Act Immediately

Employee Lost a Device with ePHI Access

An employee lost a laptop or phone that had access to patient data.

Act Within the First Hour

A lost or stolen device with access to electronic Protected Health Information (ePHI) is a potential HIPAA breach. The faster you respond, the better your chances of containing the exposure and demonstrating good-faith compliance to the HHS Office for Civil Rights (OCR) if the incident ever comes under scrutiny.

Do not wait to confirm it's really gone. Begin containment steps immediately. If the device turns up later, you can stand down. But every minute of delay increases exposure risk.

Step 1: Remote Wipe Immediately (If Possible)

If your organization has a Mobile Device Management (MDM) system or endpoint management tools, initiate a remote wipe now. This erases the device's data and renders it useless to anyone who found or stole it. Note that the wipe only executes when the device next connects to the network, so leave the command pending and record when the console confirms completion.

  • For iPhones/iPads: Use Find My (iCloud) → select device → Erase iPhone
  • For Android: Google's Find My Device or your MDM console
  • For laptops: Microsoft Intune, Jamf, or similar MDM — trigger full device wipe
  • No MDM? Document this gap. You'll need MDM going forward. Focus on credential revocation instead.

Step 2: Revoke All Credentials Immediately

Assume the device is in hostile hands. Revoke access now:

  1. Change or reset the employee's passwords for all systems they accessed — EHR, email, VPN, cloud storage, portal
  2. Revoke any active sessions or tokens (most cloud platforms have a "sign out all devices" option)
  3. If the employee uses single sign-on (SSO), disable their SSO session through your identity provider
  4. Revoke any API keys or certificates stored on the device if applicable
  5. Notify IT to flag the device as compromised in your asset management system

Step 3: Assess What Data Was Accessible

This is critical for your breach risk assessment. Work with IT to determine:

  • Was the device encrypted? (Full-disk encryption like BitLocker or FileVault means the data on it is unreadable without the user's credentials or the recovery key)
  • Was the device password/PIN protected? Was it set to auto-lock?
  • What applications were installed that could access PHI? (EHR client, email, cloud drives, VPN)
  • Were any PHI files downloaded locally, or was all access via browser/thin client?
  • What was the last known date of use? What patients or records were accessed recently?
  • Was two-factor authentication required to access PHI applications?

Was the Device Encrypted? — This Changes Everything

Under the HIPAA Breach Notification Rule, data encrypted to the NIST standards referenced in HHS guidance is treated as secured PHI, so its loss is considered "not a breach" for notification purposes — the data is unreadable, unusable, and undecipherable to whoever has the device.

If your device was fully encrypted and the encryption key was not also compromised, you may not have a reportable breach. Document the encryption status thoroughly and consult with your Privacy Officer.

If the device was not encrypted, treat this as a presumed breach and proceed with the four-factor risk assessment.

Step 4: Conduct a Breach Risk Assessment

Your Privacy Officer must perform a four-factor risk assessment to determine if this constitutes a reportable breach:

  1. Nature and extent of PHI involved — What types of data (names, SSNs, diagnoses, financial info)? How sensitive?
  2. Who accessed or could have accessed it — Was it stolen vs. lost in a trusted location? Is there any evidence of access?
  3. Whether PHI was actually acquired or viewed — Remote wipe logs, access logs, device location data
  4. Extent to which the risk has been mitigated — Remote wipe completed, passwords changed, etc.

Step 5: Documentation

Document everything with timestamps:

  • When the device was reported lost/stolen
  • When remote wipe was initiated and confirmed
  • When credentials were revoked
  • List of systems and data accessible from the device
  • Encryption status confirmation
  • Results of the risk assessment

Retain all documentation for at least six years. This is your evidence of good-faith response if OCR ever audits you.
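Steps 1, 2 and 5 above carried out against Microsoft Entra ID and Intune, as an added example that is not part of this guide: it revokes the user's sessions, resets the password, wipes the user's enrolled devices and writes a UTC-timestamped log of each action. The user principal name, device name and log path are placeholders; the assumed environment is Entra ID for SSO and Intune for MDM, with the Microsoft Graph PowerShell SDK installed and an operator account holding the rights to reset passwords, revoke sessions and wipe managed devices.

```powershell
# Added example, not part of the original guide: containment for a lost device
# in a Microsoft environment using the Microsoft Graph PowerShell SDK.
# Assumed: Entra ID for SSO, Intune for MDM, Microsoft.Graph modules installed,
# and an operator account with rights to reset passwords, revoke sessions and
# wipe managed devices.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. jdoe@example.org
    [string] $DeviceName,                                 # Intune device name if known; otherwise all the user's devices
    [string] $LogPath = ".\lost-device-incident.log"      # hypothetical log file for Step 5
)

# Step 5: every action is recorded with a UTC timestamp as it happens.
function Write-IncidentLog([string] $Message) {
    $line = "{0}  {1}" -f (Get-Date).ToUniversalTime().ToString("o"), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes "User.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All" | Out-Null
Write-IncidentLog "Device reported lost/stolen; user=$UserPrincipalName"

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

# Step 2: invalidate every refresh token and active session for the account
# (the "sign out all devices" equivalent), then force a password change.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-IncidentLog "Sign-in sessions and refresh tokens revoked for $($user.UserPrincipalName)"

$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
Write-IncidentLog "Password reset; new password required at next sign-in"

# Step 1: wipe the user's Intune-enrolled devices (or only the named one) and
# record the encryption state Intune last reported, which feeds Step 3.
$devices = Get-MgUserManagedDevice -UserId $user.Id
if ($DeviceName) { $devices = $devices | Where-Object { $_.DeviceName -eq $DeviceName } }
if (-not $devices) {
    Write-IncidentLog "No MDM-enrolled device found for this user: MDM gap, credential revocation is the only containment"
}
foreach ($d in $devices) {
    Write-IncidentLog "Device $($d.DeviceName) id=$($d.Id) isEncrypted=$($d.IsEncrypted) lastSync=$($d.LastSyncDateTime)"
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    Write-IncidentLog "Wipe issued to $($d.DeviceName); it executes at next check-in, confirm completion in the Intune console"
}
```

The isEncrypted value is what Intune recorded at the device's last sync, so confirm it against your BitLocker or FileVault key escrow records before relying on it in the risk assessment.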

Step 6: Prevention Going Forward

After the immediate response, address the root causes:

  • Implement or enforce full-disk encryption on all devices with ePHI access
  • Require MDM enrollment before any device can access PHI systems
  • Enforce automatic screen lock after 2-5 minutes of inactivity
  • Implement MFA on all PHI-accessible applications
  • Prohibit local storage of PHI files — use cloud access only
  • Conduct workforce training on device security and what to do if a device is lost
