HIPAA Workstation and Device Controls
Why HIPAA workstation and device controls matter
The HIPAA Security Rule dedicates three separate standards to the endpoints where workforce members interact with ePHI. §164.310(b) covers workstation use, §164.310(c) covers workstation security, and §164.310(d) covers device and media controls. Together they establish the expectations for every laptop, phone, kiosk, thumb drive, and backup tape that ever touches protected health information.
These standards have aged well because the regulators wrote them in technology-neutral language. Workstations in 1998 were beige towers bolted to desks. Workstations in 2026 are MacBooks in a coffee shop, iPads in a clinical bag, and shared kiosks at a reception desk. The requirements still apply — and the threats they address (lost devices, shared screens, improperly disposed media) have survived every hardware generation.
For the broader physical safeguards context, see the HIPAA Security Rule guide and the HIPAA hub page. For the facility-level perimeter, see facility access controls.
Workstation use — §164.310(b)
The workstation use standard requires covered entities and business associates to "implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."
In practice, the workstation use policy answers three questions.
- What functions are allowed on each workstation class? A developer laptop can write code and access test data. A clinical terminal can enter orders and view records. A personal phone enrolled in MDM can receive email notifications. Mixing functions expands risk — draw the lines intentionally.
- How must those functions be performed? Specific expectations for screen positioning, privacy screens, locked rooms, approved Wi-Fi networks, and acceptable software. This is where the policy translates into daily workforce habits.
- What surroundings are acceptable? Public spaces, shared living spaces, airports, and client sites each carry different risks. The policy should call out the surroundings where PHI work is prohibited outright.
Different workstation classes warrant different expectations. Publish a short matrix so workforce members can find their class without reading the full policy.
Workstation security — §164.310(c)
The workstation security standard requires "physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." Unlike device and media controls, this standard has no implementation specifications beneath it, so there is nothing to mark addressable: the entire requirement is mandatory.
Workstation security covers the physical controls that prevent an unauthorized person from interacting with an ePHI-capable workstation. In shared environments, that might mean cable locks, locked rooms, or privacy screens. For mobile devices, where the organization cannot control the surroundings, the practical substitutes are device-level authentication, automatic screen lock, and remote wipe capability. For fixed clinical terminals, it means positioning screens out of patient and visitor view.
A useful test: could a visitor, a janitorial contractor, or another workforce member without authorized access reach the workstation, unlock it, and view ePHI during a normal day? If the answer is yes, the control needs work.
Device and media controls — §164.310(d)
The device and media controls standard governs "the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility." Four implementation specifications sit underneath it — two required, two addressable.
Disposal — required — §164.310(d)(2)(i)
Disposal requires policies and procedures to address the final disposition of ePHI and the hardware or media on which it is stored. NIST Special Publication 800-88 Rev. 1 (Guidelines for Media Sanitization) is the reference most programs rely on. It distinguishes three levels of sanitization.
- Clear — logical techniques that overwrite data, suitable for media being reused in the same protection environment.
- Purge — physical or logical techniques that render data recovery infeasible with state-of-the-art laboratory techniques, suitable for media leaving the organization's control.
- Destroy — physical destruction (shredding, incineration, melting) so that media cannot be reused at all.
Select the level based on media type and confidentiality risk, and verify the result rather than assuming the tool worked. Overwriting is a Clear technique; on SSDs and other flash media it does not reliably reach spare, remapped, or over-provisioned blocks, so Purge there means the drive's built-in sanitize or cryptographic erase command, not a multi-pass overwrite. Retain certificates of destruction from third-party disposal vendors. A common audit finding in this area is a missing certificate, not a failed sanitization technique.
Media re-use — required — §164.310(d)(2)(ii)
Media re-use requires removal of ePHI from electronic media before the media are made available for re-use. This is the sanitization step for devices that stay inside the organization — a laptop reassigned from one workforce member to another, a tablet moved between clinical roles, a backup drive repurposed for a test environment. Document the sanitization method, date, and responsible owner.
Accountability — addressable — §164.310(d)(2)(iii)
Accountability requires records of the movements of hardware and electronic media and the person responsible. Modern MDM and endpoint inventory tools handle most of this automatically for corporate devices. Gaps typically appear at the edges: portable backup drives, shipped development hardware, and devices loaned to contractors.
Data backup and storage — addressable — §164.310(d)(2)(iv)
Data backup and storage requires creating a retrievable, exact copy of ePHI, when needed, before equipment is moved. This overlaps with the data backup plan specification under the contingency plan in the administrative safeguards; most programs satisfy both with the same backup infrastructure.
Building a modern endpoint program
A defensible workstation and device program for a 2026 workforce includes six layers.
- Inventory. Every device that could handle ePHI is enrolled and tracked. Unmanaged devices are either blocked or registered under a clear exception process.
- Configuration baseline. Full-disk encryption, screen lock, MFA, automatic patching, approved software, and logging. Enforce through MDM.
- Access controls. Unique user identification, conditional access based on device posture, and role-based application access tied back to the Security Rule's access control standard.
- Monitoring. Endpoint detection, audit log collection, and alerting for anomalous behavior. Monitoring is also how you satisfy the audit controls standard in the Security Rule.
- Lifecycle management. Structured onboarding issues devices in a known-good state; structured offboarding recovers, sanitizes, and retires them with a documented trail.
- Incident response integration. Lost, stolen, or compromised devices trigger a defined runbook that ties back to your Breach Notification Rule procedures.
For healthcare environments with a wide range of device types — infusion pumps, imaging workstations, clinical tablets, workstation-on-wheels — add a medical device security program that addresses the specific risks of devices the IT organization may not fully control.
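The inventory, baseline, and lifecycle layers above only pay off if something actually compares what the MDM reports against the policy. The following is an added example, not code from this page or from any vendor product: it evaluates a small constructed device inventory against an assumed baseline (the record fields, the thresholds, and the HR offboarding feed are all assumptions; map them to your own MDM export) and flags unmanaged devices, configuration drift, stale check-ins, and devices still held by offboarded workforce members.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Baseline thresholds are assumptions for this example; take yours from the
# workstation use policy and the MDM that enforces it.
@dataclass(frozen=True)
class Baseline:
    max_screen_lock_minutes: int = 15
    min_os_version: tuple = (14, 0)
    max_checkin_age_days: int = 7
    required_agents: frozenset = frozenset({"edr", "log-forwarder"})


BASELINE = Baseline()


def parse_version(text: str) -> tuple:
    """'14.2.1' -> (14, 2, 1). Compare as tuples, not strings, so 9.x < 14.x."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(dev: dict, offboarded: set, now: datetime,
                    baseline: Baseline = BASELINE) -> list:
    """Return the baseline gaps for one inventory record (empty list = compliant)."""
    findings = []
    if dev["owner"] in offboarded:
        # Lifecycle gap: offboarding did not recover the device.
        findings.append("held by offboarded workforce member")
    if not dev.get("mdm_enrolled", False):
        # Nothing else in the record is enforced, so report only this and stop.
        findings.append("not enrolled in MDM (unmanaged)")
        return findings
    if not dev.get("fde", False):
        findings.append("full-disk encryption not enabled")
    lock = dev.get("screen_lock_minutes")
    if lock is None or lock > baseline.max_screen_lock_minutes:
        findings.append(f"screen lock exceeds {baseline.max_screen_lock_minutes} min")
    if parse_version(dev["os_version"]) < baseline.min_os_version:
        findings.append(f"OS {dev['os_version']} below minimum")
    missing = baseline.required_agents - set(dev.get("agents", ()))
    if missing:
        findings.append("missing agents: " + ", ".join(sorted(missing)))
    age = now - datetime.fromisoformat(dev["last_checkin"])
    if age > timedelta(days=baseline.max_checkin_age_days):
        # A device that stopped reporting may be lost, stolen, or sitting in a closet.
        findings.append(f"no MDM check-in for {age.days} days")
    return findings


def evaluate_inventory(inventory: list, offboarded: set, now: datetime,
                       baseline: Baseline = BASELINE) -> dict:
    """Map device_id -> findings for every device with at least one gap."""
    report = {}
    for dev in inventory:
        findings = evaluate_device(dev, offboarded, now, baseline)
        if findings:
            report[dev["device_id"]] = findings
    return report


# Constructed sample records; the shape is an assumption, not a real MDM export.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"device_id": "LT-001", "owner": "alice", "mdm_enrolled": True, "fde": True,
     "screen_lock_minutes": 10, "os_version": "14.2.1",
     "agents": ["edr", "log-forwarder"], "last_checkin": "2026-02-28T09:00:00+00:00"},
    {"device_id": "LT-002", "owner": "bob", "mdm_enrolled": True, "fde": False,
     "screen_lock_minutes": 60, "os_version": "14.0.0",
     "agents": ["edr", "log-forwarder"], "last_checkin": "2026-02-27T17:30:00+00:00"},
    # Personal phone that reads work email but was never enrolled.
    {"device_id": "PH-003", "owner": "carol", "mdm_enrolled": False,
     "last_checkin": "2026-02-28T12:00:00+00:00"},
    # Laptop never recovered at offboarding; also drifted from baseline.
    {"device_id": "LT-004", "owner": "dave", "mdm_enrolled": True, "fde": True,
     "screen_lock_minutes": 15, "os_version": "13.6.0",
     "agents": ["edr"], "last_checkin": "2026-01-20T08:00:00+00:00"},
]
OFFBOARDED = {"dave"}  # constructed HR event feed


if __name__ == "__main__":
    for device_id, findings in evaluate_inventory(INVENTORY, OFFBOARDED, NOW).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

The unmanaged-device branch stops early on purpose: an unenrolled phone can report any attributes it likes, so the only trustworthy finding is that it is unenrolled. The offboarding cross-check runs before the enrollment check so that a departed user's device is flagged whether or not it is still managed.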
How this fits into your HIPAA program
Workstation and device controls live at the intersection of physical and technical safeguards. They pair with facility access controls to define the outer perimeter. They pair with the Security Rule's access control, audit controls, and encryption standards on the technical side. They pair with workforce training because workstation expectations only operate if the people at the keyboard know them. And they pair with the sanctions policy, because a workforce member who ignores workstation policy must face consistent consequences.
Common pitfalls
- Personal devices in the gray zone. Workforce members use personal phones to read ePHI-laden email "sometimes," but no MDM enrollment and no formal policy ever gets written. Every lost phone becomes a potential breach.
- Disposal without certificates. Devices leave the organization through informal channels — an IT manager's car trunk on the way to a recycler — without signed certificates of destruction.
- Shared clinical terminals with generic logins. Audit logs cannot attribute actions to individual workforce members, collapsing the Security Rule's unique user identification requirement.
- Unencrypted backup media. Production systems are encrypted, but offline backups on portable drives are not. A lost unencrypted drive is a presumptive breach; the same drive encrypted in line with the HHS guidance on securing PHI would not be reportable.
- Old hardware in closets. Retired devices accumulate in storage, some still containing ePHI, none on the inventory, none scheduled for disposal.
- Home office blind spot. Workforce members print ePHI at home "occasionally," and there is no guidance on storage or disposal. Printed PHI falls under the Privacy Rule regardless of whether anyone thinks about the print job.
- No deprovisioning tie-in. Device recovery at offboarding is a manual checklist that managers sometimes complete, so retired workforce members occasionally retain a company laptop with ePHI access for weeks.
How episki helps
episki connects device inventory, MDM posture, and disposal records into the HIPAA evidence locker that auditors and customers review. Workstation use policies, encryption attestations, certificates of destruction, and lost-device runbooks live alongside the §164.310(b), (c), and (d) controls they satisfy. Offboarding checklists tie into the HR event so device recovery and access revocation run on the same timeline. Workforce members see the policy that applies to their device class, and you see the gaps before an auditor does.
See the full HIPAA platform overview or start a free trial from the top of the hub page.