Control Movement of Devices and Media Containing ePHI
Plain English Translation
Policies and procedures must govern the receipt, removal, and internal movement of hardware and electronic media containing ePHI into and out of the facility. Unauthorized transfer or removal of media containing patient data is a reportable security incident.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Maintain a centralized tracking spreadsheet for all company laptops and removable media, requiring manual sign-outs before hardware leaves the office.
Required Actions (scaleup)
- Implement a formal IT asset management (ITAM) ticketing system to systematically document the receipt, authorization, and relocation of all hardware containing ePHI.
Required Actions (enterprise)
- Deploy automated endpoint management platforms integrated with physical security protocols to dynamically track device movement and generate alerts upon unauthorized hardware relocation.
HIPAA device and media controls are physical safeguards required by the Security Rule that dictate how an organization manages the receipt, removal, and movement of hardware and electronic media containing ePHI into, out of, and within a facility.
45 CFR 164.310(d)(1) requires organizations to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, as well as its movement within and outside the facility.
Organizations should track devices by utilizing a centralized asset management system or detailed electronic media tracking log that records device serial numbers, assigned users, current locations, and any movement history.
When moving hardware between facilities, organizations must secure the devices during transit, log the departure and expected arrival, document the authorized personnel transporting the hardware, and verify successful receipt at the destination.
Yes, while not explicitly using the term 'chain of custody', HIPAA requires organizations to maintain accountability for hardware and electronic media movement, which effectively necessitates a chain of custody log documenting who handles the media at all times.
Organizations need a hardware and electronic media movement policy that requires formal authorization, documentation of the removal's purpose, and verification that the device is properly encrypted before it is allowed to leave the physical facility.
These physical safeguards apply by requiring that the movement of laptops, USB drives, and other portable media is strictly controlled, logged, and restricted to authorized personnel to prevent the physical theft or loss of the contained ePHI.
Covered hardware and media include desktop computers, laptops, servers, smartphones, tablets, external hard drives, USB flash drives, backup tapes, and any other physical storage device capable of holding electronic protected health information.
Organizations should document receipt and removal by using standardized authorization forms and tracking logs that capture the date, time, device identifier, person responsible, and the specific reason for the device's relocation or removal.
Auditors typically look for a documented device movement policy, active asset management logs, signed authorization forms for removed hardware, and historical chain of custody records demonstrating accountability for all ePHI media.
The main challenge is maintaining accurate accountability when laptops, backup media, mobile devices, or removable storage move between users, departments, facilities, vendors, or disposal workflows. Tools like WatchDog Security's Asset Inventory can help centralize device ownership, location, assignment, and lifecycle status so teams can more easily identify which assets may contain ePHI and require movement tracking.
Device and media movement controls depend on clear procedures for authorization, tracking, encryption, custody transfer, and exceptions. Tools like WatchDog Security's Policy Management can help maintain version-controlled policies, assign employee acknowledgements, and preserve acceptance records that support HIPAA audit evidence.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Specialist | Initial publication |

