Should you encrypt electronic Protected Health Information (ePHI)? Ask Leon Rodriguez, Director of the Office for Civil Rights, whose department is responsible for HIPAA audits:
"Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, the penalty would have been avoided if the data was encrypted."
Question: Does HIPAA require ePHI encryption?
The HIPAA Security Rule doesn’t explicitly require encryption of data at rest, or even of data in transmission. However, this doesn’t mean what many people think it means, and that misunderstanding is getting a lot of people in trouble (literally).
HIPAA requirements are broken down into two categories: Required (must be implemented) and Addressable (may be implemented).
So, since the encryption rule is addressable, you have three choices:
Implement encryption; if that encryption follows the specific government standards referred to as the Safe Harbor, you don't even have to report a breach of the encrypted data, or
Implement one or more alternative security measures to accomplish the same purpose, or
Don't implement either an addressable implementation specification or an alternative.
If you stop reading here, you may think you can simply choose not to encrypt and move on, until the rest of the rule is considered, which basically says that you don’t “have to” encrypt, but if you choose not to, you’d better be prepared to demonstrate, in writing, why you believe that choice is reasonable. Then, in the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you. If they don't agree, you may be fined.
If you choose to do nothing, and you are audited, you may be subjected to a large fine.
Datran can add an Encryption Module to our Virtual Desktop to meet the needs of any size practice or business. The encryption process is very simple, and amounts to a single right mouse-click to encrypt or decrypt a file or folder.