Under the Security Rule, encryption is required if it is reasonable and appropriate to protect patient information. If you decide not to encrypt, you must document your decision and the reasoning behind it. Appropriate encryption can also help prevent a reportable data breach. Therefore, appropriate encryption for your practice’s computer hardware, handhelds, mobile devices, and removable media is strongly recommended. Encryption should be included in a dental practice’s periodic risk analysis to evaluate the risk of unauthorized access to Electronic Protected Health Information (ePHI) (for example, as a result of loss or theft of a laptop or other device).