This is a common response when I ask if a practice has encrypted their laptops.
Horizon BCBS is a glaring example of why this does not matter.
Horizon had some laptops that were just password protected, not encrypted.
NOTE: password protection is simple to break – generally can be done in under 5 minutes, whereas encryption is entirely different.
They felt that since these laptops did not normally leave the office AND they were secured to the work area with a cable lock… there was no reason to encrypt them.
That thinking has now been proven wrong and Horizon is paying for it in multiple ways.
Remember: the idea here is to reduce risk.
You may have very practical reasons for not encrypting a computer, but encryption is one of the absolute easiest ways to gain safe harbor if there is an issue.
Something else to be aware of – being on the cloud does not guarantee your computer is clean of PHI. If you are on a cloud version of an EHR, before you assume your computers are “clean”, get a written statement from your EHR vendor that ZERO PHI is on your computer(s).