Hardware, Media Management, and Data Destruction Policy

Note: Sections labeled [HIPAA] apply when systems/media create, receive, maintain, or transmit ePHI. Otherwise, follow the baseline requirements.

**1.0 Purpose**

Define secure lifecycle requirements for hardware and removable media and the standards for data sanitization/destruction at transfer, reuse, or end‑of‑life. [HIPAA] Ensure alignment with HIPAA Security Rule.

**2.0 Scope**

All company‑owned/managed endpoints, servers, network devices with storage, and removable media (USB, external disks, tapes, optical, mobile) across all sites and cloud environments. [HIPAA] Applies to ePHI‑capable systems/media.

**3.0 Roles and Responsibilities**

- **IT Asset Management**: Inventory, custody tracking, disposition coordination.
- **IT Operations**: Deployment, maintenance, incident handling; execute sanitization/destruction.
- **Security**: Policy oversight, audits, exceptions; [HIPAA] Security/Privacy Officer approvals.
- **Employees**: Proper custody and use of assigned devices and media.

**4.0 Policy Statements**

**4.1 Asset Inventory and Ownership**
- Maintain CMDB inventory with unique IDs, owner, location, configuration, and data classification.
- Track chain of custody for device/media transfers.
[HIPAA] Retain records relevant to ePHI for ≥ 6 years.

**4.2 Procurement and Standard Builds**
- Use approved hardware standards and secure images/baselines.
- Enforce full‑disk encryption (FDE) on supported devices; enable secure boot and TPM.
[HIPAA] Encrypt ePHI at rest/in transit; implement access controls and audit logging.

**4.3 Storage and Physical Security**
- Store spares/returned devices in locked cabinets with access logs; use tamper‑evident seals for data‑bearing items.
[HIPAA] Limit physical access to authorized personnel; maintain access records.

**4.4 Removable Media Controls**
- Restrict media use to business need; disable by default where feasible.
- Encrypt removable media; label with owner/asset ID; prohibit personal media for business data.
- Scan media for malware prior to use.
[HIPAA] Apply minimum necessary standard for ePHI; document approved use cases.

**4.5 Transport and Shipping**
- Use tracked carriers; tamper‑evident packaging; document chain of custody for transfers.
- For high sensitivity, use two‑person control.
[HIPAA] Protect ePHI during transport; ensure BAAs with handlers where applicable.

**4.6 Maintenance and Repair**
- Sanitize/remove drives before third‑party service when feasible; otherwise ensure vendor data protection.
[HIPAA] Execute BAAs with vendors potentially handling ePHI; log custody.

**4.7 Incident Handling**
- For loss/theft, quarantine via MDM/EDR; initiate remote wipe if appropriate; notify Security; document.
[HIPAA] Assess for reportable breach; follow Breach Notification procedures.

**4.8 Return, Decommission, and Disposition**
- Collect devices on offboarding/replacement; reconcile inventory; proceed to sanitization/destruction per Section 4.10.

**4.9 Training and Awareness**
- Provide onboarding and annual refresher training on hardware/media handling.
[HIPAA] Include HIPAA device/media handling modules.

**4.10 Data Sanitization and Destruction**
- Follow NIST SP 800‑88 Rev.1: select Clear, Purge, or Destroy based on media type and reuse.
- Document method, tool/procedure, operator, witness, serials, timestamps.
- Verify results (hash/visual/certificate) and file Certificates of Destruction when applicable.
[HIPAA] Maintain documentation for ≥ 6 years; ensure alignment with 45 CFR §164.310(d) and §164.312(e).

**4.11 Third‑Party Vendors**
- Use vetted vendors; obtain certificates for destruction; ensure contractual safeguards.
[HIPAA] Execute BAAs with vendors that may handle ePHI; require adherence to NIST 800‑88.

**4.12 Compliance and Audit**
- Perform periodic audits of inventory accuracy, custody logs, storage controls, and destruction records; remediate gaps.

**5.0 Exceptions**

Exceptions require documented justification, risk assessment, compensating controls, and Security (and [HIPAA] Security/Privacy Officer) approval.

**6.0 Review**

Review annually or upon significant operational/regulatory changes.