This entry is part 12 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(iii) Accountability (Addressable).  Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Tell Me More:

For the Accountability implementation specification, covered entities and business associates must address how to maintain a record of the movements of hardware and electronic media.

In order to control access to ePHI, it is necessary to consider documenting the location of the information. Toward that end, it is recommended that each covered entity and business associate create an inventory of hardware and electronic media containing ePHI, including mobile devices such as PDAs and cellphones. That inventory should detail the location of and the person responsible for the hardware and electronic media. The inventory should be updated when the location or person changes.

complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Does the organization have an inventory of all hardware and electronic media containing ePHI?
  • Does the inventory indicate the location of and person responsible for the hardware and media?
  • Is the log kept up to date, such that the movements and current locations of the hardware and media are recorded?


Series Navigation<< 164.308(b)(1) Administrative safeguards – Standard: Business associate contracts and other arrangements164.310 Physical safeguards >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.