Part of a self assessment and policy is understanding what makes sense.
This NPR article notes some instances of poor risk management.
Any business in the medical industry needs to fully understand the risk in loading a laptop (or other mobile device) with PHI.
Quite frankly, I can’t come up with a single reason a medical practice would need to remove any PHI from an office on a laptop or hard drive (short of an office move). If you are having an employee take an external hard drive home as part of your off site backup, you have a serious problem.
The thought process for removing PHI from an office should be addressed in your company computer policy.
Any medical business that regularly removed PHI from the office on electronic media must ensure that data is encrypted, so if it is lost or stolen, none of it can be accessed.