It could happen, says HIPAA expert.

Willful neglect violations can lead to some humongous fines. And one of your practice's biggest vulnerabilities may be portable devices containing unsecured PHI, say experts (see the article, "Keep HIPAA Concerns at Bay With Simple Risk Analysis" on page 76).

"HHS hasn't formally made a determination that a lost or stolen laptop [or other device containing unencrypted PHI posing a significant risk of harm to an individual] represents willful neglect," observes consultant Abner Weintraub in Orlando, FL. "If HHS made such a finding, it would likely be that not encrypting the data would constitute the 'willful neglect.'"

That could happen considering that "HIPAA is a reasonableness standard," Weintraub says. "Covered entities are supposed to take reasonable precautions against reasonably anticipated risks." And that includes the potential for the widely reported thefts of laptops containing unencrypted PHI, he points out. "Laptop thefts are probably second to cell phone theft."

Don't be one of these: