Who it applies to

Entities: All organizations scoped to HITRUST CSF v11. 1

Operational contexts commonly in scope:

  • IT operations shipping laptops, hard drives, removable storage, or network gear with configs/logs.
  • Infrastructure teams sending backup media to offsite storage or a third party.
  • Clinical/health operations moving paper records, imaging media, or specimen-related documentation that includes regulated data.
  • Security/forensics sending evidence media to outside counsel, insurers, or incident response partners.
  • Third-party workflows: repair depots, shredding/destruction services, offsite storage, and data center relocation providers.

A quick scoping rule: If the item contains organizational information (including sensitive data) and crosses a boundary you do not physically control end-to-end, treat it as “in transit.”

What you actually need to do (step-by-step)

1) Define “covered media” and classify shipment sensitivity

Create a short standard that answers:

  • What counts as physical media (examples list).
  • What counts as in transit (offsite, interoffice, third party, employee hand-carry).
  • What counts as sensitive data for encryption decisions, aligned to your data classification scheme. 1

Output: “Physical Media in Transit Standard” + a one-page decision tree.

2) Establish an approved shipping workflow (no ad hoc shipments)

Gate every outbound media movement through a workflow with required fields:

  • Requestor, business purpose, destination, receiving party, and data classification.
  • Media type/serial number (or box seal ID).
  • Encryption method/verification.
  • Packaging method and tamper-evident seal identifiers.
  • Courier and tracking number.
  • Required receipt confirmation and timeline.

Tip: Put this in your ticketing system so every shipment produces evidence by default.

3) Use secure couriers with tracking and accountability

Define “secure courier” for your organization in procurement-operational terms:

  • Trackable shipments (end-to-end tracking number).
  • Signature required at delivery where appropriate for sensitivity.
  • Clear chain-of-custody expectations (handoff points, who can receive).
  • Exceptions process for emergencies.

If third parties ship on your behalf, require the same controls contractually and operationally (shipping method, packaging, and proof of delivery). 1

4) Require tamper-evident packaging

Operationalize “tamper-evident” so it is testable:

  • Approved tamper-evident bags/tape/seals with unique identifiers.
  • Packaging steps (who applies seals, where seal IDs are recorded).
  • Inspection steps on receipt (what constitutes “tampered,” what to do next).
  • Secure packaging storage (to prevent staff from grabbing random supplies that do not meet the standard). 1

5) Encrypt sensitive data before shipment (and verify)

Your procedure should require one of the following for sensitive data on media:

  • Full-disk encryption on the device/drive, or
  • Encrypted container/volume with strong key handling, or
  • Secure hardware-encrypted removable media.

Verification matters: Make encryption a checklist item with evidence (system screenshot, command output, MDM status, or encryption attestation tied to the asset). The requirement calls for “appropriate encryption for sensitive data,” which auditors will interpret as “show me you did it, not just that you intended to.” 1

Key handling: Document who controls keys/passwords, how they are communicated to the receiver (out-of-band), and what happens if the shipment is lost.

6) Maintain chain-of-custody from dispatch to confirmed receipt

Minimum operational elements:

  • Dispatch record (date/time, who released the media, seal ID, tracking number).
  • Courier proof (shipping label, tracking page capture, pickup confirmation).
  • Receipt record (receiver identity, signature or acknowledgment, seal inspection result).
  • Incident trigger (lost package, delayed delivery, tamper evidence, damage/corruption). 1

7) Add “what if it goes wrong” response steps

Write a simple playbook:

  • If tracking shows anomaly: who is notified, how fast, and what actions happen (courier trace, internal security review).
  • If tamper-evident packaging indicates compromise: quarantine, do not connect media, open incident, preserve evidence.
  • If corruption is suspected: integrity checks, re-issue media, document data restoration path.

8) Audit third parties who transport or handle your media

You do not need to “audit the world,” but you must be able to show:

  • The third party is contractually required to use secure courier methods and tamper-evident packaging (or equivalent), and
  • You collect proof for shipments involving your data. 1

Practical note: Many programs fail here because the organization’s internal shipping is controlled, but RMAs or offsite storage pickups happen “outside the process.”
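As an added example (not text from HITRUST, the page's source, or any product), the Python below encodes the shipping-workflow gate from step 2, the per-shipment encryption verification from step 5, and the receipt inspection and incident trigger from steps 6 and 7 as two checks over shipment records. Field names, classification labels, and the sample records are constructed assumptions; adapt them to your own ticketing fields and classification scheme.

```python
"""Shipment gate and receipt check for the media-in-transit workflow (steps 2, 5, 6 and 7).
Added example, not HITRUST text; field names, labels and sample records are assumptions."""

SENSITIVE_CLASSES = {"confidential", "restricted"}  # assumed classification scheme
APPROVED_ENCRYPTION = {"fde", "encrypted-container", "hardware-encrypted"}
REQUIRED_FIELDS = ("requestor", "purpose", "destination", "receiver", "classification",
                   "media_id", "seal_id", "courier", "tracking_number")

def dispatch_findings(rec: dict) -> list[str]:
    """Reasons the shipment must not be released; an empty list means release."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("classification") in SENSITIVE_CLASSES:
        # Sensitive data: encryption must be applied AND evidenced before it ships.
        if rec.get("encryption_method") not in APPROVED_ENCRYPTION:
            findings.append("sensitive data requires an approved encryption method")
        if not rec.get("encryption_evidence"):
            findings.append("sensitive data requires encryption evidence tied to the asset")
        if not rec.get("key_shared_out_of_band"):
            findings.append("key/password must be sent to the receiver out-of-band")
    return findings

def receipt_outcome(dispatch: dict, receipt: dict) -> tuple[str, list[str]]:
    """Match the receiver's inspection to the dispatch record.
    Returns ("accepted", []) or ("incident", reasons) to trigger the playbook."""
    reasons = []
    if receipt.get("tracking_number") != dispatch.get("tracking_number"):
        reasons.append("tracking number does not match dispatch record")
    if receipt.get("seal_id") != dispatch.get("seal_id"):
        reasons.append("seal ID does not match dispatch record")
    if not receipt.get("seal_intact"):
        reasons.append("tamper evidence on arrival: quarantine, do not connect media")
    if not receipt.get("receiver_ack"):
        reasons.append("no receiver acknowledgment recorded")
    return ("incident" if reasons else "accepted", reasons)

# Constructed sample records (no real serials, tracking numbers or parties).
GOOD_DISPATCH = {
    "requestor": "it-ops", "purpose": "RMA return of failed drive",
    "destination": "repair depot (constructed)", "receiver": "depot intake",
    "classification": "restricted", "media_id": "SN-CONSTRUCTED-001",
    "seal_id": "SEAL-0042", "courier": "approved-courier-A",
    "tracking_number": "TRK-CONSTRUCTED-1", "encryption_method": "fde",
    "encryption_evidence": "mdm-fde-report-SN-CONSTRUCTED-001", "key_shared_out_of_band": True,
}
BAD_DISPATCH = {**GOOD_DISPATCH, "seal_id": "", "encryption_evidence": ""}
GOOD_RECEIPT = {"tracking_number": "TRK-CONSTRUCTED-1", "seal_id": "SEAL-0042",
                "seal_intact": True, "receiver_ack": "depot intake, signed"}
TAMPERED_RECEIPT = {**GOOD_RECEIPT, "seal_intact": False}
```

Running `dispatch_findings(BAD_DISPATCH)` reports the missing seal ID and the missing encryption evidence, which is exactly the per-shipment proof auditors ask for; a tampered or mismatched receipt yields an "incident" outcome that should open the step 7 playbook.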

Required evidence and artifacts to retain

Keep evidence that proves the control operated for real shipments:

  • Physical Media in Transit Policy/Standard and procedures. 1
  • Approved courier list and shipping requirements (signature, tracking, service levels).
  • Approved tamper-evident packaging specifications and inventory controls.
  • Shipment tickets/requests with approvals and data classification.
  • Asset/media identifiers (serial number, barcode) mapped to the shipment record.
  • Encryption evidence per shipment for sensitive data (MDM/FDE status, encryption logs, screenshots, or attestation tied to the asset). 1
  • Tracking numbers and proof of delivery (screenshots/PDFs acceptable if your system doesn’t natively store them).
  • Receiver acknowledgment + tamper inspection record.
  • Incident records for lost/tampered/damaged shipments and post-incident actions.

Common exam/audit questions and hangups

Auditors tend to test these points:

  • Scope clarity: “What media types are covered? Do you include laptops and paper records?”
  • Consistency: “Show me the last several shipments; did every one follow the workflow?”
  • Encryption proof: “How do you verify encryption before shipment for sensitive data?” 1
  • Third-party shipments: “If your repair depot ships drives back to you, how do you know it used tamper-evident packaging and secure courier?”
  • Exception control: “What happens during urgent shipments? Who approves exceptions, and what compensating controls exist?”
  • Receipt controls: “Do you record seal IDs and confirm intact seals on arrival?”

Hangup to anticipate: Teams can describe the process but cannot produce end-to-end artifacts for a sample shipment.

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating “media” as only removable drives.
    Fix: Define covered media broadly and include examples; train shipping/IT/clinical ops together.

  • Mistake: Relying on “reputable carrier” without defining “secure courier.”
    Fix: Write minimum requirements (tracking, controlled delivery, proof of receipt) and enforce them in shipping accounts. 1

  • Mistake: Encryption policy exists, but no per-shipment verification.
    Fix: Add an “encryption verified” step with required evidence, tied to the asset ID. 1

  • Mistake: Tamper-evident supplies exist but seal IDs aren’t recorded.
    Fix: Require unique seal IDs in the shipment record; require inspection on receipt.

  • Mistake: Third parties bypass your process.
    Fix: Add contract clauses and require shipment evidence from third parties; include in third-party risk reviews and operational runbooks.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so you should plan control design around audit expectations and common failure modes: loss in transit, interception, and uncontrolled third-party handling. The risk is straightforward: if unencrypted sensitive data is lost or tampered with in transit, you can face confidentiality impact, integrity issues (corruption or malicious alteration), incident response burden, and contractual/regulatory reporting exposure. 1

Practical execution plan (30/60/90)

Use this as an execution checklist, not a calendar promise.

First 30 days (Immediate)

  • Assign an owner for “media movement” (often IT ops + security + facilities/shipping).
  • Draft the Physical Media in Transit Standard: scope, sensitivity rules, courier requirements, tamper-evident requirements, encryption requirement for sensitive data. 1
  • Identify all shipment pathways, including RMAs and third-party logistics.
  • Implement a ticket template that captures required fields (seal ID, tracking number, encryption verification).

By 60 days (Near-term)

  • Stand up approved packaging: tamper-evident supplies, seal ID logging, receipt inspection steps.
  • Implement encryption verification: MDM report, endpoint tooling, or a documented verification checklist.
  • Update third-party contracts / add operational requirements for shipping media on your behalf. 1
  • Run a tabletop test: lost shipment, tamper evidence on arrival, corrupted media.

By 90 days (Operationalize and audit-proof)

  • Train the teams that actually ship/receive items; include a one-page “ship/receive checklist.”
  • Perform a sample-based internal review of recent shipments to confirm evidence completeness.
  • Add recurring monitoring: review exception requests, failed deliveries, and third-party shipments for compliance gaps.
  • Consider tooling: Daydream can centralize third-party due diligence and ongoing evidence collection workflows so shipment requirements (secure courier, tamper-evident packaging, encryption proof) are requested, tracked, and audit-ready without chasing emails.

Frequently Asked Questions

Does this apply if an employee hand-carries a laptop or drive to another site?

Yes if it crosses your organization’s physical boundary; treat it as “in transit” and apply encryption and chain-of-custody expectations appropriate to sensitivity. 1

What counts as “tamper-evident packaging” in practice?

Use packaging with seals or tape that show visible evidence of opening, and record unique seal identifiers so you can match the received package to the dispatched record. 1

If a drive is encrypted, do we still need a secure courier?

Yes. HITRUST calls out secure couriers and tamper-evident packaging in addition to encryption for sensitive data; treat encryption as a critical layer, not a substitute. 1

How do we handle RMAs where the third party ships replacement media back to us?

Require the third party to ship via your approved courier method (or equivalent) with tamper-evident packaging and provide tracking and proof of delivery so you can retain evidence. 1

Do paper records count as “media containing information”?

Yes. Paper is physical media and can be accessed, misused, or corrupted in transit; use secure courier controls, tamper-evident packaging where feasible, and documented chain-of-custody. 1

What’s the minimum evidence an auditor will accept for a shipment?

A shipment record showing approval and classification, encryption verification (for sensitive data), seal ID, courier/tracking details, and confirmed receipt with inspection results is the usual baseline. 1

Footnotes

  1. HITRUST CSF v11 Control Reference

