Written by: Daniel Haurey on 09/28/18

In a word, yes.  HIPAA section 164.308 requires covered entities to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Is it reasonable to have employees’ potentially leaving unencrypted laptops in the back seats of taxi cabs with private data on them?  Of course not!  The scenario of stolen, unencrypted laptops has played out far too many times as you can see below.

  • Horizon Blue Cross Blue Shield paid $1.1 million when two unencrypted laptops were stolen from their Newark, NJ headquarters.
  • Concentra Health Services unit of Humana Inc. agreed to pay $1.7 million after an unencrypted laptop was stolen from one of its facilities.
  • QCA Health Plan Inc. paid $250,000 to settle HIPAA violations when an unencrypted laptop containing information on 148 individuals was stolen.
  • HHS’s Office for Civil Rights has said, “Our message to these organizations is simple: encryption is your best defense against these incidents.”

So why do so many healthcare facilities still choose not to encrypt laptops and other devices with full disk encryption?  When we see this objection, it is typically because the organization points to section 164.312 of the HIPAA Security rule that labels encryption as “addressable”.

The misunderstanding is that “addressable” means “I don’t have to do it”.  In fact, addressable means if there’s a risk to protected health data, then you need to address it.  Running around with unencrypted laptops and mobile devices is risky behavior and behavior that can lead to 6 and 7 digit fines and huge reputation costs.  The other concern might be time and cost.  There is a false belief that implementing whole disk encryption throughout an organization is (1) time-intensive, and (2) costly.  Neither of these is true.  The cost of whole disk encryption for a single laptop is as low as a few bucks per device per month.  This is obviously far less than the cost of fines and the reputation loss.  Whole disk encryption protects healthcare companies by ensuring that even if a device is stolen, the data on the hard drive will be useless and unreadable to the thief.