This is a common response when I ask if a practice has encrypted their laptops.
Horizon BCBS is a glaring example of why this does not matter.
Horizon had some laptops that were just password protected, not encrypted.
NOTE: password protection is simple to break – generally can be done in under 5 minutes, whereas encryption is entirely different.
They felt that since these laptops did not normally leave the office AND they were secured to the work area with a cable lock…
there was no reason to encrypt them.
That thinking has now been proven wrong and Horizon is paying for it in multiple ways.
Remember: the idea here is to reduce risk.
You may have very practical reasons for not encrypting a computer, but encryption is one of the absolutely easiest ways to gain safe harbor of there is an issue.
Something else to be aware of – being on the cloud does not guarantee your computer is clean of PHI.IF you are on a cloud version of an EHR, before you assume your computers are “clean”, get a written statement from your EHR vendor that ZERO PHI is on your computer(s).
Want to join the discussion?
Feel free to contribute!