
A laptop, tablet, phone, or USB with patient data is missing

If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.

The first hour

  1. Write down exactly what's missing, where it was last seen, and what PHI it could have held — including locally cached email and downloaded reports.
  2. Pull encryption evidence from the management console: BitLocker / FileVault status, MDM enrollment, last successful encryption check-in. Screenshot it now.
  3. Remote-wipe through MDM if available. Do this before declaring the device lost — wipe commands queue until the device comes online.
  4. Change credentials for every account that was signed in on the device. Force a new MFA enrollment.
  5. File a police report if theft is suspected. The report number is useful for insurance and sometimes for state notification.
  6. Open the breach assessment in writing: what PHI, how many patients, encrypted-and-proven (safe harbor) or not (presumed breach).

Frequently asked

What counts as 'encryption' under HIPAA?

HHS specifies NIST-approved algorithms (effectively AES-128 or stronger) applied to data at rest. The key cannot be on the same device unprotected. BitLocker with a TPM, FileVault with a strong password, and a properly configured MDM-enforced encryption profile all qualify. A password-protected document is not encryption under the rule.
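Step 2 of the first hour and the FAQ above both depend on being able to prove, after the fact, that the device was encrypted with an acceptable method and that the key was not sitting on the disk unprotected. The following PowerShell script is an added example, not part of the original playbook or of any HackFirstAid tooling. It snapshots BitLocker and TPM state on a Windows endpoint into a timestamped JSON record and appends a SHA-256 hash of that record to a manifest, so the evidence exists before a device goes missing. It uses only the built-in `Get-BitLockerVolume`, `Get-Tpm` and `Get-FileHash` cmdlets; the evidence directory, the file naming scheme and the idea of running it from a scheduled task or MDM script policy are assumptions.

```powershell
# Added example (not from the original playbook): record BitLocker/TPM evidence
# for a Windows endpoint so it can later support a HIPAA safe-harbor claim.
# Run elevated. The output location below is an assumption; in practice point it
# at a central share or have your MDM collect the file.
$EvidenceDir = 'C:\Evidence\Encryption'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# TPM presence/readiness: a key protector bound to the TPM is what keeps the key
# off the disk in the clear.
$tpm = Get-Tpm

# Per-volume BitLocker state. Everything is cast to strings so the JSON is
# readable without the BitLocker module on the reviewing machine.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint           = $_.MountPoint
        VolumeType           = [string]$_.VolumeType        # OperatingSystem / Data
        ProtectionStatus     = [string]$_.ProtectionStatus  # On / Off
        VolumeStatus         = [string]$_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod     = [string]$_.EncryptionMethod  # e.g. XtsAes128, XtsAes256, None
        EncryptionPercentage = $_.EncryptionPercentage
        KeyProtectorTypes    = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    }
}

# Evaluate the OS volume against the criteria the FAQ describes: protection on,
# fully encrypted, an AES method, and a TPM-backed key protector.
$os = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
$meetsSafeHarbor = $false
if ($os) {
    $aes      = $os.EncryptionMethod -match '^(Xts)?Aes(128|256)$'
    $tpmBound = @($os.KeyProtectorTypes | Where-Object { $_ -match '^Tpm' }).Count -gt 0
    $meetsSafeHarbor = ($os.ProtectionStatus -eq 'On') -and
                       ($os.VolumeStatus -eq 'FullyEncrypted') -and
                       $aes -and $tpmBound -and $tpm.TpmPresent -and $tpm.TpmReady
}

$nowUtc = (Get-Date).ToUniversalTime()
$record = [pscustomobject]@{
    CollectedAtUtc          = $nowUtc.ToString('o')
    ComputerName            = $env:COMPUTERNAME
    TpmPresent              = $tpm.TpmPresent
    TpmReady                = $tpm.TpmReady
    OsVolumeMeetsSafeHarbor = $meetsSafeHarbor
    Volumes                 = $volumes
}

# Write the record, then hash it and append the hash to a manifest so a later
# reviewer can show the file was not altered after collection.
$file = Join-Path $EvidenceDir ('{0}-{1:yyyyMMddTHHmmssZ}.json' -f $env:COMPUTERNAME, $nowUtc)
$record | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding UTF8
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
Add-Content -Path (Join-Path $EvidenceDir 'manifest.txt') -Value ("{0}  {1}" -f $hash, (Split-Path $file -Leaf))

Write-Output ("Evidence written: {0} (SHA256 {1}); OS volume meets safe-harbor criteria: {2}" -f $file, $hash, $meetsSafeHarbor)
```

The record is only useful if it predates the loss and is stored somewhere the missing device cannot reach, so collect it on a schedule and ship it off the endpoint. A `Password`- or `RecoveryPassword`-only protector list with no `Tpm*` entry, or an `EncryptionMethod` of `None`, means the volume would fail the check and the playbook's presumed-breach branch applies.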

Do we have to notify if we're sure no data was accessed?

Not always. The Breach Notification Rule allows a four-factor risk assessment: nature of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of risk mitigation. Document the assessment. If the conclusion is 'low probability of compromise' and you can defend it, notification may not be required.

Does a phone with the EHR app count?

Yes, if the app caches PHI or stores credentials. Most modern EHR mobile apps cache. Treat the phone the same as a laptop.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.


This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.