hipaa-ps-4 | High priority | Physical Safeguards / Device and Media Controls

Implement policies and procedures governing the receipt, removal, and disposal of hardware and electronic media containing ePHI

Electronic media containing ePHI, including hard drives, USB drives, backup tapes, optical discs, and mobile devices, must be carefully controlled from receipt through disposal. A discarded hard drive with unwiped ePHI is a HIPAA violation and a breach waiting to be discovered. Organizations must control which media can be removed from the facility, maintain accountability for media containing ePHI, create backup copies of ePHI before moving equipment, and ensure media is properly sanitized or destroyed before disposal or reuse.

Implementation steps

  1. Establish media disposal procedures

     Define and document procedures for disposing of hardware and electronic media that have contained ePHI. Hard drives and solid-state drives must be securely wiped using NIST SP 800-88 compliant methods or physically destroyed. Use a certified media destruction vendor and obtain certificates of destruction as auditable documentation.

     Tools: blancco, confluence

  2. Define and enforce media reuse procedures

     Before reusing electronic media (hard drives, USB drives, backup tapes) that previously contained ePHI, securely wipe the media to remove all ePHI. Document the reuse process and verify that sanitization was completed before the media is assigned to a new system or person.

     Tools: blancco, confluence

  3. Maintain media accountability records

     Track electronic media containing ePHI throughout its lifecycle: where it is, who has custody of it, and when it is moved, decommissioned, or disposed of. For removable media, maintain a log of media that leaves the facility. For hardware assets, maintain an asset inventory with location and status.

     Tools: excel, confluence, servicenow

  4. Back up ePHI before moving equipment

     Create a retrievable, exact copy of ePHI before moving equipment, so that data is not lost during transport. Verify that the backup is recoverable before completing the move. Document the backup and transfer process.

     Tools: aws-backup, azure-backup, veeam
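As an added illustration (not code from this page or from any of the tools listed), the check below audits a constructed media lifecycle log against the four rules above: reuse requires verified sanitization, disposal requires a certificate of destruction, media leaving the facility needs a named custodian, and equipment moves need a verified backup first. The event names, field names and the certificate value are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample log (not real data): one dict per lifecycle event, in
# chronological order. Fields beyond "asset" and "event" depend on the event.
EVENTS = [
    {"asset": "HDD-001", "event": "received", "custodian": "it-ops"},
    {"asset": "HDD-001", "event": "sanitized", "method": "NIST SP 800-88 purge", "verified": True},
    {"asset": "HDD-001", "event": "reassigned", "custodian": "radiology"},
    {"asset": "HDD-002", "event": "received", "custodian": "it-ops"},
    {"asset": "HDD-002", "event": "reassigned", "custodian": "billing"},   # no wipe first
    {"asset": "TAPE-07", "event": "received", "custodian": "backup-team"},
    {"asset": "TAPE-07", "event": "exit", "custodian": ""},                # left site, no custodian
    {"asset": "SSD-009", "event": "received", "custodian": "it-ops"},
    {"asset": "SSD-009", "event": "destroyed", "certificate": "CERT-PLACEHOLDER-1"},
    {"asset": "SSD-010", "event": "received", "custodian": "it-ops"},
    {"asset": "SSD-010", "event": "destroyed", "certificate": ""},         # no certificate
    {"asset": "SRV-03", "event": "received", "custodian": "it-ops"},
    {"asset": "SRV-03", "event": "moved", "to": "site-B"},                 # no verified backup
]


def audit(events):
    """Return a list of (asset, finding) tuples for media lifecycle rule violations."""
    findings = []
    clean = defaultdict(bool)       # asset -> sanitization verified since last use
    backed_up = defaultdict(bool)   # asset -> verified backup taken since last move
    for e in events:
        asset, kind = e["asset"], e["event"]
        if kind == "sanitized":
            clean[asset] = bool(e.get("verified"))
        elif kind == "backup":
            backed_up[asset] = bool(e.get("verified"))
        elif kind == "reassigned":
            if not clean[asset]:
                findings.append((asset, "reused without verified sanitization"))
            clean[asset] = False    # the new owner's data now lives on the media
        elif kind == "moved":
            if not backed_up[asset]:
                findings.append((asset, "moved without verified backup"))
            backed_up[asset] = False
        elif kind == "exit":
            if not e.get("custodian"):
                findings.append((asset, "left facility with no custodian recorded"))
        elif kind == "destroyed":
            if not e.get("certificate"):
                findings.append((asset, "destroyed without certificate of destruction"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit(EVENTS):
        print(f"{asset}: {finding}")
```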

Evidence required

Media disposal records

Evidence that media containing ePHI is securely disposed of.

  - Certificates of destruction from the media destruction vendor
  - Hard drive wipe logs
  - Disposal policy documentation

Media accountability records

Records tracking media containing ePHI.

  - Hardware asset inventory
  - Removable media tracking log
  - Chain of custody records for media leaving the facility

Related controls