§164.310(d)(1): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.

Audit Inquiry

Does the entity have policies and procedures in place that govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within the facility?

Does the entity govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within the facility?

Obtain and review the policies and procedures related to device and media controls. Evaluate the content in relation to the specified performance criteria for the proper handling of electronic media that contain ePHI.

Elements to review may include but are not limited to:
• How the types of hardware and electronic media that must be tracked (both entity owned and personally owned) are identified
• The process of tracking all types of hardware and electronic media that contain ePHI
• Workforce members’ roles and responsibilities in the device and media control process
• Authorization process for the receipt and removal of hardware and electronic media that store ePHI
• How the release of hardware, software, and ePHI data out of entity control is managed and documented

Obtain and review documentation demonstrating the movement of hardware and electronic media containing ePHI into, out of and within the facility. Evaluate and determine if movement of hardware and electronic media is being properly tracked, documented, and approved by appropriate personnel.

Obtain documentation demonstrating the type of security controls implemented for movements into, out of, and within the facility of workforce members’ assigned hardware and electronic media that contain ePHI. Evaluate and determine if security controls are appropriate, properly implemented, and minimize possible vulnerabilities.

Required/Addressable

Required