§164.310(d)(2)(iii): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Audit Inquiry
Does the entity have policies and procedures to record the movements of hardware and electronic media and any person responsible therefore?
Does the entity record the movements of hardware and electronic media and any person responsible therefore?
Obtain and review policies and procedures related to device and media accountability. Evaluate the content relative to the specified performance criteria regarding tracking the location of electronic media and hardware (including entity-owned and personally-owned electronic/mobile devices and media containing, or with access to, ePHI) and maintaining records of movements of, and individual(s) responsible for, hardware and electronic media that have access to or contain ePHI.
Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in the device and media accountability process
• How records of movements of electronic media and hardware are maintained
• The process of reviewing and certifying records of movements of hardware and electronic media
• The types of hardware and electronic media that will be tracked in the device and media accountability process
Obtain and review documentation demonstrating a record of movements of hardware and electronic media and the person responsible therefore. Evaluate and determine if media and hardware (including entity-owned and personally-owned electronic/mobile devices and media) are tracked, recorded, and certified by appropriate personnel.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable