If a laptop, phone, or USB drive containing patient information just went missing, you have a narrow window to respond correctly. The first 24 to 72 hours determine whether this stays a manageable internal incident or becomes a reportable breach with notification obligations, HHS involvement, and potentially significant fines. This guide walks you through the steps in order, explains the encryption safe harbor that may eliminate your reporting obligation entirely, and covers what you need to document along the way.
One important note before diving in: a lost or stolen device is not automatically a HIPAA breach. Whether it becomes one depends on a specific risk assessment your team must complete. That assessment — and how you document it — is the difference between an incident that stays in your files and one that ends up on HHS's public breach portal.