© 2026 D3rx. All rights reserved.
Physical Safeguards (164.310)

Device & Media Controls Policy

45 CFR § 164.310(d)

Governs the receipt, removal, movement, and disposal of hardware and electronic media containing ePHI. Ensures proper sanitization of devices before reuse or disposal and tracks media throughout its lifecycle.

What's Included

  • Policy document
  • Media inventory and tracking log
  • Device disposal certification form
  • Data sanitization checklist
  • Implementation checklist
  • Annual review template
3 pages · ~1,183 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Physical Safeguards (164.310) · Page 1 of 3

Device & Media Controls Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy governs the receipt, removal, movement, disposal, and reuse of hardware and electronic media that contain ePHI at [PRACTICE NAME]. Proper device and media controls prevent ePHI from being lost, stolen, or improperly disclosed when devices change hands, are moved, or reach end-of-life.

2. Scope

This policy applies to all hardware and electronic media that contain, have contained, or may contain ePHI. This includes hard drives, USB drives, CDs/DVDs, backup tapes, servers, workstations, laptops, tablets, smartphones, copiers with hard drives, fax machines with memory, medical devices with storage, and any other device or media capable of storing electronic data. It applies to all workforce members, IT vendors, and disposal contractors.

3. Policy Statement

[PRACTICE NAME] shall implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility, as required by 45 CFR § 164.310(d). All ePHI shall be properly removed from devices and media before they are disposed of, reused, or transferred.

4. Definitions

Electronic Media: Electronic storage material, including memory devices in computers (hard drives, SSDs) and any removable or transportable digital storage medium, such as USB flash drives, CDs, DVDs, magnetic tape, and memory cards.

Sanitization: The process of removing data from electronic media so that it cannot be retrieved or reconstructed. Methods include clearing (overwriting), purging (degaussing or cryptographic erasure), and destroying (shredding, incinerating, or disintegrating).

Disposal: The act of discarding electronic media or hardware that is no longer needed, with all ePHI properly sanitized beforehand.

Reuse: The act of repurposing electronic media or hardware for a different user or function, with all previous ePHI properly sanitized beforehand.

5. Procedures

1. MEDIA INVENTORY AND TRACKING

1.1 The IT Manager shall maintain a Media Inventory and Tracking Log that records: device/media type and description, serial number or asset tag, assigned location and user, whether it contains or has contained ePHI, date received/deployed, and date disposed of or transferred (with method).

1.2 The inventory shall be updated whenever devices or media are received, moved, reassigned, or disposed of.

2. RECEIPT OF DEVICES AND MEDIA

2.1 All new hardware and media that will be used with ePHI shall be logged into the inventory upon receipt.

2.2 Before deploying new devices, the IT Manager shall verify that appropriate security configurations are in place (encryption, access controls, security software).

3. MOVEMENT OF DEVICES AND MEDIA

3.1 Movement of devices containing ePHI within the facility shall be tracked in the inventory log.

3.2 Movement of devices containing ePHI outside the facility (e.g., taking a laptop to a satellite office, off-site backup rotation) requires authorization from the Security Officer and encryption of all ePHI on the device.

3.3 Devices being transported shall be physically secured during transport (e.g., in a locked bag, not left in an unlocked vehicle).

4. DISPOSAL OF DEVICES AND MEDIA

4.1 Before any device or media containing ePHI is disposed of, all ePHI shall be sanitized using one of the following methods appropriate to the media type:

  • Hard drives (HDD): Overwrite with at least one pass of random data using an approved wiping tool, or degauss, or physically destroy (shred or crush).
  • Solid-state drives (SSD): Use the manufacturer's secure-erase command or cryptographic erasure, or physically destroy.
  • USB drives, CDs, DVDs, tapes: Physical destruction (shredding or incineration).
  • Copiers, fax machines, printers with hard drives: Sanitize or remove and destroy the internal hard drive before disposal or return to the lessor.

Note: Disposal of paper records containing PHI is governed by the separate Records Retention and Disposal Policy (e.g., cross-cut shredding or a professional shredding service with certificate of destruction). This policy addresses electronic media and hardware under 45 CFR § 164.310(d) only; the paper reference here is provided solely as a cross-reference.

4.2 A Device Disposal Certification Form shall be completed for each device or media disposed of, documenting: the device description and serial number, the sanitization method used, the date of sanitization, the person who performed the sanitization, and whether a certificate of destruction was obtained from a third-party disposal vendor.

4.3 If a third-party disposal vendor is used, the vendor shall: sign a Business Associate Agreement (if they will have access to ePHI), provide a certificate of destruction for each batch of devices, and use NIST SP 800-88 Rev. 2 compliant sanitization methods.
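As an added example, not part of the template itself, the following Python checker audits Device Disposal Certification records against the method-by-media-type rules in 4.1, the required fields in 4.2 and the vendor certificate requirement in 4.3. The record field names, the media-type keys and the method labels are assumptions chosen for this example.

```python
from dataclasses import dataclass

# Sanitization methods the policy permits per media type (Section 4.1). Labels are assumed.
ALLOWED_METHODS = {
    "hdd": {"overwrite", "degauss", "shred", "crush"},
    "ssd": {"secure-erase", "crypto-erase", "shred", "crush"},
    "usb": {"shred", "incinerate"},
    "optical": {"shred", "incinerate"},
    "tape": {"shred", "incinerate"},
    # Copiers/fax/printers: sanitize the internal drive as an HDD, or remove and destroy it.
    "copier": {"overwrite", "degauss", "shred", "crush", "drive-removed-destroyed"},
}

@dataclass
class DisposalRecord:
    """One row of the Device Disposal Certification Form (Section 4.2). Field names are assumed."""
    description: str
    serial: str
    media_type: str
    method: str
    sanitized_on: str          # ISO 8601 date
    performed_by: str
    vendor: str = ""           # third-party disposal vendor; empty when sanitized in-house
    certificate_obtained: bool = False

def check_record(rec: DisposalRecord) -> list[str]:
    """Return policy findings for one record; an empty list means the record is compliant."""
    findings = []
    for name in ("description", "serial", "method", "sanitized_on", "performed_by"):
        if not getattr(rec, name).strip():
            findings.append(f"missing required field: {name}")
    allowed = ALLOWED_METHODS.get(rec.media_type)
    if allowed is None:
        findings.append(f"unknown media type: {rec.media_type!r}")
    elif rec.method and rec.method not in allowed:
        findings.append(f"method {rec.method!r} is not permitted for {rec.media_type}")
    if rec.vendor and not rec.certificate_obtained:
        findings.append(f"no certificate of destruction from vendor {rec.vendor!r}")
    return findings

def audit_log(records: list[DisposalRecord]) -> dict[str, list[str]]:
    """Map each non-compliant serial number to its findings (supports the Section 7 audit)."""
    return {r.serial: f for r in records if (f := check_record(r))}

# Constructed sample log entries for demonstration; these are not real devices.
SAMPLE_LOG = [
    DisposalRecord("Front-desk workstation", "WS-0001", "hdd", "overwrite", "2026-03-02", "J. Doe"),
    DisposalRecord("Billing laptop", "LT-0042", "ssd", "overwrite", "2026-03-02", "J. Doe"),
    DisposalRecord("Backup tape set", "TP-0007", "tape", "shred", "2026-03-09", "J. Doe", vendor="ExampleShred LLC"),
]
```

Running `audit_log(SAMPLE_LOG)` flags the SSD that was only overwritten and the vendor-handled tapes with no certificate on file, while the overwritten HDD passes.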

5. REUSE OF DEVICES AND MEDIA

5.1 Before any device or media is reassigned to a different user or repurposed, all previous user data and ePHI shall be fully sanitized using the methods specified in Section 4.1.

5.2 The IT Manager shall re-image or reset the device to its baseline configuration before reassignment.

5.3 The inventory log shall be updated to reflect the new assignment.

6. DATA BACKUP AND STORAGE (Addressable — 164.310(d)(2)(iv))

6.1 Before any equipment containing ePHI is moved, relocated, or transported (within or outside the facility), the IT Manager shall create a retrievable, exact copy of the ePHI stored on that equipment, where the movement could risk loss of or damage to the data.

6.2 The backup copy shall be verified as complete and restorable before the equipment is moved, and shall itself be stored securely and encrypted in accordance with this policy and the Contingency Plan's Data Backup Plan.

6.3 This requirement applies in addition to, and does not replace, the routine backups maintained under the Contingency Plan. It is intended specifically to protect against data loss that could result from the physical movement of equipment.

6.4 If [PRACTICE NAME] determines that creating a pre-movement backup is not reasonable and appropriate for a specific situation (e.g., the equipment is a thin client storing no local ePHI, or the data is already replicated to the cloud in real time), the determination and the equivalent alternative measure shall be documented per the addressable specification process at 45 CFR § 164.306(d).

7. ACCOUNTABILITY

7.1 The IT Manager shall maintain records of the movements of hardware and electronic media and any person responsible for the movement, as required by 45 CFR § 164.310(d)(2)(iii).

7.2 All accountability records shall be retained for a minimum of six (6) years.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Approves out-of-facility device movements. Reviews disposal certifications. Conducts periodic audits of the media inventory.

IT Manager/Vendor ([IT CONTACT NAME]): Maintains the Media Inventory and Tracking Log. Performs or oversees device sanitization and disposal. Configures new devices before deployment. Completes Device Disposal Certification Forms. Manages third-party disposal vendor relationships.

All Workforce Members: Report lost or stolen devices immediately. Do not dispose of any device or media containing ePHI without coordinating with IT. Secure devices during transport.

7. Review Schedule

This policy shall be reviewed at least annually. The Media Inventory and Tracking Log shall be audited at least annually to verify accuracy. Disposal vendor contracts and BAAs shall be reviewed annually.

8. Regulatory References

45 CFR § 164.310(d)(1) — Device and media controls (Required)
45 CFR § 164.310(d)(2)(i) — Disposal (Required)
45 CFR § 164.310(d)(2)(ii) — Media re-use (Required)
45 CFR § 164.310(d)(2)(iii) — Accountability (Addressable)
45 CFR § 164.310(d)(2)(iv) — Data backup and storage (Addressable)
NIST SP 800-88 Rev. 2 (September 2025) — Guidelines for Media Sanitization

Templates require customization and legal review before adoption. Not legal advice.