A few points:
1. Encrypting the server drives using SEDs is inadequate, as that covers the server only and not all the PHI residing on the workstations. Using TrueCrypt or BitLocker can get all Windows computers in the domain. I recommend BitLocker because you can centrally manage it on the domain controller. Do keep in mind that for versions of Windows before Vista and for non-Windows computers in the domain, a third-party solution will need to be considered.
2. It is quite correct that if no TPM chip is available, then with BitLocker the decryption key will need to be printed out or stored on a USB drive. While this is not ideal, it can work. The person in charge of the encryption will need to be most diligent. If the USB chip is stolen or lost, then the idea is to assume a breach in security has occurred.
3. The encryption we have discussed thus far (SED, TrueCrypt, BitLocker) does not affect backups. Backups from computers encrypted in such a way are unencrypted.
Each encryption method has its strengths and weaknesses that will need to be considered.
JamesNT
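As an added example that is not part of JamesNT's post: an audit script for points 1 and 2 above, checking on a domain workstation whether a TPM is usable, whether each volume is actually encrypted, and whether a recovery password exists and has been escrowed to Active Directory so the keys are centrally managed rather than living only on a USB key or a printout. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later) and that Group Policy permits recovery-key backup to AD DS.

```powershell
# Added example, not from the original post. Assumes the BitLocker and
# TrustedPlatformModule modules (Windows 8 / Server 2012+) and that Group
# Policy allows BitLocker recovery information to be backed up to AD DS.

# Point 2: without a ready TPM, the unlock key has to be a startup USB key
# or a printed recovery password, so the operator must track it carefully.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "No usable TPM: the unlock key must be on a USB key or printed; treat its loss as a breach."
}

foreach ($vol in Get-BitLockerVolume) {
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    "{0} status={1} protection={2} protectors={3}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ',')

    # Point 1: server-side SEDs do nothing for a workstation volume that is
    # still in the clear; flag every unencrypted volume on this machine.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$($vol.MountPoint) is not encrypted; PHI here is exposed if the machine is lost."
        continue
    }

    # Central management: every volume should carry a recovery password, and
    # that password should be escrowed to AD DS rather than only printed.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector; add one before relying on AD escrow."
        continue
    }
    foreach ($kp in $recovery) {
        # Idempotent: re-running simply re-stores the same protector in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}
```

Run it elevated on each domain machine (or via a startup script) and collect the warnings centrally; it does not address point 3, since backup media sit outside the volumes BitLocker protects.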