Complying with HIPAA to protect patient health information is your responsibility, but what do you do if your computer is stolen? Some of the biggest HIPAA violation fines have been due to stolen laptops. In several instances, a single stolen laptop has led to fines in excess of $1million.

  • The theft of a single unencrypted laptop containing electronic protected health information (ePHI) led to a $1.5 million fine in Massachusetts. source
  • When a laptop with sensitive medical information of 599 patients was stolen from a doctor with Lahey Hospital and Medical Center, OCR deemed that Lahey did not take the necessary precautionary measures to prevent this violation and settled upon $850,000. source
  • No physical article need be stolen for a violation to be made. An investigation of Concentra Health Services was initiated after an unencrypted laptop was reported stolen from an office. Even though the laptop was later found in the office, the fact its data was unencrypted triggered a $1.7million HIPAA fine. source
The acquisition of unsecured Protected Health Information (PHI) is considered a breach, and must be reported to the US Department of Health and Human Services (HHS), to your patients, and to the media. However, because MacPractice encrypts your data, you qualify for “safe harbor” and are not required to report a breach. While this is good news for your reputation and your patients' privacy, there are a few more steps you can take for even more precaution.

Consider the following steps, regardless of whether the stolen computer was a MacPractice Server or Client machine:
  1. Change all user passwords. In the References ability, under the Users node, select each user's record and reset the password with the Set Password button.
  2. Delete the Database Access item: If a client machine was stolen, delete the item from Preferences > Database Access to “unsynch” the device and revoke permission to access the server using that device.
  3. Evaluate network security. Call a local network professional to confirm your office's network is secure. If a static IP address is used for the MacPractice server, it may need to be updated.
  4. Secure the MacPractice server. I  your MacPractice server was stolen, you’ll need to set up a new server. Once you have set up a new computer as the server, you may find it helpful to keep the server in a locked, secure room, to deter future theft.
MacPractice Support is happy to assist with any part of this process. Please call 877-220-8418 or email with any questions. Visit HIPAA's website and review any policies regarding security breaches for more information.