164.310(c) Physical Safeguards

Device and Media Controls

High Risk Moderate Implementation Medium Cost

Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

Implementation Guidance

Develop comprehensive device and media control policies including:
• Device and media disposal procedures
• Data sanitization and destruction procedures
• Hardware disposal and recycling procedures
• Media destruction and disposal procedures
• Documentation and certification of disposal
• Regular review and update of disposal procedures

Key components:
- Device disposal procedures
- Media destruction procedures
- Data sanitization methods
- Disposal documentation
- Disposal certification
- Regular procedure review

Required Documentation

• Device and media disposal policies
• Data sanitization and destruction procedures
• Hardware disposal and recycling procedures
• Media destruction and disposal procedures
• Disposal documentation and certification
• Disposal vendor agreements
• Regular review and update procedures

Best Practices

• Develop comprehensive disposal policies
• Use proper data sanitization methods
• Implement secure hardware disposal
• Use certified media destruction
• Document all disposal activities
• Obtain disposal certifications
• Regular review and update of procedures

Common Violations

• Lack of device and media disposal policies
• Inadequate data sanitization procedures
• Insufficient hardware disposal procedures
• Poor media destruction procedures
• Inadequate disposal documentation
• Insufficient disposal certification

Testing Procedures

• Review disposal policies and procedures
• Test data sanitization methods
• Verify hardware disposal procedures
• Test media destruction procedures
• Review disposal documentation
• Verify disposal certifications
• Review policy compliance

Audit Considerations

• Device and media disposal policies
• Data sanitization implementation
• Hardware disposal procedures
• Media destruction procedures
• Disposal documentation
• Disposal certifications
• Policy review and updates

NIST Cybersecurity Framework Alignment

This HIPAA control aligns with the following NIST Cybersecurity Framework functions and controls:

Identify (ID)

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.AM-3: Organizational communication and data flows are mapped

Protect (PR)

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited
  • PR.AC-3: Remote access is managed
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected

Detect (DE)

  • DE.AE-1: A baseline of network operations and expected data flows is established
  • DE.CM-1: The network is monitored to detect potential cybersecurity events
  • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

Respond (RS)

  • RS.CO-1: Personnel know their roles and order of operations when a response is needed
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.AN-1: Notifications from detection systems are investigated

Recover (RC)

  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.CO-1: Public relations are managed

Note: This mapping provides a general alignment between HIPAA controls and NIST Framework functions. Specific implementation may vary based on your organization's risk profile and compliance requirements.

Implementation Templates & Checklists

Download our expert-developed templates and checklists to implement this control effectively:

Implementation Checklist

Step-by-step checklist to ensure complete implementation of this control

Download Checklist

Policy Template

Ready-to-customize policy template for this specific control

Download Template

Risk Assessment Form

Comprehensive risk assessment form for this control

Download Form

Training Materials

Staff training materials and awareness resources

Download Materials

Expert Implementation Recommendations

Based on our experience with 500+ healthcare organizations, here are our expert recommendations for implementing this control:

High Priority

Start with Risk Assessment

Conduct a comprehensive risk assessment to identify specific vulnerabilities and threats related to this control. This will help prioritize implementation efforts and allocate resources effectively.

  • Identify all systems and data covered by this control
  • Assess current security measures and gaps
  • Evaluate potential impact of security incidents
  • Document findings and remediation priorities
Medium Priority

Develop Comprehensive Policies

Create detailed policies and procedures that address all aspects of this control. Ensure policies are specific, actionable, and aligned with your organization's risk profile.

  • Define roles and responsibilities clearly
  • Establish approval workflows and escalation procedures
  • Include specific technical requirements and standards
  • Regular review and update schedules
Low Priority

Implement Monitoring and Testing

Establish ongoing monitoring and testing procedures to ensure the control remains effective over time. Regular testing helps identify new vulnerabilities and compliance gaps.

  • Automated monitoring where possible
  • Regular manual testing and validation
  • Incident response procedures
  • Continuous improvement processes

Recommended Implementation Timeline

1

Week 1-2: Assessment & Planning

Conduct risk assessment and develop implementation plan

2

Week 3-4: Policy Development

Create and review policies and procedures

3

Week 5-8: Implementation

Deploy technical controls and train staff

4

Week 9-10: Testing & Validation

Test controls and validate compliance

Related Controls

164.310(a)(1) - Facility Access Controls
164.310(a)(2) - Workstation Use
164.310(b) - Media Controls
164.312(a)(1) - Access Control

Quick Facts

Control ID: 164.310(c)
Category: Physical Safeguards
Subcategory: Media Controls
Risk Level: High
Difficulty: Moderate
Cost: Medium
Timeframe: 2-4 months
Views: 51
Last Updated: Nov 22, 2025

Actions

Get Expert Help Free Assessment

Additional Resources

• NIST SP 800-66 Rev. 2: Device and Media Controls Guidance
• HHS Device and Media Controls Guidance
• Data Sanitization Best Practices
• Hardware Disposal Procedures
• Media Destruction Certification Guide

Related Controls

164.310(a)(1) High

Facility Access Controls

Implement policies and procedures to limit physical access to electronic information systems and the facility or facilit...

164.310(b) High

Media Controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI...

164.310(a)(2)(ii) Medium

Workstation Controls

Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users....