In 2013 I reviewed the AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL and concluded that I needed to have all Protected Health Information (PHI) on my office network encrypted in order to be compliant with HIPAA. After discussing the matter with some people at Crystal, I decided that instead of encrypting all the information on my computers, I would keep all PHI within the CPM database. I do this by storing all documents with PHI as files attached to specific patients. For example, I do limited insurance billing, and receive a small number of paper EOB's from AETNA. I scan those EOB's into the Files section under the patient tab of a patient called AETNA EOB . I have been diligent about removing all pdf files, images, etc. that have PHI from my computers and storing that information within the Crystal PM Database. Until recently, I have been very comfortable with my decision. Then, just the other day I found a pdf file in the folder C:\Program Files (x86)\CrystalPM\temp that was not encrypted. It was placed there by accident when I opened a pdf file within Crystal and inadvertently selected "Save as". I cancelled the operation before I intentionally saved the file, but it had already been saved in the temp file. This has given me second thoughts about the security of my PHI. Should I encrypt all the data on my network? Is it practical to do that? Do you encrypt your data?