Skip to Main Content
Services Talent Knowledge
Site Search

Blog Post

October 15, 2018

OCR Issues Further Guidance on Electronic Media and Devices

The US Department of Health and Human Services’ Office of Civil Rights published its August 2018 cybersecurity newsletter focusing on security considerations in the receipt, removal, and movement of electronic media and devices. These devices include laptops, smartphones, servers, desktops, and tablets as well as electronic storage devices, such as hard drives, USB drives, CDs and DVDs, tapes, and memory cards.

These devices and media are commonly used by many health care organizations to process, transmit, and store sensitive protected health information (PHI). Those who have physical access to these devices and media could potentially change configurations or information, install malicious programs, or access sensitive information––all of which could adversely affect the confidentiality, integrity, or availability of PHI.

The OCR reminded covered entities that they must implement policies and procedures governing the movement of hardware and electronic media containing electronic PHI (ePHI) in and out of an organization’s facility as well as internally to reduce the risk of loss, theft, and potential PHI breaches.

Health care organizations should consider the following questions when developing policies and procedures regarding device and media controls:

  • Is there a record that tracks the location, movement, modifications, repairs, and disposition of devices and media throughout their lifecycles?
  • Does the organization’s record of device and media movement include the individuals responsible for these devices and media?
  • Are workforce members, including management, trained on the proper use, transportation, and handling of devices and media to safeguard ePHI?
  • Are appropriate technical controls, such as access controls, audit controls, and encryption, in use?

HIPAA covered entities and business associates are required to have a security-management process in place that includes conducting a risk analysis and implementing a risk-management process to reduce risks and vulnerabilities. Asset inventory and tracking can help organizations identify, analyze, and manage risks associated with the devices and media used within their environments. Device and media inventory and tracking controls can also help organizations respond to and recover from security incidents and breaches. An organization’s risk analysis and risk-management processes should guide it to identify and implement its approach to appropriate device and media controls.

If you have questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.comor another member of the firm’s Health Care & Human Services Practice Area.


Click here to sign up for alerts, blog posts, and firm news.


Sign up to receive our latest news via email

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas


View our Privacy Policy

Featured Media


NYS Office of Renewable Energy Siting Proposes New Rules Implementing the Major Renewable Energy Development Program


Strict New Criteria for Community Medicaid Program Takes Effect October 1


FERC Formalizes Its Practice That States Have a Full Year to Act on Section 401 Certification Requests for Natural Gas Act Infrastructure Projects


Have You Received an "Urgent Notice" About Your Trademark?


COVID-19: Anticipated RESTAURANTS Act of 2020 Will Establish a $120 Billion Fund for Assistance


Post-ARRA COBRA Litigation May Signal COBRA Lawsuits to Come

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out