Chapter 2 · §164.310(d) / §164.312(a)(2)(iv)

Your Devices

Encryption is the one setting that turns a lost laptop from a breach into a paperweight. Same stolen device, completely different day. Every modern operating system has it built in, usually one toggle away.

Why this chapter exists, in plain English

Picture this: you’re at a coffee shop between sessions, your laptop is on the table, and you step away for thirty seconds to grab a refill. When you come back, it’s gone. For most people, that’s a lost laptop. For a healthcare provider, it’s potentially a reportable breach — because somewhere on that disk is a cached email, a downloaded insurance form, a scheduling note. That’s ePHI, and under HIPAA you are responsible for it whether you put it there on purpose or not.

Encryption is HIPAA’s answer to that risk. The Security Rule lists it as a technical safeguard under §164.312(a)(2)(iv). The rule marks it “addressable,” which sounds optional but isn’t — it means you do it unless you can document a very good reason not to. For a laptop or phone that could walk out the door, there isn’t one. This is widely considered an industry-standard baseline.

Encryption is also the single biggest physical-safeguard win you can get. Locked cabinets and privacy screens matter, but nothing else turns a stolen device into a non-event the way full-disk encryption does. The good news: it is built in and usually one toggle away, as FileVault on macOS, BitLocker (or Device encryption) on Windows, and automatic encryption on iOS and Android when you set a passcode.

01

Setup

Which of these do you use for anything work-related? Pick every one.

You can change this list at any time — adding a new device just adds another configure block below.
