In a word, yes. HIPAA section 164.308 requires covered entities to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
Is it reasonable to have employees potentially leaving unencrypted laptops, with private data on them, in the back seats of taxi cabs? Of course not! The scenario of stolen, unencrypted laptops has played out far too many times, as you can see below.
So why do so many healthcare facilities still choose not to encrypt laptops and other devices with full disk encryption? When we hear this objection, it is typically because the organization points to section 164.312 of the HIPAA Security Rule, which labels encryption as “addressable”.
The misunderstanding is that “addressable” means “I don’t have to do it”. In fact, addressable means that if there is a risk to protected health data, then you need to address it. Running around with unencrypted laptops and mobile devices is risky behavior, and behavior that can lead to six- and seven-figure fines and huge reputation costs.

The other concern might be time and cost. There is a false belief that implementing whole disk encryption throughout an organization is (1) time-intensive and (2) costly. Neither of these is true. The cost of whole disk encryption for a single laptop is as low as a few bucks per device per month, which is obviously far less than the cost of fines and the reputation loss. Whole disk encryption protects healthcare companies by ensuring that even if a device is stolen, the data on the hard drive will be useless and unreadable to the thief.