It could happen, says HIPAA expert.

Willful neglect violations can lead to some humongous fines. And one of a home care provider's biggest vulnerabilities may be portable devices containing unsecured protected health information (PHI), say experts (see related article, this page).

The Department of Health and Human Services "hasn't formally made a determination that a lost or stolen laptop [or other device containing unencrypted PHI posing a significant risk of harm to an individual] represents willful neglect," observes consultant Abner Weintraub in Orlando, Fla. "If HHS made such a finding, it would likely be that not encrypting the data would constitute the 'willful neglect.'"

That could happen considering that the Health Insurance Portability and Accountability Act "is a reasonableness standard," Weintraub says. "Covered entities are supposed to take reasonable precautions against reasonably anticipated risks." And that includes the potential for what have been widely reported thefts of laptops containing unencrypted PHI, he points out. "Laptop thefts are probably second to cell phone theft."

Don't be one of these: "If you look at research and surveys related to data and device thefts, a lot of organizations still don't encrypt health data ... that could harm individuals if it fell into the wrong hands," cautions Weintraub.