
Encryption at rest and media disposal controls: what §164.310 actually requires

Physical media disposal is a HIPAA §164.310 obligation — here's how to close the asset-tracking and encryption gaps before a retired hard drive becomes a breach.

Patient Protect Research · June 9, 2026 · First reported in HIPAA Pulse

The control gap

Physical media disposal is a HIPAA Security Rule obligation that most small practices treat as an IT housekeeping task — and that gap is exactly where some of the largest per-record exposures occur. When a hard drive leaves a clinical environment without verified data destruction, every digital security control the practice has invested in becomes irrelevant: firewalls, access management, and audit logging provide zero protection against data read directly off unencrypted physical media. The Hokkaido hospital network incident — in which drives removed from two hospitals were listed on consumer auction platforms, potentially exposing records for up to 510,000 patients and staff — illustrates the pattern at scale. First reported in HIPAA Pulse: https://hipaapulse.com/jp-hokkaido-hospitals-data-leak-may-hit-510k-hdds-sold-online-blamed-708285f5

The HIPAA Security Rule provision in play

45 CFR §164.310(d) — the Device and Media Controls standard — requires covered entities to implement policies and procedures governing the disposal of ePHI and the hardware on which it resides. Subsection §164.310(d)(1) mandates final disposal procedures; §164.310(d)(2)(i) requires media re-use controls; §164.310(d)(2)(iii) requires an accountable data backup and storage record. Separately, §164.312(a)(2)(iv) addresses encryption and decryption as an addressable implementation specification — meaning practices must either encrypt ePHI at rest or document a risk-based rationale for not doing so. The Advocate Medical Group resolution agreement ($5.55M) established that unencrypted portable media combined with inadequate asset inventory constitutes willful neglect under these provisions.

How Patient Protect addresses this

  • Information Systems Inventory maps every workstation, drive, and portable device to a location and lifecycle status — making it operationally difficult for hardware to exit the environment without a recorded disposition.
  • Security Risk Assessment (SRA) includes physical media and device controls as a scored risk domain, prompting practices to evaluate disposal procedures as a compliance obligation rather than an ad-hoc IT decision.
  • Policy Generation produces written media disposal and encryption policies with the documented procedures §164.310 requires — including assignment of responsibility and approved destruction methods.
  • BAA Management / Vendor Risk Scanner structures the third-party disposal relationship: if a hardware vendor handles decommissioned drives, that relationship requires contractual data-destruction obligations analogous to a Business Associate Agreement.
  • Autonomous Compliance Engine recalculates the practice's compliance posture when device inventory or policy documentation falls out of date, surfacing the gap before an OCR audit does.

Practical next steps

  • Audit your hardware register this week. List every workstation, external drive, backup device, and decommissioned machine — confirm each has a recorded current status (active, stored, or destroyed with documentation).
  • Verify encryption is enabled on every active drive. Full-disk encryption renders physical media unreadable without the key; confirm it is deployed at the OS level on all devices holding ePHI.
  • Require a signed destruction certificate from any disposal vendor. The certificate should specify method (overwrite, degaussing, or shredding) and individual drive serial numbers.
  • Add media disposal to your next SRA cycle. Document your disposal procedure as a formal control — incomplete documentation is itself a finding in OCR investigations.
  • Include physical device controls in workforce training. Staff who handle equipment transitions need to know that "retired" hardware is not zero-risk until destruction is confirmed and documented.
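The first three steps above amount to one reconciliation: every drive in the register must have a recognised status, every active or stored drive must show full-disk encryption enabled, and every drive marked destroyed must be covered by a vendor certificate that names its serial and an approved method. The script below is an added example written for this page, not Patient Protect's software, and it generalises the steps slightly by also flagging certified serials the register never tracked. The CSV column names, the status vocabulary, and every sample row are constructed assumptions.

```python
"""Reconcile a hardware register against encryption status and vendor
destruction certificates.  Example code written for this article; all
data below is constructed and the column layout is an assumption."""
import csv
import io
from dataclasses import dataclass

# Status vocabulary assumed for the register: anything else is a finding,
# because an unrecognised status ("retired") hides a drive from disposal tracking.
VALID_STATUSES = {"active", "stored", "destroyed"}
# Destruction methods the article names as acceptable on a certificate.
VALID_METHODS = {"overwrite", "degaussing", "shredding"}

# Constructed hardware register: one row per drive or device.
REGISTER_CSV = """asset_id,serial,location,status,fde_enabled
WS-01,SN-1001,Exam room 1,active,yes
WS-02,SN-1002,Front desk,active,no
EXT-01,SN-2001,Locked cabinet,stored,yes
WS-03,SN-1003,Decommissioned,destroyed,yes
BK-01,SN-3001,Decommissioned,destroyed,no
LT-01,SN-4001,Clinician laptop,retired,yes
"""

# Constructed vendor destruction certificate: serials the vendor certifies destroyed.
CERTIFICATE_CSV = """serial,method,certificate_id
SN-1003,shredding,CERT-0001
SN-9999,degaussing,CERT-0001
"""


@dataclass(frozen=True)
class Finding:
    asset_id: str
    serial: str
    issue: str


def load_register(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def load_certificate(text: str) -> dict[str, dict]:
    """Index certificate rows by drive serial number."""
    return {row["serial"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(register_rows: list[dict], certified: dict[str, dict]) -> list[Finding]:
    """Return every gap that would be a finding in a media-disposal review."""
    findings = []
    seen_serials = set()
    for row in register_rows:
        asset_id = row["asset_id"].strip()
        serial = row["serial"].strip()
        status = row["status"].strip().lower()
        seen_serials.add(serial)

        if status not in VALID_STATUSES:
            findings.append(Finding(asset_id, serial, f"unrecognised status '{row['status']}'"))
            continue

        # Stored media still hold ePHI, so they are held to the same encryption bar as active drives.
        if status in ("active", "stored") and row["fde_enabled"].strip().lower() != "yes":
            findings.append(Finding(asset_id, serial, "full-disk encryption not enabled"))

        if status == "destroyed":
            cert = certified.get(serial)
            if cert is None:
                findings.append(Finding(asset_id, serial,
                                        "marked destroyed but no destruction certificate lists this serial"))
            elif cert["method"].strip().lower() not in VALID_METHODS:
                findings.append(Finding(asset_id, serial,
                                        f"certificate method '{cert['method']}' not an approved method"))

    # A certified serial the register never tracked means the inventory itself is incomplete.
    for serial in certified:
        if serial not in seen_serials:
            findings.append(Finding("(unregistered)", serial,
                                    "certified destroyed but absent from hardware register"))
    return findings


if __name__ == "__main__":
    for f in reconcile(load_register(REGISTER_CSV), load_certificate(CERTIFICATE_CSV)):
        print(f"{f.asset_id:14} {f.serial:10} {f.issue}")
```

The `fde_enabled` column is whatever your device checks report; on Windows that is the `ProtectionStatus` from `Get-BitLockerVolume`, on macOS the output of `fdesetup status`, and on Linux whether the data volume appears with type `crypt` in `lsblk`. Keep the register and the certificates as dated files so the reconciliation output can be attached to the SRA cycle as evidence that the control was actually exercised.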

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article. First reported in HIPAA Pulse: https://hipaapulse.com/jp-hokkaido-hospitals-data-leak-may-hit-510k-hdds-sold-online-blamed-708285f5