
Q&A: You've got questions! We've got answers!

Physician Practice Insider, September 20, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: I work for a facility that uses password-protected laptops that are connected to a server. No PHI is stored on the laptops, and we are not allowed to remove them from the facility. Do the laptop hard drives need to be encrypted?

A: If the laptop hard drives are not used to store PHI and there are mechanisms in place to prevent PHI from being stored on the laptops, encryption is not a requirement. Staff can't simply be forbidden from storing PHI on the laptops; there must be security measures in place that prevent staff from downloading PHI to store on the hard drive, inserting a USB drive that may store PHI and transferring it to the hard drive, or copying PHI from, for example, an EHR and storing the PHI on the hard drive. Keep in mind that if other sensitive information such as employee files or company intellectual property is stored on the hard drives, it is a good idea to encrypt the hard drives to protect the organization. Also, removing the laptops from facilities may be prohibited, but that won't stop a thief from stealing the laptops. If there's a possibility that PHI or other sensitive data may be stored on the hard drives of the laptops, it's wise to encrypt the laptops.
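The answer turns on two things a facility can actually verify on each laptop: whether the disk is encrypted, and whether technical controls (not just policy) stop removable media from being used to move PHI onto it. The following audit script is an added example, not part of the Q&A or written by its author. It assumes Windows laptops with the BitLocker PowerShell module available and is run from an elevated prompt; the function name `Get-LaptopPhiControlStatus` is hypothetical.

```powershell
# Added example (not from the Q&A). Audits one Windows laptop for the controls the
# answer describes: full-disk encryption and a technical block on removable storage.
# Assumes Windows 10/11 with the BitLocker module; run as Administrator.
function Get-LaptopPhiControlStatus {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Full-disk encryption: BitLocker on the OS volume. ProtectionStatus 'On' means the
    #    key protectors are active, not merely that the volume was encrypted and then suspended.
    $osDrive = $env:SystemDrive
    $encrypted = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
        $encrypted = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    } catch {
        $findings += "BitLocker status for $osDrive could not be read: $($_.Exception.Message)"
    }
    if (-not $encrypted) { $findings += "OS volume $osDrive is not fully encrypted with active protection" }

    # 2. USB mass storage driver disabled: USBSTOR Start = 4 means the driver never loads,
    #    so a USB stick cannot be mounted to copy PHI on or off the laptop.
    $usbStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                 -Name Start -ErrorAction SilentlyContinue).Start
    $usbDisabled = ($usbStart -eq 4)

    # 3. Group Policy "Removable Disks: Deny write access". The GUID is the Windows device
    #    setup class for disk drives that this policy keys on.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyWrite = (Get-ItemProperty -Path $policyPath -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $removableWriteDenied = ($denyWrite -eq 1)

    if (-not ($usbDisabled -or $removableWriteDenied)) {
        $findings += 'Removable storage is not technically blocked; a written policy alone does not satisfy the answer'
    }

    # The answer's rule: an unencrypted disk is defensible only when PHI cannot land on it.
    if (-not $encrypted -and -not ($usbDisabled -or $removableWriteDenied)) {
        $findings += 'Unencrypted disk with no removable-media block: encryption is the practical remedy'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OsDriveEncrypted     = $encrypted
        UsbStorageDisabled   = $usbDisabled
        RemovableWriteDenied = $removableWriteDenied
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Usage: run on each laptop, or wrap in Invoke-Command for a fleet, and review Findings.
Get-LaptopPhiControlStatus | Format-List
```

This checks only what is observable on the laptop itself. The other mechanisms the answer calls for, blocking downloads and copy-out from the EHR, live in the EHR, proxy or DLP configuration and have to be verified there; a laptop that passes this script but lets a user save an EHR export to its desktop still falls on the "encrypt it" side of the answer.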

Editor’s note: Chris Apgar, CISSP, president of Apgar and Associates, LLC, answered this question for Briefings on HIPAA. This information does not constitute legal advice. Email your questions to Associate Editor Nicole Votta at
