A nurse manager had her laptop stolen. The police found it abandoned within a day. There is no indication that they accessed or used the laptop. Do we have an obligation to notify patients whose records were on the laptop?

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). It protects the privacy and security of individually identified health information that is referred to as protected health information (PHI).

Under the regulations, HIPAA applies to healthcare providers who transmit PHI in an electronic form. The HIPAA regulations also advise that PHI includes a person’s past, present or future mental health conditions. PHI includes the provision of healthcare to the individual and past, present or future payments for it.

With your question, I think it is fair to assume the laptop contains PHI and that the nurse manager is a business associate under HIPAA. Failure  to protect the privacy of PHI subjects healthcare providers to penalties, which prior to Feb. 18, 2009, would be up to $100 per violation with a calendar cap of $25,000. Since that date, the penalty has been $100, to $50,000 or more per violation with a calendar cap of $1.5 million. 

If a healthcare provider receives a notice of penalty, it has an opportunity to present evidence of circumstances that would reduce or bar the penalties.

Failure of a provider to notify a patient of a potential breach of privacy can be a breach of HIPAA. Thus, the safest approach would be to notify all patients who had PHI on the laptop of the circumstances of the robbery and recovery of the laptop. 

You may also want to advise that the nurse manager was not negligent and was in full compliance of the provider’s privacy policy.