My office was broken into last night. I use electronic health records, but we do store some protected health information for my patients in paper files. These files are not secured, so the burglars did have access to them. It did not appear that the files were touched as the burglars were looking for cash. What responsibilities do I have to my patients in a situation like this? Do I need to contact them and advise them that their PHI could have been compromised?
Regardless of whether or not you think that there was a breach, HIPAA mandates that you do a Breach Risk Assessment (see Resource 755) and document the results including police reports of the incident where available.
Depending on the results of that risk assessment, you would then take whatever is considered the appropriate steps. To be perfectly honest, even if it looks like they did not open the file cabinets, you do NOT have definitive proof (unless you have fingerprinting done on the cabinets or video tape) that the burglars did not view PHI.
At the minimum, you need to notify your patients that there was a potential breach of PHI with an explanation of why you believe it is only a potential breach.
Alert: Your state may also have breach notification rules, so you would need to check with your state to see if their standards are more stringent than HIPAA regulations.