Home HIPAA Controls 164.310(c)
164.310(c) Physical Safeguards

Device and Media Controls

High Risk Moderate Medium

Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

Implementation Guidance

Develop comprehensive device and media control policies including:
• Device and media disposal procedures
• Data sanitization and destruction procedures
• Hardware disposal and recycling procedures
• Media destruction and disposal procedures
• Documentation and certification of disposal
• Regular review and update of disposal procedures

Key components:
- Device disposal procedures
- Media destruction procedures
- Data sanitization methods
- Disposal documentation
- Disposal certification
- Regular procedure review

Required Documentation

• Device and media disposal policies
• Data sanitization and destruction procedures
• Hardware disposal and recycling procedures
• Media destruction and disposal procedures
• Disposal documentation and certification
• Disposal vendor agreements
• Regular review and update procedures

Best Practices

• Develop comprehensive disposal policies
• Use proper data sanitization methods
• Implement secure hardware disposal
• Use certified media destruction
• Document all disposal activities
• Obtain disposal certifications
• Regular review and update of procedures

Common Violations

• Lack of device and media disposal policies
• Inadequate data sanitization procedures
• Insufficient hardware disposal procedures
• Poor media destruction procedures
• Inadequate disposal documentation
• Insufficient disposal certification

Testing Procedures

• Review disposal policies and procedures
• Test data sanitization methods
• Verify hardware disposal procedures
• Test media destruction procedures
• Review disposal documentation
• Verify disposal certifications
• Review policy compliance

Implementation Resources

Download expert-developed templates and checklists to implement this control:

Implementation Checklist
Policy Template

Quick Facts

Control ID 164.310(c)
Category Physical Safeguards
Risk Level High
Difficulty Moderate
Est. Cost Medium
Timeframe 2-4 months
Last Updated Mar 1, 2026
Get Expert Help Free Assessment

Related Controls

Explore other controls in the Physical Safeguards category.

164.310(a)(2) Medium

Workstation Use

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the ...

164.310(b) High

Media Controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, a...

164.310(a)(2)(ii) Medium

Workstation Controls

Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users....

Need Help Implementing This Control?

Our certified HIPAA experts can help you implement this control correctly and efficiently.

Contact Our Experts View All Controls