Do any HIPAA provisions specify requirements that protect traveling information?

Q: One of our healthcare professionals carries patient information in his vehicle during his daily travel between multiple physician offices, our practice's administrative office, and his home office. This includes patient information stored on his laptop computer. Do any HIPAA provisions specify requirements that protect this traveling information? What are your suggestions for adequate protection of patient information on laptop computers?

A: HIPAA does not specifically address transportation of PHI. However, the physical safeguards provisions of the HIPAA security rule require covered entities to protect any portable media or devices, whether permanently stationed or in transit. The HIPAA privacy rule also requires covered entities to implement physical safeguards to protect all forms of PHI, including any paper charts transported between offices.

Secure Remote Access and PHI Transmission: Best Practices

CMS has published specific guidelines pertaining to remote access. Remote login to applications and networks was their original focus, but the guidelines now also address transport of data. (Visit CMS’ Web site at

to read the guidelines.) CMS has stated publicly that remote access guidelines will be among the criteria used during security rule audits.


When transporting PHI between facilities, lock any hardware, media, and paper documents containing PHI in a secure location in the vehicle (e.g., the trunk).Never leave PHI in plain sight—especially if stored on a laptop computer. Lock or otherwise secure boxes and folders containing paper charts and ensure that they are not visible to reduce the likelihood of theft.


Ensure that your healthcare professional follows appropriate security practices when using the laptop computer or media containing PHI at all locations. Each location represents another environment where security safeguards are necessary.


Home is often the least secure place to store patient information, unless special care is taken to store and lock the PHI when not in use. Your healthcare professional should access PHI only in areas where no individuals not privy to the information are present.

More Relevant Questions

What Are The Entities That Transport PHI

Entities transporting PHI (Protected Health Information) include healthcare providers, health plans, healthcare clearinghouses, business associates, and any other parties involved in the transmission or handling of patient health information.

Does All Protected Health Information Stored On a Computer Need To Be Encrypted

Encrypt all stored Protected Health Information on computers to ensure compliance with HIPAA regulations and safeguard patient data from unauthorized access.

Have questions? I’m here to help.

This field is for validation purposes and should be left unchanged.