Question: One of the doctors at our practice got a new cell phone and gave his old phone to a friend. Now our office manager said since it was a practice-owned phone, we should have taken steps to wipe it clean first. What is the issue here?

Codify Subscriber Answer: Mobile devices are a popular and necessary means to deliver efficient care nowadays. Unfortunately, they are also very vulnerable to cyber attack. That’s why when you’re ready to upgrade to a new device, you should take particular care in how you dispose of your hardware. Even if you’ve donated it to a trusted friend, that doesn’t mean you should forgo the steps that would protect your patients’ privacy.

Risk management under HIPAA requires covered entities and their business associates to protect patients’ protected health information (PHI), and that includes data available on electronic devices and media, maintains the HHS Office for Civil Rights (OCR) in its July 2018 Cybersecurity Newsletter.

“Improper disposal of electronic devices and media puts the information stored on such devices and media at risk for a potential breach,” the guidance reminds. “Data breaches can be very costly to organizations.”

Assess your disposal rules, analyze and investigate your HIPAA security compliance shortcomings, and then back up your findings with a comprehensive management plan. Because remember, not only do you endanger the livelihood of your practice with shoddy protocols, but you put your patients at risk, too.

Resource: Take a look at the July 2018 issue of the OCR’s Cybersecurity Newsletter at www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf.