Media Controls
164.310(b)
Physical Safeguards
High Risk
Moderate
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
Implementation Guidance
Develop comprehensive media control policies including:
• Media receipt and removal procedures
• Media movement and tracking procedures
• Media sanitization and disposal procedures
• Media inventory and management procedures
• Media security and protection procedures
• Media access control procedures
Key components:
- Media receipt and removal
- Media movement tracking
- Media sanitization
- Media inventory management
- Media security controls
- Media access controls
NIST References
NIST SP 800-66 Rev. 2: Section 3.2.3
NIST Cybersecurity Framework: PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-7, PR.DS-8
NIST SP 800-53: MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8
Best Practices
• Develop comprehensive media control policies
• Implement effective media tracking
• Use proper media sanitization methods
• Maintain accurate media inventory
• Implement strong media security controls
• Control access to media
• Regularly review and update procedures
Testing Procedures
• Review media control policies
• Test media tracking procedures
• Verify media sanitization methods
• Review media inventory management
• Test media security controls
• Verify media access controls
• Review policy compliance
Frequently Asked Questions
Q: What media controls are required?
A: Media controls should govern receipt, removal, movement, and disposal of hardware and electronic media containing ePHI.
Q: How should media be tracked?
A: Media should be tracked through inventory management, movement logs, and access controls.
Q: What sanitization is required for media?
A: Media must be properly sanitized before disposal to ensure ePHI is not accessible.
Control Information
Control ID: 164.310(b)
Category: Physical Safeguards
Subcategory: Media Controls
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: Medium
Implementation Timeframe: 2-4 months
Last Updated: Oct 1, 2025
Additional Resources
• NIST SP 800-66 Rev. 2: Media Controls Guidance
• HHS Media Controls Guidance
• Media Security Best Practices
• Sanitization Procedures Guide
• Media Inventory Management Template