Skip to main content
All playbooks
Playbook

A laptop, tablet, phone, or USB with patient data is missing

If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.

Last reviewed: May 2026

The first hour

  1. 1Write down exactly what's missing, where it was last seen, and what PHI it could have held — including locally cached email and downloaded reports.
  2. 2Pull encryption evidence from the management console: BitLocker / FileVault status, MDM enrollment, last successful encryption check-in. Screenshot it now.
  3. 3Remote-wipe through MDM if available. Do this before declaring the device lost — wipe commands queue until the device comes online.
  4. 4Change credentials for every account that was signed in on the device. Force a new MFA enrollment.
  5. 5File a police report if theft is suspected. The report number is useful for insurance and sometimes for state notification.
  6. 6Open the breach assessment in writing: what PHI, how many patients, encrypted-and-proven (safe harbor) or not (presumed breach).

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Screenshot the MDM / BitLocker / FileVault console showing encryption status and last successful check-in for the missing device.
  • Export the device's last sync, last login, and any locally cached email or file list.
  • Save the police report number if filed.
  • Document the four-factor breach risk assessment in writing — nature of PHI, who took it, was it accessed, mitigation steps.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

What counts as 'encryption' under HIPAA?+

HHS specifies NIST-approved algorithms (effectively AES-128 or stronger) applied to data at rest. The key cannot be on the same device unprotected. BitLocker with a TPM, FileVault with a strong password, and a properly configured MDM-enforced encryption profile all qualify. A password-protected document is not encryption under the rule.

Do we have to notify if we're sure no data was accessed?+

Not always. The Breach Notification Rule allows a four-factor risk assessment: nature of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of risk mitigation. Document the assessment. If the conclusion is 'low probability of compromise' and you can defend it, notification may not be required.

Does a phone with the EHR app count?+

Yes, if the app caches PHI or stores credentials. Most modern EHR mobile apps cache. Treat the phone the same as a laptop.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.