Question: Our office manager thinks we need to contact the authorities after her laptop got stolen out of her car. It had patient information on it and was neither encrypted nor password-protected. What should we do?

Codify Subscriber

Answer: If you uncover a HIPAA breach in your office, you do have to alert the Department of Health and Human Services (HHS) about it. Keep the following in mind, depending on how many patients were impacted by your breach.

Breaches that include more than 500 individuals:

Breaches that include fewer than 500 individuals:

Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up business agreements that are compliant, but the initial task of creating resources and office compliance codes can be daunting. Educating both your staff and business associates on what a breach consists of and why and how it must be reported to avoid penalties is paramount. It may sound basic, but stressing effective and timely communication within the entity is one of the keys, so that any suspected breach can be evaluated and, if necessary, reported within the required time frames.

Resource: For an overview of the Breach Notification Rule, visit https://www.hhs.gov/hipaa/for-professionals/breach-notification/.