Device and Media Controls
164.310(c)
Physical Safeguards
High Risk
Moderate
Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
Implementation Guidance
Develop comprehensive device and media control policies including:
• Device and media disposal procedures
• Data sanitization and destruction procedures
• Hardware disposal and recycling procedures
• Media destruction and disposal procedures
• Documentation and certification of disposal
• Regular review and update of disposal procedures
Key components:
- Device disposal procedures
- Media destruction procedures
- Data sanitization methods
- Disposal documentation
- Disposal certification
- Regular procedure review
NIST References
NIST SP 800-66 Rev. 2: Section 3.2.4
NIST Cybersecurity Framework: PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-7, PR.DS-8
NIST SP 800-53: MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8
Best Practices
• Develop comprehensive disposal policies
• Use proper data sanitization methods
• Implement secure hardware disposal
• Use certified media destruction
• Document all disposal activities
• Obtain disposal certifications
• Regular review and update of procedures
Testing Procedures
• Review disposal policies and procedures
• Test data sanitization methods
• Verify hardware disposal procedures
• Test media destruction procedures
• Review disposal documentation
• Verify disposal certifications
• Review policy compliance
Frequently Asked Questions
Q: What disposal procedures are required?
A: Disposal procedures should address final disposition of ePHI and hardware/electronic media on which it is stored.
Q: What sanitization methods are acceptable?
A: Sanitization methods should be appropriate to the media type and ensure ePHI is not recoverable.
Q: What documentation is required for disposal?
A: Disposal documentation should include what was disposed of, when, how, and certification of proper disposal.
Control Information
Control ID: 164.310(c)
Category: Physical Safeguards
Subcategory: Media Controls
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: Medium
Implementation Timeframe: 2-4 months
Last Updated: Oct 1, 2025
Additional Resources
• NIST SP 800-66 Rev. 2: Device and Media Controls Guidance
• HHS Device and Media Controls Guidance
• Data Sanitization Best Practices
• Hardware Disposal Procedures
• Media Destruction Certification Guide