There is a common (wrong) belief out there that when something is password protected, it is therefore encrypted.
This is totally wrong.
The recent “loss” of a laptop by BP that contained the personal data of 13,000 people brought this misconception back to light.
Briefly: this lost BP laptop was password protected, but not encrypted. On this lost laptop was a spreadsheet containing personal data on about 13,000 claimants.
Nope, this isn’t a HIPAA issue as it pertains to BP, but HIPAA is all about privacy, and this is an excellent example of how NOT to handle peoples private data.
Passwords only restrict access to data. Passwords can by bypassed quite easily.
Encryption scrambles the data on a hard drive. Even if the data is accessed, if the de-cryption key is not available, that data can not be read.
If your office puts ePHI on any portable storage device: laptop, external hard drive, USB “thumb” drive, etc, then that device needs to be encrypted.
Make sure you are not in the embarrassing headlines for this kind of ignorance and encrypt your hard drive.