Q&A: Laptop encryption

April 19, 2018
Medicare Web

Q. Do laptops need to be encrypted if there is no PHI stored on them? Employees do use them to access PHI, but the PHI is stored remotely. We have a policy that states that employees are not allowed to save PHI to laptops.

A. If no PHI is stored on laptops, they don’t need to be encrypted to comply with HIPAA. On the other hand, encryption protects other sensitive information that may be stored on the laptops, such as accounting records, trade secrets, intellectual property, and personally identifiable information.

Adopting a policy prohibiting the storage of PHI on laptops only goes partway to securing PHI. It’s a good idea to either periodically scan the laptops for PHI or inspect the laptops to make sure no PHI is stored on the devices. It can be surprising to CEs and BAs what is actually being stored on hard drives. For example, I once conducted a risk analysis for a large practice, and the practice’s security officer insisted no PHI was stored on workstations—but when a scan of the devices was conducted, 75% of the workstations were found to have PHI. Policies are necessary, and so are enforcement mechanisms.
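The periodic scan for PHI that the answer recommends can be automated. The following is an added example written for this page, not code from the article or from Medicare Web. Its detection patterns (US Social Security numbers checked against the SSA's structural rules, a date labelled "DOB", and an assumed "MRN-" record-number format) and the sample files it builds are assumptions chosen for illustration; a real deployment would use the identifier formats of the organization's own systems.

```python
"""Endpoint PHI discovery scan (added example, not from the article).

Walks a directory tree, reads text-like files and reports lines carrying
identifiers HIPAA treats as PHI. The three patterns are assumptions for
illustration: SSNs (filtered by the SSA's structural rules so part and
ticket numbers don't count), a date labelled DOB, and a hypothetical
record-number format "MRN-" followed by 6-8 digits.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\bDOB\b[:\s]*(\d{1,2}/\d{1,2}/\d{4})", re.IGNORECASE)
MRN_RE = re.compile(r"\bMRN-\d{6,8}\b")  # assumed format; real MRNs vary by site

MAX_BYTES = 5 * 1024 * 1024            # per-file cap, as most DLP agents apply
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    sample: str  # masked, so the scan report does not itself become PHI


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject strings with SSN shape that the SSA would never issue."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four characters, as on a redacted statement."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every pattern to every line; one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding(path, line_no, "SSN", mask(m.group(0))))
        for m in DOB_RE.finditer(line):
            findings.append(Finding(path, line_no, "DOB", mask(m.group(1))))
        for m in MRN_RE.finditer(line):
            findings.append(Finding(path, line_no, "MRN", mask(m.group(0))))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Read one file; skip oversized and binary files rather than mis-scan them."""
    if os.path.getsize(path) > MAX_BYTES:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    if b"\x00" in data:          # NUL byte: treat as binary, not text
        return []
    return scan_text(path, data.decode("utf-8", errors="replace"))


def scan_tree(root: str) -> list[Finding]:
    """Walk root in a deterministic order, pruning non-document directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per identifier type for the compliance report."""
    return dict(Counter(f.kind for f in findings))


def build_sample_tree() -> str:
    """Create a constructed (fake) laptop home directory for a demo run."""
    root = tempfile.mkdtemp(prefix="phi-scan-demo-")
    samples = {
        # Exported chart note that policy says should never be saved locally.
        "Documents/patient_export.txt": (
            "Name: Jane Doe (constructed sample)\nDOB: 03/14/1972\n"
            "SSN: 123-45-6789\nMRN-0045812\n"),
        # SSN-shaped numbers that fail the SSA rules: no findings expected.
        "Documents/orders.txt": (
            "Order 000-12-3456 shipped; part 666-00-0000 backordered\n"
            "Ticket 123-45-0000 closed\n"),
        # Pruned directory and a binary file: both skipped.
        ".git/config": "backup 123-45-6789\n",
        "image.bin": "\x00\x01 123-45-6789",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits = scan_tree(demo_root)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.sample}")
    print(summarize(hits))
```

Run as-is, the script builds the constructed sample tree, reports the three hits in patient_export.txt and nothing from the order file, the pruned .git directory or the binary file. The masking matters in practice: a scan report listing full SSNs is itself a file full of PHI on the laptop you were trying to clear.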

Related Topics: 
Ask the Expert, HIM/HIPAA