HIPAA §164.310(d) - Device and Media Controls

AUDIT-GRADE EVIDENCE · Follows AICPA SOC 2 / HHS HIPAA / PCI QSA ROC / NIST 800-53A · Report tamper-evident via SHA-256 chain

1. CONTROL IDENTIFICATION

Framework: HIPAA Security Rule
Control ID: §164.310(d)
Control Family: Physical Safeguards > Device & Media
Control Name: Device and Media Controls
Status: IMPLEMENTED
Assessment Date: 2026-04-19T02:25:35.202960+00:00
Assessor: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope: Azure: Pay-As-You-Go (prod) (4f29d094-1079-44c9-acb0-4d73a7a2dd34)
Report ID: a858185e0abe2c7a2f4faf2019cafd63b0f3b07cdf00065233c42b33fbe483c9

2. REGULATORY TEXT

Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.

Source: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

164.310(d)(2)(i) Disposal · REQUIRED · IMPLEMENTED

Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Evidence: #A1, #A2

164.310(d)(2)(ii) Media Re-use · REQUIRED · IMPLEMENTED

Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Evidence: #A1, #A2

164.310(d)(2)(iii) Accountability · ADDRESSABLE · IMPLEMENTED

Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Evidence: #A1, #A2

164.310(d)(2)(iv) Data Backup and Storage · ADDRESSABLE · IMPLEMENTED

Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 Media Disposal Log · 2026-04-19T02:25:35.202960+00:00
12 decommissioned devices in last 90 days. All have signed disposal certificates (NIST 800-88 Purge level).
Records: 12 · Exceptions surfaced: 0 · Sampling: full

#A2 Backup Verification · 2026-04-19T02:25:35.202960+00:00
Azure Backup recovery point integrity verified weekly. 13 of 13 weeks green.
Records: 13 · Exceptions surfaced: 0 · Sampling: full

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Operating - NIST 800-88 disposal compliance · OPERATING · PASS
Sample size: 12 disposals

All 12 had Purge-level sanitization certificates.

6. FINDINGS / EXCEPTIONS

Active findings: 0 · Accepted risks (exceptions): 0 · Total: 0

Exceptions are retained in the report as part of the audit trail.

No findings for this control.

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 0 findings. No open findings for this control period. Next review cycle: quarterly.

8. AUDIT TRAIL

Scanner: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version: v2.0.1
Collection timestamp: 2026-04-19T02:25:35.202960+00:00
Retention: 2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256): a858185e0abe2c7a2f4faf2019cafd63b0f3b07cdf00065233c42b33fbe483c9

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.